
> that anyone on the internet could just curl/postman/httpie to change someone's password.

But that's my point. Keep it simple, let my password manager (be it on my mobile, laptop or wherever I want) change my password! Yes, I'd like that.

You don't even need that CSRF token, I don't know why. To prove your identity you'll only need to prove that you know your password. That's possible, securely. See https://en.wikipedia.org/wiki/Secure_Remote_Password_protoco... and https://en.wikipedia.org/wiki/Zero-knowledge_password_proof

Why do you need an application whitelist?! The website I am visiting isn't whitelisting my browser, so why would it need to whitelist my password manager?

How lucky for you in 2018 that you don't seem to have any trouble with botnets trying to crack your passwords, hack your accounts, or even just break your accounts so that you cannot use them.

Exactly. Most password leaks seem to come from hacked websites and thus badly implemented security. And that's another point I was making: Keep it simple but secure, so that implementors have it simple and don't mess it up.

Can you point me to some source for botnets which crack passwords? I would be surprised. It's not feasible to brute-force a password over HTTP.


My Steam account has had high entropy, sole use passwords cracked in the timeframe of months, which would seem to indicate (if Valve is not leaking [1]) a botnet using their "simple" HTTPS login endpoints to brute force passwords. So far Steam Guard (2FA) has stopped the attacks, but that doesn't make me feel that much better given the speed with which the passwords seem to be cracking.

That's just one account I see as currently most at risk. There are plenty of others I'm concerned about as well.

Passwords are fragile, brittle things. "Simple" security is no longer an answer when dealing with passwords. FULL STOP. It's time we moved past passwords altogether, but even where we can't, we absolutely have to be serious about password security from top to bottom.

You can victim blame "hacked websites" for "badly implemented security" all you want, but that's part of the point, too. Password infrastructure will always be lowest common denominator, because it is "easy", because it is "simple". Everyone thinks they can implement password security, and everyone is wrong. There are still people that don't hash, much less salt, their passwords in 2018. There are still people that don't realize "Security Questions" are Plaintext Passwords and a giant security risk. In the age of bitcoin mining there is no such thing as a hashed or salted password that cannot be brute forced. Bitcoin mining is password brute force at massive scale, and dropped rainbow table hardware to the price floor.

I'm sorry that you still have any illusions left that passwords are and/or can be "simple". Passwords are dead and yet we're all going to be fighting that forest fire for decades to come.

[1] Which, admittedly, is a possibility, but it would be a surprising shock for an application as big as Steam.
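The comment above complains that sites still store passwords unhashed or unsalted, and that "security questions" are effectively plaintext passwords. The following is an added example (not code from any commenter or from Steam) of the minimum a site should do instead: a per-record random salt, a deliberately slow key derivation (PBKDF2-HMAC-SHA256 from the Python standard library), constant-time comparison, a work-factor check so old records get upgraded on next login, and the same treatment applied to security-question answers. The record format `pbkdf2_sha256$iterations$salt$hash` and the iteration count are assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Work factor for PBKDF2-HMAC-SHA256. Assumed value for illustration; the
# point is that each guess costs the attacker this many HMAC operations too,
# so the number should be raised as hardware gets faster.
ITERATIONS = 200_000
SALT_BYTES = 16
KEY_LEN = 32
ALGO = "pbkdf2_sha256"


def hash_secret(secret: str, salt: Optional[bytes] = None,
                iterations: int = ITERATIONS) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.

    A fresh random salt per record means two users with the same password get
    different hashes, and precomputed (rainbow) tables are useless.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"), salt,
                                 iterations, dklen=KEY_LEN)
    return f"{ALGO}${iterations}${salt.hex()}${digest.hex()}"


def verify_secret(secret: str, record: str) -> bool:
    """Recompute the derivation with the stored salt/iterations and compare
    in constant time, so a wrong guess leaks nothing through timing."""
    try:
        algo, iters, salt_hex, hash_hex = record.split("$")
    except ValueError:
        return False
    if algo != ALGO:
        return False
    digest = hashlib.pbkdf2_hmac("sha256", secret.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iters), dklen=KEY_LEN)
    return hmac.compare_digest(digest, bytes.fromhex(hash_hex))


def needs_rehash(record: str, min_iterations: int = ITERATIONS) -> bool:
    """True when a stored record was made with a weaker work factor than the
    current policy; call hash_secret() again after a successful login."""
    algo, iters, _salt, _hash = record.split("$")
    return algo != ALGO or int(iters) < min_iterations


def _normalize_answer(answer: str) -> str:
    # Security-question answers are just low-entropy passwords; normalize
    # case and whitespace so "Fluffy " and "fluffy" match, then hash them.
    return " ".join(answer.strip().lower().split())


def hash_answer(answer: str) -> str:
    return hash_secret(_normalize_answer(answer))


def verify_answer(answer: str, record: str) -> bool:
    return verify_secret(_normalize_answer(answer), record)


if __name__ == "__main__":
    rec = hash_secret("correct horse battery staple")
    print(rec)
    print("login ok:", verify_secret("correct horse battery staple", rec))
    print("wrong pw:", verify_secret("hunter2", rec))
    print("old record needs upgrade:", needs_rehash(hash_secret("x", iterations=1000)))
```

Storing the algorithm and iteration count inside the record is what lets the work factor be raised later without invalidating existing accounts. Note that this only raises the per-guess cost; as the comment says, nothing here makes a weak password unguessable, which is why the site also needs rate limiting and a second factor.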
