OMG! Password resets!

Metanis

In light of the newest data breach that supposedly includes nearly every bit of information about a person I thought it would be a good idea to reset all my major passwords! (Yahoo, Google, Microsoft, & Banking).

Sweet mother of God what a pain! No wonder all our users never bother! I think Microsoft was the worst with unexpected error messages that my account was locked due to too many invalid logins. Eventually I found a way through but couldn't explain it now if I tried.

Western society is doomed if we expect the average user to go through these hoops.

Want some serious business? Recommend in your next newsletter that it's urgent to change your password. You'll have more support calls than you can handle!
 
@Metanis,

Thanks. I've been involved in several of the "big breaches" over the past 5 or 6 years, so my credit accounts at all the agencies are already frozen.

There's nothing in what's noted in that article that suggests to me that passwords of any kind were a part of this breach, as that isn't the sort of data that the source of said data keeps/kept.

I've long ago accepted that my SSN is probably out there somewhere, multiple times, and since I was offered identity monitoring after every breach that's happened in the past, and it's still active from the most recent one, it just is what it is.
 
In light of the newest data breach that supposedly includes nearly every bit of information about a person I thought it would be a good idea to reset all my major passwords! (Yahoo, Google, Microsoft, & Banking).

Sweet mother of God what a pain! No wonder all our users never bother! I think Microsoft was the worst with unexpected error messages that my account was locked due to too many invalid logins. Eventually I found a way through but couldn't explain it now if I tried.

Western society is doomed if we expect the average user to go through these hoops.

Want some serious business? Recommend in your next newsletter that it's urgent to change your password. You'll have more support calls than you can handle!

My area had a local ISP that got rid of their email system so a bunch of people had to get a whole new email...definitely had some busy days for a bit lol.
 
The key is to eliminate passwords entirely; passwordless authentication operates via automatically rotating key structures. A breach happens, the rotation is automatic, and the user doesn't have to do or change anything.

Passwords... suck. They always have! We need to stop using them!
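The public-key flow the post alludes to, shown as an added example (not the poster's code and not a real WebAuthn library): the relying party stores only a public key per user, so a dump of that table yields nothing an attacker can replay, and every login signs a fresh one-time server challenge. The names Register, NewChallenge, Assert and Verify are assumed for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Credential is all the relying party keeps after registration: the public
// key only, so a dump of this table contains nothing an attacker can replay.
type Credential struct {
	UserID string
	Pub    *ecdsa.PublicKey
}

// Register runs on the authenticator: the private key never leaves the device,
// the Credential record goes to the server.
func Register(userID string) (*ecdsa.PrivateKey, Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return priv, Credential{UserID: userID, Pub: &priv.PublicKey}, nil
}

// NewChallenge returns 32 random bytes; the server must accept each one
// exactly once so a captured assertion cannot be replayed later.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Assert is the authenticator side of login: sign the server's challenge.
func Assert(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// Verify is the server side: check the assertion against the stored public key.
func Verify(cred Credential, challenge, sig []byte) error {
	h := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(cred.Pub, h[:], sig) {
		return errors.New("assertion did not verify")
	}
	return nil
}
```

A real deployment also binds the signature to the origin and a signature counter; this skeleton shows only why a stolen server record and a captured assertion are both useless on their own.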
 
We need to stop using them!

You keep saying this, and I'm not even disagreeing that there are much better ways. But what I am saying is that everyone here will be dead and gone before passwords are.

Certain things stick around for reasons you may not believe are "good reasons," but they exist nonetheless.
 
I discovered that my 401k account had not had a password reset in 11 years. And that the original password wasn't even very complex. And that I had never enabled 2FA.

I guess it was worth the 4 hours I spent reviewing and resetting my main accounts today. I know there is no ultimate security, but hopefully my accounts aren't low hanging fruit any more. Or I'm running from the bear a bit faster than the rest of the crowd?
 
Passwords... suck. They always have! We need to stop using them!
Yeah but the alternatives are terrible, just in a different way. What's worse? Having a password that can be leaked in a data breach or using something like passkeys that you lose when the hardware that stores them dies or gets lost? There are password managers that support passkeys but the password managers themselves are protected by a password! Your average end user is so stupid they can't even remember their password, which is usually something like combining their birthday with their dog's name "82164shadow." If you're lucky they'll add an exclamation mark at the end of it but they won't ever remember doing that so when they go to type in their password again they'll forget the exclamation mark and have to reset their password, which will be equally as bad as their last one. Passwords suck but there's no way to avoid them. All you can do is combine them with some sort of 2FA method and hope these same stupid people don't give out their 2FA code sent via SMS to scammers.
 
Yeah but the alternatives are terrible, just in a different way. What's worse? Having a password that can be leaked in a data breach or using something like passkeys that you lose when the hardware that stores them dies or gets lost? There are password managers that support passkeys but the password managers themselves are protected by a password! Your average end user is so stupid they can't even remember their password, which is usually something like combining their birthday with their dog's name "82164shadow." If you're lucky they'll add an exclamation mark at the end of it but they won't ever remember doing that so when they go to type in their password again they'll forget the exclamation mark and have to reset their password, which will be equally as bad as their last one. Passwords suck but there's no way to avoid them. All you can do is combine them with some sort of 2FA method and hope these same stupid people don't give out their 2FA code sent via SMS to scammers.
Passphrases are better than Passwords IMHO.
 
Yeah but the alternatives are terrible, just in a different way. What's worse? Having a password that can be leaked in a data breach or using something like passkeys that you lose when the hardware that stores them dies or gets lost? There are password managers that support passkeys but the password managers themselves are protected by a password! Your average end user is so stupid they can't even remember their password, which is usually something like combining their birthday with their dog's name "82164shadow." If you're lucky they'll add an exclamation mark at the end of it but they won't ever remember doing that so when they go to type in their password again they'll forget the exclamation mark and have to reset their password, which will be equally as bad as their last one. Passwords suck but there's no way to avoid them. All you can do is combine them with some sort of 2FA method and hope these same stupid people don't give out their 2FA code sent via SMS to scammers.
If your passkeys aren't portable, you're doing it wrong.
If you can't remember the one password you use all the time to access your passkeys... you're also doing it wrong.

Seriously, that's not how this works, not how any of it works.

But you're not wrong, in that passwords are going to be around awhile. Too many systems need to be changed to make passkeys a universal thing.
 
The truth is all security fails due to the failings of the average person with most security options available.
This is false, defeatist, and unproductive.

Security doesn't function because it must be built into software fundamentally to function correctly. Market forces demand software be sellable, which means an exclusive focus on a feature that is to be sold. Security is never that feature, and so it's never been important enough to be baked in on a fundamental level.

It can be done, it can be done well, but it's viewed as a "cost" at all levels. And will continue to remain so until regulation forces the issue, until then we'll continue to see ad hoc efforts and lip service played as "insurance" companies drive the conversation. Which is 100% of the financial pressure on the market to perform these actions today.
 
... we'll continue to see... lip service played as "insurance" companies drive the conversation. Which is 100% of the financial pressure on the market to perform these actions today.

Thankfully we've been seeing this for a few years now, and more and more often... a client forwards me a "questionnaire" from their insurance asking me to answer the questions.

If the IT guy isn't having the conversation with their clients, I'm happy insurance companies are picking up the slack. They're doing the drive for us (although... I drive hard anyways, always trying to stay ahead of the curve).
 
Thankfully we've been seeing this for a few years now, and more and more often... a client forwards me a "questionnaire" from their insurance asking me to answer the questions.

If the IT guy isn't having the conversation with their clients, I'm happy insurance companies are picking up the slack. They're doing the drive for us (although... I drive hard anyways, always trying to stay ahead of the curve).
Yes, because now that it's hitting wallets leadership has no choice but to make the investment.

Security improves when leadership takes the ball and runs with it, the conversation cannot end successfully when it's started from the IT side of the fence. The issue here is "security" being "an IT problem."

That's why when I start talking about standard Conditional Access policy I let people know... get with your legal advisor, and your HR person before we go further. Usually, they look shocked, then I respond... when we do this, your employees will be required to use personal equipment for authentication OR you'll be providing equipment and the employee will be financially bound to that equipment in some way. There are business process and disciplinary practices on the table, and until you're ready to fire people for non-compliance to a new employment contract... you're not ready for us to do squat.

Ticking the MFA box requires legal transformation FIRST.
 
If your passkeys aren't portable, you're doing it wrong.
If you can't remember the one password you use all the time to access your passkeys... you're also doing it wrong.

Seriously, that's not how this works, not how any of it works.

But you're not wrong, in that passwords are going to be around awhile. Too many systems need to be changed to make passkeys a universal thing.
That’s the problem. No one is implementing passkeys correctly. Passkeys are supposed to replace usernames and passwords. Amazon just uses it as a replacement MFA. You still need to input username and password before you use the passkey.

Microsoft only lets you use passkeys with their Authenticator app. You can’t use the native Android or iOS stores. And third party applications are obviously out.

Passkeys are totally broken.
 
That’s the problem. No one is implementing passkeys correctly. Passkeys are supposed to replace usernames and passwords. Amazon just uses it as a replacement MFA. You still need to input username and password before you use the passkey.

Microsoft only lets you use passkeys with their Authenticator app. You can’t use the native Android or iOS stores. And third party applications are obviously out.

Passkeys are totally broken.
Correct, both Microsoft and Google authenticators suck. Which is why I use Bitwarden.

Microsoft Authenticator is useful for M365 use, nothing personal.
Google Authenticator is useful for Google things, only personal.

It is quite infuriating because they don't have to be this difficult!

Google's Authenticator is flatly not portable, and Microsoft's Authenticator is arguably TOO portable and insecure to boot!
 