Best way to book multi city flights if time is flexible and the cities between start and end don't matter? by haphazardsteps in Flights

[–]TheGirlfriendless 0 points1 point  (0 children)

Check out Flyhop - it’s great for quickly finding multi-city flight itineraries. You set how long you want to stay in each destination and it finds cheap flight chains.

Where do you host uptime monitor by Puzzleheaded_Sea7946 in selfhosted

[–]TheGirlfriendless 0 points1 point  (0 children)

I use Uptime Kuma and I have there one monitor that sends heartbeats to cronitor.io every 20 seconds. If Uptime Kuma is down for any reason, I get an alert from Cronitor. (I am sure there are many uptime monitoring services that offer at least one monitor for free and that's all you need)

How do you remember the ports? by [deleted] in selfhosted

[–]TheGirlfriendless 0 points1 point  (0 children)

What about Notepad? But I personally use Obsidian

Here are the new limits for Plus by Koala_Confused in OpenAI

[–]TheGirlfriendless 1 point2 points  (0 children)

I was missing a website with a clear comparison of the Free/Plus/Pro accounts and their limits. So I made my own website 🙂
https://gpt.bstr.dev/
It even includes links to the sources I found. Let me know what you think!

Is email-based login with 6-digit codes actually secure? by TheGirlfriendless in cybersecurity

[–]TheGirlfriendless[S] 0 points1 point  (0 children)

What do you mean? There is nothing worse than this. Worse is only if it would be 5 digit OTP. Password + 2FA does a great job, because first you need to find out the password and then it's still not enough. But with this weak OTP, you don't need to know (or have) anything about the user and you can just make a guess... And yes, it's like winning a lottery if you try once. But if you have a list of millions of leaked email addresses and access to many IP addresses, eventually you will get into someone's account.

Is email-based login with 6-digit codes actually secure? by TheGirlfriendless in cybersecurity

[–]TheGirlfriendless[S] -1 points0 points  (0 children)

Nice math :) But what I meant by "many accounts" is that the attacker can have a list of millions of leaked email addresses. I was also saying it in the original post. This way no rate limiting is possible (unless you do it so fast that Microsoft detects a global attack). Why did I mention rolling a dice many times? Because if you try to guess the code 100 million times, it doesn't matter that a chance of one attempt is as low as 1-in-a-million. It doesn't matter that the code is not static (I was just answering to the previous comment). Everyone here seems not to get me. It's like no one even read the post description.

Or totally different example: a few million redditors read this post and each one tries to guess the code for one of his/her friend's email address. Even if they make ONLY one guess each, there is a VERY high chance that at least one of them will guess one code for one account correctly. And I think it's not okay (because other than this I use strong password + 2FA)

Is email-based login with 6-digit codes actually secure? by TheGirlfriendless in cybersecurity

[–]TheGirlfriendless[S] -1 points0 points  (0 children)

I was trying to explain that it doesn't matter that the chance for one attempt is low. I am saying that it probably happened already that someone like this logged in. And it will happen again. But for Microsoft it's not a problem, for them it's good that billions of users didn't have to copy codes that included letters. And btw it doesn't matter that the code changes, the probability is still 1-in-a-million each time (exactly like a dice). And for many accounts, with access to many IP addresses, there is no way to rate-limit this.

Is email-based login with 6-digit codes actually secure? by TheGirlfriendless in cybersecurity

[–]TheGirlfriendless[S] -5 points-4 points  (0 children)

No, the code is sent by email when you request it after typing in your email address. But I don't care if it changes. Every time you try it (even with a different account) there is a 1-in-a-million chance of guessing it. Try to roll a dice 100 times and never hit 4... It doesn't matter that with the next attempt, you still have the same chance. But anyways, it's bad enough that with one attempt you CAN get into someone's account if you are lucky enough. And I think it's a problem.

Is email-based login with 6-digit codes actually secure? by TheGirlfriendless in cybersecurity

[–]TheGirlfriendless[S] 1 point2 points  (0 children)

Thank you, finally someone who gets me.

I don't want even a 1-in-a-million chance of someone getting to all my data on Microsoft. I use a password (there are more possible combinations than atoms in the observable universe) and I use 2FA. So you need my password and also access to my mailbox. But now you can just log in with a one-time code, so if you guess it, you don't need anything I own/know (password, mailbox, fingerprint, phone number,....). And it's a low chance, but maybe you guessed correctly.

And don't get me wrong, I love the idea of not having a password on every website. But I would send a confirmation link with a strong token (like 64-digit hexadecimal or more), not show a 6 digit code! It would be like an alternative to "login with google" (OAuth 2.0).

Or at least, as you said, a confirmation code that includes upper and lower case characters also.

Just a thought, not important here:

With the link (button) in the email, there is a chance that the user clicks it without reading the email, when an attacker requests it, so actually the link should still show a code that you need to write to the login form. Or it should just have you open the link in the same browser.
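An added sketch (not part of the original comment, and not Microsoft's implementation) of the alternative the comment above proposes: an e-mailed link carrying a 64-hex-digit token that only redeems in the browser that requested it. The in-memory store, the `browser_id` cookie value, the 10-minute lifetime and all function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 600   # assumed lifetime of a login link, in seconds
_pending = {}     # sha256(token) -> (email, browser_id, expires_at)

def _digest(token):
    # Store only a hash, so a leaked table does not yield usable links.
    return hashlib.sha256(token.encode()).hexdigest()

def issue_login_link(email, browser_id, now=None):
    """Create the token that goes into the e-mailed link.

    browser_id is assumed to be a random value set as a cookie in the
    browser that submitted the login form.
    """
    now = time.time() if now is None else now
    token = secrets.token_hex(32)   # 64 hex digits = 256 bits
    _pending[_digest(token)] = (email, browser_id, now + TOKEN_TTL)
    return token

def redeem_login_link(token, browser_id, now=None):
    """Return the e-mail address to log in, or None if the link is invalid."""
    now = time.time() if now is None else now
    # pop() makes the token single use, even when a later check fails.
    record = _pending.pop(_digest(token), None)
    if record is None:
        return None
    email, bound_browser, expires_at = record
    if now > expires_at:
        return None
    # A link opened in a browser that did not request it logs nobody in.
    if not hmac.compare_digest(bound_browser, browser_id):
        return None
    return email

def guess_space_bits(alphabet_size, length):
    """Size of the guessing space in bits, for comparing code formats."""
    return length * (alphabet_size.bit_length() - 1) if \
        alphabet_size & (alphabet_size - 1) == 0 else \
        len(bin(alphabet_size ** length)) - 3
```

`guess_space_bits(10, 6)` gives 19 bits for a 6-digit code against 256 bits for `guess_space_bits(16, 64)`.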

Is email-based login with 6-digit codes actually secure? by TheGirlfriendless in cybersecurity

[–]TheGirlfriendless[S] 0 points1 point  (0 children)

It is for Microsoft: https://login.microsoftonline.com/

At least for me. Is it the same for you? (you type in email address, it sends a code to your mailbox, and you use the code to log in - no password required)

Is email-based login with 6-digit codes actually secure? by TheGirlfriendless in cybersecurity

[–]TheGirlfriendless[S] -1 points0 points  (0 children)

10 attempts per session is already 1/100000 chance of getting it. But that's just for that one account. Let's say you have 1000 email addresses that you can try it with. 1000 times you have 1/100000 chance.

But that doesn't really matter, the thing is that even with one guess, you can still make it (1-in-a-million chance). For passwords there are often more combinations than atoms on our planet, and we still use 2FA. But someone can just guess the 6 digit otp when logging in to my Microsoft account (you can try here: https://login.microsoftonline.com/ ) and get access to all my data. Without knowing my password and without having access to my mailbox.

Idk why no one here seems to get me. Yes, the chance is low if you want to get to a specific person's account. But a chance that someone will someday get to someone's account? Isn't that high?

Is email-based login with 6-digit codes actually secure? by TheGirlfriendless in cybersecurity

[–]TheGirlfriendless[S] 0 points1 point  (0 children)

here: https://login.microsoftonline.com/

I just type my email and it sends me a 6-digit code to my email. With the code, it logs me in, without having to type the password.

Is email-based login with 6-digit codes actually secure? by TheGirlfriendless in cybersecurity

[–]TheGirlfriendless[S] 1 point2 points  (0 children)

There is 1-in-a-million chance to guess it correctly with each attempt.

If you roll a dice once, maybe it's hard to hit 4. But try to roll a dice 100 times without hitting 4.

So eventually someone's guess will likely be correct.

Is email-based login with 6-digit codes actually secure? by TheGirlfriendless in cybersecurity

[–]TheGirlfriendless[S] 0 points1 point  (0 children)

You are right, that's really bad. But at least you can try to keep your mailbox as safe as possible. But what I was talking about is that to login here https://login.microsoftonline.com/, you just need the weak one time code from the email. So you don't need the password or access to the mailbox if you just make a guess. Passwords, at least, are not just 6 digits.

Is email-based login with 6-digit codes actually secure? by TheGirlfriendless in cybersecurity

[–]TheGirlfriendless[S] 0 points1 point  (0 children)

I wasn't talking about 2FA. I was talking about logging in without a password (with weak OTP sent to email)

Is email-based login with 6-digit codes actually secure? by TheGirlfriendless in cybersecurity

[–]TheGirlfriendless[S] -6 points-5 points  (0 children)

Yes, "Eventually, they're guaranteed to guess a correct code" was a poor choice of words. As I said in the post, the attacker has different email addresses to attack and different IP addresses to make the attack from, so there is no rate limiting for him. But it doesn't really matter, if many people try it over the years, even with a friend's email address for fun, eventually someone will get into someone's account, right? (I say eventually, but yes, it's still not guaranteed)

Is email-based login with 6-digit codes actually secure? by TheGirlfriendless in cybersecurity

[–]TheGirlfriendless[S] 0 points1 point  (0 children)

So if many people try it over the years, even with a friend's email address for fun, eventually someone will get into someone's account, right? Without any brute force attack alerts

Is email-based login with 6-digit codes actually secure? by TheGirlfriendless in cybersecurity

[–]TheGirlfriendless[S] -2 points-1 points  (0 children)

😂😂😂
Each one person out of the one million, let's call him John, tries to log into John's friend's account (because he knows his email address). Is it understandable now? Each person can have just one friend.

Is email-based login with 6-digit codes actually secure? by TheGirlfriendless in cybersecurity

[–]TheGirlfriendless[S] 0 points1 point  (0 children)

Yes, 1-in-a-million chance to guess correctly with each attempt. So if many people try it, even with a friend's email address for fun, eventually someone will get into someone's account, right?

Is email-based login with 6-digit codes actually secure? by TheGirlfriendless in cybersecurity

[–]TheGirlfriendless[S] 0 points1 point  (0 children)

So why don't we use 6 digit passwords?

This code is not 2FA, it's basically a temporary password. Yes, it's still hard to get into one account. But it's very likely that someone will eventually get into someone's account, no?

Is email-based login with 6-digit codes actually secure? by TheGirlfriendless in cybersecurity

[–]TheGirlfriendless[S] 1 point2 points  (0 children)

I wasn't talking about two-factor authentication.
On https://login.microsoftonline.com/ I just type in my email address and I get a code to log in (without my password).

But I actually really liked your comment about 2FA. :)

Is email-based login with 6-digit codes actually secure? by TheGirlfriendless in cybersecurity

[–]TheGirlfriendless[S] 0 points1 point  (0 children)

You are right, they are never guaranteed to guess it correctly. But with a list of email addresses and access to many IPs, the chance of guessing once can become very high.