• Welcome to TechPowerUp Forums, Guest! Please check out our forum guidelines for info related to our community.

Apple, Google and Microsoft commit to expanded support for FIDO standard to accelerate availability of passwordless sign-ins

Joined
Jun 18, 2021
Messages
2,569 (2.00/day)
Then there is the question of entities storing data insecurely, which is how these data leaks are happening in the first place. So imagine losing password, but then imagine losing your fingerprint because the entity got hacked. You can use unique password for every service, but not a unique fingerprint.

This is a problem because their idea of security is having more black boxes. Like, at least (or hopefully) the fingerprint data never leaves the device because it's only used to unlock the titan/pluton/knox/t2/whatever-black-box-macguffin that actually gives the one time generated crypto key to unlock the service, but all of this happens in a black box that us mere mortals aren't allowed to see or verify which is bad.
 
Joined
Jul 16, 2014
Messages
8,219 (2.16/day)
Location
SE Michigan
System Name Dumbass
Processor AMD Ryzen 7800X3D
Motherboard ASUS TUF gaming B650
Cooling Artic Liquid Freezer 2 - 420mm
Memory G.Skill Sniper 32gb DDR5 6000
Video Card(s) GreenTeam 4070 ti super 16gb
Storage Samsung EVO 500gb & 1Tb, 2tb HDD, 500gb WD Black
Display(s) 1x Nixeus NX_EDG27, 2x Dell S2440L (16:9)
Case Phanteks Enthoo Primo w/8 140mm SP Fans
Audio Device(s) onboard (realtek?) - SPKRS:Logitech Z623 200w 2.1
Power Supply Corsair HX1000i
Mouse Steeseries Esports Wireless
Keyboard Corsair K100
Software windows 10 H
Benchmark Scores https://i.imgur.com/aoz3vWY.jpg?2
Screw that nonsense...

That is unacceptable as well. The current system of username/password needs improvement, NOT replacement.

Requiring users to create longer & more secure passwords that are then salted and encrypted clientside before transmission is the correct solution.

Properly crafted longer passphrase passwords are easy to remember, are impossible to guess and extremely difficult to brute force.

Example(please note, this is not my personal password, if you try using it to access my account W1zzard will likely ban your IP, only warning):

Long.Pass=Phra53s-Canb3fUn

The above passphrase password example is easy to memorize, easy to type out and is unbreakable. This 26 character passphrase meets all of the requirements for proper password security. It is greater than 24 characters, is made up of upper and lower case letters, contains several numbers and special characters making brute-force prohibitively tedious and a dictionary(technical or traditional) type attack would fail as it is acceptably complex. Coupled with the above mentioned proper salting & encryption and passwords like this are unbreakable in the wild. Mixed language passphrase passwords are even more secure.
Example:

Long.Pass=Phra53s-Canb3fUn,paTok

In this case, the same password is mixed with a misspelled insult from a fictional language. Still easy to memorize but impossible to guess or brute-force. With properly implemented 128bit encryption, the fastest computer array currently on Earth would need approximately 1.2billion years to crack it by brute-force methods. Using 160bit encryption that time increases to 43billion years. Even the slowest phone on Earth can handle 160bit encryption without much effort.

These large corporations are overlooking the obvious and need to leave security concerns to security experts instead of nitwits trying to climb the ladder.


Sorry man, IPV6 is ridiculously insecure. "House of Cards" kind of insecure.


Absolutely nothing and it happens all the time.
This is a good example, the drawback is trying to remember for a password for multiple apps or sites, and assuming no one is foolish enough to use the same password on multiple sites, there is always paper and pen.. This means there is a need for password managers. I bet many people here on TPU use Lastpass or the in-browser password manager or other addons. If you do most of your internet access from home, I'd strongly recommend a standalone manger like Keepass. Lastpass has?had? a stand alone but that still requires an internet connection to access your database.

I havent checked in a while, but I thought there was home biometrics that didnt need a connection.
 
Joined
Feb 1, 2019
Messages
3,667 (1.70/day)
Location
UK, Midlands
System Name Main PC
Processor 13700k
Motherboard Asrock Z690 Steel Legend D4 - Bios 13.02
Cooling Noctua NH-D15S
Memory 32 Gig 3200CL14
Video Card(s) 4080 RTX SUPER FE 16G
Storage 1TB 980 PRO, 2TB SN850X, 2TB DC P4600, 1TB 860 EVO, 2x 3TB WD Red, 2x 4TB WD Red
Display(s) LG 27GL850
Case Fractal Define R4
Audio Device(s) Soundblaster AE-9
Power Supply Antec HCG 750 Gold
Software Windows 10 21H2 LTSC
@lexluthermiester I dont know of any instance of IP spoofing on established connections, you can spoof a source ip in one way transmission such as denial of service attacks, but internet usage like using this forum is two way transmission, I have never ever heard of IP spoofing in that regard, its not possible as any ack packets and other returned data will go to the real IP of which you wouldnt receive. So I think that needs to be clear as people might get misunderstood, now you can of course hide your IP by using a proxy server, a VPN, but thats not IP spoofing, then maybe if someone e.g. uses a VPN ip on a ACL, and then that VPN gets compromised sure, but not spoofing. :)

I also never suggested getting rid of passwords, just I think ACL combined with them is very powerful and indeed you might even be logging into services using soft ACL without even realising it. Steam e.g. uses it combined with passwords. We do agree on the way passwords and other data is stored, the compromises are not down to password usage and could still happen with fingerprints and the like been compromised.

The closest thing to IP spoofing is there is ways to take over an IP block you not authorized to use, but thats more like IP block hijacking, and again you not really spoofing an IP.

In the security industry IP whitelist ACL is considered an extremely good way to restrict authorization but isnt typically used by itself its used in addition to other measures. You can steal password,s fingerprints, etc. but you cannot steal IP's.

 
Last edited:
Joined
Jul 5, 2013
Messages
28,260 (6.75/day)
I dont know of any instance of IP spoofing on established connections, you can spoof a source ip in one way transmission such as denial of service attacks, but internet usage like using this forum is two way transmission, I have never ever heard of IP spoofing in that regard
Just because you haven't heard of it doesn't mean it doesn't happen. It's not common, but it is easy when done properly.
That article doesn't really support your argument very well. Doesn't support mine either.
 
Joined
Sep 17, 2019
Messages
495 (0.26/day)
The more security we make the less it becomes secure. I mean two teir and 3 teir is pretty strong for security now. FIDO talks about face finger prints and voice which can all be faked if you know how. Security keys well that one way but then you lost the usb key and well good luck. Somehow and someway the criminals always find a way around it.
I agree with this 100%. Anything Digital can be hacked/overcome by anyone with the skillset to do it.
 
Joined
Feb 1, 2019
Messages
3,667 (1.70/day)
Location
UK, Midlands
System Name Main PC
Processor 13700k
Motherboard Asrock Z690 Steel Legend D4 - Bios 13.02
Cooling Noctua NH-D15S
Memory 32 Gig 3200CL14
Video Card(s) 4080 RTX SUPER FE 16G
Storage 1TB 980 PRO, 2TB SN850X, 2TB DC P4600, 1TB 860 EVO, 2x 3TB WD Red, 2x 4TB WD Red
Display(s) LG 27GL850
Case Fractal Define R4
Audio Device(s) Soundblaster AE-9
Power Supply Antec HCG 750 Gold
Software Windows 10 21H2 LTSC
Just because you haven't heard of it doesn't mean it doesn't happen. It's not common, but it is easy when done properly.

That article doesn't really support your argument very well. Doesn't support mine either.
You are welcome to explain it if its such an easy process or link to an explanation, given what I know I will check back here for this information later.

A quick explanation, when you use a internet service over the TCP protocol, you have to make a connection request, the server responds with an acknowledgement then you respond again, its two way communication.

Now imagine what happens when you pretend you connecting from another IP, you will never get the response which means the connection can never be established and as such you wont be able to use the service.

So if you cannot explain this easy process, then I have no reason to believe its a thing that exists, and sorry for my persistence here, but with multiple decades of experience with networking security you have gained my curiosity here. If this was actually possible easily we wouldnt be using the current IP protocol anymore, Hackers also wouldnt need to compromise certificates and end points to try and intercept traffic, they could merely spoof an IP instead.

I do expect you might mean something slightly different or maybe there is something for me to learn here hence my response.

--

A quick google yields similar to what I just explained.

 
Last edited:
Joined
Jul 16, 2014
Messages
8,219 (2.16/day)
Location
SE Michigan
System Name Dumbass
Processor AMD Ryzen 7800X3D
Motherboard ASUS TUF gaming B650
Cooling Artic Liquid Freezer 2 - 420mm
Memory G.Skill Sniper 32gb DDR5 6000
Video Card(s) GreenTeam 4070 ti super 16gb
Storage Samsung EVO 500gb & 1Tb, 2tb HDD, 500gb WD Black
Display(s) 1x Nixeus NX_EDG27, 2x Dell S2440L (16:9)
Case Phanteks Enthoo Primo w/8 140mm SP Fans
Audio Device(s) onboard (realtek?) - SPKRS:Logitech Z623 200w 2.1
Power Supply Corsair HX1000i
Mouse Steeseries Esports Wireless
Keyboard Corsair K100
Software windows 10 H
Benchmark Scores https://i.imgur.com/aoz3vWY.jpg?2
Anything Digital can be hacked/overcome by anyone with the skillset to do it.
This is like saying anyone can [legally] drive a car if they are old enough [to get a license].
 
Joined
Jul 5, 2013
Messages
28,260 (6.75/day)
You are welcome to explain it if its such an easy process or link to an explanation, given what I know I will check back here for this information later.
Clearly you've already looked, so keep looking.
A quick google yields similar to what I just explained.

Ok, clearly you have a bias. I have professional experiences and am not going to get into a technical debate with someone who thinks their opinion over-rides everything else.
 
Joined
Aug 20, 2007
Messages
21,542 (3.40/day)
System Name Pioneer
Processor Ryzen R9 9950X
Motherboard GIGABYTE Aorus Elite X670 AX
Cooling Noctua NH-D15 + A whole lotta Sunon and Corsair Maglev blower fans...
Memory 64GB (4x 16GB) G.Skill Flare X5 @ DDR5-6000 CL30
Video Card(s) XFX RX 7900 XTX Speedster Merc 310
Storage Intel 905p Optane 960GB boot, +2x Crucial P5 Plus 2TB PCIe 4.0 NVMe SSDs
Display(s) 55" LG 55" B9 OLED 4K Display
Case Thermaltake Core X31
Audio Device(s) TOSLINK->Schiit Modi MB->Asgard 2 DAC Amp->AKG Pro K712 Headphones or HDMI->B9 OLED
Power Supply FSP Hydro Ti Pro 850W
Mouse Logitech G305 Lightspeed Wireless
Keyboard WASD Code v3 with Cherry Green keyswitches + PBT DS keycaps
Software Gentoo Linux x64 / Windows 11 Enterprise IoT 2024
You can spoof an IP but it's not really easy. You need to do what's called a man-in-the-middle attack, or compromising a router between you and your destination. Needless to say this barely ever happens outside academic settings. I've seen it precisely once in my entire career, and it relied on compromised cable node and firmware on the modem being changed as well. It was a helluva exceptional case.
 
Joined
Feb 1, 2019
Messages
3,667 (1.70/day)
Location
UK, Midlands
System Name Main PC
Processor 13700k
Motherboard Asrock Z690 Steel Legend D4 - Bios 13.02
Cooling Noctua NH-D15S
Memory 32 Gig 3200CL14
Video Card(s) 4080 RTX SUPER FE 16G
Storage 1TB 980 PRO, 2TB SN850X, 2TB DC P4600, 1TB 860 EVO, 2x 3TB WD Red, 2x 4TB WD Red
Display(s) LG 27GL850
Case Fractal Define R4
Audio Device(s) Soundblaster AE-9
Power Supply Antec HCG 750 Gold
Software Windows 10 21H2 LTSC
You can spoof an IP but it's not really easy. You need to do what's called a man-in-the-middle attack, or compromising a router between you and your destination. Needless to say this barely ever happens outside academic settings. I've seen it precisely once in my entire career, and it relied on compromised cable node and firmware on the modem being changed as well. It was a helluva exceptional case.
You can do that yep, although thats not spoofing technically at that point. Not particularly easy either. Thank you for stepping in here.

@lexluthermiester I am sorry for the way you responded, I did invite a response on exactly what you meant, and its clear you dont want to, so this particular discussion between us with IP spoofing will have to end here as its perhaps going too far now.
 
Joined
Jul 5, 2013
Messages
28,260 (6.75/day)
You can spoof an IP but it's not really easy. You need to do what's called a man-in-the-middle attack, or compromising a router between you and your destination. Needless to say this barely ever happens outside academic settings. I've seen it precisely once in my entire career, and it relied on compromised cable node and firmware on the modem being changed as well. It was a helluva exceptional case.
It's actually easier than you think, but requires both know-how and the right hardware. Many people who work for an ISP know this. It's how governments(including our own) conduct digital surveillance.
You can do that yep, although thats not spoofing technically at that point. Not particularly easy either. Thank you for stepping in here.

@lexluthermiester I am sorry for the way you responded, I did invite a response on exactly what you meant, and its clear you dont want to, so this particular discussion between us with IP spoofing will have to end here as its perhaps going too far now.
There are several reasons why I'm not willing to go into any specific details, some of them ethical, some legal. It would be irresponsible, not to mention both illegal and unethical for me to disclose that information. But the information is out there to be found. If you really want to understand, go look for it.
 
Top