What do people think of “Magic Links” or emailing a one time authentication session starter
I haven't really seen it discussed from a security perspective, but see it more and more. On phones it's an alright UX because the push notification shows you the email. On desktop the experience I find arduous.
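One way such a one-time login token could be issued and redeemed server-side, as an added example that is not from the original thread or from any product named in it (the in-memory store, the placeholder host and the 15-minute lifetime are assumptions):

```python
import hashlib
import secrets
import time
from typing import Optional

# Constructed in-memory store: token digest -> {email, expires, used}.
# A real service would keep this server-side in a database (assumed layout).
_PENDING: dict = {}

TTL_SECONDS = 15 * 60   # short lifetime limits the window if the mailbox is read later
TOKEN_BYTES = 32        # 256 bits of entropy from the OS CSPRNG


def issue_magic_link(email: str, now: Optional[float] = None) -> str:
    """Create a one-time login token for `email` and return the URL to e-mail.

    Only the SHA-256 digest of the token is stored, so a leak of the store does
    not yield usable links (same reasoning as storing password hashes, not passwords).
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(TOKEN_BYTES)
    digest = hashlib.sha256(token.encode()).hexdigest()
    _PENDING[digest] = {"email": email, "expires": now + TTL_SECONDS, "used": False}
    return f"https://example.invalid/login?token={token}"   # placeholder host


def redeem_magic_link(token: str, now: Optional[float] = None) -> Optional[str]:
    """Return the e-mail address the token authenticates, or None if invalid.

    A token is rejected if unknown, expired, or already used; a successful
    redemption burns it, so a link re-read from the mailbox later cannot start
    a second session. The digest of a high-entropy token is the lookup key, so a
    plain dict lookup leaks nothing useful through timing.
    """
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).hexdigest()
    entry = _PENDING.get(digest)
    if entry is None or entry["used"] or now > entry["expires"]:
        return None
    entry["used"] = True
    return entry["email"]
```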
Do you trust your email server? Do you trust your email client? Do you trust that you signed up with the right email address? If the answer to any of those is no, then it's not a good solution for you.
The answers to those questions are all yes if you allow password resets to that email address. If you don't trust email, a username and secure authenticator are your last resort.
(Magic links are a good shim until passkeys are provided as a secure authenticator. Avoids needing to store a password, prevents credential stuffing. Not a substitute for MFA/2FA imho.)
You typically don’t. The service simply allows it at all times. If you don’t trust your email auth story, that is a challenging threat model for sure. Big fan of passkeys all around for this very reason (at the moment, they are unphishable), but the story around recovery in the event of a lost passkey needs improvement to close that gap (can’t just lose your account due to edge cases, need gov ID or something similar to elevate identity assurance back up for account recovery and rebind to digital identity).
Google is upgrading everyone to passkeys [1], for example, which should help the Gmail email identity situation (which is material, as Gmail is one of the largest email providers [2]). Otherwise we end up with breaches like 23andme, where trivial credential spraying leads to data leakage [3]. This is entirely preventable, and the engineering time is not onerous to implement. Passwords must be left behind as quickly as possible.
You have piqued my interest though; which service doesn't allow you to reset your password via your email on file (besides an account auth system like Mullvad)?
[2] https://www.demandsage.com/gmail-statistics/ ("Gmail has over 1.8 billion active users as of 2023, which means 22.22% of the world’s population uses Google’s mail service.")
> With the help of machine learning, the pair could see the consistency of length requirements and restrictions for numbers, upper- and lower-case letters, special symbols, combinations, and starting letters. They could also see if sites permitted dictionary words or known breached passwords
Baffling they'd use machine learning to answer basic statistical questions.
In my understanding they used machine learning to extract the password requirements from site registration forms. They didn't use it for statistical analysis.
I'm not well versed in security so excuse my ignorance.
Before I started using Bitwarden I re-used one single strong password across hundreds and hundreds of sites (only my banking used individual different passwords) and I have entirely lost track of which sites now have my re-used password.
I have now used haveibeenpwned and similar sites, and I at least now have a huge long list of sites where I re-used that password. But there are far too many for me to go through and change every password, it would take days.
Maybe I'm just being lazy, but I honestly can't see myself getting around to it. Is there no way to automate the process of password resetting with individually generated Bitwarden passwords?
If this process could be automated then it would be a game changer for security.
Honestly, so what? Most websites aren't that important, so this "impressively large" study is mostly useless stats. I use the same weak password / spam email address for any website that idgaf about. Is that a problem? Oh no my reddit account is compromised what ever will I do??
The real security depends not only on the length and complexity of the password but also strongly on the hashing algorithm used and other measures like rate limits. Focusing strongly only on the password requirements is a bit short-sighted. Other factors like usability need to be considered, too. I hope the still-to-be-published article considers this.
If modern algorithms like those from the argon2 family are used with high workload settings, even shorter passwords could be safe if done properly.
Nevertheless, it is probably true that only very few follow current best practices.