edwardr commented on WeChat permanently closes account after user sets offensive password   twitter.com/BethanyAllenE... · Posted by u/drevil-v2
jialutu · 6 years ago
Wow, it's quite disheartening to read some of the comments here. Let's try something, shall we:

- open up private browsing
- press F12 (or however you get the developer console on a Mac) and go to the networking tab
- go to gmail.com, say
- enter your Gmail credentials
- look at the POST request generated, and at the request tab; it will contain your password in plain text

So passwords don't get hashed in transit, which is why having HTTPS is so crucial: it prevents someone in the middle (say when you connect to an open Starbucks wifi) from sniffing out your unencrypted password. The password on the server side initially can be unencrypted before it gets hashed to be stored in the database. So in this instance, the password in the database is hashed, but there is a small period where the password is plain text in memory.

For a site called Hacker News, it's really sad how little people here know about hacking.

edwardr · 6 years ago
As an alternative to this, check out TozID. The premise of their authentication model is to avoid sending the password altogether and use public key crypto to sign and verify requests between the client and the auth server.

https://tozny.com/tozid/

edwardr commented on Ask HN: What's the best corporate password manager?    · Posted by u/flippyhead
bpicolo · 6 years ago
> manage access to probably ~100 services our employees use everyday

Is single sign-on an option, instead? Something like Okta is a much better experience for less technical users (and, well, engineers too) where possible, and also lets you trivially manage credentials access as people on/off board (no need to rotate credentials if you're worried folk may have written them down on paper somewhere with malicious intent). That said, it doesn't help folk with personal credentials management, which can be useful for good security policy in addition.

1Password is my favorite to have around for services that don't support SSO. I like it so much I pay for a family account, even.

edwardr · 6 years ago
I'd agree that SSO is a good option. Check out our SSO solution and ping me with any questions!

https://tozny.com/tozid

edwardr commented on Show HN: Identity management with end-to-end encryption   tozny.com/tozid... · Posted by u/edwardr
johnmarcus · 6 years ago
I can't tell what the offering is here. Is this an SSO platform? Or an alternative to SAML for my app?
edwardr · 6 years ago
It is an SSO platform with authentication based on client side cryptography that enables end-to-end encryption for applications. It supports SAML clients like other SSO platforms.
edwardr commented on GitLab Is Down    · Posted by u/nathanaldensr
edwardr · 6 years ago
Yes - happening here as well.
edwardr commented on FileKit: An open source end-to-end encrypted cloud storage service in JavaScript   github.com/TankerHQ/sdk-j... · Posted by u/tux3
wglb · 7 years ago
edwardr · 7 years ago
Browser crypto has come a long way. With libraries like libsodium and proper implementation I think it’s drastically better than at the time of those articles (2013 and 2011).

Source: we also write encryption libraries and have a free implementation of our browser sdk at https://share.labs.tozny.com

edwardr commented on Show HN: Encrypted One Time Secret Sharing   share.labs.tozny.com/... · Posted by u/edwardr
edwardr · 7 years ago
We made this using sodium for end to end encryption - let me know what you think!

If you're interested in reading more about it check out this blog post https://tozny.com/blog/encrypted-one-time-secret-sharing-app...
