Hacker News new | past | comments | ask | show | jobs | submit login

Is that sarcasm?



Users are at least partially responsible if they use a non unique password and then get hacked.


However, passwords are a shared secret, so you actually don't necessarily know who was responsible for the secret leaking, you or the other party.

Most proposed replacements or supplements are no better except (you can guess I'm about to say) WebAuthn. WebAuthn is built out of public key signatures, so a Relying Party has no idea how to present valid credentials even for their own system. Obviously you could just add a back door if you want one, but the WebAuthn credentials you're storing aren't like a password, or a password hash, or a TOTP seed. They're just an opaque ID and a public key.


Thats very true. But i think if sendgrid leaked their password db the level of spam would be mich higher.

Of course its always possible the password db leaked but it was using argon2 or something so only really weak passwords could be decoded.

I agree webauthn is great, and its the only option (other than TLS client certs which is a usability disaster, and maybe push notice 2fa depending on how its implemented) that protect against server side breach. However the vast majority of issues are password reuse, and to a much lesser extent dictionary attacks. TOTP effectively stops those. Then again so would choosing the users passwords for them.


All the "Push notice" 2FA systems I've used or looked at are already cheerfully bypassed by systems for phishing TOTP and SMS 2FA.

That's because they're relying on a human to make a security decision and humans are terrible at this job.

The human is at fake-site.example which they think is the real site because humans are lazy and incompetent. The fake site's backend automatically calls the real site, and the real site sends the human a push notice as 2FA. "Are you signing into Real Site®?". "Actually I wasn't sure until I got this reassuring message" thinks the human, "Yes". And now the bad guys have access to their account.

There are a lot of HN stories which are dubious about AI because they suspect it can't ever match a human in terms of vague things like intuition and learning. But you know what computers are unmistakably good at? Trivial symbol matching. fake-site.example is not real-site.example, those strings are different. That's why you just can't use your real-site.example WebAuthn credentials on fake-site.example




Consider applying for YC's Spring batch! Applications are open till Feb 11.

Guidelines | FAQ | Lists | API | Security | Legal | Apply to YC | Contact

Search: