Wikipedia:Reference desk/Archives/Computing/2022 February 14

= February 14 =

passwords and fingerprints
I recently started a new job and am going through the process of having to come up with multiple login names and passwords. Even though I write things down (cause who can honestly remember so many different passwords for both work and personal things??), trying to find each login info (especially if it is not something you use often) is a pain and terribly inefficient. My IT dept can't adequately explain this so I am hoping that someone here can help this technotwit understand: what can't we use fingerprints or some other biometric instead of so many different login/passwords? — Preceding unsigned comment added by 142.51.209.126 (talk) 02:42, 14 February 2022 (UTC)
 * Fingerprints aren't very secure, even for physical security. They aren't at all useful for network security (what prevents someone from just sending a stored picture of your fingerprint over the network?). You can get hardware keys that you would plugin through USB, but in general these are used to increase security, so they would be used in addition to a password. There are "Single sign-on" solutions, but then you come to the big problem: Every application you use would need to use that system, and most applications aren't programmed to use that system. As a solution, maybe you can ask your IT manager if you are allowed to use a password manager, which is easier and more secure than a physical notebook. El sjaako (talk) 10:19, 14 February 2022 (UTC)
 * In addition to technical issues, there could be people who don't want to be fingerprinted. --←Baseball Bugs What's up, Doc? carrots→ 03:51, 16 February 2022 (UTC)
 * The most important problem of biometrics credentials (fingerprint, face recognition etc.), IMO, is that they cannot be revoked. If your password leaks, you can change it. If an image of your fingerprints leaks, you cannot use fingerprints for ID anymore, ever. Tigraan Click here for my talk page ("private" contact) 13:24, 18 February 2022 (UTC)


 * Remembering passwords, or writing them down, are both nowadays impractical. You really have to use a password manager of some sort.  I use the one built into my web browser (firefox) and that is good enough for my purposes.  There are fancier add-on ones that let you share passwords between your computer and your phone, but I haven't found the need for that, so I prefer to keep it simple.  I have a very small number of passwords that I use on both devices, so I just transfer those manually.  The others are in just one device which is fine.  2602:24A:DE47:B8E0:1B43:29FD:A863:33CA (talk) 05:47, 15 February 2022 (UTC)
 * Password managers are a good idea, much better than reusing passwords. However, the build-in password manager in your browser is not one I'd advise to use. They often do not store the passwords in a well-encrypted vault. If someone gains access to your devices, all your logins are public knowledge. At the very least, set a master password on your browser but preferably use a dedicated password manager. Well known names are Lastpass, 1Password, Bitwarden, Keepass etc. Rmvandijk (talk) 15:06, 15 February 2022 (UTC)
 * The in-browser password manager does use some kind of encrypted local store, I thought. Even if it's not the greatest, it still has to beat storing the passwords on someone else's server!  On the internet, even!  I think most of the ones you mention have been cracked and spilled passwords at least once.  2602:24A:DE47:B8E0:1B43:29FD:A863:33CA (talk) 03:40, 16 February 2022 (UTC)
 * Without a master password, the passwords in (for example) Firefox are encrypted, but the key is located in the same folder, making it fairly useless. I have not checked for other browser, but I assume similar practices for them. With a master password, I assume that either the key or the database have an additional encryption available.
 * From their Wiki-pages, only Lastpass has suffered from (known) security breaches. I also mentioned Keepass, specifically because it is a local password storage (with plugins to store this database on servers available). The online password managers also allow for 2FA if I recall, for added security. Rmvandijk (talk) 08:06, 16 February 2022 (UTC)
 * By default, the passwords in Firefox are not encrypted in any practical way; if Windows is already running, you can just open Firefox and ask it to show you all the passwords (or export to a CSV, for that matter). Matt Deres (talk) 03:34, 17 February 2022 (UTC)
 * This is true of any kind of encrypted information. You're describing an evil maid attack. If a sophisticated attacker has unfettered physical access to the system, and the data is unencrypted in memory anywhere, they can get it. For that matter they could install a hardware keylogger, and software to snoop on everything you do with the computer. But this is not the kind of threat model the average person needs to be very concerned about, while having a low-quality password that leads to accounts being compromised by a bot that tries dictionary attacks is. --47.155.96.47 (talk) 09:00, 20 February 2022 (UTC)

Understanding web frameworks
Are there some resources (real books preferred) for understanding in a general way web frameworks like Django, Kubernetes, Dockers, ... how they relate, what they cover. I don't need any link to learn development in any of them, just want to understand the landscape. --Bumptump (talk) 17:50, 14 February 2022 (UTC)