this post was submitted on 26 May 2025
565 points (96.2% liked)

Cybersecurity - Memes

2678 readers

Only the hottest memes in Cybersecurity

founded 2 years ago
[–] jol@discuss.tchncs.de 80 points 1 week ago (5 children)

The other day I used a website and they didn't let me pick a password.

They sent me a very secure random one via email 💀 In the year 2025, this still happens.

[–] AlecSadler@sh.itjust.works 21 points 1 week ago (1 children)

There's really nothing wrong with that; it's a sort of half-baked 1.5FA. I would hope/assume you had to immediately change your password after.

[–] mosiacmango@lemm.ee 45 points 1 week ago* (last edited 1 week ago) (3 children)

It's just 1 factor, as they are using "something you have," i.e. your email account, to authenticate you initially. Anyone with access to the account would have the password, so it can't count as a unique factor.

[–] azertyfun@sh.itjust.works 29 points 1 week ago (1 children)

99% of websites, even with "2FA" enabled, allow you to reset all login credentials with an email reset. Or worse, an SMS reset.

aka it's all just 1FA, with the password+TOTP just being there for "convenience", and they trust Gmail's actual 2FA not to get breached, because if it does then the account is donzo.

Not that emailing passwords is good, because users won't change them and are likely to leak them. However, login systems that are just an email with temporary credentials are superior to the standard system with the possibility to reset the password by email, since they're basically that with less attack surface. The service provider never even has to process the user's password. Literally the only downside is usability, which can be a worthwhile tradeoff.

Alternatively, one could do OIDC, but the downside is it only works with whichever authentication providers are set up, whereas email registrations work without an intermediary such as Google or Microsoft, which is a big plus in my book and might even be a hard requirement in B2B scenarios.
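Added example, not from the thread or from any commenter: a minimal, standard-library-only Python sketch of the email-only login flow described above (a temporary credential mailed to the user, no password ever received or stored). The token is random, kept server-side only as a hash, single-use and short-lived, and a newer request supersedes an older link. The login URL, the ten-minute window and the `outbox` list standing in for an email sender are assumptions made for the example.

```python
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class PendingLogin:
    """One outstanding login link; only the token's hash is kept server-side."""
    email: str
    expires_at: float


class MagicLinkAuth:
    """Email-only login: a random, single-use, short-lived token is mailed to the
    user. The service never sees or stores a password, so there is nothing to
    leak or to 'reset' beyond the mailbox the user already controls."""

    def __init__(self, ttl_seconds: float = 600.0,
                 base_url: str = "https://example.invalid/login") -> None:
        self._ttl = ttl_seconds        # assumption: 10-minute validity window
        self._base_url = base_url      # hypothetical login endpoint
        self._pending: Dict[bytes, PendingLogin] = {}
        self.outbox: List[Tuple[str, str]] = []   # constructed stand-in for an email sender

    @staticmethod
    def _digest(raw_token: str) -> bytes:
        # Store only a hash: a leaked table of pending logins yields nothing usable.
        return hashlib.sha256(raw_token.encode("ascii")).digest()

    def request_login(self, email: str, now: Optional[float] = None) -> str:
        """Create a fresh token for `email`, 'mail' it, and return the raw token
        (returned here only so a caller or test can simulate clicking the link)."""
        now = time.time() if now is None else now
        self._sweep(now)
        # A new request supersedes any earlier link for the same address.
        for key in [k for k, p in self._pending.items() if p.email == email]:
            del self._pending[key]
        raw_token = secrets.token_urlsafe(32)      # 256 bits of entropy
        self._pending[self._digest(raw_token)] = PendingLogin(
            email=email, expires_at=now + self._ttl)
        self.outbox.append((email, f"{self._base_url}?token={raw_token}"))
        return raw_token

    def redeem(self, raw_token: str, now: Optional[float] = None) -> Optional[str]:
        """Exchange a link token for the authenticated email address, or None if
        the token is unknown, expired or already used. Each token works once."""
        now = time.time() if now is None else now
        # pop(): the entry is consumed whether or not the check below succeeds.
        pending = self._pending.pop(self._digest(raw_token), None)
        if pending is None or now > pending.expires_at:
            return None
        return pending.email

    def _sweep(self, now: float) -> None:
        """Drop expired entries so the pending table cannot grow without bound."""
        for key in [k for k, p in self._pending.items() if now > p.expires_at]:
            del self._pending[key]


if __name__ == "__main__":
    auth = MagicLinkAuth()
    token = auth.request_login("alice@example.invalid")
    print("mailed:", auth.outbox[-1][1])
    print("first use :", auth.redeem(token))    # alice@example.invalid
    print("second use:", auth.redeem(token))    # None: single use
```

Compared with mailing a password, nothing in the mailbox or in the server's table stays valid for more than a few minutes or more than one use, which is the "less attack surface" point above; the trade-off is that the mailbox remains the single factor, exactly as it already is for any site with an email password reset.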

[–] Jarix@lemmy.world 2 points 1 week ago (1 children)

I'm not tech literate anymore, what's OIDC? I figured out the other ones.

[–] azertyfun@sh.itjust.works 3 points 1 week ago (1 children)

OpenID Connect, the standardized form of OAuth for the sole purpose of authenticating users to third-party services (i.e. Google says "yes, I certify it is john.smith@gmail.com logging in to your service").

[–] Jarix@lemmy.world 3 points 1 week ago

Much love for responding

Hmm, yup, you're right, my bad.

I guess it'd help if it still required an MFA code added or something.

[–] Ptsf@lemmy.world 2 points 1 week ago* (last edited 1 week ago)

The 1.5 is them relying on your email provider to provide the 2-factor 😂

[–] Agent641@lemmy.world 4 points 1 week ago

Australian Army still does this.

[–] whoisearth@lemmy.ca 3 points 1 week ago (1 children)

This is asinine, and anyone responding that this is normal is asinine as well. You can email a link to reset the password, but if you're sending a plaintext password, even with the intention of changing it immediately, you're a fucking idiot.

[–] jol@discuss.tchncs.de 3 points 1 week ago

Yeah, I'm shocked by the other responses to my comment...

it's ok if you need to immediately change it

[–] Jyek@sh.itjust.works 1 point 1 week ago

Some banks do this and then ask you to change it later.