A reason why every site should move past passwords: Kiwi Farms hack.

submitted by [deleted] from (self.technology)

[deleted]

all 11 comments
sorted by:
top
newinsightfulfun

[–][deleted] 3 insightful - 3 fun3 insightful - 2 fun4 insightful - 3 fun -  (4 children)

Maybe use an old school dongle as a second factor. Some providers allow using more than one phone number as a second factor.

When I can, I only use passwords with 24 characters length. I watched a terrifying lecture on quantum computing last year and according to it, this kind of risks are only to mitigate by increasing password length. (We'll never really know what kind of computing power is at somebodies command in some secret lab, sadly.)

Otherwise, from a user's perspective, I try to spread my risk by using different E Mail from different providers.

[–][deleted]  (3 children)

[deleted]

    [–][deleted] 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (2 children)

    I'd prefer not to, too.

    But in EU this is mandatory for online-banking e.g.

    [–]iamonlyoneman 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (1 child)

    Online banking is stupid.

    [–][deleted] 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (0 children)

    I know. But since i got to manage accounts that are kept in Lithuana, i'm sometimes out of options regarding this.

    [–]iamonlyoneman 3 insightful - 1 fun3 insightful - 0 fun4 insightful - 1 fun -  (0 children)

    "we should move beyond passwords on one site" is another way to say "we should use passwords on a different site" usually with "oh and fucking record your biometrics so those can be hacked when othersite is hacked too LOL"

    Passwords are not the problem. Poor website security is the problem. A corollary problem is retards using realnames and personally important and ID-traceable email accounts to register online.

    [–]LarrySwinger2 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (0 children)

    /u/magnora7 <-- this is how to summon him.

    Users can address this issue by using unique passwords. I'm guessing the average person will have trouble remembering one password for each site, but that's what password managers are for, and they can generate passwords for you as well.

    [–]GB43 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (0 children)

    The solution is not to get rid of passwords. It is for people who run websites to pay attention to security. For example, I run a small social media site. On my site, users' passwords are stored 256-bit encrypted with a long salt. So, even I can't decrypt them. If they are stolen, it isn't really a big deal, because all the thief has is gibberish. I also do not ask users for ANY private information, so there is nothing else on my server that a thief might want. Josh Moon seems to me to be too smart to store passwords unencrypted on his site, so I hope you just misinterpreted what he was saying.

    By the way, I have been following the drama surrounding Kiwi Farms, and it is a fascinating illustration of the current state of free speech on the Internet.

    [–]JasonCarswell 1 insightful - 2 fun1 insightful - 1 fun2 insightful - 2 fun -  (1 child)

    The correct solution is cryptographic signatures. It doesn't require 0-auth which has its own problems especially for privacy.

    What's the matter with OAuth?
    https://en.wikipedia.org/wiki/OAuth

    But no site wants to be the first to scare users by asking them to participate in their own security,

    I'm not an I.T. guy, nor admin, nor a coder - but I'd be happy to help facilitate whatever is needed to make more ethically-managed (FOTPACH fair, open, transparent, peaceful, accountable, consistent, honest), self-regulated, decentralized instances to be as flexible, resilient, robust, secure, and sustainable as possible.

    I have several guys and communities eager to fund the set up with several local communities keen to relocate to Movim, YaCy, etc. Maybe SaidIt folks might like a couple Lemmys too, maybe not.

    Why tell this to people who mostly don't build websites and mostly use them? Because when you see a company doing the right thing and getting rid of passwords (if they are swapping them for signatures) it helps if consumers understand that they are the good guys for it and to not get angry. That fear of consumer anger is what prevents things from actually being secure.

    Truth-seekers, free-thinkers, and freedom/resistance folks understand what is at stake. Those are the only folks I/we need to worry about when starting up.

    [–][deleted] 2 insightful - 1 fun2 insightful - 0 fun3 insightful - 1 fun -  (0 children)

    What's the matter with OAuth?

    When you give an app OAuth credentials you effectively give it carte blanche to access data associated from your other accounts using those credentials.

    Personally I think passwords are less of problem than OP. If you want to do key signing, the problem is that you are still relying on a central key authority, randomly generating non-unique keys, or using some secret phrase hash that is essentially a password anyway. The password is at least under your control. Although things like ensuring the password isn't stored in cleartext in the database is not

    [–]package 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (0 children)

    ... op the post literally breaks down exactly what happened and it has nothing to do with passwords. It isn't saying that they store your password as plaintext or even that anything to do with passwords or anything else was accessed. It is saying that regardless of the severity of any hack on any site, it is always a good idea to assume the worst and update all security info.

    [–]fizzparentlanguid 1 insightful - 1 fun1 insightful - 0 fun2 insightful - 1 fun -  (1 child)

    Administrators of online platforms should take precautions to prevent unauthorized access to their platforms. For instance, I manage a little social networking site. Passwords on my site are 256-bit AES encrypted and salted for further security. This means that even I am unable to read them in their encrypted form. It's not a big deal if they get stolen because the thief will only driving directions be left with meaningless nonsense. Moreover, I do not solicit any kind of personal data from my visitors, thus there is nothing of value on my server that a criminal might steal. I think Josh Moon is too savvy to save passwords in plaintext on his site, therefore I'm crossing my fingers that you misunderstood him.