On Fri, Nov 22, 2024 at 11:53 PM Tim via users <users@xxxxxxxxxxxxxxxxxxxxxxx> wrote:
>
> Tim:
> > > Don't give XYZ your Gmail password when it asks you to log-on with
> > > an email address and password. Argh.....
>
> Patrick O'Callaghan:
> > Very easy to misunderstand. The site should be clear that they want
> > *their* password, not your Gmail (or MS, or Facebook, or Apple, ...)
> > password. Unfortunately, almost none of them explain that properly.
>
> There's a mix of crappily done websites that do that, which will
> probably get hacked and your credentials stolen, and sites which
> deliberately set out to capture them.
>
> Whenever I hear about friends having their Facebook account taken over
> (and I do mean actually taken over, rather than the clones), I make
> three assumptions which are probably *all* correct:
>
> They've logged into something else using their Facebook credentials.
> They use the same credentials in multiple places.
> They have a really dumb password.
>
> People may think "so what, it's only Facebook" (or whatever else), but
> it can do you harm. They can commit fraud, or worse, in your name.

Folks should be using YubiKeys or other FIDO compliant gadgets nowadays. They provide the following security properties:

* high entropy
* phishing resistant
* replay resistant

Each origin (domain) uses a different authenticator, so cross-origin attacks (like reusing passwords) are difficult.

If someone is willing to buy a $1000 phone and pay $75 a month for service, they should be able to afford a $50 YubiKey.

It looks like Facebook supports them: <https://www.yubico.com/works-with-yubikey/catalog/facebook/>.
Jeff

--
users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx