• envis10n [he/him]@hexbear.net · 5 upvotes · 1 year ago

    Absolutely agree on the usage of a password manager. And yes, as hardware increases in power we run into the issue of timelines being shorter. I disagree on MD5 being not totally broken, considering a collision can be found in seconds on even low end hardware these days. Even salted, a collision would still be viable.

    Again, the real problem overall is adoption. Getting people to use better passwords/phrases that are less likely to be brute forced. Everyone should be using non-SMS 2FA, ideally with an authenticator app or physical key. As well, password length should only be limited by a minimum value rather than being in a small range. Services should be using algorithms that are recent, well audited, and have the ability to artificially inflate the time taken to get the result for future-proofing. SSO is also an option, since services without IT departments or people with the ability to handle passwords should offload it to a service that can. SSO as a service provider is very appealing, as you no longer have the responsibility of storing sensitive hashes and account information.
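As an added illustration of the point above about algorithms with a tunable cost (example code written for this thread, not the commenter's), this Python uses the standard library's scrypt, stores the work factor next to each hash, and has the login check flag hashes made under an older, cheaper setting so they can be re-hashed while the plaintext is still in hand. The length floor and cost values are assumed policy numbers.

```python
import base64
import hashlib
import hmac
import os
from typing import Tuple

# Assumed policy values for this example: a length floor (no upper cap) and
# the work factor new hashes must use. Raising CURRENT_LOG2_N later is the
# "artificially inflate the time taken" knob; older hashes get flagged at login.
MIN_PASSWORD_LENGTH = 12
CURRENT_LOG2_N = 14          # scrypt N = 2**14, r = 8 -> about 16 MiB per hash


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str, log2_n: int = CURRENT_LOG2_N) -> str:
    """Return a self-describing record: scrypt$<log2_n>$<salt>$<digest>."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    salt = os.urandom(16)                      # fresh random salt per hash
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** log2_n, r=8, p=1, dklen=32)
    return f"scrypt${log2_n}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> Tuple[bool, bool]:
    """Return (matches, needs_rehash).

    needs_rehash is True only for a correct password whose stored hash was
    computed with a cheaper work factor than current policy.
    """
    algo, log2_n_str, salt_b64, digest_b64 = stored.split("$")
    if algo != "scrypt":
        return False, False
    log2_n = int(log2_n_str)                   # cost recorded with the hash
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    actual = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=2 ** log2_n, r=8, p=1, dklen=len(expected))
    matches = hmac.compare_digest(actual, expected)   # constant-time compare
    return matches, matches and log2_n < CURRENT_LOG2_N
```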

    • Sphere [he/him, they/them]@hexbear.net · 6 upvotes · 1 year ago

      Was not aware of the latest efforts on MD5, in all honesty; I take back what I said before.

      I agree with everything you said there 100% except the bit about SSO. SSO is great for people working in managed environments (I wish my workplace would make broader use of it, honestly), but expanding it to everyone as a whole creates some serious issues (putting everyone’s eggs in the same basket is a security risk, and worse, having a centralized third party notified of every login request totally undermines user privacy).

      • envis10n [he/him]@hexbear.net · 4 upvotes · 1 year ago

        I don’t mean to imply that it should be everywhere, rather it is appealing as an option when the only other option is to roll your own setup.

        It’s useful for connected services, orgs, etc. Especially when it comes to easily setting up access controls. But you’re right, it’s not a solution that should be used everywhere due to the fact that a single point of failure is bad.

        Btw this has been a great discussion and I hope that others reading this might help further the goal of creating a safer internet