Password reuse is rampant: nearly half of observed user logins are compromised (cloudflare.com)
32 points by cassianoleal 11 months ago | 45 comments


Passwords are a pain in the ass, I just wished that having a cryptographic key installed in your device (and linked to it) to login to stuff or having an external crypto-device to login was easier and more common.

For local access, biometrics are fine, and a "super-secure" password for if something happens that can only be used once would be the way.


Biometrics are really not fine. They're somehow supposed to be some permanent marker of who you are, but that's really not how it works in the real world. You physically change.

I've broken any biometrics recognising me in a dozen different ways, this year alone. Cut open my finger, changing my fingerprint. Head surgery for melanoma gave me a scar so facial recognition doesn't work anymore, blood vessel burst in my eye, so iris scan changed. And so on.

They're fine for a convenience, but that's it. They're nothing more than a pin, and you will have to fall back to password or authenticator or something else, sooner or later.


Also, even if they work as desired, if they're ever compromised [1], you're permanently unable to use that form of authentication, or permanently vulnerable to services that use and/or require it.

[1] https://en.wikipedia.org/wiki/Biometrics#Data_security


Again, biometrics are fine for local access. If you cut your finger or scar your face just use your backup method (maybe a pin, maybe a different finger) to get in and update the scan. And if someone steals your fingerprint they can't use it without having physical access to your device, because again, this is for local access.

For remote authentication you use a private key accessed via the local system (which you are already authenticated to using biometrics).


> a "super-secure" password for if something happens that can only be used once

That does not imply a pin or password for easy fallback. That implies something harder, that is self-destructive on use.


There's also this failure case: I know a pair of sisters who look and sound identical enough that they can unlock each other's phones with face and voiceprint recognition.


I knew a girl from Asia that had a sister that was six years younger and twenty pounds skinnier. They could both unlock each other's phones using facial recognition.


Considering the frequency with which facial recognition leads to arrests if you're black [0], it seems that if you've got the right non-white skintone, you can unlock someone else's phone.

[0] https://www.abc.net.au/news/science/2023-11-01/ai-facial-rec...


> a "super-secure" password for if something happens that can only be used once

With 99.99% chance you forget it before you ever get to enter it because humans forget things they never use :)


You can store it on paper with your other important documents. It's not unstealable, but if someone nicks your document folders you're spending two weeks redoing/reissuing everything anyway.


Just use KeePassXC and you are 99% there. Add some browser extension that syncs with it and only use randomly generated passwords.


I've taken a liking to using a self-hosted Bitwarden instance via vaultwarden, and it's been a pretty good experience. The vaultwarden server is only accessible through my Tailscale network for extra security.

https://github.com/dani-garcia/vaultwarden


I use KeePassXC as well and it works well enough. It’s still not as clean as just an SSH key login, which we could have done on the web years ago and would make everyone’s life easier.


I want to be able to tie digital credentials to my identity, so if they are compromised or I lose access I can recover them by providing my national ID documents. Similar to how I do with my bank app: I go to the bank, show my ID, sign some forms and reset all the creds. I don't have to fear losing access. On the other hand, if I lose my Google account I'm screwed; all my other services depend on either my email address or Google 2FA keys to prove my identity.


I fear that mixing government IDs to commonly used digital credentials could invite lots of privacy violations from businesses and governments.

It'd be much easier for porn & social media ID laws to be enforced. Which could be abused by adtech and law enforcement.


I use these a lot when available, often called "passkeys".


We could have been using SSH key logins for decades at this point but no we had to go and use usernames and passwords everywhere.

I don't want a key limited to a single device I just want a strong key that can automatically login to a website. The technology has existed for longer than the internet it just needs to become the norm.


Cloud flare is an ooc spof, this will need addressing sooner or later


Out-of-control single point of failure?


Exactly


But why? I taught both my friends and family to use a password manager. Personally, I only remember 4 passwords that I use locally; the other 632 are stored in a KeePassXC db.


I have a rule that modifies a base password depending on the name of the site the password is for. That way I only have to remember the base password and the rule.


I have three of your passwords and the domain each is associated with. The pattern is obvious, so now I have all your other passwords too.

Also, you don’t need to remember only the base password and the rule. You also need to have an exceptions process for when your “generated” password is incompatible with the esoteric requirements of a new site (length, character restrictions, etc.). And you need to remember this at login time, when you aren’t presented with the same information about those requirements as you were when you registered.


When I used to do this (and I feel safe talking about it because I haven't done this in many years), I also kept a document that listed any such exceptions. Generally the document would just say something like "mixed case, number, symbol" which was enough to remind me what I did.


I used to do this (10+ years ago), but once a few get leaked, everything else would get exposed if someone wanted to target you.

Much easier to just manage randomized passwords through 1Password.


There is an improved version of this, basically a password generator based on a phrase + service name: https://getvau.lt. The issue is that once a password is compromised you need to change how you generate it and remember this exception in the future.
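
Added example (not part of the thread and not getvau.lt's algorithm, whose details this page does not give): a minimal phrase + service name derivation with a per-site rotation counter, to show concretely what the "remember this exception" problem looks like. The scrypt parameters, the 64-symbol alphabet and the `exceptions` dict are choices made for this illustration.

```python
import hashlib
import json
import string

# 64-symbol alphabet so that `byte % 64` is unbiased (256 is a multiple of 64).
ALPHABET = string.ascii_letters + string.digits + "-_"
assert len(ALPHABET) == 64


def derive_password(master_phrase: str, service: str, counter: int = 0, length: int = 20) -> str:
    """Derive one site's password from a master phrase, a service name and a rotation counter.

    The service name and counter go into the salt, so each site (and each rotation of
    that site) gets an unrelated-looking password from the same phrase.
    scrypt cost parameters are an illustrative choice for this example.
    """
    salt = f"{service.strip().lower()}:{counter}".encode("utf-8")
    key = hashlib.scrypt(master_phrase.encode("utf-8"), salt=salt, n=2**14, r=8, p=1, dklen=length)
    return "".join(ALPHABET[b % 64] for b in key)


def rotate(exceptions: dict, service: str) -> int:
    """Record that `service`'s password leaked: bump its counter and return the new value.

    This dict *is* the state the scheme forces you to keep; without it there is no way
    to tell which of the derived passwords for a site is the current one.
    """
    exceptions[service] = exceptions.get(service, 0) + 1
    return exceptions[service]


def current_password(master_phrase: str, service: str, exceptions: dict) -> str:
    """Look up the rotation counter (0 if never rotated) and derive the live password."""
    return derive_password(master_phrase, service, exceptions.get(service, 0))


if __name__ == "__main__":
    phrase = "correct horse battery staple"   # constructed example phrase
    exceptions: dict = {}
    before = current_password(phrase, "example.com", exceptions)
    rotate(exceptions, "example.com")          # example.com leaked: rotate it
    after = current_password(phrase, "example.com", exceptions)
    print("before rotation:", before)
    print("after rotation: ", after)
    print("state you must keep:", json.dumps(exceptions))
```

The derivation itself is stateless, which is the appeal; the rotation counter (and any per-site policy overrides for sites that reject `-` or `_`) is exactly the state that a password manager stores for you and that a scheme like this pushes back onto your memory.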


I used to do this but stopped a very long time ago. I use KeePassXC instead. It’s much more secure and much better at handling websites with special password requirements.


Which is especially problematic, I guess, when random American companies are MITMing the traffic and examining the unencrypted passwords?


I didn’t know about this, which companies are doing this?


Yes. Especially with that government...


I have a standard password that I know has been leaked, and I don't care. I use it only for accounts with no value. Accounts that don't hurt me if they get hacked. Obviously my email, bank and primary social media use strong passwords.

Maybe someone should investigate how many sites require a password but really shouldn't.


This is why using email addresses as usernames is a bad idea. Credential stuffing is trivial under this scenario.
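
Added example, not from the thread: a small detector for the credential-stuffing pattern the comment refers to (one source cycling through many distinct accounts, each tried once or twice), run over constructed auth log lines. The log format, the RFC 5737 addresses, the account names and the thresholds are all made up for this illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed auth log lines (documentation IP ranges, made-up accounts).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice@example.com result=fail
2024-05-01T10:00:03Z ip=203.0.113.5 user=bob@example.com result=fail
2024-05-01T10:00:04Z ip=203.0.113.5 user=carol@example.com result=fail
2024-05-01T10:00:06Z ip=203.0.113.5 user=dave@example.com result=success
2024-05-01T10:00:07Z ip=203.0.113.5 user=erin@example.com result=fail
2024-05-01T10:00:09Z ip=203.0.113.5 user=frank@example.com result=fail
2024-05-01T10:00:10Z ip=198.51.100.7 user=alice@example.com result=fail
2024-05-01T10:00:20Z ip=198.51.100.7 user=alice@example.com result=fail
2024-05-01T10:00:31Z ip=198.51.100.7 user=alice@example.com result=success
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_line(line: str):
    """Return (timestamp, ip, user, succeeded) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["ip"], m["user"], m["result"] == "success"


def detect_stuffing(log_text: str, window: timedelta = timedelta(seconds=60), min_users: int = 5):
    """Flag source IPs that try >= min_users *distinct* accounts within `window`.

    Each source keeps a deque of (ts, user, ok) events; events older than the window
    are evicted before the distinct-account count is checked. A single account failing
    a few times from one IP (a user mistyping) never trips this rule.
    Returns {ip: {"users": n, "successes": [accounts that logged in]}} for flagged IPs.
    """
    events = defaultdict(deque)
    alerts = {}
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, ip, user, ok = parsed
        q = events[ip]
        q.append((ts, user, ok))
        while q and ts - q[0][0] > window:
            q.popleft()
        users = {u for _, u, _ in q}
        if len(users) >= min_users:
            alerts[ip] = {
                "users": len(users),
                "successes": sorted({u for _, u, ok2 in q if ok2}),
            }
    return alerts


if __name__ == "__main__":
    for ip, info in detect_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: {info['users']} distinct accounts in window; successes={info['successes']}")
```

The `successes` list is the part worth acting on: an account that accepted a login in the middle of a stuffing run is the one whose password is reused from some other breach, and the one to force a reset on.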


Frankly, I'd rather deal with the consequences of being compromised than with the problems of memorizing and recovering passwords.


Maybe if we weren't letting a third party sign arbitrary certificates for arbitrary domains they wouldn't be reading our passwords.

People don't realise CloudFlare is a MitM-as-a-Service.


What do you mean? Is cloudflare causing 3rd parties to read our passwords?


What's more problematic is that Cloudflare is obviously reading and storing and analyzing passwords. So every service that uses Cloudflare on a login page is compromised. I bet that there are several Excel files with all scraped passwords circulating within Cloudflare.


That's complete nonsense. We are not storing passwords and passing around Excel spreadsheets of them!

We've worked on this stuff for years (this stuff being how to warn users about compromised passwords). You can go back to 2018 with our work with Troy Hunt on Pwned Passwords (https://blog.cloudflare.com/validating-leaked-passwords-with...), or our 2021 work on a privacy-preserving way of checking a password against a list of known compromised passwords (https://blog.cloudflare.com/privacy-preserving-compromised-c...).
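
Added example, not Cloudflare's or Troy Hunt's code: the k-anonymity range check that the Pwned Passwords integration linked above is built on, with both sides in one process so it runs offline. The client sends only the first five hex characters of the SHA-1 of the password; the server returns every hash suffix in that bucket with its breach count, and the match happens client-side. The corpus and its counts are constructed for this illustration.

```python
import hashlib

PREFIX_LEN = 5  # the client reveals only this many hex chars of the SHA-1 digest


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# --- server side: holds the breach corpus and answers range queries ---------
def build_corpus(entries: dict) -> dict:
    """Map SHA-1 hex digest -> breach count.

    Takes plaintext -> count only so this example can construct a corpus inline;
    a real service is loaded from hashes and never sees the plaintexts.
    """
    return {sha1_hex(pw): count for pw, count in entries.items()}


def server_range_response(prefix: str, corpus: dict) -> str:
    """Return every corpus entry sharing `prefix`, one 'SUFFIX:COUNT' per line.

    The server learns a 5-hex-char prefix (one of 16^5 buckets), never the full
    hash, so it cannot tell which password in the bucket the client holds.
    """
    prefix = prefix.upper()
    if len(prefix) != PREFIX_LEN:
        raise ValueError("range query must be exactly 5 hex chars")
    lines = [f"{h[PREFIX_LEN:]}:{c}" for h, c in sorted(corpus.items()) if h.startswith(prefix)]
    return "\r\n".join(lines)


# --- client side -------------------------------------------------------------
def client_request(password: str) -> str:
    """What leaves the client: the first 5 hex chars of the SHA-1, nothing more."""
    return sha1_hex(password)[:PREFIX_LEN]


def parse_range_response(body: str) -> dict:
    table = {}
    for line in body.splitlines():
        if not line.strip():
            continue
        suffix, _, count = line.partition(":")
        table[suffix.strip().upper()] = int(count)
    return table


def client_check(password: str, body: str) -> int:
    """Match the locally computed suffix against the bucket; 0 means not in the corpus."""
    suffix = sha1_hex(password)[PREFIX_LEN:]
    return parse_range_response(body).get(suffix, 0)


def check_password(password: str, corpus: dict) -> int:
    """The full exchange: client prefix -> server bucket -> client-side match."""
    prefix = client_request(password)
    body = server_range_response(prefix, corpus)
    return client_check(password, body)


# Constructed breach corpus; the counts are made up for this example.
CORPUS = build_corpus({"password": 3861493, "123456": 23597311, "letmein": 236616})

if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        print(f"{pw!r}: prefix sent={client_request(pw)} breach count={check_password(pw, CORPUS)}")
```

The property to notice is that `server_range_response` never receives the password or its full hash: if you log `prefix` on the server side, the most it tells you is that the client's password hashes into one of 16^5 buckets.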


CloudFlare is the 3rd party.

Try implementing what CloudFlare does yourself. You will very quickly realise how it works. It's actually pretty crazy.


Could.

An HTTP POST request along the wire is unencrypted.

I'm talking about a submit button not HTTPS as that just encrypts the connection session and not the data sent from say a form.

If you're using or utilising CF for something where the data is being posted to an API, unless you have client-side encryption, anything receiving that data will receive it in plain text.

Someone only needs to compromise the service worker and syphon the data.


I highly doubt that this is true. HTTPS POST data is encrypted just like any other HTTPS data. But, if one is using CloudFlare or any other proxy, by nature, that data needs to be decrypted and then encrypted again on its way to the destination server. So, yes, of course, each and every proxy can see the data. And, no, HTTPS POST data can't be snooped over the wire otherwise.


What's not true? I may have mumbled my post.

The data from the form (the HTTPS POST data) is not encrypted. It's plain text encapsulated in a secure socket.

Set up a PHP page with a form and capture the $_POST. All will return in plaintext.

POST data is sent in headers, which yes are encrypted by SSL, but the servers receiving it will receive it in plain text.

By using third party you lose full control of the data flow encrypted or not. All it takes is one weak link in the chain and your data is screwed.

You're relying on the 3rd party infrastructure not being exploited.


Exactly this.

If CloudFlare, any "relay" were compromised, all traffic through that would be compromised. That's everything. All your bank details, full access, it's all right there.

The selling point of SSL is nobody can read what you do between you and the final destination, except when the developers of that destination enlist CloudFlare, who have a root certificate that allows them to intercept everything whether you realise it or not.




"As part of our Application Security offering, we offer a free feature that checks if a password has been leaked in a known data breach of another service or application on the Internet. When we perform these checks, Cloudflare does not access or store plaintext end user passwords."

https://developers.cloudflare.com/waf/detections/leaked-cred...


A lot of software and services do this. Firefox, Bitwarden. (I believe you have to opt in and/or click a button each time.) Just the other day Bitwarden was helpfully telling me my bank password was compromised 8000 or so times. It's a 4-digit PIN, by the way, of which huge chunks are not allowed in the name of more security. 1900s and 2000s too much like a birth year, no way. No 2 same numbers consecutively. Nothing starting with zero. Etc etc.


Did we need a study to know this? It is obvious to anyone who has ever seen a non-techie use an online service.

