
      Passkeys may not be for you, but they are safe and easy—here’s why

      news.movim.eu / ArsTechnica · Friday, 12 May, 2023 - 20:43

    My recent feature on passkeys attracted significant interest, and a number of the 1,100+ comments raised questions about how the passkey system actually works and if it can be trusted. In response, I've put together this list of frequently asked questions to dispel a few myths and shed some light on what we know—and don't know—about passkeys.

    Q: I don’t trust Google. Why should I use passkeys?

    A: If you don’t use Google, then Google passkeys aren’t for you. If you don’t use Apple or Microsoft products, the situation is similar. The original article was aimed at the hundreds of millions of people who do use these major platforms (even if grudgingly).

      Passwordless Google accounts are easier and more secure than passwords. Here’s why.

      news.movim.eu / ArsTechnica · Monday, 8 May, 2023 - 13:50 · 1 minute

    By now, you’ve likely heard that passwordless Google accounts have finally arrived. The replacement for passwords is known as "passkeys."

    There are many misconceptions about passkeys, both in terms of their usability and the security and privacy benefits they offer compared with current authentication methods. That’s not surprising, given that passwords have been in use for the past 60 years, and passkeys are so new. The long and short of it is that with a few minutes of training, passkeys are easier to use than passwords, and in a matter of months—once a dozen or so industry partners finish rolling out the remaining pieces—using passkeys will be easier still. Passkeys are also vastly more secure and privacy-preserving than passwords, for reasons I'll explain later.

    This article provides a primer to get people started with Google's implementation of passkeys and explains the technical underpinnings that make them a much easier and more effective way to protect against account takeovers. A handful of smaller sites—specifically, PayPal, Instacart, Best Buy, Kayak, Robinhood, Shop Pay, and Cardpointers—have rolled out various options for logging in with passkeys, but those choices are more proofs of concept than working solutions. Google is the first major online service to make passkeys available, and its offering is refined and comprehensive enough that I’m recommending people turn them on today.

      The time has come: GitHub expands 2FA requirement rollout March 13

      news.movim.eu / ArsTechnica · Friday, 10 March, 2023 - 22:36

    [Image: A GitHub-made image accompanying all the company's communications about 2FA. (credit: GitHub)]

    Software development tool GitHub will require more accounts to enable two-factor authentication (2FA) starting on March 13. That mandate will extend to all user accounts by the end of 2023.

    GitHub announced its plan to roll out a 2FA requirement in a blog post last May. At that time, the company's chief security officer said that it was making the move because GitHub (which is used by millions of software developers around the world across myriad industries) is a vital part of the software supply chain. Said supply chain has been subject to several attacks in recent years and months, and 2FA is a strong defense against social engineering and other particularly common methods of attack.

    When that blog post was written, GitHub revealed that only around 16.5 percent of active GitHub users used 2FA—far lower than you'd expect from technologists who ought to know the value of it.

      LastPass Breach

      news.movim.eu / Schneier · Saturday, 24 December, 2022 - 18:23 · 2 minutes

    Last August, LastPass reported a security breach, saying that no customer information—or passwords—were compromised. Turns out the full story is worse:

    While no customer data was accessed during the August 2022 incident, some source code and technical information were stolen from our development environment and used to target another employee, obtaining credentials and keys which were used to access and decrypt some storage volumes within the cloud-based storage service.

    […]

    To date, we have determined that once the cloud storage access key and dual storage container decryption keys were obtained, the threat actor copied information from backup that contained basic customer account information and related metadata including company names, end-user names, billing addresses, email addresses, telephone numbers, and the IP addresses from which customers were accessing the LastPass service.

    The threat actor was also able to copy a backup of customer vault data from the encrypted storage container which is stored in a proprietary binary format that contains both unencrypted data, such as website URLs, as well as fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data.

    That’s bad. It’s not an epic disaster, though.

    These encrypted fields remain secured with 256-bit AES encryption and can only be decrypted with a unique encryption key derived from each user’s master password using our Zero Knowledge architecture. As a reminder, the master password is never known to LastPass and is not stored or maintained by LastPass.

    So, according to the company, if you chose a strong master password—here’s my advice on how to do it—your passwords are safe. That is, you are secure as long as your password is resilient to a brute-force attack. (That they lost customer data is another story….)

    Fair enough, as far as it goes. My guess is that many LastPass users do not have strong master passwords, even though the compromise of your encrypted password file should be part of your threat model. But, even so, note this unverified tweet:

    I think the situation at @LastPass may be worse than they are letting on. On Sunday the 18th, four of my wallets were compromised. The losses are not significant. Their seeds were kept, encrypted, in my lastpass vault, behind a 16 character password using all character types.

    If that’s true, it means that LastPass has some backdoor—possibly unintentional—into the password databases that the hackers are accessing. (Or that @Cryptopathic’s “16 character password using all character types” is something like “P@ssw0rdP@ssw0rd.”)

    My guess is that we’ll learn more during the coming days. But this should serve as a cautionary tale for anyone who is using the cloud: the cloud is another name for “someone else’s computer,” and you need to understand how much or how little you trust that computer.

    If you’re changing password managers, look at my own Password Safe. Its main downside is that you can’t synch between devices, but that’s because I don’t use the cloud for anything.

    News articles. Slashdot thread.

      Recovering Passwords by Measuring Residual Heat

      news.movim.eu / Schneier · Tuesday, 11 October, 2022 - 19:34 · 1 minute

    Researchers have used thermal cameras and ML guessing techniques to recover passwords from measuring the residual heat left by fingers on keyboards. From the abstract:

    We detail the implementation of ThermoSecure and make a dataset of 1,500 thermal images of keyboards with heat traces resulting from input publicly available. Our first study shows that ThermoSecure successfully attacks 6-symbol, 8-symbol, 12-symbol, and 16-symbol passwords with an average accuracy of 92%, 80%, 71%, and 55% respectively, and even higher accuracy when thermal images are taken within 30 seconds. We found that typing behavior significantly impacts vulnerability to thermal attacks, where hunt-and-peck typists are more vulnerable than fast typists (92% vs 83% thermal attack success if performed within 30 seconds). The second study showed that the keycap material has a statistically significant effect on the effectiveness of thermal attacks: ABS keycaps retain the thermal trace of users' presses for a longer period of time, making them more vulnerable to thermal attacks, with a 52% average attack accuracy compared to 14% for keyboards with PBT keycaps.

    “ABS” is Acrylonitrile Butadiene Styrene, which some keys are made of. Others are made of Polybutylene Terephthalate (PBT). PBT keys are less vulnerable.

    But, honestly, if someone can train a camera at your keyboard, you have bigger problems.

    News article.

      When Security Locks You Out of Everything

      news.movim.eu / Schneier · Tuesday, 28 June, 2022 - 16:49 · 1 minute

    Thought experiment story of someone who lost everything in a house fire, and now can’t log into anything:

    But to get into my cloud, I need my password and 2FA. And even if I could convince the cloud provider to bypass that and let me in, the backup is secured with a password which is stored in—you guessed it—my Password Manager.

    I am in cyclic dependency hell. To get my passwords, I need my 2FA. To get my 2FA, I need my passwords.

    It’s a one-in-a-million story, and one that’s hard to take into account in system design.

    This is where we reach the limits of the “Code Is Law” movement.

    In the boring analogue world—I am pretty sure that I’d be able to convince a human that I am who I say I am. And, thus, get access to my accounts. I may have to go to court to force a company to give me access back, but it is possible.

    But when things are secured by an unassailable algorithm—I am out of luck. No amount of pleading will let me in without the correct credentials. The company which provides my password manager simply doesn’t have access to my passwords. There is no-one to convince. Code is law.

    Of course, if I can wangle my way past security, an evil-doer could also do so.

    So which is the bigger risk?

    • An impersonator who convinces a service provider that they are me?
    • A malicious insider who works for a service provider?
    • Me permanently losing access to all of my identifiers?

    I don’t know the answer to that.

    Those risks are in the order of most common to least common, but that doesn’t necessarily mean that they are in risk order. They probably are, but then we’re left with no good way to handle someone who has lost all their digital credentials—computer, phone, backup, hardware token, wallet with ID cards—in a catastrophic house fire.

    I want to remind readers that this isn’t a true story. It didn’t actually happen. It’s a thought experiment.

      Bypassing Two-Factor Authentication

      Bruce Schneier · news.movim.eu / Schneier · Wednesday, 30 March, 2022 - 14:38

    These techniques are not new, but they’re increasingly popular:

    …some forms of MFA are stronger than others, and recent events show that these weaker forms aren’t much of a hurdle for some hackers to clear. In the past few months, suspected script kiddies like the Lapsus$ data extortion gang and elite Russian-state threat actors (like Cozy Bear, the group behind the SolarWinds hack) have both successfully defeated the protection.

    […]

    Methods include:

    • Sending a bunch of MFA requests and hoping the target finally accepts one to make the noise stop.
    • Sending one or two prompts per day. This method often attracts less attention, but “there is still a good chance the target will accept the MFA request.”
    • Calling the target, pretending to be part of the company, and telling the target they need to send an MFA request as part of a company process.

    FIDO2 multi-factor authentication systems are not susceptible to these attacks, because they are tied to a physical computer.

    And even though there are attacks against these two-factor systems, they’re much more secure than not having them at all. If nothing else, they block pretty much all automated attacks.

      “Change Password”

      Bruce Schneier · news.movim.eu / Schneier · Thursday, 17 March, 2022 - 20:10

    Oops:

    Instead of telling you when it’s safe to cross the street, the walk signs in Crystal City, VA are just repeating ‘CHANGE PASSWORD.’ Something’s gone terribly wrong here.