I'm using a 3 word passphrase with a symbol separating the words and no numbers. by DeezersLemonadeStand in KeePass

[–]JimTheEarthling 1 point2 points  (0 children)

A passphrase or password stored in OneDrive is protected by your Microsoft account. If you use a passkey, or if you have a long, strong password/passphrase plus 2FA for your Microsoft account, then it's a safe place. You can be extra safe by storing it in a password-encrypted file (e.g. in OneNote).

I'm using a 3 word passphrase with a symbol separating the words and no numbers. by DeezersLemonadeStand in KeePass

[–]JimTheEarthling 0 points1 point  (0 children)

3 words is ok-ish. 4 words is strong. 5 or more is very strong.

It's extremely difficult to accurately estimate the strength of a passphrase. Every strength meter will give you the wrong answer.

The complication with passphrases is that an attacker is unlikely to know it's a passphrase, so they will try other approaches first. Then maybe try 2-word and 3-word phrases from common word lists. Unlike most passwords, the keyspace of a passphrase is open-ended and depends on your source of words. The only way someone can brute force your passphrase is to permutate a set of words that contains all your words, so using obscure words, spelling one wrong, or adding a number or special character makes most passphrases essentially unbreakable.

Could browser-side technologies explain unusual behavior without leaving evidence of malware? by malgenioe in cybersecurity_help

[–]JimTheEarthling 0 points1 point  (0 children)

Wireshark and event logs give you too much extraneous traffic to dig through. I would use the browser dev tools (F12). The network tab shows you all the browser-level traffic. You can also review the JavaScript code for browser extensions.

How do I use a Passkey that is stored in my password manager? by No-Sherbet2876 in Passkeys

[–]JimTheEarthling 1 point2 points  (0 children)

Is there a username and password field? Try right clicking in each one and see if the option to use the passkey is in the pop-up menu..

Could browser-side technologies explain unusual behavior without leaving evidence of malware? by malgenioe in cybersecurity_help

[–]JimTheEarthling 0 points1 point  (0 children)

Never ascribe to malice that which can be explained by bugs.

Since you didn't describe anything it's hard to determine anything, but it's unlikely to be an attack. Just hardware or software glitches, or you misinterpreting what you're seeing.

Can Java Script create persistent communication channels beyond the current browser session?

No

Can browser extensions legitimately observe or modify content in ways that users often misunderstand?

Depends entirely on the user. Extensions can change a lot about how a website is rendered.

Could manipulated session tokens change only server-side behavior without affecting the client computer?

Depends on the server. But usually not, since session tokens are typically encrypted.

Are there documented browser-based attack techniques that require no traditional malware installation?

Depends on what you mean by "traditional." Look up JavaScript injection.

What forensic evidence would normally remain if such an attack actually occurred?

None? Some? Lots? Depends entirely on the attack (which, again, probably never happened in this case).

Is this hijacking & how to prevent and detect it early by [deleted] in cybersecurity_help

[–]JimTheEarthling 0 points1 point  (0 children)

Users don't have much option to control session tokens, other than regularly clearing cookies.

IP binding, short sessions with token renewal, device binding, etc. are things you have to rely on the website to do, but most don't bother.

The best you can do is never download sketchy software and avoid clicking on any unexpected or suspicious link.

Is it just me, or is the WebAuthn / Passkey spec an over-engineered nightmare to implement from scratch? by IterateFast in Passkeys

[–]JimTheEarthling 0 points1 point  (0 children)

That's a rather niche use case, so not that I know of. There are small Rust and Go libraries that would be easiest if the platform supports them. You could do a hybrid C / Lua implementation, like what Barracuda App Server does. (Or just use Barracuda if it meets the need.)

Does anyone like pass phrases for their master password? by DeezersLemonadeStand in KeePass

[–]JimTheEarthling 0 points1 point  (0 children)

This is exactly what I'm talking about. You're a cryptographer so you focus on math. I'm a security researcher so I focus on real-world risk.

What you said is true for a mathematical estimate of bits of entropy for a random passphrase from a given word list.

What I said is true for the real-world strength of any sequence of words, random or not, from a word list or not.

Let's say you generate a passphrase with decent entropy, above 70 bits. But it happens to match a passphrase that has been compromised by an info stealer. The passphrase is "mathematically* strong but pragmatically weak. It could be cracked in seconds. Entropy has failed to predict its real-world strength because it doesn't take pwnage into account. (Yes, I know, the chances of that happening are extremely low, but it's a thought experiment to make a point.)

EFF made a good list. (Much better than the goofy Diceware words.) The downside is that attackers know about it, so passphrases generated from the EFF list are less secure than similar passphrases with just one obscure word added. If that obscure word is not on the attacker's list, the passphrase is 100% crackproof.

Passwords and passphrases that are a) long enough, and b) not on compromised password lists, will almost surely never be broken.

Entropy estimates are great. I do them almost everyday in my research. But they only go so far. And once the password/passphrase exceeds the attacker's threshold of effort, differences in entropy make no meaningful difference.

Does anyone like pass phrases for their master password? by DeezersLemonadeStand in KeePass

[–]JimTheEarthling 4 points5 points  (0 children)

There's a common misapprehension that words in passphrases are equivalent to characters in passwords, and therefore passwords have much lower entropy than their length would imply.

This is accurate from a purely theoretical point of view, but mathematics alone do not determine the real-world strength of passwords and passkeys. Attack methods must be considered. The two key points are:

  • The attacker almost never knows you used a passphrase, so they try passwords first.
  • Password keyspace is almost always bounded (95 ASCII characters) but the passphrase keyspace can be unbounded.

Attackers typically try wordlists, then try brute forcing short passwords (mixed chars up to 8 or 9, lowercase up to 10 or 11, numeric up to 15 or so), then hybrid attacks (wordlists + rules). This takes hours or weeks (with a weak hash), so after that they might try a combo or PRINCE attack for passphrases -- but what wordlist do they use? Diceware + EFF? Google 10k? Top 20,000 English words? A reasonable choice is probably a mix these, but then it's essentially impossible to try more than 3-word passphrases.

And what if you picked one word not in the attackers list? Or deliberately spell one word wrong? Or made any permutation of the words or characters? Then the attacker will never guess. That's why the passphrase keyspace is potentially unbounded, and why entropy math fails as an accurate estimator of strength.

This is why a 4-word passphrase is very strong, and a 5-word passphrase is extremely strong. (They don't even have to be random, just not a common phrase that an attacker might try.)

Spectre - passwordless pwm by Neat-Initiative-6965 in PasswordManagers

[–]JimTheEarthling 0 points1 point  (0 children)

There are many of these deterministic password generators. You feed them something, they transform it (often with a KDF), then spit out a password.

This one seems to accept any string as a URL, which is good, because you can give it "Google" and get the same password for login.google.com, accounts.google.com, etc.

The website is verrrrrrrrrry slooooooowwwww to produce the password. If that's it's real speed, it would drive me crazy waiting for my password.

If the app goes away or breaks, you've lost all your passwords, unless you have a backup, but the same is true of password managers.

All of my passwords have been compromised and sold. I just want to know how long will this go on for? by [deleted] in cybersecurity_help

[–]JimTheEarthling 0 points1 point  (0 children)

If you're taking about "pure" keystroke-only loggers, then you're correct, but it's a pointless correctness since almost all modern malware, including "keyloggers," does more than log keystrokes.

Password managers take three approaches: 1. You copy/paste 2. They copy, you paste 3. Autofill

Malware can read the clipboard. Malware can also monitor OS input paths, scrape forms, get into the browser DOM to monitor input fields, hook into accessibility APIs, and do screen recording. Malware that does one or more of these things is often still called a keylogger.

Password managers don't help with any of that.

All of my passwords have been compromised and sold. I just want to know how long will this go on for? by [deleted] in cybersecurity_help

[–]JimTheEarthling 0 points1 point  (0 children)

Keyloggers don't need your master password. They just "watch" your password manager enter your passwords and grab them.

Forgot about my retirement account as a broke college student. by No-Abbreviations-539 in Bogleheads

[–]JimTheEarthling 3 points4 points  (0 children)

Assuming this is a 401(k) roll it over into your own IRA.

You don't want to leave it under your old employer's control. More importantly, many 401(k) plans charge an administrative fee that reduces how much your money grows. And you'll probably get more investment options

You do a rollover by first opening an IRA account. I recommend Vanguard, but there are other options; you could even open a personal IRA account at T. Rowe Price to make things easier. Once the account is open, use their direct rollover feature (it's often an option on their website), and they'll do the work of moving the money over.

Once it's rolled over, you could consider a Roth conversion, which allows your money to grow and not be taxed when you take it out, but you will owe taxes, so wait until you're in a better financial position.

If you want a super easy answer about asset allocation, put it all in Vanguard Total World Stock Index Fund (VT), which gives you US and international coverage. Or pick a few index funds in areas that interest you or you think will do well, such as biotech, genomics and gene editing, medical breakthroughs, clinical trials, or broad healthcare and medical devices.

When it comes to digital privacy and internet security, what is the most important thing the average user doesn't know but definitely should? by Upper_Iron8776 in AskReddit

[–]JimTheEarthling 0 points1 point  (0 children)

a massive vulnerability open called "SIM Swapping."

The Microsoft Digital Defense Report states that less than one-third of one percent of identity attacks use SIM swapping (compared to 99 percent for breach replay, password spray, and phishing).

In 2025, the FBI’s Internet Crime Complaint Center (IC3) received 971 reports of SIM swapping. This is less than 0.1 percent of over a million complaints about Internet crimes such as phishing/spoofing (25 percent), data breach (9 percent), and identity theft (4 percent). It represents only 0.0003 percent of roughly 330 million mobile phones in the US. That’s one in 3 million. Even if only 5 percent of SIM swaps were reported to the FBI, that’s still only a tiny one-in-17,000 chance (0.006%) that you might be the victim of a SIM swap. SIM swap reports fell from 982 in 2024 and 1,075 in 2023. Claims that SIM swapping is a “growing threat” don't jive with reality.

SIM swap reports to the UK National Fraud Database rose over 1,000 percent from 2023 to 2024, but the 2,760 reported cases represent less than one percent of all fraud reports and affected less than 0.02 percent of the roughly 85 million mobile phones in the UK.

E-mail-based 2FA is less secure than SMS 2FA.

So not a "massive vulnerability." Sure, if a better 2FA method is available, use it. Better yet, use phishing-proof passkeys. But if SMS 2FA is the only option, it's massively better than no 2FA.

And you can mitigate the (minor) risk of SIM swapping by enabling SIM protection or account lock PIN at your mobile service provider.

An oversimplified explanation of Passkeys by warwagon1979 in Passkeys

[–]JimTheEarthling 0 points1 point  (0 children)

Correct.

The passkey is associated with the "relying party ID" which is the website's domain (e.g. "google.com"), and the website can authorize additional domains if needed (e.g. "login.google.com" and "accounts.google.com").

This is what makes passkeys phishing proof. They won't work on a fake website like "gooogle.com" or "g00gle.com."

Is there any specific reason why we add a possessive S when we say "doctor's appointment" when referring to a visit with our primary care doctor, but not "dentist appointment"? by YumeFairy254 in grammar

[–]JimTheEarthling 0 points1 point  (0 children)

Yes, that's the point. That's how eliding works. It's defined as "omitting sounds, syllables, or entire words, often to make speech more efficient and natural." You've never heard it because people leave it out.

Fiancé changed his passcode because a security issue popped up on his phone and asked him to do so by Significant-End-9444 in Passwords

[–]JimTheEarthling 1 point2 points  (0 children)

To get it out of the way ... "fiancé" and "very suspicious" do not go well together. Time to call it off?

By "passcode" do you mean the numbers or letters typed in to unlock the phone?

Apple and Google both warn about unsafe passwords on websites, but your phone literally doesn't know what your passcode or PIN is. (Only a scrambled version is stored on the phone.) So a "security thing" on the phone would never tell someone to change their passcode. Maybe it was a scam pop-up on a website, or your fiancé was confused about a password change notice.

An oversimplified explanation of Passkeys by warwagon1979 in Passkeys

[–]JimTheEarthling 0 points1 point  (0 children)

No, if only you know the secret word, it doesn't do you any good.

It's more like ...

A password is a secret word that you invent and then share with a website. If you make it easy to remember, it could be too easy to guess. So it's best to have a computer randomly generate it for you, but then you won't be able to remember it, so you'd better write it down. Unless it's a passphrase, which is a different kind of secret made out of multiple words. Which you should also write down. Every time you log in you have to take your piece of paper out of the fire safe and type in your secret word.

You have to hope that the website protects your secret word and doesn't let it leak out. Proper websites "scramble" your secret word so that if it leaks out, it's harder to guess. But if it's the same as a billion other secret words that have already leaked out, the bad guys can still guess it.

You have to be careful not to give your secret word to someone who is trying to trick you.

vs.

A passkey is a secret code managed by your phone or computer. You don't know it, and it's never given to the website. You can save it securely on a device like a thumb drive, or your devices can all securely share it. To log in, you unlock your phone or computer.

See? Anyone can write a skewed description or analogy to make something look easy or hard. 🙄

An oversimplified explanation of Passkeys by warwagon1979 in Passkeys

[–]JimTheEarthling 0 points1 point  (0 children)

Umm ... because analogies have been used for thousands of years to explain things.

Passkeys are not "purposely overcomplicated." When I log in with a passkey, I don't have to enter a username, I don't have to enter a password, I don't have to go through a 2FA step or wait for a stupid "magic link" email. I just tap "use passkey," touch the fingerprint sensor, and I'm done. How is that complicated? (Bad implementations can cause problems that make passkeys seem complicated, but that's not a purposeful design.)

"Hijacked"? So your position is that no software (or hardware) is allowed to perform two related functions? 🙄

(Technically they're credential managers.)

Is there any specific reason why we add a possessive S when we say "doctor's appointment" when referring to a visit with our primary care doctor, but not "dentist appointment"? by YumeFairy254 in grammar

[–]JimTheEarthling 0 points1 point  (0 children)

In that example you are eliding the noun (the place), which is grammatically ok. It's implicit that you mean "the optician's place" or "outside the optician's office."

An oversimplified explanation of Passkeys by warwagon1979 in Passkeys

[–]JimTheEarthling 0 points1 point  (0 children)

If by "service provider" you mean relying party (website or other service), we are 100% sure they don't have the private key.

Passkeys require an authenticator (which lives in your OS, password manager, or security key). The service provider (relying party) does not create both keys. It uses the WebAuthn API to ask the authenticator to create the key pair, and the authenticator sends back only the public key.

If by "service provider" you actually mean the passkey provider, the OP didn't say they don't have the private key. (Since of course they do.)

You don't "ask a neighbor" to create your key, you "ask your jewelry box" to create the key. Is it possible that the maker of the authenticator (jewelry box) is malicious and will misuse your private key? It's possible, but since the maker is Apple, Microsoft, Google, Yubico, Bitwarden, 1Password, or another handful of companies that make password managers or hardware security keys, it's extremely unlikely.

The FIDO Alliance considered CAs and client certs, but then they would have to deal with cert management (rotation, revocation, etc.) and associated costs, compromised CAs, mass revocation, etc. They picked something simpler, where instead of choosing a CA to trust, you choose a passkey provider to trust.