
Re: Salsa update: no more "-guest" and more

On 4/26/20 8:34 PM, Bernd Zeimetz wrote:
> On 4/26/20 12:41 AM, Thomas Goirand wrote:
>> On 4/25/20 11:14 PM, Bernd Zeimetz wrote:
>>> Actually I think 2FA should be enforced for everybody.
>>> Even debian.org related passwords might get lost.
>> I use a strong password, stored with KeePassXC, with the password db
>> encrypted using the HMAC of my yubikey. In what way is this not safe
>> enough already? 2FA will add nothing in my case, just more annoyance.
> And then somebody sends you a phishing mail and you enter your password
> into salsa.debiana.org...

Nice try but ... I use the "Append Domain" plugin in Firefox, so that
KeePassXC can auto-type passwords if they match the URL of the site I'm
visiting, to what KeePassXC has in its database. So nice try, but your
phishing example doesn't work on me. :P

On 4/26/20 9:04 PM, Bernd Zeimetz wrote:
> So you have a browser integrated password manager and consider it
> secure? Interesting...

This wasn't addressed to me, but I'll reply anyways...

No, I don't use *any* browser integration. I just use the window title
of my browser with the "append domain" plugin to differentiate domains,
and the auto-type feature of KeePassXC. Yes, it's probably possible to
hack into the window title with JavaScript, though I still consider it
kind of safer.

Now, if you want to go this way, we can go even further, and I can
misquote you to have fun:

"So, you use a browser and consider it secure?"

Because at the end, that's how far it goes... :)

> And if it doesn't happen to you, it happens to somebody else.

I very much advise everyone to use the same setup I have so that what
you describe cannot happen. But that's not the idea. The idea is that
everyone must be taken as accountable for keeping his/her password safe.
Someone not using a password manager should be using 2FA indeed, but
please don't *enforce* it. It makes me think about these stupid sites
that ask me to use upper case, special char, numbers, etc. when really,
I'm generating all of my passwords with OpenSSL. Don't try to know
better than I do please...

> Or you or
> somebody else has to use a more public or work computer for whatever reason.

I don't enter passwords on computers that aren't mine. Never. Ever...

Though that's not the point. You're applying the same pattern again:
you're giving examples of idiots doing stupid things, and because of
these idiots, you want to enforce a security which doesn't help in every
case. Some people will always fall into traps, 2FA or not.

Did you ever realize that it's possible to defeat 2FA with phishing,
simply by asking the user to enter the 2FA code, and reuse that to
immediately login fraudulently?

> There are more ways to lose a password than you seem to be able to
> think of.

There are more idiots than you may think of (warning: entertaining!!!):


Now, if you want something safer, maybe we could implement something
that involves crypto a smarter way, like SQRL, so we avoid storing any
password in Salsa, even hashed:

Because seriously, I'm more concerned with Salsa itself being hacked,
and the password db of *all accounts* being stolen, or the Salsa SSO
provider being hacked, rather than having a *single* idiot user falling
into a phishing trap.


Thomas Goirand (zigo)
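The defence the message above relies on is a password manager that only offers a credential when the site being visited is the one the credential was saved for, so a lookalike host such as salsa.debiana.org gets nothing. The following is an added illustration of that check, written for this page and not code from the thread, KeePassXC or the "Append Domain" plugin. It assumes the manager can see the visited URL directly (the plugin instead puts the domain into the window title, which the author notes page scripts can influence); the vault contents and visited URLs are constructed sample values.

```python
"""Strict same-host matching before a password manager auto-types a credential.

Added example (not from the mailing-list thread). Assumptions:
  - each vault entry stores the URL the password was saved on;
  - the browser reports the full URL currently visited;
  - credentials are only ever typed over https.
"""
from urllib.parse import urlsplit

# Constructed sample vault: entry name -> URL the credential belongs to.
VAULT = {
    "salsa": "https://salsa.debian.org/users/sign_in",
    "tracker": "https://tracker.debian.org/",
}


def host_of(url):
    """Return the lower-cased host of an https URL, or None if it is unusable.

    urlsplit().hostname discards userinfo, so a URL such as
    https://salsa.debian.org@salsa.debiana.org/ yields the real host
    (salsa.debiana.org), not the decoy in front of the '@'.
    """
    parts = urlsplit(url)
    if parts.scheme != "https":
        return None  # never auto-type over plain http or other schemes
    host = (parts.hostname or "").rstrip(".")
    return host.lower() or None


def same_site(vault_url, visited_url):
    """True only when the visited host equals the saved host exactly.

    Exact matching is deliberate: prefix, suffix and lookalike hosts
    (salsa.debiana.org, salsa.debian.org.evil.example) all fail, which is
    the property that makes a phishing page receive no credential.
    """
    saved, visited = host_of(vault_url), host_of(visited_url)
    return saved is not None and visited is not None and saved == visited


def credentials_for(visited_url, vault=VAULT):
    """Names of vault entries the manager may auto-type on visited_url."""
    return sorted(name for name, url in vault.items() if same_site(url, visited_url))


if __name__ == "__main__":
    for url in (
        "https://salsa.debian.org/groups/debian",
        "https://salsa.debiana.org/users/sign_in",
        "https://salsa.debian.org.evil.example/",
        "https://salsa.debian.org@salsa.debiana.org/",
        "http://salsa.debian.org/",
    ):
        print(f"{url:50} -> {credentials_for(url)}")
```

Matching on the exact host is stricter than the registrable-domain matching some managers offer (which would also fill on any subdomain of debian.org); the stricter rule is the one that actually refuses the lookalike in the quoted phishing example, and it is what a TOTP code typed by hand cannot provide, since the code is not bound to the origin it is entered on.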
