junon, 4 days ago:
I use a password manager. I was on mobile; the autofill stuff isn't installed as I don't use it often on my phone. In 15 years of maintaining OSS, I've never been pwned, phished, or anything of the sort. Thank you for your input :)
yawaramin, 3 days ago:
I'm angry about this. Large megacorps with the budget of medium-sized countries allocate the minimum amount of budget to maintain their auth systems and still allow the use of phishable auth methods. If npm disabled passwords and forced people to use passkeys, this huge problem just disappears tomorrow. But instead, we're left with this mess where ordinary developers are forced to deal with the consequences of getting phished.
hdjrudni, 3 days ago:
Passkeys can be a pain in the ass too. Evidently I set up my YubiKey with GitHub at some point, which is fine if I'm at my desktop where my key is plugged in, but if I want to sign in on mobile... now what? I just couldn't log in on mobile for months until I realized I think there's a button on there somewhere that's like "use different 2FA", but then what was even the point of having a key registered if it can be bypassed?
sneak, 3 days ago:
You can use software U2F (iCloud supports this); you don't need YubiKeys. Also, YubiKeys work on phones just fine, via both NFC and USB.
dchest, 3 days ago:
While you can set up passkeys with a YubiKey, the most common intended use case is key pairs that are syncable via your Apple/Google/password manager account. So, once you add a passkey, you'll be able to sign in on mobile with it automatically.
nialv7, 3 days ago:
You can use YubiKeys for both passkey and password+2FA. This way you aren't bypassing anything. And btw, you can get USB-C YubiKeys so you can plug it into your phone. If even that's not an option, you can get a USB-C to USB-A adapter.
yawaramin, 3 days ago:
> but if I want to sign in on mobile.... now what?

Just set up a new passkey on the mobile device.
sneak, 3 days ago:
I never copy and paste passwords. Any time you find yourself wanting to do that, alarm bells should be ringing. Password managers can't help you if you don't use them properly. Spotify steals (and presumably uploads) your clipboard, as do other apps. Autofill is your primary defense against phishing, as you (and hopefully some others) learned this week.
johnisgood, 3 days ago:
Do not give them permission to your clipboard. It is possible today. I copy and paste passwords and I clear the clipboard afterwards, and I do not use junk like Spotify, and were I to use Spotify, it would be through the browser, not the application. Were it the application, it would be firejailed to oblivion. It is possible to restrict clipboard access when running applications inside Firejail, i.e. Firejail allows you to restrict access to X11 and Wayland sockets, which prevents the sandboxed application from reading or writing to the system clipboard. See: "--x11=none", "--private=...", "--private-tmp", and so forth. You can run a GUI app with an isolated clipboard via "firejail --x11=xvfb app". For Wayland, you should block access to the Wayland socket by adding "--blacklist=/run/user/*/wayland-*". I do not use autofill on desktop at all. I use it on Android, however.
jasode, 3 days ago:
> Autofill is your primary defense against phishing,

The autofill feature is not 100% reliable for various reasons:

(1) Some companies use different domains that are legitimate but don't exactly match the URL in the password manager. Troy Hunt, the security expert who runs https://haveibeenpwned.com/, got tricked because he knew autofill is often blank because of legit different domains[1]. His sophisticated knowledge and heuristics of how autofill is implemented actually worked against him.

(2) Autofill doesn't work because of technical bugs in the plugin, HTML element detection, interaction/incompatibility with new browser versions, etc. It's a common complaint with all password plugins:
https://www.google.com/search?q=1password+autofill+doesn%27t...
https://www.1password.community/discussions/1password/1passw...
https://github.com/bitwarden/clients/issues?q=is%3Aissue%20a...

... so in the meantime, while the autofill is broken, people have to manually copy-paste the password! The real-world experience of flaky and glitchy autofill distorts the mental decision tree. Instead of, "hey, the password manager didn't autofill my username/password?!? What's going on... OH SHIT, I'm being phished!" ... it becomes "it didn't autofill the password (again), so I assume the Rube Goldberg contraption of pw manager browser plugin + browser version is broken again."

Consider the irony of how password managers not being perfectly reliable causes sophisticated technical minds to become susceptible to social engineering. In other words, password managers inadvertently create a "Normalization of Deviance": https://en.wikipedia.org/wiki/Normalization_of_deviance

[1]
> Thirdly, the thing that should have saved my bacon was the credentials not auto-filling from 1Password, so why didn't I stop there? Because that's not unusual. There are so many services where you've registered on one domain (and that address is stored in 1Password), then you legitimately log on to a different domain.

from: https://www.troyhunt.com/a-sneaky-phish-just-grabbed-my-mail...
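An added example, not from this thread and not any password manager's actual code, of the site-matching check an autofill feature runs before offering a saved credential, and of why a blank autofill on a lookalike domain is the signal jasode says users learn to ignore. The vault entry, the candidate pages and the tiny suffix table are constructed for illustration; a real manager uses the full Public Suffix List and its own matching policy.

```python
from typing import Optional, Tuple
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List. A real password manager
# ships the full list; these entries are only enough for this example.
KNOWN_SUFFIXES = {"com", "org", "net", "co.uk", "help"}


def registrable_domain(host: str) -> Optional[str]:
    """Return the registrable domain (eTLD+1) of a hostname, e.g.
    'accounts.example.com' -> 'example.com', or None if it cannot be
    determined. Longest matching suffix wins, so 'co.uk' beats 'uk'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        suffix = ".".join(labels[i + 1:])
        if suffix in KNOWN_SUFFIXES:
            return ".".join(labels[i:])
    return None


def autofill_decision(stored_url: str, current_url: str) -> Tuple[str, str]:
    """Decide whether a credential saved for stored_url may be filled into a
    form on current_url. Returns ("fill", reason) or ("withhold", reason).
    Policy: same registrable domain as the saved entry, and HTTPS only."""
    stored = urlsplit(stored_url)
    current = urlsplit(current_url)
    if current.scheme != "https":
        return ("withhold", "page is not served over https")
    stored_site = registrable_domain(stored.hostname or "")
    current_site = registrable_domain(current.hostname or "")
    if stored_site is None or current_site is None:
        return ("withhold", "could not determine the registrable domain")
    if stored_site != current_site:
        return ("withhold", f"{current.hostname} is not part of {stored_site}")
    return ("fill", f"{current.hostname} is part of {stored_site}")


# Constructed vault entry and candidate pages; none of these are real sites.
STORED_LOGIN = "https://www.example.com/login"
CANDIDATE_PAGES = [
    "https://accounts.example.com/signin",        # sibling host of the saved site: fill
    "https://example.help/reset",                 # lookalike under another TLD: withhold
    "https://example.com.evil-login.help/login",  # saved name used as a prefix: withhold
    "http://www.example.com/login",               # right host, plaintext HTTP: withhold
]


def review_candidates() -> dict:
    """Map each constructed candidate page to the decision made for it."""
    return {page: autofill_decision(STORED_LOGIN, page) for page in CANDIDATE_PAGES}


if __name__ == "__main__":
    for page, (verdict, reason) in review_candidates().items():
        print(f"{verdict:8} {page}  ({reason})")
```

The part worth noticing is the `withhold` branch: the manager declines for a concrete, checkable reason, so a blank autofill on a page that looks right is a mismatch the manager found, not necessarily a plugin glitch. Treating that blank as a stop sign rather than a cue to copy and paste is exactly the habit the comments above are arguing over.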
mdaniel, 3 days ago:
I want to live in a world where the 1Password CEO makes a formal apology for this failure, and applies the necessary internal pressure to treat any "autofill does not work" as a P0.

The number of cases in this thread, about a malware attack basically because of 1Password, where people mention their bad experience with 1Password is really stretching the "no such thing as bad publicity" theory.
ants_everywhere, 4 days ago:
Sounds like you should use it on your phone then.
bingabingabinga, 4 days ago:
> In 15 years of maintaining OSS, I've never been pwned, phished, or anything of the sort.

Well, until now.
typpilol, 4 days ago:
I just don't get how you didn't look for an announcement about npm resetting 2FA. Especially when you get a random reset.
acdha, 4 days ago:
Because you're one person with a job which isn't security, and the world is full of legitimate warnings from companies telling you that you must do something by an arbitrary deadline? They screwed up, but we have thousands of years of evidence that people make mistakes even when they really know better, and the best way to prevent that is to remove places where a single person making a mistake causes a disaster.

On that note, how many of the organizations at risk do you think have contributed a single dollar or developer-hour supporting the projects they trust? Maybe that's where we should start looking for changes.
grumple, 3 days ago:
You can use password manager autofill and hardware 2FA and still get phished. All it takes is you rushing, not paying attention, clicking on a link, and logging in (been caught by my own security team doing this). Yes, in an ideal world you're going to be 100% perfect. The world is not ideal, unfortunately. I don't have a solution, but demanding humans behave perfectly in order to remain secure is not a reasonable ask.
acdha, 4 days ago:
I also use WebAuthn where possible but wouldn't be so cocky. The most likely reason why we haven't been phished is that we haven't been targeted by a sophisticated attacker.

One side note: most systems make it hard to completely rely on WebAuthn. As long as other options are available, you are likely vulnerable to an attack. It's often easier than it should be to get a vendor to reset MFA, even for security companies.
typpilol, 3 days ago:
But this wasn't even really a spear phishing attack. It was a generic phish email you'd see in every single Corp 101 security course.
acdha, 3 days ago:
The attacker did have a great domain name choice, didn't overuse it to the point where it got on spam block lists, and got them at a moment of distraction, so it worked. It's really easy to look at something in a training exercise and say "who'd fall for that" without thinking about what happens when you're not at your best in a calm, focused state.

My main point was simply that the better response isn't to mock them but to build systems which can't fail this badly. WebAuthn is great, but you have to go all in if you want to prevent phishing. NPM would also benefit immensely from putting speed bumps and things like code signing requirements in place, but that's a big usability hit if it's not carefully implemented.
typpilol, 3 days ago:
I wouldn't consider a .help domain to be a great choice. I've literally never gotten a support email or any email from a .help domain.

I'm not mocking them, just trying to understand how so many red flags slipped past:

- Domain name
- No auto-fill
- Unannounced MFA resets
- Etc...

My point is that nothing could have saved this person except extreme security measures. There's literally no conclusion here besides:

1. Lock everything down so extremely that it's extremely inconvenient, to prevent mistakes 99% of people don't make. (How many npm packages vs. the total have been hijacked? Less than 1%.)
2. This person was always going to be a victim eventually... And that's a hard pill to swallow. For me and the maintainer.

Being in network security, it's my actual nightmare scenario. The only lesson to be learned is you need extreme security measures for even the most experienced of internet users. This wasn't your grandma clicking a link; it's a guy who's been around for decades in the online / coding world.

It also makes me suspicious, but that's a road I'd rather keep to myself.
sneak, 3 days ago:
The failure here was that his password manager was not configured and he manually copied and pasted the credentials into the wrong webpage. A password manager can't manage passwords if you don't configure it and use it.
acdha, 3 days ago:
Yes, and we know that's a thing which people are trained to do by all of the sites which are sloppy about their login forms or host names, so we should assume that attackers can trick people into doing it, even many people who think they are too smart for it. Hubris is quite a boon for attackers.
gajgajendra, a day ago:
> I have never been phished because I follow best practices. Most people don't.

You forgot to mention that you are both highly skilled and practiced at phishing yourself... don't you think that helps too?
[deleted], a day ago:
[deleted]