Stop using email as a trusted authentication source.
This is a case where using it was super convenient because you could have a personal identifier, an easy way to contact the user, and be reasonably sure that password resets would only reach the intended user, all in one convenient plaintext string.
However, it's also a single point of failure, and if a malicious actor can get access to your email account, they can get access to most of your other accounts that use that same address.
Edit: MFA being available in more places has reduced the risk of this happening, assuming that you use it and it's also deployed correctly, i.e. it can't be reset from the same email address that your password resets go to.
I'm kinda glad this happened because I was assuming bad actors were fucking with open source stuff before the XZ stuff came out and now it's on the radar.
Though I wonder if there's any way to automate watching for stuff like this. For instance, the XZ backdoor involved changing what was supposed to be a bad test file; it would be nice to have a system that treats all input files as immutable, and if anything needs to be processed, it goes into a separate output folder plus has a reasoning included as to why the input file needs more processing, especially something that doesn't change from system to system.
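One concrete way to get part of what the comment above asks for, as an added example that is not from any commenter on this page or from the xz project: pin every test fixture to a recorded SHA-256 manifest and fail the build when a fixture is added, removed or modified without an accompanying justification entry. The directory layout, file names, byte contents and the `justifications` mapping are all constructed here for the demo; a real project would commit the manifest and review changes to it like any other code.

```python
import hashlib
import json
import os
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, streamed so large binary fixtures are fine."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict:
    """Map of fixture path (relative, POSIX-style) -> SHA-256 for every file under root."""
    return {
        str(p.relative_to(root)).replace(os.sep, "/"): hash_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifests(old: dict, new: dict) -> dict:
    """Classify fixture changes between a committed manifest and the current tree."""
    added = sorted(set(new) - set(old))
    removed = sorted(set(old) - set(new))
    modified = sorted(k for k in old.keys() & new.keys() if old[k] != new[k])
    return {"added": added, "removed": removed, "modified": modified}


def check_fixtures(root: Path, manifest_path: Path, justifications: dict) -> list:
    """Return violations: fixture changes that have no recorded justification.

    `justifications` is assumed to be a reviewed, committed mapping of
    fixture path -> human-readable reason (e.g. loaded from a JSON file).
    An empty manifest file means every current fixture counts as 'added'.
    """
    old = json.loads(manifest_path.read_text()) if manifest_path.exists() else {}
    changes = diff_manifests(old, build_manifest(root))
    violations = []
    for kind in ("added", "removed", "modified"):
        for fixture in changes[kind]:
            if fixture not in justifications:
                violations.append(f"{kind}: {fixture} (no justification recorded)")
    return violations


def demo() -> dict:
    """Constructed scenario: record a baseline, then silently swap a 'corrupt' fixture."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "tests" / "files"
        root.mkdir(parents=True)
        # Placeholder bytes only; these are not real compressed streams.
        (root / "good-input-1.bin").write_bytes(b"GOOD" + b"\x00" * 16)
        (root / "corrupt-input-1.bin").write_bytes(b"GOOD" + b"\xff" * 16)

        manifest = Path(tmp) / "fixtures.sha256.json"
        manifest.write_text(json.dumps(build_manifest(root), indent=2))
        baseline = check_fixtures(root, manifest, {})

        # A later change rewrites the 'corrupt' fixture and drops in a new one.
        (root / "corrupt-input-1.bin").write_bytes(b"GOOD" + b"\xee" * 16)
        (root / "corrupt-input-2.bin").write_bytes(b"JUNK")
        silent = check_fixtures(root, manifest, {})
        justified = check_fixtures(
            root, manifest, {"corrupt-input-1.bin": "regenerated; reason recorded in review"}
        )
        return {"baseline": baseline, "silent": silent, "justified": justified}


if __name__ == "__main__":
    for name, violations in demo().items():
        print(name, violations)
```

Run in CI as a separate job from the build itself, so a build script that rewrites fixtures cannot also rewrite the manifest. The check is deliberately content-based (hashes), not name-based, because the point of the comment is that a file keeping its name while its bytes change is exactly the case to flag.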
Top down design of protocols by a security- and privacy-conscious organization rather than leaving security to corporations as a side item or PR campaign topic when their primary focuses are marketing, advertising, data collection, and intellectual property.
What?? That’s a month away. That feels really unprofessional and doesn’t foster trust in the company, which is really important when you’re in the security field.
When I heard the news about killing the desktop apps in August I immediately started transitioning my accounts to use the TOTP authenticator built into Bitwarden. Now I’m really glad I did.
Long-time Bitwarden customer, and I did the exact same thing. Prior to that I hadn't even been aware of the OTP functionality in the BW desktop app. Glad I made the move early and don't have to scramble now. This new deadline is going to be a real pain for a lot of Authy desktop users. Weird that the company didn't even feel the need to explain to users the reason for the drastic EOL change. I've used some of their voice/sms services in the past but if I need that kind of thing in the future I'm going to have a good look around at the competitors before I write a line of code or open my wallet again.