this post was submitted on 26 May 2025
576 points (96.3% liked)

Cybersecurity - Memes


Only the hottest memes in Cybersecurity

[–] jol@discuss.tchncs.de 82 points 2 months ago (5 children)

The other day I used a website and they didn't let me pick a password.

They sent me a very secure random one via email 💀 In the year 2025, this still happens.

[–] AlecSadler@sh.itjust.works 22 points 2 months ago (1 children)

There's really nothing wrong with that; it's a sort of half-baked 1.5FA. I would hope/assume you had to immediately change your password after.

[–] mosiacmango@lemm.ee 45 points 2 months ago* (last edited 2 months ago) (3 children)

It's just 1 factor, as they are using "something you have," i.e. your email account, to authenticate you initially. Anyone with access to the account would have the password, so it can't count as a unique factor.

[–] azertyfun@sh.itjust.works 29 points 2 months ago (1 children)

99% of websites, even with "2FA" enabled, allow resetting all login credentials with an email reset. Or worse, an SMS reset.

AKA it's all just 1FA, with the password+TOTP just being there for "convenience", and they trust Gmail's actual 2FA not to get breached, because if it does then the account is donzo.

Not that emailing passwords is good, because users won't change them and are likely to leak them. However, login systems that are just an email with temporary credentials are superior to the standard system with the possibility to reset the password by email, since they're basically that with less attack surface. The service provider never even has to process the user's password. Literally the only downside is usability, which can be a worthwhile tradeoff.

Alternatively one could do OIDC, but the downside is it only works with whichever authentication providers are set up, whereas email registrations work without an intermediary such as Google or Microsoft, which is a big plus in my book, and might even be a hard requirement in B2B scenarios.

[–] Jarix@lemmy.world 4 points 2 months ago (2 children)

I'm not tech literate anymore, what's OIDC? I figured out the other ones.

[–] azertyfun@sh.itjust.works 4 points 2 months ago (1 children)

OpenID Connect, the standardized form of OAuth for the sole purpose of authenticating users to third-party services (i.e. Google says "yes, I certify it is john.smith@gmail.com logging in to your service").

[–] Jarix@lemmy.world 4 points 2 months ago

Much love for responding

[–] Nikls94@lemmy.world 2 points 2 weeks ago (1 children)

"I'm not tech literate anymore"

That hit hard.

[–] Jarix@lemmy.world 1 points 2 weeks ago

The beat rolls on

[–] AlecSadler@sh.itjust.works 4 points 2 months ago

Hmm, yup, you're right, my bad.

I guess it'd help if it still required an MFA code added or something.

[–] Ptsf@lemmy.world 2 points 2 months ago* (last edited 2 months ago)

The 1.5 is them relying on your email provider to provide the 2-factor 😂

[–] Agent641@lemmy.world 5 points 2 months ago

Australian Army still does this.

[–] whoisearth@lemmy.ca 4 points 2 months ago (1 children)

This is asinine and anyone responding that this is normal is asinine as well. You can email a link to reset the password but if you're sending a plaintext password, even with the intention of changing it immediately, you're a fucking idiot.

[–] jol@discuss.tchncs.de 3 points 2 months ago

Yeah, I'm shocked with the other responses to my comment...

[–] Jyek@sh.itjust.works 1 points 2 months ago

Some banks do this and then ask you to change it later.

It's ok if you need to immediately change it.