Over 5,300 internet-exposed GitLab instances are vulnerable to CVE-2023-7028, a zero-click account takeover flaw GitLab warned about earlier this month.
I see a lot of people around me resetting passwords of services they rarely use because they forgot what password they used and don’t have a password manager (or not a synced one). And I don’t understand why all services don’t propose to generate a one-time link to log in instead of changing passwords (a few services do propose it already).
Passwords are useless for all users using the same password for every account they have, and I’m sure it’s a majority of users.
Google is moving that way with passkeys. I think it’ll catch on with many people.
Just cut the passwords out and go straight to unlocking with a device.
That said, not sure what happens if you lose your device.
Don’t even have to lose the device.
Phone is the most common; plenty of ways in, from MITM attacks (insecure wifi, for example) to social engineering the account’s phone provider.
Guess you could go the dongle route, but if it was super common thieves would just target them.
I think the question is less about getting hacked and more about getting permanently locked out of your account.
Sure, but it shouldn’t be; any good process will have some recovery method.
Of course that can be a vulnerability as well.
Thank god recovery questions are dead.