Subtle changes, bugs and feedback

@Velocio One of the main criticisms of Persona from the security types is that it uses a pop up window for authentication. It gets users used to trusting and typing in their passwords into popup windows, which they shouldn't. I'm curious to know why you think that that is not only a positive, but a necessity.

The other issue is that it uses Javascript, cookies or local storage, none of which are that secure and all of which can be spoofed. I'm no expert on server and security matters, but I understand that it is not as secure as a form posting directly to a back-end API that performs it's own authentication with the server. What is your take on that?

Also, does the fact that Mozilla have abandoned Persona development concern you?

One of the main criticisms of Persona from the security types is that it uses a pop up window for authentication

Do you have citations of this from security experts?

A change;

For users of KBSSL and other "SSL everywhere" extensions, the microcosm.app/out links for the URL shortener now works on SSL as well as non-SSL.

So if you have such extensions installed, all URLs shall work fine.

One of the main criticisms of Persona...

Every site you log in to has a list of potential vulnerabilities as long as your arm. The only sensible thing to do, whether this site uses the irritating persona method or the lovely old 'form on every page', is to have a separate user name and password for every site. That way, if your LFGSS log in is hacked, you only have to suffer the mild embarrassment of being impersonated here.

And yet, the vast majority (meaning unbelievably high percentage) of people use the same password everywhere. Only a very small % use a password manager or have a non-trivial password for each site.

That is probably higher on LFGSS, because I've been banging that drum for years.

But still... when vBulletin and phpBB have been hacked in the past, and things have been leaked, I did compare password hashes with ours to see in general the strength of passwords on LFGSS. A very large number of people used the password password and all of the most popular passwords were well-represented.

So even on this site, where the cause has been argued for ages... the vast majority still used common passwords and dictionary words.

Passwords have long been broken, but no-one has a better solution that people seem willing to use. 2FA is damn good, and is the right thing, but again... virtually no-one really uses it widely.

And yet, the vast majority (meaning unbelievably high percentage) of people use the same password everywhere.

Of course they bloody do. The idea of creating and remembering a different password for every site is utterly ridiculous and completely misjudges the risk/hassle balance that any sane person is prepared to put up with.

yeah. my paypal got hacked recently because both my username and password were ncjlee. seems dumb now I suppose

i have since changed all my other passwords so you won't get me this time.

Apart from the things you forgot about, for which you've now published the password.

ncjlee123

How about bikepornauth: to authenticate you the site displays pictures of 4 bikes, and you have to click on the one you like best. It does this 10 times, so we get 20 bits of password entropy.

(this is not a serious suggestion)

Why are we even still using passwords? Every smartphone, laptop and desktop has, or can have, a camera attached to it. Facial recognition is a viable technology. My phone has a fingerprint sensor built into it. There are alternatives that do not require people to memorise bullshit strings of characters, is my point.

Edit: not a specific criticism of Microcosm, obviously. But online security needs to be less of a pain in the hole than it currently is.

Anyone who picks Pengy can be instantly banned forever!

Facial recognition or biometrics do not work like you think they do, @radar. Either microcosm would have to trust the remote device to be doing the authentication (in which case it can do whatever it likes and lie) or microcosm would have to request the facial/biometric information and do the comparison itself, in which case you can lie. And log in as Velocio by submitting one of the many pictures of him you can find on here.

Biometrics is a big fat waste of space which only idiot politicians (and the people who sell them the shit technology) are interested in.

@Bothwell

Anyone who picks Pengy can be instantly banned forever!

Won't somebody PLEASE think of the popcorn!?

Ok, let's take facial recognition. The device sends the data, the site reads the data and decides if you are who you say you are. In order to make it difficult to fake the data, the site asks you to make particular head/eye movements or facial expressions so that the data is specific to each login session. What am I missing?

Strong passwords aren't that hard to memorise, here's one I randomly generated just now: oo3zJmpRey

And the phrase I made up to learn:

Old Olly's 3 zones: Big Jism, my pink big ring, every year.

No, it doesn't make any sense, but it sounds a bit dirty so I'd be able to learn it without too much trouble. Maybe that's just me.

1. Hold a different photo up to the camera.
   
2. ???
   
3. Profit.
   

That's easy for a computer to crack.

You'd do better just using the phrase as the password, and on a mobile autocomplete would make that easy to enter too.

Not sure I follow. If the site is saying "Look up; Look left; Smile; Pick your nose", how is a photo of the user going to help our intrepid haxx0r?

That's easy for a computer to crack.

No, it isn't, because I generated the password randomly first (about 45 bits) and then made up the phrase to fit it.

45 bits is easier for a computer to crack than however many bits the memorable phrase is, I think is the point.

There are three comics that tell you all you need to know:

One) Are all methods computers have to determine randomness correct?

Two) What does random even mean, as a lot algorithms to get random numbers are badly implemented?

Three) What is entropy, or "Why are longer simpler passwords harder to crack than shorter more complex passwords"?

[@radar]unless the attacker knows you're using phrases.

Ever tried password cracking (I did, only last month when my accountants decided to start password protecting PDF payslips and I wanted to mock them)?

Length is the issue.

Even if someone told you their password was 50 chars long, figuring out how to make that from all dictionary words, names, place names, etc... just keeping to ASCII only... would take a long long time to crack.

My accounts used a short complex password, it took my GPU less than a day with no clue given, and less than an hour when I told it that it was only looking at 8 chars in length.

Long simple passwords FTW.

I started to use long passwords by simply prepending my old password with "my password is ". Though now I've gone full Catch-22 and have to repeat a loyalty oath every time I want to do something.