
Thread 105921010

91 posts 26 images /g/
Anonymous No.105921010 [Report] >>105921039 >>105921080 >>105921094 >>105921105 >>105921206 >>105921273 >>105921293 >>105921311 >>105921534 >>105921625 >>105923098 >>105923108 >>105924555 >>105924675
I WONT DO IT, I REFUSE!
Anonymous No.105921039 [Report]
>>105921010 (OP)
Not my problem. I don't use microshit products.
Anonymous No.105921042 [Report]
What if you don't have a phone?
Anonymous No.105921080 [Report] >>105921418 >>105922435 >>105922634
>>105921010 (OP)
I don't have a microsoft account. My windows is pirated, my office is pirated, my games are pirated.
Anonymous No.105921094 [Report] >>105921206 >>105924310
>>105921010 (OP)
It still uses passwords.
They just hide them.
Anonymous No.105921105 [Report] >>105921222
>>105921010 (OP)
Nonsense. Never going to happen.
IT guy’s phone dies and all servers go off line.
LOL.
Anonymous No.105921137 [Report] >>105921428 >>105922405
!remindme in two more weeks when jeets fuck up passwordless logins and microsofts entire userbase is logged out of their accounts
Anonymous No.105921206 [Report] >>105921303 >>105921820 >>105924676
>>105921010 (OP)
This is gonna break my tens-of-thousands of seats employer's SSO if true. Something tells me this is fake news.
>>105921094
That's not how passkeys work, the hidden data is a string in a TPM or similar secure enclave, it's not a password because it's never sent to another party, it's closer to public key crypto.
Anonymous No.105921222 [Report] >>105922813
>>105921105
as long as they offer 2fa via phone authenticator instead of doing the passwordless thing it's fine. But yeah, I dont want to use the passkeys feature, I dont trust it.
Anonymous No.105921252 [Report] >>105921270
I disabled TPM 2.0 and switched to 1.2 in my bios to prevent Windows 11 updates. Am I retarded or a genius? I own 2 Yubikeys and could have just left one plugged in 24/7 to solve this problem btw.
Anonymous No.105921264 [Report]
i don't mind clicking the link in the email to log in
i'd rather use a regular password though
Anonymous No.105921270 [Report]
>>105921252
You're retarded for not using IoT LTSC where disabling automatic updates and having a pick-and-choose Windows 7 style interface is literally 1 group policy edit away.
Anonymous No.105921273 [Report]
>>105921010 (OP)
Ok. I don't use that shit anyway.
Anonymous No.105921293 [Report] >>105921409
>>105921010 (OP)
Btw this doesn't improve account security at all, it's the opposite.
Anonymous No.105921303 [Report]
>>105921206
> the hidden data is a string in a TPM or similar secure enclave
Yes, that’s what I was referring to.
And no, the definition of a password does not exclude “things stored in a secure enclave”.
It’s a password.
> “Maybe it’s a hash… that’s not a password”
It’s a password equivalent.
How long has it been since /etc/shadow was invented? It’s the same as the SAM database.
Passwords are also fundamental to the way kerberos works.
Same with smart cards: when you set up a smart card, it sets your password in AD to a random string, and the AD uses that to make kerberos work.
Then you use another password to decrypt the contents of your smart card. Or “pin”
I think the terminology is just to get around specifically worded legal or regulatory guidelines.
It’s passwords all the way down.
Without passwords, no existing programs or infrastructure would work.
> biometrics?
Your biometric identifiers unlock a password (usually in the TPM) and use that.
It’s the password you set up windows with.
Passwords are ancient, eternal, and essential.
Call it a “key” or a “pin” or a “code” if you will. Passwords will never go away, and definitely not on any rigorously mathematically proven system for some time.
The current schemes are just marketing trickery.
Remember microsoft’s syskey debacle?
Anonymous No.105921311 [Report] >>105921398 >>105921749 >>105921768 >>105922911
>>105921010 (OP)
This is so goddamned annoying.
I'm still not sure how I'm supposed to track my phone if it gets stolen if I can't login to fucking Google
Anonymous No.105921398 [Report] >>105921768
>>105921311
You're basically fucked. That's why this is a retarded unsafe idea. This passwordless login is "safer" based in assuming users are stupid and are always going to use the same tiny basic password. It's just not safer. Much easier to crack.
Anonymous No.105921409 [Report] >>105921531
>>105921293
thanks for the zero information comment, next time please dont post anything
Anonymous No.105921418 [Report]
>>105921080
based. based. based. based
Anonymous No.105921428 [Report]
>>105921137
>!remindme
bait from reddit
Anonymous No.105921467 [Report] >>105921512
Police can't force you to provide a password to your phone without a court order, they CAN with biometrics and passkey tied to device.
Anonymous No.105921512 [Report]
>>105921467
Wut u finna fixing to hide, boy?
Anonymous No.105921531 [Report]
>>105921409
> I'm an hypocrite
Yes I know you are you didn't have to tell me. It's less safe because PINs are inherently less safe than passwords. They're much easier to brute force attack. This passwordless crap is relying on account lock, but what makes Microsoft think I can't somehow disable the lock? If all the code is local it's possible. Stupid idea by stupid people but they'll learn once this PIN or biometric idea is cracked. Btw it was already cracked once. Happy? Maybe you should stop posting comments are read a fucking book you stupid faggot.
Anonymous No.105921534 [Report]
>>105921010 (OP)
Gee, I can't wait to approve myself 100 times in a row on Windows like when I try to login to xbox.com!
Anonymous No.105921625 [Report] >>105921724 >>105921778 >>105922226
>>105921010 (OP)
how is being ((passwordless)) supposed to stop phishing attacks?
Anonymous No.105921724 [Report] >>105921778
>>105921625
The idea is that you don't send your potentially unencrypted password to a malicious clone site. The PIN unlocks your keys that are used for authentication, it's not the PIN that authenticates. It's the same when you ssh but instead of protecting your keys with a password, they want you to use a PIN or biometrics.
Anonymous No.105921749 [Report]
>>105921311
Buy new phone. Better yet, buy two.
Or buy a phone subscription, every year get a phone in the mail pre-configured with your biometrics that they got somehow… don’t question it.
Anonymous No.105921768 [Report] >>105921845 >>105921972 >>105922911 >>105923199
>>105921311
>>105921398

I've now asked AI to explain this to me, don't worry. I got you bro.

Scenario 1:
1. You lose device A.
2. You don't have another device.
3. You did not enable sync of passkeys to your master Google/Microsoft/Apple/Bitwarden account.
4. You are effed.

Scenario 2:
1. You lose device A.
2. You have another device B and you logged into the master account once with a passkey
3. You DID enable passkey sync to this master account
4. You now have "credential records" stored in your master account for everything from device A.
5. These credential records can be used to generate new passkeys to access everything on device B.

So basically: you always need a second device that can access your password manager. To be fair to the inventors of passkeys: Frankly that's how I already treat my password manager, I always try to have bitwarden somewhere on some device. I'd be very concerned if I had to access bitwarden fresh from zero because what if it asks me for email confirmation on my gmail because my bitwarden account is using the gmail address but my gmail account is obviously using a long pw stored in bitwarden which I cant access before I can access bitwarden? ...so... yeah...
Anonymous No.105921778 [Report] >>105921801 >>105922393
>>105921625
It doesn’t.
>>105921724
> pin
Password
> keys
password

How do you get from entering your password on the SAS desktop to sending that password out automatically to web sites?
Anonymous No.105921801 [Report]
>>105921778
it does stop phishing attacks, you can't enter the passkey for domain A while surfing on a faked url that in reality is domain B. That's one of the main benefits of passkeys and it's a real benefit.
Anonymous No.105921820 [Report]
>>105921206
yeah too bad OP thinks this is /pol/ and didn't give the link to his article like a massive queer
Anonymous No.105921829 [Report] >>105922123
apparently another huge benefit of passkeys could be that you can simply invalidate a DEVICE if your device gets stolen. Meaning that you no longer have to change the password inside every single service you ever used when your phone gets stolen.. you just invalidate that device in your password manager and no passkey from that device will be able to access your accounts anymore. That would be a huge benefit if it's really true.
Anonymous No.105921845 [Report] >>105921878
>>105921768
will you AI retards fuck off already? your post is complete horse shit and you clearly dont actually know the answer. why did you feel the need to post?
Anonymous No.105921878 [Report]
>>105921845
You are wrong and being anti-AI is retarded so you are a retard
Anonymous No.105921926 [Report] >>105921967
>Attacker lures your phone pin key
>Attacker yoinks your phone
>Attacker now has access to all your devices, users, banking and shit
Anonymous No.105921967 [Report] >>105921998 >>105922505
>>105921926
same thing happens when someone yoinks your phone and you had bitwarden unlocked. Yet everyone recommends the use of a password manager instead of remembering 350 individual long passwords
Anonymous No.105921972 [Report] >>105921997 >>105922004
>>105921768
Cool, what if your Google/Microsoft/Apple/Bitwarden account gets hacked?
Anonymous No.105921984 [Report]
Centralisation in all forms is the ultimate evil.
Anonymous No.105921997 [Report]
>>105921972
Shut up, nerd
Anonymous No.105921998 [Report] >>105922071
>>105921967
>same thing happens when someone yoinks your phone and you had bitwarden unlocked.

1. No one using a password manager has it unlocked by default.

2. To actually find someone using a password manager must be extremely targeted. Doing it to someone at random the statistical probability of them having a password manager is slim to none.

3. If this becomes the default mode "i.e. no normal passwords just phone button press" then the statistical likelihood of gaining access to someone's entire life from just yoinking their phone converges towards 100% meaning the attacks will become very frequent as the attackers can do it to anyone at random.
Anonymous No.105922004 [Report] >>105922033
>>105921972
what do you think happens? they have access to everything in your account. Duh. If your brain can remember all the complex, long passwords for all services without storing them online in some way or form then please do that. All the actual humans on this planet are going to need to use a form of helper memory however that can be hacked.
Anonymous No.105922033 [Report]
>>105922004
I have memorized the important passwords and never save them on a device. Library card and my nexus mods account will never be lost
Anonymous No.105922071 [Report] >>105922096
>>105921998
>1. No one using a password manager has it unlocked by default.

they very likely have unlockable via PIN or fingerprint which ends up being the same scenario. I personally don't use PIN or biometrics to unlock bitwarden on my phone but that's because I hardly ever use my phone.. however it's super annoying every time I have to enter my long master password manually and then get locked out again every X minutes or whatever your setting is. There is no way on earth that most people aren't using biometrics or PIN for bitwarden.

>2. To actually find someone using a password manager must be extremely targeted. Doing it to someone at random the statistical probability of them having a password manager is slim to none.

ok and? that supports use of a password manager then which also manages passkeys.

> 3. If this becomes the default mode "i.e. no normal passwords just phone button press" then the statistical likelihood of gaining access to someone's entire life from just yoinking their phone converges towards 100% meaning the attacks will become very frequent as the attackers can do it to anyone at random.

well I agree that allowing PIN to be used to access passkeys is a bit insane if passkeys are used for everything in the future. However let's be real here, how do ppl currently use passwords? They just autocomplete them via Google or Apple account right? So if someone has your PIN aka access to your phone then they will very likely get into all your accounts either way. It's just how people use their phones. The only locations where your PIN or biometrics is even asked for again is usually to access device settings or do purchases in the app store. Which of course in this scenario is also not helping you, given how you have the PIN.
The reality is that PIN shouldn't be allowed as an access method. Fingerprint and faceid is hopefully pretty good, idk. The point is to be unbiased about passkeys and not losing your device is very important either way.
Anonymous No.105922096 [Report]
>>105922071
The point is the next step will be to move from phone to chip implant in arm and then the point after that will be to move it to drilled chip in the brain with a government live connection.

Fuck that shit let me keep my passwords. I'm not getting the fucking brain chip drilled in we all know you're pastoring the normies in that direction with password convenience.
Anonymous No.105922123 [Report] >>105922147
>>105921829
Sure, but what if that is the only device you have validated? Or all your validated devices get stolen at once (luggage at an airport or something)?
Anonymous No.105922147 [Report] >>105922186
>>105922123
Skill issue
Anonymous No.105922186 [Report] >>105922225
>>105922147
Sounds more like design flaw to me.
Anonymous No.105922225 [Report] >>105922252
>>105922186
Skill. Issue. Don't argue with the beard, he's sensitive and might get upset
Anonymous No.105922226 [Report] >>105922393
>>105921625
it literally doesnt, especially now with cookie hijacking becoming more prevalent. this is just retarded
Anonymous No.105922252 [Report]
>>105922225
His beard isn't wrong.
Anonymous No.105922349 [Report]
the problem i have with this is to use passwordless, your phone needs to have a lock screen set either pin or biometrics.
Anonymous No.105922393 [Report] >>105922421 >>105922471 >>105922571
>>105922226
>>105921778
So what is the conspiracy theory as to why they are enforcing this?
Anonymous No.105922405 [Report]
>>105921137
>guaranteed week off work
I wish lmao
Anonymous No.105922421 [Report] >>105922560
>>105922393
because you wont know or control your own passwords...Microsoft will control them for you.
Anonymous No.105922435 [Report]
>>105921080
Ring, ring, badabing… is this the head of based department?
Anonymous No.105922471 [Report] >>105922560
>>105922393
They can lock you out of any and all accounts by locking you out of devices.
Anonymous No.105922505 [Report] >>105922521
>>105921967
You can set bitwarden to require entering your master password again even if your vault is unlocked. It's literally a non-issue.
Anonymous No.105922521 [Report] >>105922550
>>105922505
please carefully read the whole thread. Nobody on earth uses bitwarden this way because it's too annoying
Anonymous No.105922534 [Report] >>105922589 >>105922607
I don't get it. Aren't you completely fucked if your PC gets hacked then? They have access to your "passwordless" passkeys and every account you have is instantly compromised.
With passwords, that can't happen, unless you store them inside your computer.

Also hardware passkeys are fucking stupid too. Your YubiKey or whatever is lost, breaks or anything and you are done. No access at all. With passwords, that can't happen, unless you lost your memory and then you probably have bigger problems.
Anonymous No.105922550 [Report]
>>105922521
Yeah true! I'm posting from Uranus!

Hahahahah!
Anonymous No.105922560 [Report]
>>105922471
>>105922421
Can't they just do that regardless of these “asskeys”
Anonymous No.105922571 [Report]
>>105922393
We can positively link your windows account to your phone(s) cell providers, bills, credit cards paying those bills and gps/biometrics removing any anonymity provided by user accounts.
t. iworkintheindustry

Get out of s-mode, make local password accounts.
Must be done before laptop boots for the first time.
First thing you have to do is remove/disable the hard drive in case you miss the bios keystrokes.
Then try. Once windows boots it copies s mode into windows and can’t be undone. Easily.
Don’t buy any device without removable storage.
We patched everything else, so don't bother watching youtube videos about it.
Anonymous No.105922589 [Report] >>105922620 >>105923751
>>105922534
> unless you lost your memory and then you probably have bigger problems
Hahaha… truer words have never been spoken.
The police can physically manipulate your body to force biometric authentication… legally! But they cannot force you to reveal/enter your password. Again, legally. Not sure about other countries outside the US.
Let that sink in.
Anonymous No.105922607 [Report] >>105922666
>>105922534
getting your secure enclave hacked is probably pretty hard, that thing is supposed to be secure. What you are talking about here is a level of hack where you ran a random .exe and they installed whatever they wanted with admin level privileges. Then yes, they can probably in fact get to your passkeys although secure enclaves aren't supposed to be accessible by normie user admin rights either afaik. To be fair every game installation is the equivalent of running a random .exe but then again, that thing was already able to install a keylogger and get all your passwords that way. It's less likely that it can access and intercept your passkeys from your enclave.
Anonymous No.105922620 [Report] >>105922725
>>105922589
laws change all the time and this kind of a quirk is US specific and shouldn't matter. Just use a PIN then if you dont want to use biometrics because a PIN is like a password.
Anonymous No.105922634 [Report]
>>105921080
>windows
Anonymous No.105922666 [Report] >>105922997
>>105922607
>install a keylogger and get all your passwords that way
To get a persistent hack and record everything on the target for weeks or months is so much harder than quickly infiltrating and doing your business in a few seconds/minutes.
Anonymous No.105922725 [Report] >>105924392
>>105922620
The pin, say a 4 digit code, is about the stupidest replacement for a 27 character passphrase I’ve ever heard.
I’m gonna fail every company using that in the security audit.
They’ve literally made shoulder surfing and keyboard monitoring trivial.
> “it’s a pin, now a password, so it’s secure because blah blah…. Tpm … blah blah”
LOL.
It’s meth. That’s what did it. Too much meth.
Anonymous No.105922813 [Report]
>>105921222
>I dont trust it
you shouldn't because it's not a replacement to 2fa, like at all
Anonymous No.105922911 [Report]
>>105921311
keepass supports passkeys, just use that and make a proper backup
>>105921768
>bitwarden password loop
retarded
Anonymous No.105922997 [Report] >>105923409 >>105924467
>>105922666
> persistent hack and record everything
Your model of how this works is a bit too north korea spy like.
We hook into the USB driver, and notice you’re on the SAS desktop and grab those.
Microsoft hooks into that driver to bring up the accessibility dialog, and some other things. They showed us how to do it.

By the way, PSA… in windows, the camera “on” led doesn’t mean shit. I can flash it in morse code if I want.
Meaning, I record your face and play it back.

What you need to do is poison the login screen with gigabytes of shit. I’ll leave the “how” up to you, then look at where it got stored on the disc sectors. Btw we NEVER bother to clean anything up or use a ring buffer because why??
Anonymous No.105923098 [Report]
>>105921010 (OP)
Authenticator, not windows account.
Anonymous No.105923108 [Report]
>>105921010 (OP)
*types password*
*logs in*
i dont get it, whats the problem? im on linux if that matters
Anonymous No.105923199 [Report]
>>105921768
Who the fuck cares?
Anonymous No.105923409 [Report]
>>105922997
Ok piratesofware
Anonymous No.105923751 [Report]
>>105922589
in yurop there is no 5th amendment so you get jailed until you tell your forgotten password
Anonymous No.105923869 [Report]
>using MS services
Anonymous No.105924310 [Report]
>>105921094
The new passkey concept basically uses private and public keys, the service you're using only has your public key so it's actually superior to passwords in that when your gay porn site is compromised they only got your public key instead of the hashed password.

Then to use the passkey, this usually also requires a second factor of authentication on your device like biometric etc. so users don't need to fuck around with OTP 2fa codes.

Still windows is gay and retarded pajeet ware so their implementation of passkeys is probably retarded pajeet shit.
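Added example, not part of any post in this thread: a simplified Node.js simulation of the passkey (WebAuthn-style) flow described in the posts above, showing that the service stores only a public key and that each signature is tied to the real page origin and a fresh challenge. The class and function names, the `example.test` and `evil.invalid` hosts and the suffix-only rpId check are assumptions made for illustration; real browsers and servers do more (public-suffix rules, CBOR parsing, attestation).

```javascript
// Added example: simplified passkey (WebAuthn-style) flow; all names and hosts are constructed.
const { generateKeyPairSync, createHash, randomBytes, sign, verify } = require('crypto');
const sha256 = (data) => createHash('sha256').update(data).digest();

// Authenticator role: private keys never leave it and are looked up by relying-party ID.
class Authenticator {
  #keys = new Map(); // rpId -> { privateKey, signCount }
  register(rpId) {
    const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.#keys.set(rpId, { privateKey, signCount: 0 });
    // Only this public record is handed to the service.
    return { rpId, publicKey: publicKey.export({ type: 'spki', format: 'pem' }) };
  }
  getAssertion(rpId, clientDataJSON) {
    const cred = this.#keys.get(rpId);
    if (!cred) return null; // nothing scoped to this rpId, so nothing to sign with
    const counter = Buffer.alloc(4);
    counter.writeUInt32BE(++cred.signCount);
    // authenticatorData = SHA-256(rpId) || flags (0x01 = user present) || signCount
    const authData = Buffer.concat([sha256(rpId), Buffer.from([0x01]), counter]);
    const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
    return { authData, clientDataJSON, signature: sign('sha256', signed, cred.privateKey) };
  }
}

// Browser role: the page cannot pick the origin; the browser records the real one and
// refuses an rpId that is neither the page's host nor a parent domain of it.
function browserGet(authenticator, pageOrigin, rpId, challenge) {
  const host = new URL(pageOrigin).hostname;
  if (host !== rpId && !host.endsWith('.' + rpId)) return { error: 'rpId-not-allowed-for-origin' };
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: 'webauthn.get', challenge: challenge.toString('base64url'), origin: pageOrigin,
  }));
  return authenticator.getAssertion(rpId, clientDataJSON) ?? { error: 'no-credential-for-rpId' };
}

// Relying-party role: check challenge, origin and rpIdHash, then the signature.
function verifyAssertion(stored, expectedOrigin, expectedChallenge, a) {
  const client = JSON.parse(a.clientDataJSON.toString());
  if (client.type !== 'webauthn.get') return 'bad-type';
  if (client.challenge !== expectedChallenge.toString('base64url')) return 'challenge-mismatch';
  if (client.origin !== expectedOrigin) return 'origin-mismatch';
  if (!a.authData.subarray(0, 32).equals(sha256(stored.rpId))) return 'rpIdHash-mismatch';
  if ((a.authData[32] & 0x01) === 0) return 'user-not-present';
  const signed = Buffer.concat([a.authData, sha256(a.clientDataJSON)]);
  return verify('sha256', signed, stored.publicKey, a.signature) ? 'ok' : 'bad-signature';
}

function demo() {
  const RP_ID = 'login.example.test';                      // constructed relying party
  const RP_ORIGIN = 'https://login.example.test';
  const PHISH = 'https://login.example.test.evil.invalid'; // constructed look-alike origin
  const device = new Authenticator();
  const stored = device.register(RP_ID);                   // what the service keeps
  const c1 = randomBytes(32), c2 = randomBytes(32);        // per-login server challenges
  const good = browserGet(device, RP_ORIGIN, RP_ID, c1);
  const other = new Authenticator();                       // holds a different private key
  other.register(RP_ID);
  const forged = browserGet(other, RP_ORIGIN, RP_ID, c1);
  return {
    legit: verifyAssertion(stored, RP_ORIGIN, c1, good),
    replayOnNewChallenge: verifyAssertion(stored, RP_ORIGIN, c2, good),
    forgedWithOtherKey: verifyAssertion(stored, RP_ORIGIN, c1, forged),
    phishAsksForRealRpId: browserGet(device, PHISH, RP_ID, c1).error,
    phishAsksForOwnRpId: browserGet(device, PHISH, 'evil.invalid', c1).error,
    serverRecordHasPrivateKey: /PRIVATE KEY/.test(stored.publicKey),
  };
}

console.log(demo());
```

The PIN or biometric discussed in the thread sits in front of `getAssertion` on the device and is not modelled here; nothing in this flow sends it to the service.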
Anonymous No.105924392 [Report]
>>105922725
hey I also think it's insane to allow a 4 digit PIN to unlock passkey usage. I'm merely saying that PINs are in fact like passwords... really really bad passwords.
Anonymous No.105924416 [Report]
I need to get rid of my Microshit outlook account and Minecraft accounts
Anonymous No.105924458 [Report] >>105924524
Can someone please explain how a 4-integer PIN is more secure than a much more complex password? Is Microsoft gaslighting us or is there some magic double-encryption somewhere in the back?
Anonymous No.105924467 [Report]
>>105922997
so what if you know where it's stored, surely it's encrypted with a key that you will never find either. Do you also plan to spam wherever you think the keys for the passkey decryption is stored and then somehow decrypt and decipher the proprietary way that windows uses to actually read these things out? I don't think you will get anywhere, the decryption key is probably etched in hardware if they have a brain. Now yes: eventually it has to arrive in software to do the de/encryption but maybe not. Maybe the decryption also gets done directly in hardware.
Anonymous No.105924524 [Report] >>105924568
>>105924458
>Can someone please explain how a 4-integer PIN is more secure than a much more complex password?

the idea is that the PIN is irrelevant because the attacker doesn't have your device. If he does have your device then that's an attack vector that passkeys were not meant to handle. They are literally device keys, it's natural to assume that if someone has the device then he has the key.
I'm sorry. Your phone is the key to your bank account, that's just how it is already. Or is it not? My bank login requires 2fa via banking app.. which is on my phone. So it's not a 2fa at all because I'll be logging in on my phone in the first place. Passkeys were created to defeat phishing attacks online. It is your own fault for merely securing your device with a 4 integer PIN.
Anonymous No.105924555 [Report] >>105924583
>>105921010 (OP)
will this affect me if I don't have a microsoft account?
Anonymous No.105924568 [Report]
>>105924524
My only encounter with this stuff is that my work laptop (Windows 11) makes me unlock it using a PIN instead of my password.
I get the logic if this is about connecting to online services but if you're going to make this depend on a single (light, mobile) device, why would your default protection for that device be so lax?

Thankfully I've never had to deal with this in my private life, I just use a local password manager and rsync the database to my different devices. For my bank I can use some TAN device that scans flashing bars on my monitor if I stick my card into it, and my credit card has 2FA by sending a text message with a code to my dumbphone.
Anonymous No.105924583 [Report] >>105924594
>>105924555
this thread is likely bait, the image only talks about forcing this on ppl who use the microsoft authenticator which is a special app to do 2fa
Anonymous No.105924594 [Report]
>>105924583
ok ty
Anonymous No.105924643 [Report]
How will I get into my Minecraft account?
Anonymous No.105924665 [Report]
Anonymous No.105924675 [Report]
>>105921010 (OP)
>muh security
everything sensitive should be stored and encrypted locally, without using any globohomo services.
Anonymous No.105924676 [Report]
>>105921206
>hidden data is a string in a TPM or similar secure enclave
>device lost or stolen
>lose access to every single internet account
bravo microsoft, bravo infosec influencers, I wish this passkey fad died yesterday