This week, Google announced they would be shutting down their "Dark Web Report" tool which would alert you if your data—such as email address, password, name, address, and more—appeared in any known dark web data breach sites, citing that "it didn't provide helpful next steps."
Most people in the privacy community argued that this was just an excuse to collect more data; however, it is, or better said it was, a good tool for normies to know when their passwords were breached.
I have a super hot take that it’s completely irrelevant if your password gets breached and password managers are only a UX tool rather than a security/privacy tool. As I see it, passwords are just a part of your login id and systems that require strong passwords only engage in security theater.
All systems that contain sensitive data should be monitoring logging patterns and requiring 2FA. If they don’t, then account breaches are not important and accounts in that system are just a way to customize and remember user preferences. 2FA (e.g. TOTP) is the real modern-day password.
I have a super hot take that it’s completely irrelevant
This starts well …
if your password gets breached and password managers are only a UX tool rather than a security/privacy tool.
Does the “if” also cover “password managers are UX tools”, or is that your opinion?
All systems that contain sensitive data should be monitoring logging patterns and requiring 2FA.
In the best scenarios, but sometimes you deal with companies that do not have 2FA or only weak 2FA, and companies who don’t really care about your security at all. That have sensitive data about you.
If they don’t then account breaches are not important and accounts in that system are just a way to customize and remember user preference. 2FA (eg TOTP) are the real modern day passwords.
I agree.
The best system for me is Password + FIDO2 with the YubiKey pin required.
The only issues I have here are:
My point is about normies. They don’t know what FIDO2 is nor Yubikey, hell I’m even happy if they know what 2FA/TFA/MFA even is.
You have lots of services that are not really secure and still use passwords as your main authentication method.
tbf, you’re kind of right that Passkeys and 2FA, but with FIDO (as @Onscreen5341 points out), are better, as browsers, the primary phishing vector, integrate with those natively.
True, which is why 2FA TOTP gets phished like the good ol’ password (:
This is true, but this targets more companies and people with higher threat model.
I haven’t seen a single phishing attack that also steals the MFA code from normies. Although it is technically no problem at all.
My guess is, since normies mostly do not use MFA at all, that threat actors who target the broad range of people are not interested in doing more work, since they are getting enough money from it.
Thanks for pointing that out and that blog post was a fun read. I haven’t thought deeply about TOTP phishing and sadly I’m not important enough that someone would go to such great lengths as to personally phish me like that Kurt CEO guy. I’ll try to use more FIDO though.
This is a true nightmare scenario. Sensitive data, but the company doesn’t give a shit. Such is the case with the oligopoly of major banks in my country that I can’t fully escape. For them I do use a very strong password, hold on to my butt cheeks and hope for the best.
Politely, I think that’s objectively untrue. Assuming that the same org is also hashing your passwords correctly (eg, using bcrypt or something similar) then using a strong password is a solid line of defense.
That said, we have seen plenty of orgs using outdated hash algorithms (if any) so of course I always advocate for 2FA whenever available. But to say it’s “security theater” and to suggest that password managers are just a “UX tool” that offer no privacy/security comes with caveats at best.
You say it’s untrue, but then offer no explanation why you think it’s untrue.
Hashing is just there for when your DB gets stolen so that it can’t be easily brute forced or rainbow tabled (need salt). We can then talk about all the proper security practices (ex. proper website CSP to fight XSS) and the end user has to hope that the site/app follows them. My point is that even all of that will never be enough. Passwords can be phished and who’s to say that the user doesn’t have a keylogger on their machine? This is why I wrote that strong passwords are security theater and any sensitive sites/apps should require TOTP (I was corrected that FIDO2 is actually much better).
You say it’s untrue, but then offer no explanation why you think it’s untrue.
I did. I said it’s because of hashing. As long as the password is sufficiently strong and properly hashed, then the odds of it being cracked are low.
To me this is the kind of thinking that can go on as long as you want it to. Okay fine, use TOTP. But wait, the key is stored somewhere, right? So what if that’s compromised? What if your FIDO2 key was compromised en route in transit from the seller somehow? We could play the “what-if” game all day.
Furthermore, two things can be real. Yes, passwords can be phished. Just because something isn’t perfect doesn’t make it “security theater.” Definition: “Security theater is the practice of implementing security measures that are considered to provide the feeling of improved security while doing little or nothing to achieve it.” Passwords are the first line of defense.
By your logic, that’s like saying Fort Knox isn’t secure because it has entryways. Yes, passwords have weaknesses and workarounds, which I fully acknowledge and which is why I expressly said “of course I always advocate for 2FA whenever available.” But again, to blanket say “strong passwords do nothing and password managers are also just for show” is objectively, provably untrue.
Regarding having a keylogger on your machine, your FIDO doesn’t matter much either. If I log into my bank with a Yubikey and I’ve got a keylogger taking screenshots of my machine, my Yubikey isn’t really doing me much good there either, as they can still potentially see the account numbers and any other sensitive information they need to “confirm my identity.” There are holes in everything; that’s why we have 2FA. Defense in depth.
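The “strong password plus proper hashing” point argued in the last two replies, as an added worked example that is not part of the thread: a salted slow KDF (PBKDF2-HMAC-SHA256 from the Python standard library, standing in for the bcrypt the reply mentions) is verified, and the expected offline cracking time for a stolen database is compared for a weak versus a strong password. The 1e10 guesses/s rate and the iteration count are constructed assumptions, not measurements.

```python
import hashlib
import hmac
import os

# PBKDF2-HMAC-SHA256 stands in for bcrypt (assumption: the thread says
# "bcrypt or something similar"; any slow, salted KDF makes the same point).
# ITERATIONS is a constructed value in the range commonly recommended today.
ITERATIONS = 600_000
SALT_LEN = 16
SECONDS_PER_YEAR = 365 * 24 * 3600


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Return (salt, digest). A random per-user salt means two users with the
    same password get different digests, so precomputed rainbow tables fail."""
    salt = salt or os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt; constant-time compare avoids timing leaks."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return hmac.compare_digest(candidate, digest)


def expected_crack_years(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Expected years for an offline attacker holding the stolen DB, assuming
    the password is hit after trying half the keyspace on average."""
    keyspace = alphabet_size ** length
    return keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR


def crack_estimates(plain_rate: float = 1e10) -> dict:
    """Weak password under a fast unsalted hash vs. weak and strong passwords
    under the slow KDF. plain_rate is a constructed GPU-class SHA-256 rate; the
    KDF divides it by ITERATIONS because each guess costs that many hashes."""
    kdf_rate = plain_rate / ITERATIONS
    return {
        "8 lowercase, plain sha256": expected_crack_years(26, 8, plain_rate),
        "8 lowercase, pbkdf2": expected_crack_years(26, 8, kdf_rate),
        "20 mixed alnum, pbkdf2": expected_crack_years(62, 20, kdf_rate),
    }


if __name__ == "__main__":
    salt, digest = hash_password("correct-horse-battery")  # constructed sample
    print(verify_password("correct-horse-battery", salt, digest))
    for label, years in crack_estimates().items():
        print(f"{label}: {years:.3g} years")
```

The middle row is the thread's real disagreement: hashing alone only slows the attacker, while password strength is what moves the estimate from days to geological time.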