For years, the internet has been shrinking. Not in size, not in data, but in ownership. A vast, decentralized network of personal blogs, forums, and independent communities has been corralled into a handful of paved prison yards controlled by a few massive corporations. Every post, every “friend,” every creative work—
  • @xylogx@lemmy.worldEnglish
    5622 days ago

    I love Lemmy and Voyager and the Fediverse. That said, if it were to become mainstream I forsee some problems. The fact that the login relies on only passwords is pretty terrible. Also, this makes the service vulnerable to bots, sock puppet accounts, brigading, etc.

    • CubitOomEnglish
      1922 days ago

      What would you propose replace passwords to not be susceptible to those things?

      I personally like how secure and non intrusive passwords are, especially when using a self hosted password manager synced with git.

      • @4am@lemm.eeEnglish
        2422 days ago

        Passkeys are much better. Unlike what FAANG companies want you to believe, they do not have to be tied to a device. Use a password manager that supports them (BitWarden) and pretty much never get hacked again because of a password. Website doesn’t need to store anything that an attacker can use. No downside.

        • 032 Mendicant BiasEnglish
          622 days ago

          Any recommended reading for pass keys to get me up to speed? I use Bitwarden and have been happy enough with just passwords via that for a long time now. Only time I’ve seen pass keys mentioned really was Google trying to push it on me but I don’t use their password manager.

          • @4am@lemm.eeEnglish
            421 days ago

            A passkey is a public/private key pair used instead of a password. You store the private key, and the website stores the public key. Data encrypted with the public key can only be decrypted by the private key, and vice-versa.

            This means you can share the public key freely with the website, and even if they get hacked and the public keys are stolen, they’re useless.

            When you log in, they send you a challenge encrypted with the public key, and since you hold the private key, you can decrypt it, create a response to it, re-encrypt it with the private key, and send the response to the website; which then decrypts it with the public key to verify it.

            The initial spec was that each device would have its own passkey and store it in a TPM (that thing Microsoft requires your computer to have for Windows 11), which is a secure memory storage location that only the kernel can access.

            However BitWarden is also able to store them and make them portable. (I think the standard was loosened to allow for this? But don’t quote me on that.) So, now you can have one passkey for the site and it works anywhere you can use BitWarden’a browser extension.

            TLDR: more secure than a password, nothing to forget, stops passwords being stolen.

        • @pulsewidth@lemmy.worldEnglish
          120 days ago

          I’d much rather use a password and a two-factor auth via TOTP code. It’s fast, portable, I can store them on a variety of open source apps, and it’s very hard to hack. I don’t need to use a specific provider, or browser. Flexible and free.

          Passkeys in their current implementation are comparatively a mess. Here’s an article that runs through many reasons why:

          https://arstechnica.com/security/2024/12/passkey-technology-is-elegant-but-its-most-definitely-not-usable-security/

      • @xylogx@lemmy.worldEnglish
        822 days ago

        It is hard to do well which is why I worry. Google probably has the best overall account security, you could fo worse than modeling after them.

        The short answer to your question is Passkeys. But you need a whole system of account recovery around them.

        • CubitOomEnglish
          122 days ago

          Oh, you can easily bypass passkeys with automation. Don’t even need an image recognition model, just a QR-code scanner like zbarimg.

          But i never tried googles passkey feature since it never seemed as secure as a 48 char computer generated password. So I’m not sure exactly how it works.