5
We replaced passwords with something worse (blog.danielh.cc)
submitted 1 day ago by lemmydev2@infosec.pub to c/pulse_of_truth@infosec.pub
6 comments fedilink hide all child comments

Comments

top 6 comments
sorted by: hot top controversial new old
[-] Canconda@lemmy.ca 3 points 1 day ago

An attacker can simply send your email address to a legitimate service, and prompt for a 6-digit code. You can't know for sure if the code is supposed to be entered in the right place. Password managers (a usual defense against phishing) can't help you either.

I don't understand. Is the email already compromised? Gmail requires 2 factor authentication via android to log into your email on new devices so there's that.

[-] melmi 6 points 1 day ago

No, this is a phishing attack. Attackers create a fake website that asks for your email. You give your email, then they relay that address to the legitimate service. The legitimate service sends you an email with a code. The fake service asks for that code. If you give it, they then own your account.

[-] Canconda@lemmy.ca 2 points 1 day ago

Ah thank you. Makes much more sense.

[-] originalucifer@moist.catsweat.com 3 points 1 day ago

ha, yeah lets replace passwords with codes sent via fuckin email. a service with security as a patchwork of bolt-on crap that barely works and is itself dependent on other services where security was an afterthought... like DNS.

awesome!

[-] Successful_Try543@feddit.org 1 points 17 hours ago* (last edited 17 hours ago)

If I get the reply from @melmi@lemmy.blahaj.zone right, the medium doesn't matter. As in this scenario, you are telling the fake service yourself the secret code.

[-] vzqq 1 points 1 day ago

That’s how password recovery works on most services. So if it’s any consolation, it’s not a new security vulnerability. We are just skipping the charade where I pretend to remember a password.

this post was submitted on 07 Aug 2025
5 points (100.0% liked)

Pulse of Truth

1446 readers
151 users here now

Cyber Security news and links to cyber security stories that could make you go hmmm. The content is exactly as it is consumed through RSS feeds and wont be edited (except for the occasional encoding errors).

This community is automagically fed by an instance of Dittybopper.

founded 2 years ago
MODERATORS
krogoth@infosec.pub