**** BEGIN LOGGING AT Thu Jun 11 02:59:59 2020
Jun 11 06:31:37 <brolin_empey> I love these lame applications that tell the user that their password has expired and needs to be changed but happily accept the expired password as the “new” password, such as the Web site for my current (since 2018 June) credit card provider who just expired my original password.
Jun 11 06:34:36 <brolin_empey> Even Windows 2000 originally did this but Microsoft may have fixed it in one of the service packs.
Jun 11 07:30:34 <luke-jr> brolin_empey: is there a legit use case for expiring passwords?
Jun 11 08:47:37 <sixwheeledbeast> I fail to see the point in expiring passwords. Some companies have it as a policy. People are lazy you make it harder for people that use password management and the ones that dont care generally use the same password but change the last character.
Jun 11 08:49:56 <sixwheeledbeast> As much as I hate biometrics it works for people that aren't interested.
Jun 11 09:40:55 <Maxdamantus> I hate that most things even use passwords.
Jun 11 09:42:54 <Maxdamantus> If a system is relyping on something like email as its actual authority (eg, systems where you can reset a password as long as you have access to an email address), a password is only really a convenience feature that makes it quicker to authorise (enter a memorised password instead of go through an email validation cycle).
Jun 11 09:45:07 <Maxdamantus> Most sites should either just use email validation to log in. If it's something that someone is using frequently, then allow their broswser to remember the a long-lived session cookie, otherwise if they're using it infrequently, they're going to forget their password and go through an email validation cycle anyway.
Jun 11 09:45:44 <Maxdamantus> s/either //
Jun 11 09:45:44 <infobot> Maxdamantus meant: Most sites should just use email validation to log in. If it's something that someone is using frequently, then allow their broswser to remember the a long-lived session cookie, otherwise if they're using it infrequently, they're going to forget their pas...
Jun 11 10:05:56 <sixwheeledbeast> Your requiring the need for email and browser which maybe inconvenient. i don't want my browser to remember any cookies between sessions.
Jun 11 10:08:27 <sixwheeledbeast> A password is providing a weak form of 2FA. If your email is compromised then you validate all sessions from there its a single point failure.
Jun 11 10:10:24 <sixwheeledbeast> Also i believe we where referring to security more generally so logging into the system in the first place for example.
Jun 11 10:25:27 <Maxdamantus> No. Allowing a password is a weakening of the system. 2FA is about requiring an *extra* requirement for authentication. Most password systems are about providing an *alternative* requirement for authentication.
Jun 11 10:25:57 <Maxdamantus> Since most password systems allow you to authenticate if you've forgotten the password.
Jun 11 10:26:14 <Maxdamantus> So the password is not actually required, it's just a way of access the system quicker.
Jun 11 10:29:00 <Maxdamantus> 2FA requires 2 factors when authenticating. Password systems usually allow you to authenticate using only one factor (the password). Those systems also usually allow you to authenticate using the email, but they don't require you to authenticate using both.
Jun 11 10:29:23 <Maxdamantus> So again, you've got two alternative ways of accessing the system, therefore it's strictly weaker.
Jun 11 10:29:50 <Maxdamantus> and passwords seem like a very weak system.
Jun 11 10:29:58 <Maxdamantus> Since people reuse passwords all the time.
Jun 11 10:31:41 <Maxdamantus> > If your email is compromised then you validate all sessions from there its a single point failure.
Jun 11 10:32:00 <Maxdamantus> Most password systems allow you to recover if you have access to email.
Jun 11 10:32:38 <Maxdamantus> So by having a password, they're not protecting against that.
Jun 11 10:37:40 <Maxdamantus> It's like allowing your friend into your house by opening the door for them (you are the primary authority), and then for convenience you can give them a door key.
Jun 11 10:38:29 <Maxdamantus> Giving them a key is a weakening of security.
Jun 11 10:38:43 <sixwheeledbeast> Not protecting no, but not providing access to everywhere else. If you have forgotten a password you would have to validate in the same way as registering the account in the first place and this would clear the password.
Jun 11 10:39:46 <Maxdamantus> Right, so why not just require them to validate the same way each time they log in?
Jun 11 10:40:04 <Maxdamantus> Instead of giving out extra keys that can be used to bypass the primary authority mechanism?
Jun 11 10:40:33 <sixwheeledbeast> Well because it inconvenient just like never leaving your house so you can let your friend in.
Jun 11 10:40:53 <sixwheeledbeast> to use your analogy 
Jun 11 10:40:59 <Maxdamantus> Right, so it's a convenience feature. It's a weakening of security.
Jun 11 10:42:17 <sixwheeledbeast> I don't agree. It's systematically not compatible with people but itself it isn't a weakness IMO.
Jun 11 10:42:34 <Maxdamantus> If it's a site that's used once every month or two, you might as well just have that initial validation as the way people log in, because it's likely that at that length of time, it's going to be more annoying trying to memorise a password than checking an email.
Jun 11 10:43:49 <Maxdamantus> It's clearly a weakness. You still have the alternative way of authenticating (using email or whatever). Like the door analogy, you can still ask your friend to let you in.
Jun 11 10:44:08 <Maxdamantus> But having a password/key is an extra vulnerability that can be exploited by others.
Jun 11 10:44:56 <Maxdamantus> You could accidentally leave your key somewhere, or you could reuse a password, or you could enter your password into another website as you're trying to remember their password.
Jun 11 10:45:44 <Maxdamantus> the password/key is a way of bypassing that primary authority mechanism (asking the friend, or verifying an email address)
Jun 11 10:46:21 <sixwheeledbeast> As I say it not just about websites, you have security before you even get to a browser or email client. Using passwords incorrectly is down to the user not the method.
Jun 11 10:47:08 <Maxdamantus> I'm not opposed to passwords overall. I just think most of them are useless.
Jun 11 10:47:24 <Maxdamantus> There are relatively few things that should actually use passwords. That does not include most websites.
Jun 11 10:48:44 <Maxdamantus> Most websites ultimately authenticate using email validation. Obviously if you're talking about access to an email account, or access to some system using ssh, you're not ultimately using email validation, so a password might make sense in those situations.
Jun 11 10:49:14 <Maxdamantus> s/useless/useless and a security liability/
Jun 11 10:49:14 <infobot> Maxdamantus meant: Most websites ultimately authenticate using email validation. Obviously if you're talking about access to an email account, or access to some system using ssh, you're not ultimately using email validation, so a password might make sense in those situation...
Jun 11 10:52:38 <sixwheeledbeast> You can't expect to validate every session via email on every site everytime you start a new browsing session. 
Jun 11 10:55:53 <Maxdamantus> Then remember the session.
Jun 11 10:55:57 <sixwheeledbeast> The overhead created both ways would be ridiculous, also your email would not be protected via HTTPS. Leaving your browsing session open would be like leaving your front door open.
Jun 11 10:56:07 <Maxdamantus> You mentioned password managers before. Where is the password being saved?
Jun 11 10:56:25 <sixwheeledbeast> encypted somewhere else
Jun 11 10:56:43 <Maxdamantus> Encrypted using what?
Jun 11 10:57:08 <Maxdamantus> To the extent that most people use password management, it's just making the password accessible to the browser.
Jun 11 10:57:37 <Maxdamantus> Might as well just store cookies instead. At least cookies are essentially forced to be randomly generated instead of potentially reused across different websites.
Jun 11 10:58:13 <sixwheeledbeast> Encrypted with whatever the latest standard is an stored away from the session.
Jun 11 10:58:45 <Maxdamantus> It would be fine if passwords were also required to be randomly generated (as often happens when people use more advanced password managers), but the point of a password is generally that the user is able to choose a common phrase that they can remember. There's nothing preventing them from reusing that phrase across different sites.
Jun 11 10:59:04 <Maxdamantus> What's the difference between encrypting the password and encrypting the cookies?
Jun 11 11:01:37 <Maxdamantus> (When I said "encrypted using what?" I meant: what is the source of the encryption key. You can't just encrypt something and then claim you've added security. If you store the encryption key next to the encrypted data, there's no added security.)
Jun 11 11:02:03 <sixwheeledbeast> I am not saying the are perfect and that the system systematically helps people use them correctly.
Jun 11 11:04:34 <Maxdamantus> If passwords are being encrypted using, eg, the user's OS password (so the actual key is encrypted using the user's OS password), browsers might as well just be doing the same thing with their cookie stores. If you forget your OS password, you lose access to your cookies.
Jun 11 11:04:43 <sixwheeledbeast> Well you could be flexible the key can be anything:- psychical hardware, a piece of data, a "strong master password" that is only knowledge and not used elsewhere. 
Jun 11 11:04:44 <Maxdamantus> imo that's a pretty decent system.
Jun 11 11:11:58 <sixwheeledbeast> Ultimately my ideal solution is a device combined with a password. (something I have and something I know). Which is pretty much what i have now, the random passwords that the manager makes up mean nothing to me or anyone.
Jun 11 11:13:37 <Maxdamantus> Sure, so that's not really a password. It's still probably a weakening of the system, but it's not as weak as a typical password setup.
Jun 11 11:13:55 <Maxdamantus> (typical password setup as in where the user remembers a password and types it in each time)
Jun 11 11:14:25 <sixwheeledbeast> the issue with cookies is being tracked, you have no easy control over saving just the password and not the rest of the session to login quickly.
Jun 11 11:16:21 <sixwheeledbeast> Yer i see what you mean from the POV of I am using the "Password" box as a "Key" so it's not really a "password" 
Jun 11 11:19:32 <sixwheeledbeast> I have never considered a password to be a "password" it's just a string of memorable characters.
Jun 11 11:20:16 <Maxdamantus> also, in cases where websites do legitimately need to use actual passwords, I want there to be some sort of augmented PAKE system (eg, SRP or OPAQUE). It requires support from the web browser or OS, but it means it's not unsafe to, eg, reuse a password across multiple sites.
Jun 11 11:21:34 <Maxdamantus> I imagine the main issue with PAKE is getting a UX that people learn to use properly, so they're informed that the browser/OS is asking for the password instead of the website.
Jun 11 11:25:41 <Maxdamantus> imo SRP would also be suitable in place of ssh password authentication.
Jun 11 11:25:48 <sixwheeledbeast> They are not going away, as other options all have equal flaws or implementation issues.
**** ENDING LOGGING AT Fri Jun 12 02:59:58 2020