techhub.social is one of the many independent Mastodon servers you can use to participate in the fediverse.
A hub primarily for passionate technologists, but everyone is welcome

#credentials


There are lots of #plugins/services that allow you to sync your #browser saved website #credentials across multiple devices; even #sync between ecosystems (chrome/google account <--> Microsoft acc).

But - leaving aside "password sharing is Baaaad" and "probably violates a TOS somewhere" issues - does anyone know of a plugin/service that allows you to share a saved login with a trusted other?

e.g. share a newspaper #subscription account with a partner _without_ a shared google account.

(sophos.com) Evilginx: How Attackers Bypass MFA Through Adversary-in-the-Middle Attacks news.sophos.com/en-us/2025/03/

A short descriptive article about Evilginx and how stealing credentials works, with a few suggested ways of detecting it, etc.

Summary:
This article examines Evilginx, a tool that leverages the legitimate nginx web server to conduct Adversary-in-the-Middle (AitM) attacks that can bypass multifactor authentication (MFA). The tool works by proxying web traffic through malicious sites that mimic legitimate services like Microsoft 365, capturing not only usernames and passwords but also session tokens. The article demonstrates how Evilginx operates, showing how attackers can gain full access to a user's account even when protected by MFA. It provides detection methods through Azure/Microsoft 365 logs and suggests both preemptive and reactive mitigations, emphasizing the need to move toward phishing-resistant FIDO2-based authentication methods.

Sophos News · Stealing user credentials with evilginx
A malevolent mutation of the widely used nginx web server facilitates Adversary-in-the-Middle action, but there's hope
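The post's summary mentions detection through Azure/Microsoft 365 logs without showing any. Below is an added example (not code from the Sophos article or from Evilginx) of the one signal an AitM session-token theft most often leaves in Entra ID sign-in data: the MFA-satisfied interactive sign-in is seen from the proxy's IP and client, and the stolen session is then used from a different IP and user agent shortly afterwards, with no new MFA prompt. The field names are modelled on the Microsoft Graph `signIn` resource (`createdDateTime`, `userPrincipalName`, `ipAddress`, `userAgent`, `sessionId`, `isInteractive`, `authenticationRequirement`) but the log lines themselves are constructed for illustration; treat the field set as an assumption when pointing this at a real export.

```python
"""Flag sign-in sessions whose token is used from more than one IP or client.

Added example for spotting Evilginx-style session-token replay in
Entra ID / Microsoft 365 sign-in exports. Field names follow the Graph
signIn resource; the log lines below are constructed, not real data.
"""
import json
from collections import defaultdict
from datetime import datetime

# Constructed JSON-lines sample (one sign-in record per line). alice is a normal
# session. bob authenticated through an AitM proxy: the IdP saw the proxy's IP
# for the MFA-satisfied interactive sign-in, then the captured cookie was
# replayed from another host with a scripted client, without a new MFA prompt.
SAMPLE_LOG = """\
{"createdDateTime":"2025-03-10T08:00:00Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","userAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/123","sessionId":"s-1","isInteractive":true,"authenticationRequirement":"multiFactorAuthentication"}
{"createdDateTime":"2025-03-10T08:40:00Z","userPrincipalName":"alice@example.com","ipAddress":"203.0.113.10","userAgent":"Mozilla/5.0 (Windows NT 10.0) Chrome/123","sessionId":"s-1","isInteractive":false,"authenticationRequirement":"singleFactorAuthentication"}
{"createdDateTime":"2025-03-10T09:00:00Z","userPrincipalName":"bob@example.com","ipAddress":"198.51.100.7","userAgent":"Mozilla/5.0 (Macintosh) Safari/17","sessionId":"s-2","isInteractive":true,"authenticationRequirement":"multiFactorAuthentication"}
{"createdDateTime":"2025-03-10T09:04:00Z","userPrincipalName":"bob@example.com","ipAddress":"192.0.2.55","userAgent":"python-requests/2.31","sessionId":"s-2","isInteractive":false,"authenticationRequirement":"singleFactorAuthentication"}
"""


def parse_jsonl(text):
    """Parse one JSON object per line; blank lines are skipped."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def _ts(value):
    # Graph timestamps are ISO 8601 with a trailing Z; fromisoformat wants an offset.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def find_session_reuse(events):
    """Group sign-ins by sessionId and flag sessions used from more than one IP
    or more than one user agent. Returns one finding per suspicious session,
    in the order the sessions first appear in the log."""
    by_session = defaultdict(list)
    for event in events:
        by_session[event["sessionId"]].append(event)

    findings = []
    for session_id, evs in by_session.items():
        evs.sort(key=lambda e: _ts(e["createdDateTime"]))
        ips = sorted({e["ipAddress"] for e in evs})
        agents = sorted({e["userAgent"] for e in evs})
        if len(ips) < 2 and len(agents) < 2:
            continue
        first, last = evs[0], evs[-1]
        span = _ts(last["createdDateTime"]) - _ts(first["createdDateTime"])
        findings.append({
            "sessionId": session_id,
            "user": first["userPrincipalName"],
            "ips": ips,
            "userAgents": agents,
            "minutes_between": span.total_seconds() / 60,
            # True when the session was minted by an MFA-satisfied sign-in:
            # the replay then rides on that MFA without ever repeating it.
            "mfa_on_first": first.get("authenticationRequirement") == "multiFactorAuthentication",
        })
    return findings


if __name__ == "__main__":
    for f in find_session_reuse(parse_jsonl(SAMPLE_LOG)):
        print(f"session {f['sessionId']} ({f['user']}): ips={f['ips']} "
              f"clients={f['userAgents']} within {f['minutes_between']:.0f} min, "
              f"MFA on first sign-in: {f['mfa_on_first']}")
```

The check is deliberately narrow: it only fires when the replayed token shows up from a different address or client than the proxied sign-in did, so an attacker who replays from the same host as the phishing proxy, with a matching user agent, will not trip it. Pair it with the IP-reputation and impossible-travel signals the logs already carry, and treat it as a detection of last resort behind the preemptive fix the article emphasises, phishing-resistant FIDO2 authentication.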

#PasswordReuse is rampant: nearly half of observed user #logins are compromised
Many users recycle #passwords, creating a ripple effect of risk when #credentials are leaked.
Based on Cloudflare's observed traffic between Sep-Nov 2024, 41% of successful logins across websites protected by Cloudflare involve compromised passwords.
When including bots, 52% of all authentication requests contain leaked passwords found in our 15B record database, including Have I Been Pwned.
blog.cloudflare.com/password-r

The Cloudflare Blog · Password reuse is rampant: nearly half of observed user logins are compromised
Nearly half of observed login attempts across websites protected by Cloudflare involved leaked credentials. The pervasive issue of password reuse is enabling automated bot attacks and account takeovers on a massive scale.
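The post above refers to matching logins against a leaked-credential corpus that includes Have I Been Pwned. The added example below (not Cloudflare's or HIBP's own code) shows how such a check is done without sending the password anywhere: the k-anonymity range query used by the Pwned Passwords API, where the client sends only the first five hex characters of SHA-1(password) and matches the returned suffixes locally. The range responses in the block are constructed for illustration, and the breach count for `password` is a made-up number, not HIBP's real figure; the only real values are the two SHA-1 digests. The `hibp_fetch_range` helper is what you would plug in for a live lookup and is not called by the example.

```python
"""Check a password against a leaked-password corpus with a k-anonymity range query.

Added example, not code from Cloudflare or Have I Been Pwned. Only the 5-char
SHA-1 prefix leaves the client; the full hash is never transmitted.
"""
import hashlib
import urllib.request

PREFIX_LEN = 5


def sha1_hex(password):
    """Uppercase hex SHA-1 of the UTF-8 password, the form the Pwned Passwords API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password):
    """Return (prefix sent to the server, suffix kept locally)."""
    digest = sha1_hex(password)
    return digest[:PREFIX_LEN], digest[PREFIX_LEN:]


def parse_range_response(text):
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}. Padded entries with
    count 0 (returned when the Add-Padding header is set) are kept as 0,
    so a lookup of them still reads as 'not found'."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, count = line.split(":", 1)
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password, fetch_range):
    """Number of times the password appears in the corpus (0 if absent).
    fetch_range(prefix) must return the raw text of the range response."""
    prefix, suffix = split_hash(password)
    assert len(prefix) == PREFIX_LEN  # nothing beyond the prefix is sent
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def hibp_fetch_range(prefix):
    """Live lookup against the Pwned Passwords API (not used by the example run)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed range responses keyed by prefix. SHA-1("password") is
# 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8 and SHA-1("abc") is
# A9993E364706816ABA3E25717850C26C9CD0D89D; the counts and the other
# suffixes are invented, and the A9993 range deliberately omits abc's
# suffix so the not-found path is exercised.
CONSTRUCTED_RANGES = {
    "5BAA6": "1E4C9B93F3F0682250B6CF8331B7EE68FD8:12345\n"
             "0000000000000000000000000000000000A:0\n"
             "1FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:7\n",
    "A9993": "0000000000000000000000000000000000B:3\n"
             "FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF:0\n",
}


def fake_fetch_range(prefix):
    """Offline stand-in for hibp_fetch_range; unknown prefixes return an empty range."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "abc"):
        n = breach_count(candidate, fake_fetch_range)
        print(f"{candidate!r}: {'seen ' + str(n) + ' times' if n else 'not in corpus'}")
```

Because the server only ever learns a 20-bit prefix, each query hides the password among the several hundred hashes that share it; this is the property that lets a login flow screen passwords at scale without building a second copy of the credential. On the server side, the same range file can be mirrored locally and the lookup done entirely offline, which is how a CDN-scale deployment avoids a network round trip per login.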

@zak @zenbrowser : a still unfixed vulnerability: if NOT using Touch ID, on some websites you may be able to sign in using a passkey WITHOUT authenticating locally - using biometrics or your passcode (screen unlock code).

⛓️💥 This vulnerability also exists WITH Touch ID set up, provided that "Password Autofill" is disabled.

BTW this vulnerability also permits access to:
icloud.com
account.apple.com
(When asked to provide your fingerprint, tap the X at the top right and tap in the "Email" field one more time).

This is a HUGE risk for people who do not want to use biometrics: if a thief grabs their iPhone when unlocked, or watches them enter their passcode and later steals their iPhone, the thief can use ALL of the owner's passwords and some of their passkeys stored in the "Passwords" app (formerly known as iCloud Keychain).

🎬 This increases the risks of theft as shown by WSJ's Joanna Stern in youtube.com/watch?v=QUYODQB_2wQ.

👶 In addition, a (grand) child or anyone else who (shortly) borrows your iPhone/iPad may have access to more of your cloud-accounts than you're aware of.

🔧 Workaround if you don't want to use biometrics to unlock your iPhone/iPad (this does not fix any problem if a thief learns (or successfully guesses) your passcode (screen unlock PIN or password)):

• Set up Touch ID anyway, for example for your left pinky finger (if you're right-handed)

• Disable "iPhone Unlock" in "Touch ID and Passcode" (visible in the first screenshot).

• Use a safer password manager (such as KeePassium) than the Apple "Passwords" app (iCloud Keychain).

🚨 In any case:

• Make sure that "Password Autofill" (in settings -> "Touch ID and Passcode") is set to ENABLED;

• When you enter your passcode in a public place (such as a bar, bus or train), make very sure that nobody gets to see you enter it.

The @w3c Federated Identity #WorkingGroup aims to create specs for secure, #privacy friendly, and user-controlled #authentication and credential presentation
▶️ w3.org/groups/wg/fedid/

Their updated charter introduces the Digital Credentials #API, which facilitates user agents in managing access to and presenting digital #credentials, such as a driver's license, government-issued ID, or other forms of digital credentials.

🎬 Find out more about this work by @sphcow: youtu.be/GI3UTZJ0Ue4

Ah, yes, the timeless art of #B&E, now with a ✨ #tech #twist! ✨ Our hero, Eric, wields his phone like a magic wand, 🪄 casting the spell of "#default #credentials" to waltz into #apartment buildings. Who needs a life of crime when you have expired credentials and missed ferry rides? 🚢 In 2025, breaking and entering is just a casual #Sunday #hobby, right after brunch. 🥞
ericdaigle.ca/posts/breaking-i #hacking #HackerNews #ngated