this post was submitted on 01 Dec 2023
98 points (72.1% liked)

Privacy


A place to discuss privacy and freedom in the digital world.

Privacy has become a very important issue in modern society. With companies and governments constantly abusing their power, more and more people are waking up to the importance of digital privacy.

In this community everyone is welcome to post links and discuss topics related to privacy.

all 37 comments
[–] Brkdncr@sh.itjust.works 94 points 11 months ago (3 children)

This is bad advice. Federated identity and oauth are great tools. You need to use the right identity provider.

When some random website gets hacked and has its authentication database dumped your credentials won’t be in there.

You can see what a website has access to from your identity provider.

It’s federation. It’s a trust model. Like the fediverse.

[–] thesmokingman@programming.dev 48 points 11 months ago (1 children)

The biggest reason not to use a single account like this is that you lose everything if you lose the owning account. It’s bad advice to say you should absolutely do one or the other. It’s good advice to consider the risks.

[–] ShortN0te@lemmy.ml 2 points 11 months ago (1 children)

So you create a new email for every account you make?

[–] thesmokingman@programming.dev 10 points 11 months ago (1 children)

Do I use an aliasing service that allows me to change where the account emails point to? Yes. Can I access those accounts with access to my email? Yes.

The issue here is that if you lose access to social network that logs you into those things, you lose the account. If you have an actual account, not delegated access, you can still access the account with the social account.

I’m struggling to find some good article examples because Google is rolling out inactive account deletion and that’s polluting my search results. So go test this out yourself: go try to change the account name/email, password, or MFA for any of those accounts you use social auth for. Try to figure out how you would log in without that social account. Next do the same thing with an account you don’t use social auth for.

[–] Pantherina@feddit.de 5 points 11 months ago (3 children)

Same but this basically puts all the trust in your mail provider which also sucks.

We should have logins with security keys and/or local biometric unlocking. I think that would already increase security and ease of use a lot. But these things are so expensive and not well supported yet

[–] thesmokingman@programming.dev 2 points 11 months ago

In theory, my email only serves as a way to verify me and spam me. A good account may require an email for communication and should allow that email to be changed without losing the account, in the same way the good account will let me change the password, the MFA, and ideally even the username (looking at you Steam). Same as a phone number. We’re beginning to see a move toward that flexibility. Most accounts with MFA allow it.

[–] EngineerGaming@feddit.nl 1 points 11 months ago

First - mail server might literally be on a box in your home under your full control. Second - if it's not the case, you don't need to stick to a single provider. I have mailboxes tied to different platforms on different providers, so I cannot lose all at once.

[–] soulfirethewolf@lemdro.id 1 points 11 months ago

If you're worried about losing access to your email, consider switching to one with custom domain and a provider that supports it.

[–] LWD@lemm.ee 10 points 11 months ago* (last edited 11 months ago) (1 children)
[–] Brkdncr@sh.itjust.works 0 points 11 months ago

They handle it better and your options to respond are better.

You can immediately invalidate all associations for instance. You can revalidate them too once your identity provider is back up and running. Okta is going through this right now I believe, but I haven’t been paying a whole lot of attention to it.

There’s no password with federated sites. It’s certificates to prove the connection is valid, and tokens.

The federated website could choose to save nothing about you. It would make it a lot easier for them to do so, as it means less resources to manage, and less PII to be concerned about storing.
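
The comment above describes the relying party holding tokens rather than a password. The following is an added example (not code from the thread or from any identity provider) showing what a relying party checks on the OpenID Connect ID token it receives: the signature and then the issuer, audience, expiry and nonce claims that OIDC Core 1.0 section 3.1.3.7 requires. It uses HS256 with a constructed shared secret so it runs offline with the standard library; Google and similar providers sign with RS256 and publish their public keys, so the signature step differs but the claim checks are the same. Issuer, client ID and claim values are all constructed.

```python
"""Validating an OpenID Connect ID token at the relying party (added example)."""
import base64
import hashlib
import hmac
import json
import time

# Constructed shared secret for the offline demo; a real relying party would
# verify an RS256 signature against the provider's published JWKS instead.
SHARED_SECRET = b"example-shared-secret-not-a-real-key"


def _b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(signing_input: str, key: bytes) -> bytes:
    return hmac.new(key, signing_input.encode("ascii"), hashlib.sha256).digest()


def mint_id_token(claims: dict, key: bytes = SHARED_SECRET) -> str:
    """Build a compact JWS (header.payload.signature), as the provider would."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = ".".join(
        _b64url_encode(json.dumps(part, separators=(",", ":")).encode())
        for part in (header, claims)
    )
    return f"{signing_input}.{_b64url_encode(_sign(signing_input, key))}"


def tamper_payload(token: str, **changes) -> str:
    """Edit claims without re-signing, i.e. what an attacker can do to a token."""
    header_b64, payload_b64, sig_b64 = token.split(".")
    claims = json.loads(_b64url_decode(payload_b64))
    claims.update(changes)
    payload_b64 = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    return f"{header_b64}.{payload_b64}.{sig_b64}"


class InvalidToken(Exception):
    pass


def validate_id_token(token, *, issuer, client_id, nonce, key=SHARED_SECRET,
                      now=None, leeway=60) -> dict:
    """Verify signature and required claims; return claims or raise InvalidToken."""
    now = time.time() if now is None else now
    try:
        header_b64, payload_b64, sig_b64 = token.split(".")
    except ValueError:
        raise InvalidToken("token is not header.payload.signature")

    header = json.loads(_b64url_decode(header_b64))
    # Pin the algorithm we expect; never let the token choose (alg=none attacks).
    if header.get("alg") != "HS256":
        raise InvalidToken(f"unexpected alg {header.get('alg')!r}")
    expected = _sign(f"{header_b64}.{payload_b64}", key)
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise InvalidToken("signature mismatch")

    claims = json.loads(_b64url_decode(payload_b64))
    if claims.get("iss") != issuer:
        raise InvalidToken("issuer mismatch")
    aud = claims.get("aud")
    aud_list = aud if isinstance(aud, list) else [aud]
    if client_id not in aud_list:
        raise InvalidToken("token not issued for this client")
    if len(aud_list) > 1 and claims.get("azp") != client_id:
        raise InvalidToken("multiple audiences but azp is not this client")
    if claims.get("exp", 0) + leeway < now:
        raise InvalidToken("token expired")
    if claims.get("iat", now) > now + leeway:
        raise InvalidToken("token issued in the future")
    # The nonce ties this token to the authorization request we sent, so a
    # token captured from another session cannot be replayed here.
    if claims.get("nonce") != nonce:
        raise InvalidToken("nonce mismatch")
    if not claims.get("sub"):
        raise InvalidToken("missing subject")
    return claims


def validation_error(token, **kwargs):
    """Return None if the token validates, else the reason it was rejected."""
    try:
        validate_id_token(token, **kwargs)
        return None
    except InvalidToken as exc:
        return str(exc)


if __name__ == "__main__":
    now = 1_700_000_000
    claims = {"iss": "https://idp.example", "sub": "1234", "aud": "client-abc",
              "iat": now, "exp": now + 3600, "nonce": "n-1", "email": "user@example.com"}
    token = mint_id_token(claims)
    print("valid:", validation_error(token, issuer="https://idp.example",
                                     client_id="client-abc", nonce="n-1", now=now))
    print("forged sub:", validation_error(tamper_payload(token, sub="9999"),
                                          issuer="https://idp.example",
                                          client_id="client-abc", nonce="n-1", now=now))
```

The order matters: the signature is checked before any claim is read, and the algorithm is pinned by the relying party rather than taken from the token header.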

[–] capital@lemmy.world 5 points 11 months ago (2 children)

What’s considered a good id provider?

[–] Brkdncr@sh.itjust.works 1 points 11 months ago (1 children)

One you have a business relationship with. You can sign up for a paid account with Google or Microsoft. Use your own domain. Disable whatever adware options you’d like, and use that as your identity provider.

While you can roll your own, many services, if they even support custom SAML federation, only do so for enterprise customers. You’re much more likely to find useful federated services with Google or MS.

I would never recommend Facebook.

[–] Grunt4019@lemm.ee 4 points 11 months ago (1 children)

Advocating for using some of the biggest privacy violators to log in to all your accounts! Business relationship or not this is not good advice for your privacy.

[–] LWD@lemm.ee 4 points 11 months ago* (last edited 11 months ago)
[–] skysurfer@lemmy.world 46 points 11 months ago (2 children)

Seems someone doesn't understand how OAuth works. It does not automatically give full access to your social media accounts, location history, and device cameras as the video says.

Using the Google button for instance will tell you exactly what permissions are being requested every time you login. Generally, it will be name, email, language, and sometimes profile picture. Aside from the profile picture you would give all the same information anyway to create an account. At least with OAuth there is no worry about passwords, especially for people who don't have good password practices and reuse passwords between different sites.
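
The consent screen the comment above describes reflects the `scope` parameter of the authorization request the site redirects you to. The following is an added example (not code from the thread or from any provider) that parses such a URL and separates the OIDC identity scopes, which only prove who you are, from scopes that grant access to data, and flags request hygiene a relying party should get right (`state`, `nonce`, PKCE, an https redirect). The two URLs are constructed; only the parameter names come from RFC 6749, OIDC Core and RFC 7636. The `access_type=offline` check is Google-specific and the Gmail scope string is used only as an illustration of a data-access scope.

```python
"""Inspecting what a 'Sign in with ...' authorization request asks for (added example)."""
from urllib.parse import parse_qs, urlparse

# OIDC scopes that only yield identity claims (name, email, picture, locale).
IDENTITY_SCOPES = {"openid", "email", "profile"}

# Constructed request URLs: one identity-only login, one that also asks for mail access.
LOGIN_ONLY_URL = (
    "https://idp.example/authorize?client_id=abc123"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Foauth%2Fcallback"
    "&response_type=code&scope=openid%20email%20profile&state=s1&nonce=n1"
    "&code_challenge=E9Melhoa2OwvFrEMTJguCHaoeK1t8URWbuGJSstw-cM&code_challenge_method=S256"
)
MAIL_ACCESS_URL = (
    "https://idp.example/authorize?client_id=abc123"
    "&redirect_uri=https%3A%2F%2Fapp.example%2Fcb&response_type=code"
    "&scope=openid%20email%20https%3A%2F%2Fwww.googleapis.com%2Fauth%2Fgmail.readonly"
    "&access_type=offline"
)


def parse_authorization_request(url: str) -> dict:
    """Return the query parameters plus the authorization endpoint itself."""
    u = urlparse(url)
    params = {k: v[0] for k, v in parse_qs(u.query, keep_blank_values=True).items()}
    params["_endpoint"] = f"{u.scheme}://{u.netloc}{u.path}"
    return params


def assess_authorization_request(url: str) -> dict:
    """Split scopes into identity vs data access and list hygiene findings."""
    p = parse_authorization_request(url)
    scopes = p.get("scope", "").split()
    identity = [s for s in scopes if s in IDENTITY_SCOPES]
    data_access = [s for s in scopes if s not in IDENTITY_SCOPES]
    findings = []
    if "openid" not in scopes:
        findings.append("no 'openid' scope: plain OAuth delegation, not an OIDC login")
    if p.get("response_type") != "code":
        findings.append(f"response_type={p.get('response_type')!r}: tokens returned on the front channel")
    if "state" not in p:
        findings.append("missing 'state': callback cannot be tied to this request (login CSRF)")
    if "openid" in scopes and "nonce" not in p:
        findings.append("missing 'nonce': ID token cannot be bound to this login attempt")
    if "code_challenge" not in p:
        findings.append("no PKCE code_challenge: authorization code is replayable if intercepted")
    redirect = p.get("redirect_uri", "")
    if not (redirect.startswith("https://") or redirect.startswith("http://localhost")):
        findings.append(f"redirect_uri {redirect!r} is not https")
    # 'offline_access' is the OIDC spelling; 'access_type=offline' is Google's.
    if "offline_access" in scopes or p.get("access_type") == "offline":
        findings.append("refresh token requested: access outlives the browser session")
    return {
        "endpoint": p["_endpoint"],
        "client_id": p.get("client_id"),
        "identity_scopes": identity,
        "data_access_scopes": data_access,
        "findings": findings,
    }


if __name__ == "__main__":
    for url in (LOGIN_ONLY_URL, MAIL_ACCESS_URL):
        report = assess_authorization_request(url)
        print(report["identity_scopes"], report["data_access_scopes"])
        for f in report["findings"]:
            print("  -", f)
```

The same split applies when reading the consent screen by eye: anything outside `openid`, `email` and `profile` is a grant of data access, not just a login.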

[–] LostXOR@kbin.social 19 points 11 months ago

What caught me most off guard was him saying that OAuth somehow grants sites access to your camera. That's a permission controlled by the browser and not at all related to OAuth.

[–] reboot6675@sopuli.xyz 6 points 11 months ago

I've always had this question. When I login with Google, I know what data the website will get from my Google account. But what data can Google get from the website and my usage of it, if any? (besides, of course, that I have an account on said website).

[–] ____@infosec.pub 31 points 11 months ago (2 children)

How about a headline that’s not pure clickbait.

[–] Synthead@lemmy.world 8 points 11 months ago

NEVER CLICK THESE ↪️

[–] GeneralEmergency@lemmy.world 3 points 11 months ago

How else would you attract the paranoid weirdos.

[–] TCB13@lemmy.world 21 points 11 months ago (2 children)

What to do instead - be a normal human and create an account at the website.

[–] capital@lemmy.world 21 points 11 months ago (2 children)

After generating a unique email and password combination for said website.

[–] Bonehead@kbin.social 14 points 11 months ago (2 children)

...then storing that information in Chrome's auto-fill because that's way too much to remember. And the circle is complete.

[–] Masimatutu@mander.xyz 36 points 11 months ago* (last edited 11 months ago) (1 children)

Bitwarden, everybody!

Edit: and F I R E F O X

[–] winterayars@sh.itjust.works 1 points 11 months ago

This is the way.

[–] OhmsLawn@lemmy.world 6 points 11 months ago (1 children)

Password manager. Now if I could just get Google to purge all my old passwords, that would be great.

[–] Samsy@lemmy.ml 2 points 11 months ago (1 children)

No problem, just use new passwords.

[–] OhmsLawn@lemmy.world 2 points 11 months ago
[–] BradleyUffner@lemmy.world 2 points 11 months ago (1 children)

And get your login details stolen because they didn't hash and salt passwords correctly when the site is almost immediately hacked.
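
To show what "hash and salt correctly" changes when a site's user table leaks, here is an added example (not code from the thread) that contrasts a bare SHA-256 of the password with a per-user random salt and a memory-hard KDF (scrypt via `hashlib`), stored in a self-describing record so the cost parameters can be raised later without breaking existing users. The usernames and passwords are constructed.

```python
"""Unsalted hash vs salted scrypt record for stored passwords (added example)."""
import hashlib
import hmac
import os

# scrypt cost: 128 * r * n bytes of memory per guess (16 MiB here), p=1.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def unsalted_hash(password: str) -> str:
    """The careless scheme: equal passwords give equal hashes, so one cracked
    hash or a precomputed table unlocks every user who chose that password."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None) -> str:
    """Return 'scrypt$n$r$p$salt$key' with a fresh 16-byte salt per user."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.scrypt(password.encode(), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), key.hex()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the parameters stored in the record; constant-time compare."""
    try:
        scheme, n, r, p, salt_hex, key_hex = record.split("$")
        if scheme != "scrypt":
            return False
        candidate = hashlib.scrypt(password.encode(), salt=bytes.fromhex(salt_hex),
                                   n=int(n), r=int(r), p=int(p), dklen=len(key_hex) // 2)
    except ValueError:
        return False
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


def leaked_table_comparison(users: dict) -> dict:
    """Given {username: password}, count the distinct values an attacker would
    see in a dump under each scheme. Shared passwords collapse only when unsalted."""
    unsalted = {unsalted_hash(pw) for pw in users.values()}
    salted = {hash_password(pw) for pw in users.values()}
    return {"users": len(users),
            "distinct_unsalted": len(unsalted),
            "distinct_salted": len(salted)}


if __name__ == "__main__":
    # Constructed sample: two users happen to share a password.
    table = {"alice": "hunter2", "bob": "hunter2", "carol": "correct horse battery staple"}
    print(leaked_table_comparison(table))
    record = hash_password("hunter2")
    print(record)
    print(verify_password("hunter2", record), verify_password("hunter3", record))
```

Storing the parameters alongside the salt is what lets a site raise `n` later and re-hash each user on their next successful login, instead of being stuck with the cost chosen at launch.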

[–] wincing_nucleus073@lemm.ee 2 points 11 months ago (1 children)

random password, email alias

[–] BradleyUffner@lemmy.world 1 points 11 months ago

Pancakes, bumblebee, gazpacho soup

[–] Samsy@lemmy.ml 3 points 11 months ago (1 children)
[–] Karlos_Cantana@kbin.social 2 points 11 months ago
[–] OhmsLawn@lemmy.world 3 points 11 months ago

I just went through yesterday and killed a couple of these. Unfortunately, Airbnb retained my photo after I pulled the permission.