![]() > Passwords used correctly aren't less secure than passwords + 2fa. Well at least we're agreed your entire argument is based on made up theoretical scenarios, rather than the real world, where people's accounts are breached because of poor password security, literally on a daily basis. It's not a good point, and it's what's known as a dick move, to everyone else that uses github slightly differently, but to hell with people different from you, right? But you do make a point, it is more common that people who use gh more, are the most common users. And I'd also argue you'd become better if you tried to fairly consider some of them, instead of being a douche. there are more scenarios than you can imagine. the benefit, inconvenient trade off is worth it to you. the target audience for GitHub needs to use Git on a regular basis, which is at least several orders of magnitude more complex than entering an OTP occasionally when you login via the web. > and the benefits far outweigh any slight inconvenience. Instead of what you're actually doing, which is trying to look cool on the Internet. But my advice to you, if you care about security, more than you care about being right, is to be less dismissive of people who think differently from you, maybe then you'll have a chance at convincing them of anything. Well at least you're being honest about not caring about others. It's not hard to use, and the benefits far outweigh any slight inconvenience. > I mean, I am pretty dismissive of anyone making such a fuss about 2FA. And given human nature, if used incorrectly they might decrease it. But they do increase the chance of lockout. Passwords used correctly aren't less secure than passwords + 2fa. > If your OSS project has meaningful users, and a bus factor of one, it's already under those same risks every day you wake up, but it has the added risk of a malicious actor taking control of your account. ![]() You'd convince a lot more people that you're right, if you even pretended like you believe that instead of acting like you're hot shit. You don't understand the world in which I live better than me, and you don't understand my threat model better than I do. While I'm pretty sure this will conflict with your world view. I used contrived, because I meant contrived. > Well at least you used the right word, even if you didn't intend that meaning. Feels very much like your omitted preamble is "just do what GH tells you and don't complain". Also, I assume you didn't mean this comment to sound so dismissive, but that's definitely how it reads. Which means this new requirement can *only* make things worse. And if I wont play along with GH 2fa security rules, GH doesn't gain any security benefit themselves. It's not anyone else responsibility to make security decisions for me. I've been locked out of my account for HOURS, multiple times because I'll fat finger one extra key, or the wrong number without realizing it, only to have GH "helpfully" submit the wrong number, i wouldn't have, as the last chance before a lockout timer. ![]() My users will be at risk! you'd better hope it's a short vacation.Īlso, as an existing user of 2fa on GH, GH's implemention can get fucked! It auto submits 2fa otps for you. If I cant login to fix or even remove a binary. Say I run a FOSS project and leave my 2fa at home when I leave for some vacation? And in that same time I get a report about a security bug. In fact there's plenty of contrived scenarios in where this will decrease security. If I'm not willing to participate in this security "upgrade", it will not meaningful increase my security. As a security geek, and someone who's written on how passwords should be considered harmful.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |