by dskrvk 1357 days ago
Lower in the same thread: https://twitter.com/chadloder/status/1577906942080598017?s=6...

> PS: Many unhoused people access their email rarely, intermittently; they don't stay logged in. They often have to guess several times to remember their password.

2FA doesn’t work, and remembering passwords doesn’t work either. Checkmate.

2 comments

Having to guess several times != having forgotten your password.

I think what this actually calls for though is a way to prove your identity by talking to an actual human. Something that used to be the standard before tech companies declared that it was too inefficient.

Sadly, SIM cloning attacks start by social engineering a cell phone support person into sending the attacker a replacement for the SIM they "lost".

You're thinking of SIM swapping attacks. SIM cloning is much harder without breaching the SIM manufacturer (often Gemalto or another giant vendor).

Rerouting traffic with a malicious home location record (like what was done to Merkel for years), or changing the eSPID/NNID for a numbers texting enablement is much easier than doing a SIM swap and you can usually avoid detection too.

The irony of SIM cards being a cryptographically strong smart card, and then carriers letting their employees give out replacement SIMs left and right. Ah, humans.

fun fact: SIM cards can run applets based on Java. That’s how mobile payments are able to work in developing nations. I think there was a DEFCON talk about it a few years ago.

> They often have to guess several times to remember their password.

I think pointless password rules are at the heart of this problem for many non-technical people who probably haven't been operating with a password storage solution and might not be used to that system or trust it.

Every platform has their own special requirements for passwords: some require a mix of capital and uppercase letters, some require numbers, some require a special symbol, some require a special symbol but no not that one, some restrict you from entering 3 of the same character in a row, some passwords have a short max character limit, some prevent certain characters like spaces, some require you to change it every so often, etc. Eventually, the password is forgotten or confused with another because of these pointless password rules.

I called them pointless password rules because they reduce the possible number of combinations required for an attacker to guess the password because any guessing program knows what can't possibly be valid combinations.
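The search-space reduction this comment describes can be measured directly. The script below is an added example, not code from the thread or from any of the commenters: it takes a small constructed alphabet (an assumption chosen so that every candidate can be enumerated), applies three composition rules of the kind listed above (at least one digit, at least one symbol, no character three times in a row), and reports how many candidates a guessing program can discard without trying them, expressed as bits of entropy lost versus an unconstrained password of the same length.

```python
import itertools
import math

# Constructed toy alphabet (assumption for the example): 3 lowercase
# letters, 2 digits and 1 symbol, so that exhaustive enumeration stays small.
LOWER = "abc"
DIGITS = "01"
SYMBOLS = "!"
ALPHABET = LOWER + DIGITS + SYMBOLS


def allowed_by_rules(pw: str) -> bool:
    """Composition rules of the kind the comment lists: at least one digit,
    at least one symbol, and no character repeated three times in a row."""
    has_digit = any(c in DIGITS for c in pw)
    has_symbol = any(c in SYMBOLS for c in pw)
    no_triple = all(
        pw[i] != pw[i + 1] or pw[i] != pw[i + 2]
        for i in range(len(pw) - 2)
    )
    return has_digit and has_symbol and no_triple


def count_valid(length: int) -> tuple[int, int]:
    """Return (total candidates, candidates the rules still allow).

    Every string the rules reject is one a guesser never has to try,
    because it knows in advance it cannot be a valid password."""
    total = len(ALPHABET) ** length
    valid = sum(
        1
        for chars in itertools.product(ALPHABET, repeat=length)
        if allowed_by_rules("".join(chars))
    )
    return total, valid


def entropy_loss_bits(length: int) -> float:
    """Bits of search space the rules remove compared with an
    unconstrained password of the same length over the same alphabet."""
    total, valid = count_valid(length)
    return math.log2(total / valid)


if __name__ == "__main__":
    for n in (3, 4, 5):
        total, valid = count_valid(n)
        print(f"length {n}: {valid} of {total} candidates survive the rules, "
              f"{entropy_loss_bits(n):.2f} bits lost")
```

For length 3 only 54 of the 216 strings satisfy the rules, so an attacker who knows the policy skips three quarters of the keyspace, a loss of exactly 2 bits; lengthening the password restores far more search space than any composition rule removes, which is the usual argument for a minimum length over the rule list above.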