home.social

#accountlockout — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #accountlockout, aggregated by home.social.

  1. @jtb : an increasing number of people I know no longer use desktops (that is, at home). An iPhone and an iPad, or an Android phone (and optionally a Chromebook), suffice for most people.

    Commercial password managers will try to lock you in as a customer, while using open source (such as KeePass-compatible) apps leads to other risks (such as stopped maintenance or malicious takeover).

    Most people I know even refuse to use password managers because of their complexity - while they enormously underestimate their risks by using one or a few weak passwords written on paper or stored in Excel sheets.

    Some of them feel betrayed after being advised to use TOTP 2FA - which is not phishing resistant, effectively *is* a password manager, too often without backups (of the shared secrets) being made, leading to account lockout after losing their phones (or app malfunction). And I'm not even considering privacy-invasive and insecure TOTP apps such as Authy.

    Nobody warned them of the risks associated with TOTP, as nobody warns them of the risks that come with passkeys. People are, IMO, rightfully not interested in the crap the industry is trying to enforce on them.

    @rmondello @brandonbutler

    #Passkeys #AccountLockout #Authentication #TOTP #Authy

  5. @jtb : yes, but AFAIK passkey private keys cannot be exported from "Apple Passwords" and neither from "Google Passwords", which are probably used most.

    Why would people install a third-party password manager (often paid, and/or a privacy/security risk - remember LastPass) if your phone comes with such an app and they're unaware of the risks?

    Edited to add: my Feb. 2024 write-up on Full Disclosure still mostly applies.

    Screenshots, chronological:

    1) Top right: contents of Google Password Manager after creating a passkey on webauthn.io

    2) Left: tapping the "Delete data" button in chrome.google.com/sync

    3) Bottom right: contents of Google Password Manager after tapping the "Delete data" button in chrome.google.com/sync. The passkey is gone.

    People are wrongly made to believe that Google passkeys are stored safely on their device; they are not.

    @rmondello @brandonbutler

    #AndroidPasskeysGone #Passkeys #AccountLockout

  8. @jtb : yes, but AFAIK passkey private keys cannot be exported from "Apple Passwords" and neither from "Google Passwords". Which are probably used most.

    Why would people install a third party password manager (often payed, and/or a privacy/security risk - remember Lastpass) if your phone comes with such an app and they're unaware of the risks?

    Edited to add: my Feb. 2024 write up on Full Disclosure still mostly applies.

    Screenshots, chronological:

    1) Top right: contents of Google Password Manager after creating a passkey on webauthn.io

    2) Left: tapping the "Delete data" button in chrome.google.com/sync

    3) Bottom right: contents of Google Password Manager after tapping the "Delete data" button in chrome.google.com/sync. The passkey is gone.

    People are wrongly made to believe that Google passkeys are stored safely on their device; they are not.

    @rmondello @brandonbutler

    #AndroidPasskeysGone #Passkeys #AccountLockout

  9. Weak 2FA/MFA is COUNTERPRODUCTIVE

    In security.nl/posting/912441/65- I wrote earlier this week:

    2FA (MFA) is crap.

    Let the government recommend a password manager that DOES check domain names.

    (The latter is possible by default on Android, iOS and iPadOS - by means of "AutoFill".)

    At the "request" of many, I substantiated that claim (not for the first time) in security.nl/posting/912441/65-.

    And in security.nl/posting/912441/65- I explained why online login is *hard* to make secure - whatever you come up with (they remain shared secrets).

    Today I tested Microsoft Authenticator once again (on Android). You can read my findings in (the second half of) security.nl/posting/912441/65- - below is an excerpt from it.

    #ZwakkeMFA #SMS #AuthenticatorApps #Zwakke2FA #Weak2FA #WeakMFA #MicrosoftAuthenticator #2FAsucks #MFAsucks #Phishing #NepWebsites #PhaaS #Evilginx2 #SIMswap #SS7 #AcountTakeOver #CookieTheft #AccountLockout