>Private keys are NOT your property

>Private keys are NOT your property
>Do NOT attempt to export and view them - they are property of the issuing website, you have just been granted a temporary license to interact with them in a restricted environment
>Applications who refuse to comply WILL be blocked by our gracious corporate overlords at Okta
Friendly reminder that these are the "people" pushing passwordless authentication

  1. 3 weeks ago
    Anonymous

    Yup, that’s exactly what your screenshot implies. Normally I would call you a melodramatic homosexual for deliberately misinterpreting a post, but it’s right there in front of me word-for-word. You missed the part where they’re going to automatically download CP on your computer and then automatically ping FBI servers. It says it right there.

    • 3 weeks ago
      Anonymous

      Tucker recently exposed this as something glowBlack folk actually do to people they don't like. IQfy has long suspected it too.

      Best thing we can hope for is a large nuclear exchange where people like this will be roasted alive in their offices in the beltway.

      • 3 weeks ago
        Anonymous

        >Tucker recently exposed this as something glowBlack folk actually do to people they don't like
        Post proof

      • 3 weeks ago
        Anonymous

        >Tucker
        Stopped reading. moron.

  2. 3 weeks ago
    Anonymous

    They’re not property at all

  3. 3 weeks ago
    Anonymous

    Helps to understand they want keys tied to specific hardware so it's easier to track people. Won't be long before they can only be stored in TPMs / enclaves.

    • 3 weeks ago
      Anonymous

      > has no idea how tpm works
      Black folk like you really should not legally be allowed near anything that's powered by electricity or batteries that controls anything that has a cpu or microcontroller in it.

      • 3 weeks ago
        Anonymous

        It's funny how TPM only became the big bad boogeyman after it was in the news because of Windows 11. The TPM has been around since the early 2000s and it was perfectly fine, but now every schizo is suddenly a TPM expert.

        • 3 weeks ago
          Anonymous

          people have been shitting on TPM since its inception. just because you're a low-information moron who's only just now hearing about it doesn't mean others weren't debating it for decades before your moronic little ass wandered in.

      • 3 weeks ago
        Anonymous

        Tucker recently exposed this as something glowBlack folk actually do to people they don't like. IQfy has long suspected it too.

        Best thing we can hope for is a large nuclear exchange where people like this will be roasted alive in their offices in the beltway.

        It's funny how TPM only became the big bad boogeyman after it was in the news because of Windows 11. The TPM has been around since the early 2000s and it was perfectly fine, but now every schizo is suddenly a TPM expert.

        the problem is not TPM, I have no problem with TPM being on my system and might consider using it as systemd improves support for it
        the problem is remote attestation such that only systems they like are allowed.
        i'm not some schizo thinking there's a backdoor or whatnot in TPM but sometimes I'm fricking cynical and depressed at what the future holds.

        • 3 weeks ago
          Anonymous

          >i'm not some schizo thinking there's a backdoor or whatnot in TPM
          Backdooring crypto implementations is literally the NSA's job. The question is not "is there a backdoor in TPM modules" but "how secret must this backdoor remain / how important are you as a target" and "how easily can your security be defeated by parallel construction that had access to your TPM keys"

          • 3 weeks ago
            Anonymous

            >>i'm not some schizo thinking there's a backdoor or whatnot in TPM
            >Backdooring crypto implementations is literally the NSA's job. The question is not "is there a backdoor in TPM modules" but "how secret must this backdoor remain / how important are you as a target" and "how easily can your security be defeated by parallel construction that had access to your TPM keys"
            exactly this
            thank you for BTFOing the glowBlack person "use TMP trust us bro" gay

      • 3 weeks ago
        Anonymous

        My comment will age well. Won't be long before all adult content is gated behind a centralized service. Your browser will get passkeys from an enclave without any input or control on your part. The current versions are just test runs. The keys will also be tied to your streaming subscriptions and DRM content will only work if your browser has access to the right keys stored on your device.

        • 3 weeks ago
          Anonymous

          Good, normies will be confined to whatever safe spaces their name brand phones and computers corral them into. If you don't like and approve of this you're not white.

          Which you aren't, that's why you went right to porn as an exemplar of freedom. Pornographers should be executed by the state, all of them. No exceptions.

          • 3 weeks ago
            Anonymous

            You made me pee a little. I like it. keep doing it so it stays warm.

          • 3 weeks ago
            Anonymous

            Yeah the state surely won't ever call some wrong thinker a pornographer and execute them while simultaneously making porno of themselves raping and eating kids. Haha

          • 3 weeks ago
            Anonymous

            People dumb enough to want to expand the power of the state are also usually dumb enough to think they'll be the ones to call the shots.

    • 3 weeks ago
      Anonymous

      TPM isn't that secure, you can grab the keys off the bus with just a simple logic analyzer, fTPM on the other hand is a bit more tricky but they will end up in memory one way or another, it just takes one small kernel exploit to leak all kinds of data no matter how locked down the system is and we've seen this with consoles already.

      what are they referring to with "passkeys"?

      public-private key auth for the web, instead of logging in with a passphrase the server encrypts something with your public key and you send the decrypted value, helps if your device is slightly compromised but it requires remote attestation to be useful.

      • 3 weeks ago
        Anonymous

        >public-private key auth for the web, instead of logging in with a passphrase the server encrypts something with your public key and you send the decrypted value, helps if your device is slightly compromised but it requires remote attestation to be useful.
        are you talking about certificate logins?

        • 3 weeks ago
          Anonymous

          That's close but not the same, they are both asymmetric encryption but certs are issued by a centralized CA while keypass can be created locally, kinda like self-signed certs.

      • 3 weeks ago
        Anonymous

        >they will end up in memory one way or another
        that's not how it works, the tpm is a self-contained system, you could only get access to the challenge and the response
        by sniffing, not the key

        • 3 weeks ago
          Anonymous

          True but some systems actually store keys in the TPM that need to be exported like bitlocker keys which can be sniffed.

      • 3 weeks ago
        Anonymous

        I can understand using attestation in a private setting like for employee accounts in a business but it should not be used literally anywhere else.
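
The passkey login and the "challenge and response" discussed in the replies above, as an added example that is not part of the thread: in WebAuthn the authenticator signs the server's challenge rather than decrypting anything, so only the public key, the challenge and the signed response ever reach the website. The class names and the example.test origins are constructed, and the message layout is simplified from the real assertion format.

```javascript
// Added example: simplified WebAuthn-style assertion (not byte-exact to the spec).
// Authenticator, RelyingParty and the example.test origins are constructed names.
const crypto = require('node:crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Authenticator: holds the private key and only ever emits signatures.
class Authenticator {
  constructor(rpId) {
    const pair = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.rpId = rpId;
    this.privateKey = pair.privateKey; // stays on the device
    this.publicKey = pair.publicKey;   // handed to the site once, at registration
    this.signCount = 0;
  }

  // `origin` is filled in by the browser, not by the page asking for the login.
  getAssertion(challenge, origin) {
    const clientDataJSON = Buffer.from(JSON.stringify({
      type: 'webauthn.get',
      challenge: challenge.toString('base64url'),
      origin,
    }));
    const flags = Buffer.from([0x05]); // user present (0x01) | user verified (0x04)
    const counter = Buffer.alloc(4);
    counter.writeUInt32BE(++this.signCount);
    const authenticatorData = Buffer.concat([sha256(this.rpId), flags, counter]);
    const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
    const signature = crypto.sign('sha256', signed, this.privateKey);
    return { clientDataJSON, authenticatorData, signature };
  }
}

// Relying party (the website): stores the public key, never sees the private one.
class RelyingParty {
  constructor(rpId, origin) {
    Object.assign(this, { rpId, origin, publicKey: null, lastCount: 0, pending: null });
  }
  register(publicKey) { this.publicKey = publicKey; }
  newChallenge() { return (this.pending = crypto.randomBytes(32)); }

  verify({ clientDataJSON, authenticatorData, signature }) {
    const challenge = this.pending;
    this.pending = null; // a challenge is good for one attempt only
    if (!challenge) return 'no-pending-challenge';
    const client = JSON.parse(clientDataJSON.toString());
    if (client.type !== 'webauthn.get') return 'bad-type';
    if (client.challenge !== challenge.toString('base64url')) return 'bad-challenge';
    if (client.origin !== this.origin) return 'bad-origin';
    if (!authenticatorData.subarray(0, 32).equals(sha256(this.rpId))) return 'bad-rp-id';
    if ((authenticatorData[32] & 0x01) === 0) return 'user-not-present';
    const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
    if (!crypto.verify('sha256', signed, this.publicKey, signature)) return 'bad-signature';
    const count = authenticatorData.readUInt32BE(33);
    if (count <= this.lastCount) return 'counter-regressed';
    this.lastCount = count;
    return 'ok';
  }
}

function demo() {
  const rp = new RelyingParty('example.test', 'https://example.test');
  const device = new Authenticator('example.test');
  rp.register(device.publicKey);

  const good = device.getAssertion(rp.newChallenge(), 'https://example.test');
  const login = rp.verify(good);
  rp.newChallenge();
  const replay = rp.verify(good); // captured response, fresh challenge
  const phished = rp.verify(device.getAssertion(rp.newChallenge(), 'https://examp1e.test'));
  const forged = device.getAssertion(rp.newChallenge(), 'https://example.test');
  forged.authenticatorData[36] ^= 1; // alter the signed counter in transit
  const tampered = rp.verify(forged);
  return { login, replay, phished, tampered };
}

console.log(demo());
```

A captured response is useless against a fresh challenge, and a response produced on a look-alike origin fails the relying party's origin check even though the signature itself is valid.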

  4. 3 weeks ago
    Anonymous

    > schizoshit unrelated to screenshot
    > *baboon noises*
    > no links
    https://github.com/keepassxreboot/keepassxc/issues/10407

    • 3 weeks ago
      Anonymous

      why include the link?
      it's just some mundane issue, not related to OP's /misc/ rant

    • 3 weeks ago
      Anonymous

      someone explain the issue, why does he want it encrypted and why does it sound like a bot? I read the issue, still have no idea why it's absolutely necessary to encrypt the passkey.

      • 3 weeks ago
        Anonymous

        Keepassxc encrypts passwords on your own device.
        Users have the ability to export the private key for keepassxc.
        Someone with malicious intent might trick users into giving them said private key.
        This dude's solution is to make it so there is no export feature.
        The general response he got from other developers was "no thanks, we prefer user freedom. Also, our users are generally less moronic than the average person".

        I don't know what the other thing linked in the thread here

        https://github.com/keepassxreboot/keepassxc/issues/10406#issuecomment-1994313373
        >Once certification and attestation goes live, there will be a minimum functional and security bar for providers.
        frick frick frick
        why does it have to be attestation

        https://news.ycombinator.com/item?id=39698502

        is all about though. Something about attestation.

      • 3 weeks ago
        Anonymous

        >I read the issue, still have no idea why it's absolutely necessary to encrypt the passkey.
        users are idiots, they will happen to view that file or even copy-paste it to someone or something like that

        still, users must be allowed to be idiots if they insist

        • 3 weeks ago
          Anonymous

          that's like saying users will accidentally copy and paste their current passwords to someone malicious and thus must not be allowed to view their passwords. it's frickin moronic

          • 3 weeks ago
            Anonymous

            But that's an actual concern. It's why FIDO started the FIDO2 project, which should remove passwords and rely solely on hardware attestation and biometrics.

          • 3 weeks ago
            Anonymous

            security of a user's account should be at the option of the user. just because there are moronic users out there doesn't mean that security minded individuals should be prevented from signing into their bank using fully FOSS software. this is a slippery slope that will make it so only large globohomosexual corps control your access to any site on the internet

  5. 3 weeks ago
    Anonymous

    https://github.com/keepassxreboot/keepassxc/issues/10406#issuecomment-1994313373
    >Once certification and attestation goes live, there will be a minimum functional and security bar for providers.
    frick frick frick
    why does it have to be attestation

    https://news.ycombinator.com/item?id=39698502

    • 3 weeks ago
      Anonymous

      Just stop patronizing companies that insist on using this garbage.

      • 3 weeks ago
        Anonymous

        It's funny how TPM only became the big bad boogeyman after it was in the news because of Windows 11. The TPM has been around since the early 2000s and it was perfectly fine, but now every schizo is suddenly a TPM expert.

        your web browser is already remembering your site visits and downloads by telling google about it who then checks the host and hash against their blacklist of known virus/malware. it's how google-safe-browsing works. firefox does it too, specifically through google. Lots of local isps also contract similar services. you are constantly being spied on in this manner. This has been going on since like 2009. Since nobody noticed or cared, they are taking it to the next level, and as long as they get away with it, they will continue to escalate using whatever technology they can.

        • 3 weeks ago
          Anonymous

          Yes, and have you ever left your room or had a job? Google safebrowsing is a legitimately helpful service to prevent malware and scams. And if you don't want it you can simply disable it and use your own filtering.
          >b-but it's not a-actually disabled!!!1
          Use Wireshark on your 2007 Thinkpad with libreshit bios or whatever and capture all packets to verify. You can use this method to check everything morons claim can't be disabled.

          • 3 weeks ago
            Anonymous

            > Google safebrowsing is a legitimately helpful service to prevent malware and scams.

            That's a nice opinion bro, I'm happy you have it. But I don't recall making an argument against it. Does it bother you that I called it spying? Because it is, even if you personally benefit from it sometimes.

  6. 3 weeks ago
    Anonymous

    The amount of schizo /misc/ roaches ITT is truly epic.

  7. 3 weeks ago
    Anonymous

    webauthn, remote attestation, just a way to centralize control of all authentication into the hands of a few small megacorps.

    it's got globohomosexual written all over it.

  8. 3 weeks ago
    Anonymous

    >its all schizo
    >its all schizo
    >its all schizo

  9. 3 weeks ago
    Anonymous

    You can export your MS Authenticator tokens on a rooted phone. Presumably just log into the database on a rooted device if on Android.

  10. 3 weeks ago
    Anonymous

    I just type my password every time. Been doing that since I first used the internet in 2002.

    How hard is it for you lazy motherfrickers to remember and type a password?
    Would you like to log in automatically? NO
    Would you like the browser to save your password? NO
    Would you like to use our wallet connect services? NO
    Would you like to use a token? NO
    Would you like to use an encrypted keypass? NO
    Would you like to download our password manager software? NO

    You STUPID LAZY MOTHERFRICKERS are allowing this, I always knew password managers and wallet type services were a power creep.
    JUST. TYPE. YOUR. FRICKING. PASSWORD.

    • 3 weeks ago
      Anonymous

      as opposed to what? i use keepassxc but i'm not sure what this thread is about, it's an offline password db

      • 3 weeks ago
        Anonymous

        >i'm not sure what this thread is about, it's an offline password db
        A globohomosexual attestation shill is SEETHING that KeepAssXC lets you access passkeys, because it's le insecure (as if anyone dumb enough to share their passkeys would be using an offline password manager in the first place.)

        • 3 weeks ago
          Anonymous

          what are they referring to with "passkeys"?

          • 3 weeks ago
            Anonymous

            When you set up 2FA on a website like github, it will ask you to either scan a QR code with your phone, or to copy-paste a secret code into an authenticator app. That's the passkey; it lets the authenticator app generate a sign-in code (TOTP.)

          • 3 weeks ago
            Anonymous

            ohh i see, i had to do something like that recently for arch linux's gitlab-based bug tracker, where i have freeotp+ (f-droid) set up with a shared secret and can generate one time use pins for logging into the site
            i didn't realise keepassxc supported these, otherwise i would have just used that. i'd never used this before so i just followed some instructions

          • 3 weeks ago
            Anonymous

            >TOTP
            TOTP isn't """passkeys""", WebAuthn shill.

    • 3 weeks ago
      Anonymous

      The idea is this:
      1. You need to use a different password for every website, or when that website becomes compromised, it allows attackers to compromise your accounts on other websites
      2. Remembering a different password on every website is difficult. It's easy to remember one password, so you only need to remember the password to your password manager. Doing so allows you to use a completely random string for your password on every other website.

      Trying to remember 20+ randomly generated passwords is difficult, even for someone who is not lazy.

      • 3 weeks ago
        Anonymous

        >Trying to remember 20+ randomly generated passwords is difficult, even for someone who is not lazy.
        It's not. I have a selection of 15 or so different passwords. They are all stored in my brain, and only in my brain.

        A few of them do repeat, it's 15 passwords for like 20 something different accounts, but it's unlikely that if one of them is compromised, the attacker will figure out the exact account where the password repeats.

        Additionally, the only passwords that repeat, are the ones that are 'low priority', ie. I don't give a frick if the password to my throwaway email account gets leaked and compromises my Star Wars The Old Republic account .

        • 3 weeks ago
          Anonymous

          >only 20 different accounts
          Do you even use the internet? My KeePass currently has 500 entries.

          • 3 weeks ago
            Anonymous

            Account bloat is a problem when unchecked.
            I tend to close accounts I stop using to prevent this. More accounts = Bigger attack surface

          • 3 weeks ago
            Anonymous

            Moving the goalpost

          • 3 weeks ago
            Anonymous

            Which goalpost? I don't think you understand that turn of phrase, you are not using it properly.

            I'm not the moron with 500 accounts.

          • 3 weeks ago
            Anonymous

            Who you are matters very little in this conversation.

          • 3 weeks ago
            Anonymous

            What attack surface when each account has different password? It's only a problem if you're moronic and can't use manager

          • 3 weeks ago
            Anonymous

            >What attack surface when each account has different password?
            With 500 accounts you are almost begging to have your data leaked to the internet. I go out of the way to close my accounts when I stop using them. The shitty freeforums.com type shit I frequented as a teen, and so on and so forth. That's what the 'delete my account' button is for. I have closed everything down.

            I also bypass account creation when I can. And when I can't, I create throwaway single-use accounts with no data that can be linked back to me.

            If you are needing to keep track of 500 accounts you are doing something wrong. Or you are a corporation, in that case it would be more understandable. But if we are talking about a person then this is unsafe practice.

            >It's only a problem if you're moronic and can't use manager
            No, you have it backwards. Having to use a password manager is a sign of moronation. Having 500 accounts because you are too much of an ADHD freak that you need to sign up to everything is a sign of moronation.

            The less you have to rely on third parties the more secure you are, as a general principle ofc. You can always be unlucky, or be moronic in other ways.

            This anon

            security of a user's account should be at the option of the user. just because there are moronic users out there doesn't mean that security minded individuals should be prevented from signing into their bank using fully FOSS software. this is a slippery slope that will make it so only large globohomosexual corps control your access to any site on the internet

            is 100% correct in his take. If they deem that most people use password managers and hate inputting their password, then they will remove user agency on this. And it's a terrible thing. They'd love to have you use biometric data for everything, one must not give them the excuse.

    • 3 weeks ago
      Anonymous

      i finally decided to get a password db when my steam account got stolen the second time (i got it back both times thankfully)

      >Trying to remember 20+ randomly generated passwords is difficult, even for someone who is not lazy.
      It's not. I have a selection of 15 or so different passwords. They are all stored in my brain, and only in my brain.

      A few of them do repeat, it's 15 passwords for like 20 something different accounts, but it's unlikely that if one of them is compromised, the attacker will figure out the exact account where the password repeats.

      Additionally, the only passwords that repeat, are the ones that are 'low priority', ie. I don't give a frick if the password to my throwaway email account gets leaked and compromises my Star Wars The Old Republic account .

      well good for you that you can easily remember 15 long, secure passwords, it's not an easy thing for most people
      using a password manager is an inconvenience, but it's also much more secure

    • 3 weeks ago
      Anonymous

      >I just type my password every time
      moron
      at least save in firefox, you dumb TWAT

      • 3 weeks ago
        Anonymous

        Why would you save your password anywhere? Where it can be stolen, leaked, compromised, or just used without your consent? You are giving Firefox power and control over your shit because you are too much of a smoothbrain to remember an alphanumeric string, and I'm the "twat"?

        KYS, moron, thanks to idiots like you we will have passwordless logins in the future and every last trace of privacy will continue to be destroyed.

  11. 3 weeks ago
    Anonymous

    are security troons all glow Black folk?

  12. 3 weeks ago
    Anonymous

    It's all good until malware gets on the computer creating these keys, then everyone who had one issued is compromised.

  13. 3 weeks ago
    Anonymous

    he's right, your schizo babble notwithstanding

  14. 3 weeks ago
    Anonymous

    I use Keepassxc and SSH keys. ffs I thought I was doing it right...

  15. 3 weeks ago
    Anonymous

    The amount of passkey shilling ITT is off the charts.

  16. 3 weeks ago
    Anonymous

    This guy seems like a mega c**t

    • 3 weeks ago
      Anonymous

      >likely to be featured in a few industry presentations
      Looking forward to hearing the presentation given by Tim Cappalli about the thing Tim Cappalli takes issue with that Tim Cappalli heard rumblings about.

  17. 3 weeks ago
    Anonymous

    The FIDO homosexuals are incredibly salty about passkeys to begin with.

    That said, software passkey systems are moronic. Unfortunately TPM is too basic b***h to implement them in a secure domain.

  18. 3 weeks ago
    Anonymous

    So uh I have passwords that are 28 characters memorised. To be fair that's two. Three are more than 22. Six are 14 or more long. The rest are just family names jumbled up because yolo who cares about le epic games account from five years ago?

  19. 3 weeks ago
    Anonymous

    Which one of you was this?
    https://github.com/keepassxreboot/keepassxc/issues/10406

    • 3 weeks ago
      Anonymous

      >impossiable
      >idiiots
      >convince
      holy oyteen
      embarrassing

    • 3 weeks ago
      Anonymous

      >gemming up the 'ssue on the 'hub
      Dare I say, based?

    • 3 weeks ago
      Sage

      moronic take. I'm tired of finding my passwords and accounts on every database leak especially when the moronic devs were saving that in plain text. 2FA OTP at least solved that.

  20. 3 weeks ago
    Anonymous

    >https://keepass.info/
    does not have this problem
    xc supported blm btw

  21. 3 weeks ago
    Anonymous

    A website would only give you a public key

  22. 3 weeks ago
    Anonymous

    >passkeys
    Another shitty, overcomplicated and bloated standard looking to solve non-existing problems.

  23. 3 weeks ago
    Anonymous

    sad to think c**ts like this are writing specs that people have to adhere to
    when did tech start going downhill so fast?

  24. 3 weeks ago
    Anonymous

    >You will NOT reuse the database password to verify user presence.
    >You WILL use biometrics or PINs instead.
    What's his problem?

    • 3 weeks ago
      Anonymous

      My device does not have any biometric readers. It also does not have a pin. I can remember a password.

    • 3 weeks ago
      Anonymous

      I wouldn't want the user to enter the master password more frequently than necessary. If you assume the phone's biometric authentication system to be safe (as safe as that can be anyway), it's probably better to use that.
      The more people see your password, the easier it is to steal. If you use the fingerprint reader, nobody sees you enter the password.

      • 3 weeks ago
        Anonymous

        >reusing the master password is le unsafe
        In that case, why not just a quick secondary password for verifying presence? Two completely random English words are more secure than a 6-digit PIN, and are easier to remember as well.
        Biometrics can be stolen. If you use the fingerprint reader, that's like leaving your PIN on everything you touch.

        • 3 weeks ago
          Anonymous

          Using your phone's PIN or fingerprint reader is exactly a quick secondary password.
          >Biometrics can be stolen
          This is very unlikely to happen. If you keep entering your password over and over, there's a much higher likelihood that someone sees it. You entered your PIN hundreds of times in public, which was seen by a lot of people, including security cameras. If they see your PIN, they can't really do much with it without your phone. But if they see your master password, you may be fricked.
          Nobody's realistically going to steal your biometrics anyway. If the glowies want you, they will make you use them to unlock the phone, of course.

          • 3 weeks ago
            Anonymous

            >Using your phone's PIN or fingerprint reader is exactly a quick secondary password.
            Device PINs and fingerprint readers require hardware support, which makes the mandated use of them an anti-feature.

          • 3 weeks ago
            Anonymous

            I don't want my biometric data stored on my phone.
            I don't want my biometric data stored on a website.
            I don't want the potential of my biometric data being linked to a website via my phone, either.
            I like using passwords. I would like to have user agency in determining how I log in.
            I will simply stop using services that require biometric data from me.

  25. 3 weeks ago
    Anonymous

    OK which one of you Black folk is this?

    Why the frick do you do this?
    You'll just force the maintainer to close the issue and prevent further discussion.

    God I hate IQfytards.

    • 3 weeks ago
      Anonymous

      Fact: you can't spell glowBlack person without g.

    • 3 weeks ago
      Anonymous

      that sounds like some chud.
