IRC log of #maemo for Thursday, 2020-06-11

[00:18] *** KindTwo has joined #maemo
[00:19] *** KindOne has quit IRC
[00:22] *** KindTwo is now known as KindOne
[00:22] *** pagurus has quit IRC
[00:23] *** florian has quit IRC
[00:24] *** florian has joined #maemo
[00:30] *** Kabouik has quit IRC
[00:34] *** Pali has joined #maemo
[01:05] *** mva_ has joined #maemo
[01:06] *** mva has quit IRC
[01:27] *** Kabouik has joined #maemo
[01:49] *** freemangordon has quit IRC
[01:56] *** freemangordon has joined #maemo
[02:12] *** drathir_tor has quit IRC
[02:18] *** Kabouik has quit IRC
[02:20] *** drathir_tor has joined #maemo
[02:33] *** florian has quit IRC
[02:37] *** Kabouik has joined #maemo
[02:53] *** jskarvad has quit IRC
[02:58] *** Kilroo has joined #maemo
[02:59] *** Pali has quit IRC
[03:22] *** KindOne has quit IRC
[03:31] *** KindOne has joined #maemo
[04:23] *** KindTwo has joined #maemo
[04:25] *** KindOne has quit IRC
[04:27] *** KindTwo is now known as KindOne
[04:58] *** LauRoman|S has joined #maemo
[05:17] *** KindTwo has joined #maemo
[05:19] *** KindOne has quit IRC
[05:21] *** KindOne has joined #maemo
[05:22] *** KindTwo has quit IRC
[05:40] *** sicelo has quit IRC
[05:41] *** sicelo has joined #maemo
[05:41] *** sicelo has quit IRC
[05:41] *** sicelo has joined #maemo
[05:41] *** KindTwo has joined #maemo
[05:42] *** KindOne has quit IRC
[05:44] *** tm has quit IRC
[05:45] *** KindTwo is now known as KindOne
[05:47] *** tm has joined #maemo
[06:33] *** KindTwo has joined #maemo
[06:35] *** KindOne has quit IRC
[06:38] *** KindTwo is now known as KindOne
[06:48] *** KindOne has quit IRC
[07:26] *** DocScrutinizer05 has quit IRC
[07:26] *** DocScrutinizer05 has joined #maemo
[08:36] *** APic has quit IRC
[08:38] *** APic has joined #maemo
[09:09] *** Kilroo has quit IRC
[09:31] <brolin_empey> I love these lame applications that tell the user that their password has expired and needs to be changed but happily accept the expired password as the “new” password, such as the Web site for my current (since 2018 June) credit card provider, who just expired my original password.
[09:33] *** Kabouik has quit IRC
[09:34] <brolin_empey> Even Windows 2000 originally did this, but Microsoft may have fixed it in one of the service packs.
[09:44] *** Kabouik has joined #maemo
[09:51] *** Kabouik has quit IRC
[09:57] *** Kabouik_ has joined #maemo
[10:10] *** Kabouik_ has quit IRC
[10:30] <luke-jr> brolin_empey: is there a legit use case for expiring passwords?
[10:51] *** Pali has joined #maemo
[10:57] *** jskarvad has joined #maemo
[11:24] *** pagurus has joined #maemo
[11:37] *** luke-jr has quit IRC
[11:38] *** luke-jr has joined #maemo
[11:47] <sixwheeledbeast> I fail to see the point in expiring passwords. Some companies have it as a policy. People are lazy: you make it harder for people that use password management, and the ones that don't care generally use the same password but change the last character.
[11:49] <sixwheeledbeast> As much as I hate biometrics, it works for people that aren't interested.
[12:10] *** Kabouik has joined #maemo
[12:27] *** chgvisua- has quit IRC
[12:27] *** chgvisual has joined #maemo
[12:40] <Maxdamantus> I hate that most things even use passwords.
[12:41] *** eMHa has quit IRC
[12:42] <Maxdamantus> If a system is relying on something like email as its actual authority (eg, systems where you can reset a password as long as you have access to an email address), a password is only really a convenience feature that makes it quicker to authorise (enter a memorised password instead of going through an email validation cycle).
[12:45] <Maxdamantus> Most sites should either just use email validation to log in. If it's something that someone is using frequently, then allow their browser to remember a long-lived session cookie; otherwise, if they're using it infrequently, they're going to forget their password and go through an email validation cycle anyway.
[12:45] <Maxdamantus> s/either //
[12:45] <infobot> Maxdamantus meant: Most sites should just use email validation to log in. If it's something that someone is using frequently, then allow their browser to remember a long-lived session cookie; otherwise, if they're using it infrequently, they're going to forget their pas...
[13:05] <sixwheeledbeast> You're requiring the need for email and a browser, which may be inconvenient. I don't want my browser to remember any cookies between sessions.
[13:08] <sixwheeledbeast> A password is providing a weak form of 2FA. If your email is compromised, then you validate all sessions from there; it's a single point of failure.
[13:10] <sixwheeledbeast> Also, I believe we were referring to security more generally, so logging into the system in the first place, for example.
[13:25] <Maxdamantus> No. Allowing a password is a weakening of the system. 2FA is about requiring an *extra* requirement for authentication. Most password systems are about providing an *alternative* requirement for authentication.
[13:25] <Maxdamantus> Since most password systems allow you to authenticate if you've forgotten the password.
[13:26] <Maxdamantus> So the password is not actually required, it's just a way of accessing the system quicker.
[13:29] <Maxdamantus> 2FA requires 2 factors when authenticating. Password systems usually allow you to authenticate using only one factor (the password). Those systems also usually allow you to authenticate using the email, but they don't require you to authenticate using both.
[13:29] <Maxdamantus> So again, you've got two alternative ways of accessing the system, therefore it's strictly weaker.
[13:29] <Maxdamantus> and passwords seem like a very weak system.
[13:29] <Maxdamantus> Since people reuse passwords all the time.
[13:31] <Maxdamantus> > If your email is compromised, then you validate all sessions from there; it's a single point of failure.
[13:32] <Maxdamantus> Most password systems allow you to recover if you have access to email.
[13:32] <Maxdamantus> So by having a password, they're not protecting against that.
[13:33] *** Kabouik has quit IRC
[13:33] *** Kabouik has joined #maemo
[13:37] <Maxdamantus> It's like allowing your friend into your house by opening the door for them (you are the primary authority), and then for convenience you can give them a door key.
[13:38] <Maxdamantus> Giving them a key is a weakening of security.
[13:38] <sixwheeledbeast> Not protecting, no, but not providing access to everywhere else. If you have forgotten a password, you would have to validate in the same way as registering the account in the first place, and this would clear the password.
[13:39] <Maxdamantus> Right, so why not just require them to validate the same way each time they log in?
[13:40] <Maxdamantus> Instead of giving out extra keys that can be used to bypass the primary authority mechanism?
[13:40] <sixwheeledbeast> Well, because it's inconvenient, just like never leaving your house so you can let your friend in.
[13:40] <sixwheeledbeast> to use your analogy
[13:40] *** Kabouik has quit IRC
[13:40] <Maxdamantus> Right, so it's a convenience feature. It's a weakening of security.
[13:42] *** Kabouik has joined #maemo
[13:42] <sixwheeledbeast> I don't agree. It's systematically not compatible with people, but in itself it isn't a weakness IMO.
[13:42] <Maxdamantus> If it's a site that's used once every month or two, you might as well just have that initial validation as the way people log in, because it's likely that at that length of time, it's going to be more annoying trying to memorise a password than checking an email.
[13:43] <Maxdamantus> It's clearly a weakness. You still have the alternative way of authenticating (using email or whatever). Like the door analogy, you can still ask your friend to let you in.
[13:44] <Maxdamantus> But having a password/key is an extra vulnerability that can be exploited by others.
[13:44] <Maxdamantus> You could accidentally leave your key somewhere, or you could reuse a password, or you could enter your password into another website as you're trying to remember their password.
[13:45] <Maxdamantus> the password/key is a way of bypassing that primary authority mechanism (asking the friend, or verifying an email address)
[13:46] <sixwheeledbeast> As I say, it's not just about websites; you have security before you even get to a browser or email client. Using passwords incorrectly is down to the user, not the method.
[13:47] <Maxdamantus> I'm not opposed to passwords overall. I just think most of them are useless.
[13:47] <Maxdamantus> There are relatively few things that should actually use passwords. That does not include most websites.
[13:48] <Maxdamantus> Most websites ultimately authenticate using email validation. Obviously if you're talking about access to an email account, or access to some system using ssh, you're not ultimately using email validation, so a password might make sense in those situations.
[13:49] <Maxdamantus> s/useless/useless and a security liability/
[13:49] <infobot> Maxdamantus meant: Most websites ultimately authenticate using email validation. Obviously if you're talking about access to an email account, or access to some system using ssh, you're not ultimately using email validation, so a password might make sense in those situation...
[13:51] *** Kabouik has quit IRC
[13:52] *** Kabouik has joined #maemo
[13:52] <sixwheeledbeast> You can't expect to validate every session via email on every site every time you start a new browsing session.
[13:55] <Maxdamantus> Then remember the session.
[13:55] <sixwheeledbeast> The overhead created both ways would be ridiculous; also, your email would not be protected via HTTPS. Leaving your browsing session open would be like leaving your front door open.
[13:56] <Maxdamantus> You mentioned password managers before. Where is the password being saved?
[13:56] *** Kabouik has quit IRC
[13:56] <sixwheeledbeast> encrypted somewhere else
[13:56] <Maxdamantus> Encrypted using what?
[13:57] <Maxdamantus> To the extent that most people use password management, it's just making the password accessible to the browser.
[13:57] <Maxdamantus> Might as well just store cookies instead. At least cookies are essentially forced to be randomly generated instead of potentially reused across different websites.
[13:58] <sixwheeledbeast> Encrypted with whatever the latest standard is and stored away from the session.
[13:58] *** Kabouik has joined #maemo
[13:58] <Maxdamantus> It would be fine if passwords were also required to be randomly generated (as often happens when people use more advanced password managers), but the point of a password is generally that the user is able to choose a common phrase that they can remember. There's nothing preventing them from reusing that phrase across different sites.
[13:59] <Maxdamantus> What's the difference between encrypting the password and encrypting the cookies?
[14:01] <Maxdamantus> (When I said "encrypted using what?" I meant: what is the source of the encryption key. You can't just encrypt something and then claim you've added security. If you store the encryption key next to the encrypted data, there's no added security.)
[14:02] <sixwheeledbeast> I am not saying they are perfect and that the system systematically helps people use them correctly.
[14:04] <Maxdamantus> If passwords are being encrypted using, eg, the user's OS password (so the actual key is encrypted using the user's OS password), browsers might as well just be doing the same thing with their cookie stores. If you forget your OS password, you lose access to your cookies.
[14:04] <sixwheeledbeast> Well, you could be flexible; the key can be anything: physical hardware, a piece of data, a "strong master password" that is only knowledge and not used elsewhere.
[14:04] <Maxdamantus> imo that's a pretty decent system.
[14:06] *** Kabouik has quit IRC
[14:07] *** Kabouik has joined #maemo
[14:11] <sixwheeledbeast> Ultimately my ideal solution is a device combined with a password (something I have and something I know). Which is pretty much what I have now; the random passwords that the manager makes up mean nothing to me or anyone.
[14:12] *** Kabouik has quit IRC
[14:13] <Maxdamantus> Sure, so that's not really a password. It's still probably a weakening of the system, but it's not as weak as a typical password setup.
[14:13] <Maxdamantus> (typical password setup as in where the user remembers a password and types it in each time)
[14:14] <sixwheeledbeast> the issue with cookies is being tracked; you have no easy control over saving just the password and not the rest of the session to log in quickly.
[14:16] <sixwheeledbeast> Yeah, I see what you mean from the POV of I am using the "Password" box as a "Key", so it's not really a "password"
[14:19] <sixwheeledbeast> I have never considered a password to be a "password"; it's just a string of memorable characters.
[14:20] <Maxdamantus> also, in cases where websites do legitimately need to use actual passwords, I want there to be some sort of augmented PAKE system (eg, SRP or OPAQUE). It requires support from the web browser or OS, but it means it's not unsafe to, eg, reuse a password across multiple sites.
[14:21] <Maxdamantus> I imagine the main issue with PAKE is getting a UX that people learn to use properly, so they're informed that the browser/OS is asking for the password instead of the website.
[14:25] *** Kabouik has joined #maemo
[14:25] <Maxdamantus> imo SRP would also be suitable in place of ssh password authentication.
[14:25] <sixwheeledbeast> They are not going away, as other options all have equal flaws or implementation issues.
[14:43] *** florian_kc has joined #maemo
[14:52] *** Kabouik has quit IRC
[15:00] *** Kabouik has joined #maemo
[15:04] *** Kabouik has quit IRC
[15:30] *** Kabouik has joined #maemo
[15:33] *** ^[_ has quit IRC
[15:33] *** ^[_ has joined #maemo
[16:07] *** eMHa has joined #maemo
[16:19] *** Kabouik has quit IRC
[16:21] *** Kabouik has joined #maemo
[16:21] *** troulouliou_div2 has quit IRC
[16:24] *** troulouliou_div2 has joined #maemo
[16:29] *** sunshavi has quit IRC
[16:31] *** troulouliou_div2 has quit IRC
[16:31] *** troulouliou_div2 has joined #maemo
[16:39] *** troulouliou_div2 has quit IRC
[16:44] *** Kabouik has quit IRC
[16:46] *** sunshavi has joined #maemo
[16:48] *** sunshavi has quit IRC
[17:03] *** troulouliou_div2 has joined #maemo
[17:09] *** LauRoman|S has quit IRC
[17:19] *** Kabouik has joined #maemo
[17:40] *** Kabouik has quit IRC
[17:42] *** Kabouik has joined #maemo
[17:52] *** troulouliou_div2 has quit IRC
[18:00] *** troulouliou_div2 has joined #maemo
[18:00] *** sunshavi has joined #maemo
[18:00] *** troulouliou_div2 has quit IRC
[18:00] *** troulouliou_div2 has joined #maemo
[18:08] *** LauRoman|S has joined #maemo
[18:23] *** Kabouik has quit IRC
[18:36] *** Kabouik has joined #maemo
[18:50] *** Kabouik has quit IRC
[19:00] *** sunshavi has quit IRC
[19:14] *** infobot has quit IRC
[19:23] *** Kabouik has joined #maemo
[19:25] *** Kabouik has quit IRC
[19:50] *** thuttu77 has joined #maemo
[19:53] *** sunshavi has joined #maemo
[19:53] *** Kabouik has joined #maemo
[19:56] *** infobot has joined #maemo
[19:56] *** ChanServ sets mode: +v infobot
[20:01] *** infobot has quit IRC
[20:01] *** thuttu77 has quit IRC
[20:04] *** Kabouik has quit IRC
[20:05] *** Kabouik has joined #maemo
[20:13] *** Kabouik has quit IRC
[20:26] *** Kabouik has joined #maemo
[20:26] *** florian_kc has quit IRC
[20:32] *** Kabouik has quit IRC
[21:03] *** jskarvad has quit IRC
[21:36] *** florian_kc has joined #maemo
[21:43] *** dos1 has quit IRC
[21:46] *** dos1 has joined #maemo
[21:53] *** florian_kc is now known as florian
[22:13] *** ced117 has joined #maemo
[22:13] *** ced117 has joined #maemo
[22:19] *** infobot has joined #maemo
[22:19] *** ChanServ sets mode: +v infobot
[22:38] *** infobot has quit IRC
[22:39] *** infobot has joined #maemo
[22:39] *** ChanServ sets mode: +v infobot
[22:42] *** ced117 has quit IRC
[22:44] *** ced117 has joined #maemo
[22:44] *** ced117 has joined #maemo
[23:11] *** l_bratch has quit IRC
[23:13] *** l_bratch has joined #maemo

Generated by irclog2html.py 2.15.1 by Marius Gedminas - find it at mg.pov.lt!