
Does adding MFA not protect you against this? If you are secured by a TOTP on top of your password, it should not matter if they manage to reset your password.


Somewhat, but imho the Microsoft MFA is also full of similar flaws.

As an example: I've disabled the email and sms MFA methods because I have two hardware keys registered.

However, as soon as my account is added to an azure admin group (e.g. through PIM) an admin policy in azure forces those to 'enabled'.

It took me a long time to debug why the hell these methods got re-enabled every so often; it boils down to "because the azure admin controls for 'require MFA for admins' don't know about TOTP/U2F yet".

Imho it's maddening how bad it is.


I've tried using Jules for a side project, and the code quality it emits is much worse than GH Copilot (using Claude Sonnet), Gemini CLI, and Claude Code (which is odd, since it should have the same model as Gemini CLI). It also had a tendency to get confused in a monorepo -- it would keep trying to `cd backend && $DO_STUFF` even when it was already in backend, and iterate by trying to change `$DO_STUFF` rather than figure out that it's already in the backend directory.


> I've tried using Jules for a side project, and the code quality it emits is much worse than GH Copilot

It might be worth trying again.

"Jules now uses the advanced thinking capabilities of Gemini 2.5 Pro to develop coding plans, resulting in higher-quality code outputs"


Ah, I missed that. I do vaguely remember that it used to use Flash, but I can't find where I saw it now. Thanks, I'll give it a shot!


I just tried Jules for the first time and it did a fantastic job on reworking a whole data layer. Probably better than I would have expected from Copilot. So... I'm initially impressed. We'll see how it holds up. I was really impressed with Copilot, but after a lot of use there are times when it gets really bogged down and confused and you waste all the time you would have saved. Which is the story of AI right now.


I used it to make a small change (adding colorful terminal output) to a side project. The PR was great. I am seeing that LLM coding agents excel at various things and suck at others quite randomly. I do appreciate the ease of simply writing a prompt and then sitting back while it generates a PR. That takes very little effort and so the pain of a failure isn't significant. You can always re-prompt.


"Marginal" in the blogpost is used in the economic sense, as in the next incremental user -- not "marginal" as in minority.


That is the way whack is using it. whack is correct that if there is a negative effect on the average user, a test will show that negative effect. That's what "average" means.

To perceive an effect in new users without getting the same effect in existing users, you'd need to show different content to those two groups.


Hmm, I think the author's point is more towards attention addiction, rather than specific average types of people. It's more a matter of setting a low bar to encourage more people to be distracted by your app when they really shouldn't be using it. Basically increasing the number of apps that people check in on, especially when those users are in their marginal time (before bed, while cooking, etc.).


3 bedroom flat. I use Ubiquiti equipment since sourcing Ubiquiti is much easier than Mikrotik here in the Philippines, and I've had bad experiences with TP-Link, DLink, etc. randomly requiring restarts or outright failing after a few years.

* Unifi Security Gateway Pro (for the 2 WAN ports with failover)

* Unifi US-8-Lite-PoE

* Unifi AP-AC-Pro meshed to a:

* Unifi AP-AC-M


Another question that's a bit off-topic: does Kalibrr only hire in the Philippines or do they hire internationally?


How do you deal with the constant brownouts in the PH? Do you have backup power and UPS?


Well yeah isn't that the obvious answer :)


Thanks, but I'm really only interested in the parent replying.


Freecad and openscad are basically your only choices for FOSS CAD work. Freecad has pretty bad UX compared to Onshape and Fusion 360 (you have to keep switching between lots of modes rather than a single unified UI), while openscad is more of a CAD DSL (that IIRC doesn't actually model solids as solids).


What about solvespace?

https://solvespace.com/


I use CadQuery [1]. It uses OpenCascade and BREP under the hood. So far, it's been pretty decent to work with.

edit: I also use Fusion360 for non-scripted stuff. The parametric modeling is nice!

[1] https://github.com/CadQuery/cadquery


You're probably confused by "SHA-512/256", which does not mean SHA-512 or 256, but rather a truncated version of SHA-512: https://en.wikipedia.org/wiki/SHA-2 in the third paragraph.


So why would a truncated version of SHA-512 be better than SHA-512? And why is SHA-512 = SHA-256?


Truncated hash functions are not vulnerable to length-extension attacks.

Length-extension attacks are relevant when you design a MAC by passing a secret and then a message to a hash function, where only the message is known.

Truncating the hash (which is what SHA-512/256 and SHA-384 do to SHA-512) removes the ability to grab an existing hash H(k || m) (where k is unknown and m might be known) and append junk because a truncated hash does not contain sufficient information to recover the full state of the hash function in order to append new blocks.


Why do SHA-512/160 and SHA-512/128 not exist? They could be useful as drop-in replacements for SHA1 and MD5.


Because 224 bits is considered the minimum safe output length for a general purpose hash function. So they'd be drop-in replacements but still wouldn't be safe. Safer than MD5/SHA1, but not actually safe.

So rather than push off getting people to make things actually safe by providing a footgun, NIST just didn't do that.


> 224 bits is considered the minimum safe output length for a general purpose hash function.

Considered by whom?


Truncating a hash function to 224 bits puts it at the 112-bit security level, which is roughly equivalent to 2048-bit RSA under today's understanding of the costs of distributed cracking attacks.

There are a lot of standards organizations all over the world with various recommendations. https://www.keylength.com collates quite a few of them. Pick the one most closely relevant for your jurisdiction.

Most of them recommend 2048-bit RSA as their minimum for asymmetric security, and AES-128 / SHA-256 as their minimum for symmetric security. This is a [112, 128]-bit security lower bound.

Truncating a hash to 160 bits yields 80-bit security, which is insufficient. 128 bits (64-bit security) is out of the question.
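Where the n/2 figures in this comment come from, as an added derivation that is not part of the thread (the birthday bound for an ideal n-bit hash):

After q distinct inputs, the probability that no two of them collide is

$$P(\text{no collision}) = \prod_{i=1}^{q-1}\left(1 - \frac{i}{2^{n}}\right) \approx \exp\!\left(-\frac{q(q-1)}{2 \cdot 2^{n}}\right),$$

so the number of queries at which a collision becomes about even odds satisfies

$$\frac{q^{2}}{2^{n+1}} \approx \ln 2 \quad\Longrightarrow\quad q \approx \sqrt{2\ln 2}\;\cdot 2^{n/2} \approx 1.18 \cdot 2^{n/2}.$$

Collision resistance is therefore about $2^{n/2}$ work, while a preimage search succeeds with probability $2^{-n}$ per guess and costs about $2^{n}$:

$$n = 224 \Rightarrow 2^{112},\qquad n = 160 \Rightarrow 2^{80},\qquad n = 128 \Rightarrow 2^{64}.$$

This is why a 224-bit truncation lands at the 112-bit level the comment quotes, and why 160-bit and 128-bit truncations give only 80-bit and 64-bit collision security when collisions matter for your use.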


"Cryptographic hash functions with output size of n bits usually have a collision resistance security level n/2 and preimage resistance level n."

Depending on what you're doing, "SHA-512/128" could have a 128-bit security level. But I guess it's safer to assume n/2 when making a general recommendation.


You can truncate a hash anywhere you like. But 128 bits is considered too short now.


Ah! Makes sense now, thanks.


My issue with bitwarden (which is why I ended up choosing 1password) is that it doesn't provide an Android keyboard to insert passwords into apps that block clipboard access. (Keepass has this, but I wanted a simpler synchronization story.)


You should make a feature request. These guys are on a fast development pace.


Some people have difficulty or are unable to visualize in their mind's eye (aphantasia).


There is a JupyterLab extension for that: https://github.com/lckr/jupyterlab-variableInspector


Does it work with variables that are local to a function? I don't mean inspecting global variables after having executed a cell, but local variables in the middle of a function execution.


We've had no issues deleting and creating node pools this weekend (on asia-east1-a). No other problems noticed either.

