this post was submitted on 04 Nov 2023
152 points (96.9% liked)

Open Source

31250 readers
324 users here now

All about open source! Feel free to ask questions, and share news, and interesting stuff!

Useful Links

Rules

Related Communities

Community icon from opensource.org, but we are not affiliated with them.

founded 5 years ago
MODERATORS
top 25 comments
sorted by: hot top controversial new old
[–] [email protected] 57 points 1 year ago* (last edited 1 year ago) (5 children)
[–] [email protected] 7 points 1 year ago

The site is actually asking me for login now via Google or something else. In recent times, many sites like Howtogeek or MakeUseOf have kinda paywalled unless you login. It works properly with adblocker (uBlock Origin) once I login though.

[–] [email protected] 2 points 1 year ago* (last edited 1 year ago) (1 children)
[–] [email protected] 14 points 1 year ago (1 children)

The point is its a shitty thing to do and I would rather not give them any attention especially since the entire thing is explained in a blog post on bitwardens site.

[–] [email protected] -1 points 1 year ago

Yeah makes sense. but the attention doesn't really matter if we are blocking the ads.

[–] [email protected] 1 points 1 year ago

Doesn't happen on uBO

[–] [email protected] 0 points 1 year ago

I have all my filters enabled on Firefox uBO and it gets rid of that

[–] [email protected] 0 points 1 year ago

Works fine with Fennec (F-Droid) and uBlock Origin

[–] [email protected] 17 points 1 year ago (3 children)

I have yet to get a Yubikey, mostly because I'm scared of losing or breaking it.

[–] [email protected] 15 points 1 year ago (1 children)

That's why you should get two.

And if you only need FIDO2/passkeys, the Security Key series is half the cost ($25) of the Yubikey 5 ($50) and all you really lose is OpenPGP and PIV (smart card) functionality.

Now I like playing with all the features of the 5, but most people should just need FIDO2.

[–] [email protected] 6 points 1 year ago (1 children)

I looked into this a year ago and most sites did not offer to register a second key, so if you lose your key, you can kiss many of your accesses goodbye. I would never have the key to my digital life on a keychain... The idea is good, but it will cause huge damage if you lose your HW key. On the other hand, if you are cautious and use different PWs and a password manager with 2FA, you are quite safe.

[–] [email protected] 2 points 1 year ago

Hear hear. Not allowing spare keys doesn't make sense. I have as many spare keys for my digital stuff as my apartment. But yeah, too few sites support that

[–] [email protected] 6 points 1 year ago

I have had three of them on my keyring for years (one old personal, one newer personal and one for work) and even though they sometimes get lodged between the keys and a separate ring I have on the main ring none of them ever even got close to looking damaged (excluding some mild fading of the print on the oldest one).

[–] [email protected] 6 points 1 year ago

You can store alternative 2FA methods and backup codes in a safe place just in case your YubiKey fails.

[–] [email protected] 13 points 1 year ago (1 children)

Oh, nice! Doesn't look like it's hit the Firefox Addons repo yet, but I'll be looking forward to it when it does.

[–] [email protected] 9 points 1 year ago* (last edited 1 year ago) (3 children)

uh. for the slower ones.... how does this improve security? 🤔

edit. thanks @[email protected], @azron, @[email protected] i still dont really get it, but feel confident to trust you guys on this one.

[–] [email protected] 14 points 1 year ago* (last edited 1 year ago) (1 children)

My understanding is:

Passkeys are like a password + 2FA mashed together. If someone steals your "passkey password" they still can't use it to login without the hardware component. That means phishing is harder. Since passkeys are generated for the user from their hardware it also forces better hygiene on the user by not allowig any password duplication.

A downside is it is tied to hardware and a provider that can cause problems witb loss of device or when you change devices but it is hard to say how painful that is going to be.

[edited for a bit more clarity]

[–] [email protected] 2 points 1 year ago (3 children)

but butwarden already makes phishing impossible, and even if someone gets the password, they don't have the 2fa?

[–] [email protected] 8 points 1 year ago

It's more about supporting a new standard. Plenty of folks are using same credentials everywhere, and passkeys could potentionally change that. Also, entering 1 thing is easier than entering 2.

[–] [email protected] 5 points 1 year ago

Continuing on what Rolling Resistance said (sorry for the delay, had to step away for a while), I know plenty of people who do use a password manager and still use a static password in some places (hell, I've been guilty of that in a few places - but generally on network-isolated systems). Some people also don't use 2FA because they find it inconvenient.

Passkeys are more or less very similar to how SSH keys work if you're familiar with those, your device (or password manager) generates a secret key that it only has access to, and then gives the public key to the website (and a new keypair is generated for every single website). When you login to a website, the website sends you a challenge which you sign with your private key, that the website can then verify using the public key that you used when enrolling the passkey. This way, a website never has any form of secret - making say password hash leaks less relevant, whereas in theory you could give your public key(s) and post it on Google's homepage without any repercussions... but don't quote me on that one.

So even if you use a password manager, if you still have a few websites that share the same password, and one of those gets compromised - those other websites may still be vulnerable which wouldn't be possible with a passkey.

[–] [email protected] 0 points 1 year ago

If you use a password manager like bit warden, on a compromised machine, the credentials used to log into a site, could get copied. Then somebody else could log into that site as you.

Using pass keys, or hardware security keys means the private information never goes over the internet. So somebody who's compromised the system, still doesn't get the private key. So they can't impersonate you later

[–] [email protected] 13 points 1 year ago* (last edited 1 year ago)

Passkeys are client-driven.

When you visit a website you'd like to login to, your browser generates a public/private key pair and gives the public key to the site.

When you want to login:

  • The browser uses the website domain name to generate a challenge and sends it to the website.
  • The website verifies the challenge by sending back a randomly generated long text, encrypted with the public key.
  • Browser confirms by sending back the decrypted text as proof.

Now both website and browser are sure the other is legit, there are no passwords involved, the login process is standardized and can be upgraded with new protocols and cyphers whenever needed, you can't be phished, you can't be tricked by a fake domain that looks in Unicode like the correct one, and if anybody breaks in and steals the public key they can't do anything with it.

[–] [email protected] 9 points 1 year ago (1 children)

This is the best primer that I've found: https://www.eff.org/deeplinks/2023/10/what-passkey

The main advantage is that, like hardware security keys, they're immune to Man in the Middle phishing attacks, but are far simpler to use so should hopefully see much more widespread use.

[–] [email protected] 1 points 1 year ago (1 children)

but it one would use a security key for the butwarden login, all of thst is pointless, no?

[–] [email protected] 1 points 1 year ago

butwarden login

That is different kind of protection. 😄

but it one would use a security key for the butwarden login, all of thst is pointless, no?

The phishing protection is still very valuable. Also presumably you'd protect your Bitwarden account better than any number of random sites.