timmyc123 5 days ago

You're quoting the first post of a long discussion, where the importance of protecting your data on disk was highlighted, and a proposal was made that at minimum, the default should be encrypting the backup with a user selected secret or key.

> But I want to use Apple Passwords.

You're choosing to use an app that doesn't meet your needs, when there are numerous apps out there that do meet your needs. I'm not sure how anyone is supposed to solve that for you.

lapcat 5 days ago

> You're quoting the first post of a long discussion

"You absolutely should be preventing users from being able to copy a private key!" is the 8th post in the discussion.

Do you stand by these words, or are you now repudiating them?

> You're choosing to use an app that doesn't meet your needs

I am using an app that meets my needs. I don't need passkeys. It's just other people telling me that I need passkeys.

timmyc123 5 days ago

Copy and paste in clear text? Yes, I don't think that's a good idea. Download to disk in clear text? Yes, I don't think that's a good idea.

Years and years of security incidents with consumer data show that this is a really bad idea.

At minimum, a credential manager distributed for wide use should encrypt exported/copied keys with a user selected secret or user generated key.

lapcat 5 days ago

> At minimum, a credential manager distributed for wide use should encrypt exported/copied keys with a user selected secret or user generated key.

It feels like this stated minimum is not your actual minimum.

Consider for example a macOS user keychain. The keychain is encrypted on disk with a user-selected password. But once you unlock the keychain with the password, you can copy and paste passwords in clear text. The keychain is not a black hole where nothing ever escapes. And I have no objection to this setup; in fact it's my current setup.

So when you say copy and paste of passkeys in clear text is not a good idea, there's nothing inherent to encrypting credentials with a user key that prevents such copy and paste. There would have to be some additional restriction.
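An added example, not code from any participant in this thread or from any credential manager: a Node.js sketch of the export scheme the two comments above discuss, where an exported key is wrapped with a user-selected passphrase (scrypt, then AES-256-GCM). The blob layout, the `credential-export-v1` label, the function names and the scrypt cost are all assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Assumed parameters: scrypt cost is a constructed value, tune it per platform.
const KDF = { N: 1 << 14, r: 8, p: 1 };
const AAD = Buffer.from('credential-export-v1'); // hypothetical format label

function deriveKey(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase.normalize('NFKC'), salt, 32, KDF);
}

// Wrap raw key bytes for export; only the returned JSON blob touches disk.
function exportCredential(privateKeyBytes, passphrase) {
  const salt = nodeCrypto.randomBytes(16); // fresh per export
  const iv = nodeCrypto.randomBytes(12);   // 96-bit GCM nonce, never reused
  const key = deriveKey(passphrase, salt);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(AAD); // binds the blob to this format version
  const ct = Buffer.concat([cipher.update(privateKeyBytes), cipher.final()]);
  const tag = cipher.getAuthTag();
  key.fill(0);
  const b64 = (buf) => buf.toString('base64');
  return JSON.stringify({ v: 1, salt: b64(salt), iv: b64(iv), tag: b64(tag), ct: b64(ct) });
}

// Unwrap an export. KDF cost is pinned in code, not read from the blob,
// so a crafted file cannot downgrade it or request a huge work factor.
function importCredential(blob, passphrase) {
  const f = JSON.parse(blob);
  if (f.v !== 1) throw new Error('unsupported export format');
  const raw = (s) => Buffer.from(s, 'base64');
  const key = deriveKey(passphrase, raw(f.salt));
  const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, raw(f.iv));
  decipher.setAAD(AAD);
  decipher.setAuthTag(raw(f.tag));
  try {
    // On success the caller holds the key bytes in the clear: encryption at
    // rest says nothing about what the unlocked application does with them.
    return Buffer.concat([decipher.update(raw(f.ct)), decipher.final()]);
  } catch {
    throw new Error('wrong passphrase or tampered export');
  } finally {
    key.fill(0);
  }
}
```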

pseudalopex 5 days ago

> At minimum, a credential manager distributed for wide use should encrypt exported/copied keys with a user selected secret or user generated key.

What should happen if the developers refuse to enforce this?