submitted 1 year ago by [email protected] to c/[email protected]
[-] [email protected] 67 points 1 year ago

FWIW: these types of password rules are discouraged by NIST -

  1. Eliminate Periodic Resets

Many companies ask their users to reset their passwords every few months, thinking that any unauthorized person who obtained a user’s password will soon be locked out. However, frequent password changes can actually make security worse.

It’s difficult enough to remember one good password a year. And since users often have numerous passwords to remember already, they often resort to changing their passwords in predictable patterns, such as adding a single character to the end of their last password or replacing a letter with a symbol that looks like it (such as $ instead of S).

So if an attacker already knows a user’s previous password, it won’t be difficult to crack the new one. The NIST guidelines state that periodic password-change requirements should be removed for this reason.

[-] [email protected] 18 points 1 year ago

They also recommend implementing 2FA, but not OTP or TOTP as they are now considered not secure enough. Use 2FA that is FIDO2 compliant such as biometrics or fobs like Yubikey.

[-] [email protected] 3 points 1 year ago

How is a TOTP not secure? It's a random string that changes every 30 seconds. I mean shit, I am LOOKING at it, and sometimes fail a login because I run out of time.

[-] [email protected] 7 points 1 year ago* (last edited 1 year ago)

The attack vector is as follows:

  1. Evil.com phishes a user and asks for username and password for Good.com
  2. Evil.com immediately relays those credentials to Good.com
  3. Good.com asks Evil.com for TOTP
  4. Evil.com asks victim for TOTP
  5. Evil.com relays TOTP to Good.com and does a complete account takeover

The various physical dongles prevent this by using the asking domain as part of the hash. If you activated the dongle on Evil.com, it'll do nothing on Good.com (except hopefully alerting the SOC at Good.com about a compromised username and password pair).

this post was submitted on 23 Sep 2023