TeMPOraL 6 hours ago
That's why full disk encryption was always a no-go for approximately all computer users, and recommending it to someone not highly versed in technology was borderline malicious. "Tough luck, should have made a backup" is higher responsibility than securing anything in meatspace, including your passport or government ID. In the real world, there is always a recovery path. Security aficionados pushing non-recoverable traps on people are plain disconnected from reality. Microsoft has the right approach here with BitLocker defaults. It's not merely about UX - it's about not setting up traps and footguns that could easily cause harm to people.

morshu9001 3 hours ago
Google Authenticator used to be disconnected from reality like this. Users were asking how to copy the codes to another phone, and they said "you can't, WAI, should add the other phone as a second auth method on every site." Like how people say you shouldn't copy SSH privkeys. I figured out an undocumented way to do it on iPhone by taking an encrypted iTunes backup though. Eventually they yielded on this, but their later updates had other usability traps. Because Google Auth was the household name for TOTP apps, this maybe ruined TOTP's reputation early on.

Zak 3 hours ago
I had hoped the average person would have a baseline understanding of how computers work by now. Baseline includes things like the difference between a web browser and a search engine, "the cloud" is someone else's computer, and encrypted means gone if you lose the password/key. I am sad that this now appears unlikely. I suspect it may even be lower for people in their 20s today than a decade ago.

fc417fc802 4 hours ago
> Security aficionados pushing non-recoverable traps on people are plain disconnected from reality.

To be fair, if you inadvertently get locked out of your Google account "tough luck, should have used a different provider" and Gmail is a household name so ... Less snarky, I think that there's absolutely nothing wrong with key escrow (either as a recovery avenue or otherwise) so long as it's opt in and the tradeoffs are made abundantly clear up front. Unfortunately that doesn't seem to be the route MS went.

Citizen8396 4 hours ago
"Disconnected from reality" ... tell that to the people who have had a lost or stolen device without encryption. You'd need a backup and then some! Apple manages a recovery path for users without storing the key in plain text. Must have something to do with those "security aficionados."