Lastpass customer vaults taken in last attack.

The only message I want to convey in this case is passwords suck, they've always sucked, and they only continue to suck more with time.

Whether you believe it or not I've never disagreed with you on this on the fundamental technical level. But what I do know is that, as far as the vast majority of the general computer using public is concerned, you'll pry passwords as the primary authentication method from their cold, dead hands.

Rationality has nothing at all to do with this, familiarity does. It's what they know and all they're willing to use. That's why banks and other financial institutions, which are really, really loath to lose money, are as loosey-goosey as they are about authentication. The customer has to have maximum ease of access and use, and that still means passwords and no MFA required.

I'm simply trying to make the best of an undoubtedly bad situation (actually, many bad situations, but this is among them). What I am saying is in no way a defense of passwords, or a claim of their fitness for purpose, but is instead a version of the old cliché, "it is what it is."
 
People don't like change. Even in IT, where adaptability should be second nature, resistance is still common. It's surprising, but it's true.

That's what makes good authentication so powerful. The passwordless methods I advocate aren't just more secure, they're easier to use. That combination is rare. Traditionally, security and usability are in conflict. The more secure something is, the harder it becomes to use. But when passwordless is implemented correctly, that tension disappears. Security and simplicity coexist.

I've seen it work every time. My success rate is 100 percent. The only variable is how quickly an organization adopts the change. You can't force people to adjust. That approach fails. But you can invite them to try something better. That takes time. All it takes is one person willing to take the leap. Once they do, they become the spark. They show others that easy and secure can go hand in hand. That experience spreads, because it's genuinely better.

And change is necessary. Password-based authentication weakens with every advance in GPU power and AI capabilities. What was once considered strong is now increasingly vulnerable. The only current remediation is longer passwords, which we all know isn't sustainable. There's a distinct human limit on password length that hardware will never respect.

The challenge is that most systems still don't support these improved authentication methods. But that's changing. Slowly, yes. But inevitably.

That said, we've drifted from the original topic; this thread began with the LastPass compromise. And here's the truth: if we were using good authentication methods, it simply wouldn't matter. Let that sink in. The breach would not matter. Indications of compromise would have automatically triggered rotation of digital tokens tied to physical possession. The user's interaction wouldn't change, but the process would adapt behind the scenes automatically. The process assumes breach, and responds accordingly, automatically.

That's the future I see clearly. It's the future I already deliver to customers in specific contexts. And it's deeply frustrating that I can't bring it to the world at large, because institutions like banks still refuse to adopt reasonable methods on their websites. I can't get them to change until the public demands, and the public doesn't demand until they know better, typically after a breach occurs and inflicts pain. I prefer a gentler approach, so I educate, and advocate.
 
So what's the answer for people like me and others here who help small businesses and residential users? I use a few passkeys here and there. I have a 1Password on all my devices. Use a combination of iPhone, Mac, Windows systems. Google Authenticator.

I like what Microsoft (and maybe a handful of others) are doing with simply sending a code to an email to sign in. Not sure where that fits in your vision.

So without taking a college level course in cryptography where would you recommend I start?
 
@timeshifter, Passkeys are becoming the popular choice for secure logins. I am not completely comfortable with them. It is not because the technology is flawed, but because of how it is being used.

Passkeys act like a virtual version of a physical security key (FIDO2). You do not create a password or save anything in a manager. Instead, the system uses cryptography to register itself with the service. This method removes the need for passwords and improves both security and ease of use.

The problem is that services like Google Authenticator, Microsoft Authenticator, and Apple iCloud can all create and store these passkeys, but they are not easy to move between platforms or devices. Your login credentials end up tied to whichever company you use. Ideally, these passkeys should belong to the person, not be locked inside a company's system. Bitwarden has one of the better setups I have seen, but it is still controlled by a company. In the end, this approach will probably win because these tools are built into nearly every smartphone. This situation gets even more complex when you watch the major web browsers fight over a slice of that pie too. They know whoever controls the authentication flow gets a leg up in the "attention war" we're currently fighting.

The real challenge comes when someone loses access. These cryptographic tokens cannot be recovered like a password reset. If you did not keep track of where they were used, you have to start over. You can create a new token, but then you must manually register it with every account it was connected to before. And since there is no automatic list of those accounts, you are left trying to remember them all.

You will also note, buried in the subtext above...
None of us will ever be able to impersonate a user without their token present. This means current workflows now require keeping the customer's cell phone and being granted the ability to unlock it.
The issues attached to this reality are substantial.
 
The problem is that I don't think that there is a good way to export a passkey. Any method to do so would be something that a hacker could emulate. Tied to a device, or a service, means it can leave it by ANY means. Maybe a true free coalition service could be created. But that would mean all passkeys would live on that service. I use Bitwarden, which lets me use it on any device.
 
That's exactly my point. If you store your passkeys in Bitwarden, you can gain access to the keys on any device via the vault. And yes, this is the best implementation of this tech so far because of that simple fact!

The only downside is again the keys are in the hands of a 3rd party. For these devices to be truly effective, they need to be as personal, and integral as your house key.
 
A large percentage of these breaches, not including cyber security firms, though personal users is via inane social media, via social engineering. Users using the same password over many sites or passwords that include their own birthdates or information as such. Also as I stated before social media is full of scamming and clicking on some advertisement can then lead one down to the darkness.
 
This is addressed with Passkey, there are no credentials to steal, and if you get an authorization token it's short lived by design, and gets replaced automatically quickly.

This forces the threat actor to enroll a new token to retain persistence, which tends to fire alerts and get people's attention.
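The two posts above describe the same mechanism from two sides: a passkey registers a public key with the site and answers challenges by signing them (the "virtual FIDO2 key" post), and the site's database therefore holds nothing an attacker can log in with, so an intruder has to enroll a new token, which is an event you can alert on. The following Go program is an added illustration written for this thread, not code from any poster, from Bitwarden, or from the FIDO/WebAuthn specifications; it is a stripped-down model of that pattern (no attestation, no authenticator data, no client data JSON). The relying-party ID "example.com", the look-alike "examp1e.com", and the user "alice" are constructed values. It also shows the recovery problem raised above: a replacement authenticator has to re-enroll with each site, the old key stops working, and the re-enrollment itself is what fires the alert.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the user's passkey holder (phone, security key, vault).
// Private keys are generated here and never leave; keys are indexed by the
// relying-party ID they were created for.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// RelyingParty models the website. Its store holds public keys only, so a
// stolen copy of it logs nobody in.
type RelyingParty struct {
	ID         string                      // origin the passkeys are bound to (constructed)
	creds      map[string]*ecdsa.PublicKey // user -> registered public key
	challenges map[string][]byte           // user -> outstanding one-time challenge
	Alerts     []string                    // enrollment events worth a human's attention
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

// Register creates a fresh P-256 key for this site and enrolls its public half.
// Enrolling on an account that already has a credential is the step an intruder
// (or a user who lost their phone) must take, so the relying party flags it.
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a.keys[rp.ID] = priv
	if _, exists := rp.creds[user]; exists {
		rp.Alerts = append(rp.Alerts, "new passkey enrolled on existing account "+user)
	}
	rp.creds[user] = &priv.PublicKey
	return nil
}

// Challenge issues a random nonce that must be signed before Verify succeeds.
func (rp *RelyingParty) Challenge(user string) ([]byte, error) {
	if _, ok := rp.creds[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenges[user] = c
	return c, nil
}

// payload binds the challenge to the site the client claims to be talking to.
func payload(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign answers a challenge for rpID. The browser supplies rpID from the page's
// real origin, so a look-alike domain gets a refusal rather than a signature.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no passkey for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, payload(rpID, challenge))
}

// Verify checks the signature against the stored public key and consumes the
// challenge, so a captured signature cannot be replayed later.
func (rp *RelyingParty) Verify(user string, sig []byte) bool {
	pub, haveCred := rp.creds[user]
	c, haveChal := rp.challenges[user]
	if !haveCred || !haveChal {
		return false
	}
	delete(rp.challenges, user)
	return ecdsa.VerifyASN1(pub, payload(rp.ID, c), sig)
}

func main() {
	rp := NewRelyingParty("example.com")
	phone := NewAuthenticator()
	if err := phone.Register(rp, "alice"); err != nil {
		panic(err)
	}
	c, _ := rp.Challenge("alice")
	sig, _ := phone.Sign(rp.ID, c)
	fmt.Println("login ok:", rp.Verify("alice", sig), "replay ok:", rp.Verify("alice", sig))
	c, _ = rp.Challenge("alice")
	_, err := phone.Sign("examp1e.com", c) // look-alike origin is refused
	fmt.Println("phishing site gets:", err)
	replacement := NewAuthenticator() // phone lost: must re-enroll, site by site
	_ = replacement.Register(rp, "alice")
	fmt.Println("alerts:", rp.Alerts)
}
```

The point to take from the model is where the secret lives: the relying party never holds anything that can produce a signature, so there is no vault-style dump to crack, and the only way into the account without the original authenticator is the visible `Register` step that lands in `Alerts`.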
 
@timeshifter "So what's the answer for people like me and others here who help small businesses and residential users?"

Are you managing those systems or just setting up for them hourly/break/fix?
I guess the answer is both. While I don't operate as an MSP, I do manage many aspects of my clients' networks and systems, but it's on an hourly basis, not on a monthly retainer or monthly fee.
 
@timeshifter I thought so. I got out of backup and never got into passwords, for me I can't manage those and it would not work for my business. Too many unknowns and I don't want to be responsible for anything with either lol.
 
Honestly, advancing this tech seems like it requires a generational change. All of us old folks need to die off so that the younger people more receptive to better security are the main userbase (as end users, corporate users and developers). Without buy-in from the userbase, the best idea in the world will wither and die.

I use BitWarden myself and in my shop, and while I recommend it to customers, that recommendation is made carefully. I am hesitant to use and store passkeys just because the impact of losing access would be so great. For me, I'm not talking about forgetting my master password (which has grown over the years and is now 24 characters) but instead I'm concerned about something going wrong on BitWarden's end. I don't think I can ever trust them enough...

Now for customers using passkeys, this is a very real concern. They can't remember their simple passwords, let alone something more secure. So much of our job these days is resetting passwords. All of those success stories of regaining access to their stuff would instead turn into failures - "Sorry, you just lost all of your data - would you care to start over?"
 
> Without buy-in from the userbase, the best idea in the world will wither and die.

As history has shown us, again, and again, and again, and again.

A variant of this observation:

In a democracy only those laws which have their bases in folkways or the approval of strong groups have a chance of being enforced.
~ Abraham Myerson
 
@HCHTech You won't have that kind of time; with the explosion of GPU capacity being extended due to the AI arms race, passwords are dying faster than they were previously.

Some estimates I've read have the password being rendered functionally useless in as little as five years. My instinct is more conservative, I'm thinking a decade or so. And between here and there will be breach, after breach, after breach.

Not that this wasn't already true of course, I meant what I said when I said this was inevitable.
 
> Now for customers using passkeys, this is a very real concern. They can't remember their simple passwords, let alone something more secure. So much of our job these days is resetting passwords. All of those success stories of regaining access to their stuff would instead turn into failures - "Sorry, you just lost all of your data - would you care to start over?"

Yeah that's what concerns me the most. Basically we won't be able to perform those miracles anymore. I got out of backup and never got into passwords, for me I can't manage those and it would not work for my business. Too many unknowns and I don't want to be responsible for anything with either lol.

> I got out of backup and never got into passwords, for me I can't manage those and it would not work for my business. Too many unknowns and I don't want to be responsible for anything with either lol.

I've tried doing that for a few businesses and it's always a nightmare with internet based logins because someone will always change something and not notify anyone etc. For the ones I consistently work for I keep some offline notes of important ones but even then it's not bullet proof if someone goes changing something lol. I try to stay out of storing any password crap as much as possible.
 