Security isn't black and white. If i leave a post-it note of my logins on my monitor, that's definitely less safe than in a unlocked drawer, and so on.

▲

stouset 6 hours ago | parent | next [-]

If I leave a post-it note of passwords on my monitor inside a vault to which only I have access, it’s not a big deal. That’s the point of the “airtight hatch” metaphor.

▲

solidasparagus 4 hours ago | parent | next [-]

I think we've moved away from the secure perimeter thinking and towards defense in depth - if that list of passwords helps you get somewhere other than the vault, removing the post-it improves security. Vaults get infiltrated all the time - and often in partial ways like being able to see into the vault but not reach in.

	▲	dwattttt 2 hours ago \| parent [-]
		Defence in depth matters, but an analysis here shows that the same mechanism used to breach the outer layers (getting administrative access) can be used to breach the next layer (more thoroughly prodding Edge or Chrome to give up passwords).

▲

Someone1234 6 hours ago | parent | prev [-]

Right; but in the scenario of this Tweek, you've invited someone untrustworthy into the vault and are then freaking out because they can see the post-it note of passwords. It is inherently irrational.

This issue is inherently unfixable by ANY password manager, because the process model of the underlying OS isn't itself secure. No obfuscation will work, because the password manager itself needs to de-obfuscation it before use (and that memory too is dump-able).

All adding in-memory obfuscation does it make ignorant people feel better, while not moving the security needle even an inch.

▲

stouset 5 hours ago | parent | next [-]

I think we’re largely in agreement. I do think there’s some benefit in reducing the amount of time that a password is in cleartext in memory. But it’s pretty far down the list.

▲

ignoramous 5 hours ago | parent | prev [-]

> This issue is inherently unfixable by ANY password manager, because the process model of the underlying OS isn't itself secure

Usually the confidential bits are hardware isolated away from the supervisor (host kernel/OS) in Enclaves/TEEs, Realms, Secure Elements, Security chips, etc.

▲

jazzyjackson 5 hours ago | parent [-]

One more reason to use hardware-bound passkeys and not passwords.

▲

Someone1234 5 hours ago | parent [-]

True. But then your hardware dies, and you're locked out of every account you own. It is objectively good security, but has a ton of usability headaches yet to be really solved.

I've seen orgs move to passkeys only, then offer reset-questions (e.g. city of first job, etc); because the Customer Service volume/workflow wasn't figured out.

▲

jazzyjackson 5 hours ago | parent | next [-]

oh lawd, yes it does come down to 'who has the power to reset your account', and very few people want to take the path of 'no one has the power' in the case of lost credentials.

▲

themaninthedark 3 hours ago | parent | prev | next [-]

At my work we required a complex password <15 characters lower + cap, number and symbols.

Updated to Windows Hello and passkey.

Now I can use a 4 digit pin to login.

▲

alterom 5 hours ago | parent | prev | next [-]

>your hardware dies

Or your backpack gets stolen.

Oops.

I swear, people who idolize passkey security must never travel anywhere.

PS: "just have more devices with passkeys", they invariably say.

Yeah right because people are made of money, everyone has the forethought, and a 2nd laptop in the US is a great asset when you're in Poland and can't login anywhere.

▲

StilesCrisis 5 hours ago | parent | next [-]

I've been avoiding passkeys but more and more websites are trying to push them, and one website I use now requires them. I've already got a password manager! I don't need to change everything again!

▲

stouset 4 hours ago | parent [-]

Your password manager almost certainly already has baked-in passkey support.

▲

StilesCrisis 3 hours ago | parent [-]

It does, but what's your point? Why should I redo everything?

▲

stouset 3 hours ago | parent [-]

Nobody is asking you to?

▲

crazygringo 3 hours ago | parent [-]

The subject here is literally websites trying to push passkeys on users. That is who is asking us to.

About every week now Amazon tries to trick me into creating a passkey. It doesn't even ask, it just goes ahead and triggers my browser passkey creation mechanism without my consent. PayPal recently tried to force me to create one too and I had to kill and restart the app because that was the only way to skip it. I'll stick to my password with 2FA, thanks.

	▲	Marsymars 38 minutes ago \| parent [-]
		It's wildly obnoxious that browsers don't let you generally suppress these prompts. And if you take the nuclear option and strip your browser of WebAuthn support, then you obviously can't use any passkeys, which doesn't work for me - I have two sites where I do want to use passkeys (because it's the only way to avoid SMS-based MFA on every login), but I never want to see passkey prompts for any other sites.

▲

Barbing 3 hours ago | parent | prev | next [-]

>"just have more devices with passkeys"

Confirms that strategy then

For people who only use passwords having an extra device can help too. Google does not necessarily permit a login with a backup code, so to me it seems ideal to grab a spare phone, log into important accounts, and store it with a trusted party/friend.

It could be very difficult to login to an account like Gmail from overseas in the event of PC+phone[+hardware key] theft. Maybe no big deal if you can port your number to a new phone right away. Or maybe the trusted friend can help (unless Google still finds the login suspicious after all, no idea there)

▲

slau 4 hours ago | parent | prev [-]

I travel a lot. By train, plane, and car. I also use passkeys when possible. I have multiple Yubikeys, stored in different locations. I also have a password manager, where I typically keep track of which logins aren’t yet backed up across physical tokens.

It takes a bit of effort, but it’s not impossible.

Yes, it means that in the event of catastrophic failure I might not be able to log in to some services until I get to one of the backups. I haven’t been able to imagine a scenario where that would be truly problematic.

▲

Barbing 4 hours ago | parent | prev [-]

>It is objectively good security, but has a ton of usability headaches yet to be really solved.

Thank you, then this is still true today?

Disappointing the rollout was botched (recall cross platform and password manager difficulties). Haven’t done research since but even with some new UIs and flows promoting passkeys in the past couple months, haven’t regained my trust either.

▲

gruez 6 hours ago | parent | prev | next [-]

> If i leave a post-it note of my logins on my monitor, that's definitely less safe than in a unlocked drawer, and so on.

Having passwords on post-it notes does make certain types of attacks much easier. For instance, coworkers hacking other coworkers, or people burglarizing the office. None of which really apply to the "If an attacker gains administrative access on a terminal server" scenario.

Continuing the analogy, what Edge is doing is like leaving cash in unlocked cabinets inside a vault, and what Chrome's doing is locking those cabinets with a padlock. Sure, having the padlocks makes the cash more secure, but if someone went through all the effort into breaking the vault (terminal server), a padlock probably isn't going to stop them. This is especially true nowadays with AI coding agents and ready-made stealers available for sale online.

	▲	forgotaccount3 5 hours ago \| parent [-]
		> Having passwords on post-it notes does make certain types of attacks much easier. It also makes other attacks much harder. Namely I don't need to worry about some zero-day in my password manager.

▲

RajT88 5 hours ago | parent | prev | next [-]

The way to think about security is as a system of layers, each of which filters out ever more sophisticated attackers.

We should care about all kinds of attackers, and not assume that the protections against the most sophisticated will obviate the protections against the least sophisticated.

▲

cachius 4 hours ago | parent [-]

The Swiss cheese model. Each single layer has holes, but when stacked the combined hole area is minimized https://en.wikipedia.org/wiki/Swiss_cheese_model

▲

slow_typist 4 hours ago | parent | next [-]

The Swiss cheese model is what people use to sell you more 'security' related software systems that inherently involve more problems. (Also cheese is not very durable, even the kind without holes.)

	▲	LorenPechtel 20 minutes ago \| parent \| next [-]
		Swiss cheese applies to more than just security systems. Hiking with two GPS-capable devices is Swiss cheese.
	▲	RajT88 3 hours ago \| parent \| prev [-]
		[dead]

▲

ButlerianJihad 4 hours ago | parent | prev [-]

That was an enlightening read, considering the colloquial meaning of "your firewall security is like Swiss cheese"

https://en.wiktionary.org/wiki/Swiss_cheese#Noun

What's next? A system so secure that you can drive a truck through it? A honeypot in the center of a wasp nest?

▲

yjftsjthsd-h 5 hours ago | parent | prev [-]

Okay. Can you describe an attack / threat model where it would matter in this particular case?

▲

keithnz 5 hours ago | parent | next [-]

isn't it at risk of any code pathway that somehow allows you exceed a buffer and read memory unbounded? Then a nefarious web page could capture that? That's a huge exposure surface.

	▲	Dylan16807 5 hours ago \| parent [-]
		I'm pretty sure a read exploit in a web page wouldn't be in the same process as the passwords. If you can cross over to the main Edge process, you can probably get it to remove any encryption it applied itself.

▲

wat10000 3 hours ago | parent | prev [-]

https://en.wikipedia.org/wiki/Spectre_(security_vulnerabilit...