Hacker News new | ask | show | jobs
by ffsm8 76 days ago
Changing a password that's randomly generated is security theatre. It doesn't meaningfully improve security

Also it's entirely possible they only compromised a honeypot.

Considering their track record, that's actually more likely tbh
1 comments
mattbis 76 days ago
Honeypot sure I didn't think of that.. But I was under the impression the FBI confirmed it ? So we can rule it out.

Making the password impossible to guess - how could that not be?

Since then you know you have a breach, as its randomised gibberish, if you then get the 2nd device asking " is this you trying to login " you can definitely know you are compromised....

I can't see your logic here, that isn't " theatre " ????

If you think that is theatre what is better then? Words and numbers.. easily brute forced.. Sorry can't agree.

link
ffsm8 76 days ago
Why would they willingly destroy their successful honeypot if the other party announced they've access to it?

I haven't seen what's in it either though, but I would not rule it out yet, especially when the FBI is involved - which love those tactics

When you're compromised, changing the password is obviously not theatre - but changing a password which is randomly generated with enough entropy is what's pointless theatre. A secure password is secure, esp. If you're already using a password manager then the act of changing isn't meaningfully increasing your security (unless you're aware that your password was compromised) because the way to compromise it is what...? Having a keylogger on a device you logged in on? Then the changed password will be just as compromised

link
mattbis 76 days ago
That's why keepass is really useful since you aren't ever typing in the password.. its generated and then copied to the clipboard.. That clipboard is then wiped after X seconds.

So then you know that you have been rooted => If that fails to resolve it.

Reduce the number of vectors to know what you have to change asap. in this scenario you don't want to be guessing about how they did it.

The randomised gibberish just means you can rule out certain things. I can agree on part of what your saying but a string high entropy password, makes it harder to brute..

Many services don't really do that whole retries thing properly. So make it take as long as possible.

If you don't use a random gibberish your password can be cracked on any consumer device in a surprisingly short amount of time...

This way you can then focus on that a session token is probably how they got in.. It's the most common vector these days...

link