Need to let loose a primal scream without collecting footnotes first? Have a sneer percolating in your system but not enough time/energy to make a whole post about it? Go forth and be mid: Welcome to the Stubsack, your first port of call for learning fresh Awful youāll near-instantly regret.
Any awful.systems sub may be subsneered in this subthread, techtakes or no.
If your sneer seems higher quality than you thought, feel free to cutānāpaste it into its own post ā thereās no quota for posting and the bar really isnāt that high.
The post Xitter web has spawned soo many āesotericā right wing freaks, but thereās no appropriate sneer-space for them. Iām talking redscare-ish, reality challenged āculture criticsā who write about everything but understand nothing. Iām talking about reply-guys who make the same 6 tweets about the same 3 subjects. Theyāre inescapable at this point, yet I donāt see them mocked (as much as they should be)
Like, there was one dude a while back who insisted that women couldnāt be surgeons because they didnāt believe in the moon or in stars? I think each and every one of these guys is uniquely fucked up and if I canāt escape them, I would love to sneer at them.
(Semi-obligatory thanks to @dgerard for starting this.)
Last time I tried it, ungoogled chromium had some issues with yubikeys (see https://ungoogled-software.github.io/ungoogled-chromium-wiki/faq#how-to-get-fido-u2f-security-keys-to-work-in-google-sign-in) which I donāt think have been fixed yet. That was enough to be a deal breaker for me.
Without knowing why you think they suck, itās hard to say. I like having unphishable uncopyable credentials, and it irritates me that they arenāt more widely supported. On my desktop or laptop, theyāre less irritating than TOTP, for example, which is neither unphishable nor uncopyable but much more widely used.
Whilst there isnāt really such a thing as ātoo secureā, it is the case that things like passwords are not infinitely scaleable. Something like yescrypt produces 256-bit hashes (iirc) so thereās simply no space to squish all that extra entropy youāre providing into the outputā¦ it might not be any more secure than a password a quarter of its length (or less!).
128 bits of entropy is already impractical to brute force, even if you ignore the fact that modern password hashes like yescrypt and argon2 are particularly challenging to attack even if your password has low entropy.
Iāve come around a bit since posting yesterday (after looking into the various hardware key options, like OnlyKey). The biggest issue I have is that the firmware cannot be updated (which I realize is somewhat a matter of taste regarding your threat model). Other than that, itās the added complexity of āuse this physical deviceā and the concern I had about recovering accounts if I lost the Yubikey. Their page on spare devices does not inspire confidence.
Fair point! I chose 128 because itās the maximum allowed in Bitwarden (if itās going to be copy-pasted anyway, who cares). Assuming I didnāt fuck up basic math, the entropy of a passphrase of length
nselected uniformly at random from characters inAis given bynlog|A|, so to reach 128 bits of entropy with 70 chars (lower + upper + digits + special) requires a passphrase of length 21.The solokey v2 and the nitrokey v3 (I think) have some firmware upgradability, but theyāre not as capable as a yubikey (the last time I checked I couldnāt use either of them to unlock a keepassxc password vault, for example). Whilst it would be a right hassle to deal with a lost device, I generally lock my accounts with a main key and two spares that get stored safely and make a note in my password database of which accounts can use which keys so thereās little risk of locking myself out of anything, and I can get a list of sites to visit to revoke credentials from. In any case, the minor inconvenience is a good tradeoff for me, given the significant security guarantees the keys offer over other authentication mechanisms.
But also, āadded complexityā is just a thing with two factor authentication, and most of my use of U2F keys involves less effort than unlocking my phone, then unlocking my TOTP application, then searching for the account and site Iām trying to unlock, then waiting for the timer to reset because I canāt authenticate before the current code expires, etc.
Beats me! I just use off-the-shelf entropy calculators and hope theyāre right. They mostly seem to agree that ~128 bits of entropy from a 10-word (70-85-ish characters) passphrase from the EFF large wordlist, or ~24 characters from uppercase/lowercase/numeric. Both might be reasonably considered overkill, if you can be sure that the thing thatās hashing the password is using a modern algorithm (which often you canāt, sadly).
I also dislike unreasonably long passwords because more modestly-sized ones can be typed out manually when needs be, or even read over the phone in an emergency. I wouldnāt fancy doing that with 128 character passwords! You may of course never need to do those things, but Iāve needed to do both, at work and otherwise.