Topic: Authentication and Passwords – Ctrl blog
Daniel Aleksandersen, https://www.daniel.priv.no/
Copyright © 2023 Daniel Aleksandersen.
Feed last updated: 2023-08-08T12:56:00Z

2023-08-08: The trouble with decommissioning a used FIDO (Fast IDentity Online) security key
You can’t throw out your worn-out USB security keys when you can’t recall which locks they’re for. Physical security tokens come with their own problems.
<p>Five years ago, I wrote about adopting security keys — small second-factor authentication token devices — to secure some of my most precious online accounts. In that article, I foresaw a future problem and detailed how I planned to mitigate it. The future is now, and I did not heed my own advice. 🤦‍♂️</p>
<p><a href="https://www.ctrl.blog/entry/security-key-decommission.html">Read more …</a></p>

2023-02-05: Norway’s BankID undermines anti-phishing best practices
An easily spoofed iframe embedded on every random online merchant’s website is not a safe place to enter my bank password! Is it really BankID‽
<p>Imagine a privatized nationwide authentication system used to access government services, confirm contracts and online payments, and everything else. Now, imagine that the system was designed to be extra friendly to imitation and credential theft (“phishing”). Here’s everything wrong with Norway’s BankID authentication system.</p>
<p><a href="https://www.ctrl.blog/entry/bankid-iframe-phishing.html">Read more …</a></p>

2021-05-24: Why KeePass instead of self-hosting Bitwarden
You can control your password manager with KeePass or a self-hosted Bitwarden Server. One is a simple password vault file and the other a complex server.
<p>Here’s why I decided to move my passwords to a KeePass database file instead of using Bitwarden with a self-hosted server. It comes down to keeping my passwords out of the browser, and my setup simple and manageable.</p>
<p><a href="https://www.ctrl.blog/entry/keepass-vs-bitwarden-server.html">Read more …</a></p>

2021-05-14: Your clipboard is only as secure as your device
A review and critique of the complexity, security, and unpredictable user experience of modern feature-laden copy–paste clipboards in today’s operating systems.
<p>The system clipboard is part of every modern operating system. It lets us copy and paste text, images, files, and data between different applications. Like everything else these days, it’s increasingly getting tied up with other people’s servers (“the cloud”). So, what does that mean for your clipboard privacy?</p>
<p><a href="https://www.ctrl.blog/entry/clipboard-security.html">Read more …</a></p>

2021-02-23: Be wary of file sync conflicts with KeePass apps on Android
An investigation into, and comparison of, how KeePass-compatible password manager apps for Android handle external changes to an unlocked password vault database.
<p>KeePass is a tried and tested open-source encrypted password manager available for Windows. You can also use one of the many forks for Android, iOS, Linux, macOS, and other operating systems. KeePass has created the de facto standard for encrypted password vault/database files (<code>.kdbx</code>). Syncing the vault files between your computers and Android can cause problems with some KeePass apps, however.</p>
<p><a href="https://www.ctrl.blog/entry/keepass-file-conflicts-android.html">Read more …</a></p>