
Ask HN: What's your greatest security challenge? - peacemakr_io
Or if you're ignoring this set of challenges, why? Or, until when?

Food for thought:

* Ring hacked https://www.nytimes.com/2019/12/15/us/Hacked-ring-home-security-cameras.html

* Odds against startups https://www.forbes.com/sites/samanthadrake1/2017/02/03/chances-are-your-startup-is-going-to-get-hacked-heres-what-to-do/#7f081da2ce25

* Why does it matter? https://medium.com/@mcla0181/why-the-best-tech-startups-take-data-security-seriously-c9cc6fae3e32?sk=bfb142e801996eca7295d1879b030b1b
======
bernierocks
Ring was hacked because the victims used the same password across multiple
websites and those other websites had data breaches.

You can't really do anything about this, no matter how great your security is.

I suppose Ring could enforce 2FA across the entire platform, but many people
wouldn't accept this and they would lose customers.

I use a password manager and don't reuse any password for any site and have
2FA enabled on all of my important accounts. The problem is that most people
don't want to be inconvenienced.

~~~
peacemakr_io
I find punching in a username + password extremely inconvenient, and this is
why I never create new accounts from scratch.

OpenID Connect is integrated across several platforms, and allows us to
centralize authN and authZ behind a single secure, trusted Identity Provider,
such as Google auth, Facebook auth, GitHub auth - whatever makes the most sense
for your audience. It's the same idea as a password manager, a single trusted
login, but better, because there's no password-management nonsense.

I'd argue it's not the failure of the user, but the failure of the tech community.

So what I am hearing from you is "user authentication" is your greatest
security challenge?

~~~
bernierocks
"google auth, facebook auth, github auth"

So you now have a handful of failure points. I also am against the idea of
building my entire user base off of someone else's platform. It's just asking
for trouble down the road.

"I find punching in a username + password extremely inconvenient, and this is
why I never create new accounts from scratch."

Security is really never convenient. You need to have a good balance between
the two. A password manager is pretty convenient, even my non-tech savvy
parents can use one.

"So what I am hearing from you is "user authentication" is your greatest
security challenge?"

No. I was making a comment about the recent Ring hacks and how if you are a
startup and the exact situation happens, there isn't much you can do beyond
telling users to use different passwords or forcing a password change.

Even if you have the most secure encryption in place and all the best security
procedures, if your users pick terrible passwords (or another site gets hacked
and they use the same password), they will get their accounts hacked.

