
Apple, Google and Microsoft commit to expanded support for FIDO standard to accelerate availability of passwordless sign-ins

Then there is the question of entities storing data insecurely, which is how these data leaks are happening in the first place. So imagine losing a password, but then imagine losing your fingerprint because the entity got hacked. You can use a unique password for every service, but not a unique fingerprint.

This is a problem because their idea of security is having more black boxes. Like, at least (or hopefully) the fingerprint data never leaves the device because it's only used to unlock the Titan/Pluton/Knox/T2/whatever-black-box-MacGuffin that actually gives the one-time generated crypto key to unlock the service, but all of this happens in a black box that us mere mortals aren't allowed to see or verify, which is bad.
 
Screw that nonsense...

That is unacceptable as well. The current system of username/password needs improvement, NOT replacement.

Requiring users to create longer and more secure passwords that are then salted and encrypted client-side before transmission is the correct solution.

Properly crafted longer passphrase passwords are easy to remember, impossible to guess and extremely difficult to brute-force.

Example (please note, this is not my personal password; if you try using it to access my account, W1zzard will likely ban your IP, only warning):

Long.Pass=Phra53s-Canb3fUn

The above passphrase password example is easy to memorize, easy to type out and is unbreakable. This 26-character passphrase meets all of the requirements for proper password security. It is greater than 24 characters, is made up of upper- and lower-case letters, and contains several numbers and special characters, making brute force prohibitively tedious, and a dictionary (technical or traditional) type attack would fail as it is acceptably complex. Coupled with the above-mentioned proper salting and encryption, passwords like this are unbreakable in the wild. Mixed-language passphrase passwords are even more secure.
Example:

Long.Pass=Phra53s-Canb3fUn,paTok

In this case, the same password is mixed with a misspelled insult from a fictional language. Still easy to memorize but impossible to guess or brute-force. With properly implemented 128-bit encryption, the fastest computer array currently on Earth would need approximately 1.2 billion years to crack it by brute-force methods. Using 160-bit encryption, that time increases to 43 billion years. Even the slowest phone on Earth can handle 160-bit encryption without much effort.

These large corporations are overlooking the obvious and need to leave security concerns to security experts instead of nitwits trying to climb the ladder.


Sorry man, IPv6 is ridiculously insecure. "House of Cards" kind of insecure.


Absolutely nothing and it happens all the time.
This is a good example; the drawback is trying to remember a password for multiple apps or sites, and assuming no one is foolish enough to use the same password on multiple sites, there is always paper and pen. This means there is a need for password managers. I bet many people here on TPU use LastPass or the in-browser password manager or other add-ons. If you do most of your internet access from home, I'd strongly recommend a standalone manager like KeePass. LastPass has? had? a standalone, but that still requires an internet connection to access your database.

I haven't checked in a while, but I thought there were home biometrics that didn't need a connection.
 
@lexluthermiester I don't know of any instance of IP spoofing on established connections. You can spoof a source IP in one-way transmission such as denial-of-service attacks, but internet usage like using this forum is two-way transmission. I have never ever heard of IP spoofing in that regard; it's not possible, as any ACK packets and other returned data will go to the real IP, which you wouldn't receive. So I think that needs to be clear as people might misunderstand. Now you can of course hide your IP by using a proxy server or a VPN, but that's not IP spoofing. Then maybe if someone e.g. uses a VPN IP on an ACL, and then that VPN gets compromised, sure, but not spoofing. :)

I also never suggested getting rid of passwords, just that I think an ACL combined with them is very powerful, and indeed you might even be logging into services using a soft ACL without even realising it. Steam e.g. uses it combined with passwords. We do agree on the way passwords and other data are stored; the compromises are not down to password usage and could still happen with fingerprints and the like being compromised.

The closest thing to IP spoofing is that there are ways to take over an IP block you're not authorized to use, but that's more like IP block hijacking, and again you're not really spoofing an IP.

In the security industry an IP whitelist ACL is considered an extremely good way to restrict authorization, but it isn't typically used by itself; it's used in addition to other measures. You can steal passwords, fingerprints, etc., but you cannot steal IPs.

 
I don't know of any instance of IP spoofing on established connections. You can spoof a source IP in one-way transmission such as denial-of-service attacks, but internet usage like using this forum is two-way transmission. I have never ever heard of IP spoofing in that regard
Just because you haven't heard of it doesn't mean it doesn't happen. It's not common, but it is easy when done properly.
That article doesn't really support your argument very well. Doesn't support mine either.
 
The more security we make, the less secure it becomes. I mean two-tier and three-tier is pretty strong for security now. FIDO talks about face, fingerprints and voice, which can all be faked if you know how. Security keys, well, that's one way, but then you lose the USB key and, well, good luck. Somehow and someway the criminals always find a way around it.
I agree with this 100%. Anything Digital can be hacked/overcome by anyone with the skillset to do it.
 
Just because you haven't heard of it doesn't mean it doesn't happen. It's not common, but it is easy when done properly.

That article doesn't really support your argument very well. Doesn't support mine either.
You are welcome to explain it if it's such an easy process, or link to an explanation; given what I know, I will check back here for this information later.

A quick explanation: when you use an internet service over the TCP protocol, you have to make a connection request, the server responds with an acknowledgement, then you respond again; it's two-way communication.

Now imagine what happens when you pretend you're connecting from another IP: you will never get the response, which means the connection can never be established, and as such you won't be able to use the service.

So if you cannot explain this easy process, then I have no reason to believe it's a thing that exists, and sorry for my persistence here, but with multiple decades of experience in networking security you have gained my curiosity here. If this was actually easily possible we wouldn't be using the current IP protocol anymore. Hackers also wouldn't need to compromise certificates and endpoints to try and intercept traffic; they could merely spoof an IP instead.

I do expect you might mean something slightly different, or maybe there is something for me to learn here, hence my response.

--

A quick Google yields similar to what I just explained.
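The handshake argument in the post above, as an added illustration that is not part of the thread: a toy network model in which every segment is delivered to whichever host really owns the destination address. A SYN carrying a forged source address gets its SYN-ACK routed to the real owner of that address, the sender never learns the server's initial sequence number, and the third step (the ACK) never arrives, so the server never records an established connection. All addresses, hosts and sequence numbers are constructed for the example.

```python
import random
from dataclasses import dataclass

@dataclass
class Segment:
    src: str      # source address as written in the IP header
    dst: str
    flags: str    # "SYN", "SYN-ACK" or "ACK"
    seq: int = 0
    ack: int = 0

class Network:
    """Delivers each segment to whichever host really owns the destination address."""
    def __init__(self):
        self.hosts = {}
    def send(self, seg):
        if seg.dst in self.hosts:
            self.hosts[seg.dst].inbox.append(seg)

class Host:
    def __init__(self, ip, net):
        self.ip, self.net, self.inbox = ip, net, []
        self.isn = random.getrandbits(32)   # this host's initial sequence number
        self.pending = set()                # servers we actually sent a SYN to
        self.established = set()            # peers whose handshake completed
        net.hosts[ip] = self

    def send_syn(self, server_ip, claimed_src=None):
        self.pending.add(server_ip)         # we expect a SYN-ACK from this server
        # claimed_src != self.ip models a forged source address in the IP header
        self.net.send(Segment(claimed_src or self.ip, server_ip, "SYN", seq=self.isn))

    def process(self):
        for seg in self.inbox:
            if seg.flags == "SYN":          # step 2: answer to the *claimed* source
                self.net.send(Segment(self.ip, seg.src, "SYN-ACK", self.isn, seg.seq + 1))
            elif seg.flags == "SYN-ACK" and seg.src in self.pending:   # step 3
                self.net.send(Segment(self.ip, seg.src, "ACK", seg.ack, seg.seq + 1))
            elif seg.flags == "ACK" and seg.ack == self.isn + 1:
                self.established.add(seg.src)   # handshake complete on the server
        self.inbox.clear()                  # an unsolicited SYN-ACK is simply dropped

def handshake(spoof_as=None):
    """Return True if the server ends up with an established connection for the claimed source."""
    net = Network()
    client = Host("198.51.100.10", net)  # constructed TEST-NET addresses
    owner = Host("198.51.100.20", net)   # real owner of the address the client may claim
    server = Host("203.0.113.5", net)
    client.send_syn(server.ip, spoof_as)
    server.process()                     # SYN-ACK is routed to the claimed source
    client.process(); owner.process()    # only the real owner ever sees it
    server.process()
    return (spoof_as or client.ip) in server.established
```

Calling `handshake()` with no argument completes normally, while `handshake("198.51.100.20")` (claiming the owner's address) or a claim of an address nobody holds leaves the server without an established connection.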

 
Anything Digital can be hacked/overcome by anyone with the skillset to do it.
This is like saying anyone can [legally] drive a car if they are old enough [to get a license].
 
You are welcome to explain it if it's such an easy process, or link to an explanation; given what I know, I will check back here for this information later.
Clearly you've already looked, so keep looking.
A quick Google yields similar to what I just explained.

Ok, clearly you have a bias. I have professional experience and am not going to get into a technical debate with someone who thinks their opinion overrides everything else.
 
You can spoof an IP but it's not really easy. You need to do what's called a man-in-the-middle attack, or compromising a router between you and your destination. Needless to say this barely ever happens outside academic settings. I've seen it precisely once in my entire career, and it relied on compromised cable node and firmware on the modem being changed as well. It was a helluva exceptional case.
 
You can spoof an IP but it's not really easy. You need to do what's called a man-in-the-middle attack, or compromising a router between you and your destination. Needless to say this barely ever happens outside academic settings. I've seen it precisely once in my entire career, and it relied on compromised cable node and firmware on the modem being changed as well. It was a helluva exceptional case.
You can do that, yep, although that's not spoofing technically at that point. Not particularly easy either. Thank you for stepping in here.

@lexluthermiester I am sorry for the way you responded. I did invite a response on exactly what you meant, and it's clear you don't want to, so this particular discussion between us on IP spoofing will have to end here, as it's perhaps going too far now.
 
You can spoof an IP but it's not really easy. You need to do what's called a man-in-the-middle attack, or compromising a router between you and your destination. Needless to say this barely ever happens outside academic settings. I've seen it precisely once in my entire career, and it relied on compromised cable node and firmware on the modem being changed as well. It was a helluva exceptional case.
It's actually easier than you think, but it requires both know-how and the right hardware. Many people who work for an ISP know this. It's how governments (including our own) conduct digital surveillance.
You can do that, yep, although that's not spoofing technically at that point. Not particularly easy either. Thank you for stepping in here.

@lexluthermiester I am sorry for the way you responded. I did invite a response on exactly what you meant, and it's clear you don't want to, so this particular discussion between us on IP spoofing will have to end here, as it's perhaps going too far now.
There are several reasons why I'm not willing to go into any specific details, some of them ethical, some legal. It would be irresponsible, not to mention both illegal and unethical for me to disclose that information. But the information is out there to be found. If you really want to understand, go look for it.
 