this post was submitted on 03 Nov 2023
303 points (87.0% liked)

Technology

55748 readers
2700 users here now

This is a most excellent place for technology news and articles.

Our Rules

  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots

founded 1 year ago
MODERATORS
L3s
[email protected]
[email protected]
[email protected]
enu
[email protected]
L4s
303
Security expert reveals surprising way to make your password stronger: use emojis (nypost.com)
submitted 8 months ago by Salamendacious to c/technology
275 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 3 points 8 months ago (1 children)

There are different ways.

One way is to use an encryption module on the device that, rather than storing the keys just encrypts the keys and holds an encryption key that you can't extract, and can do various crypto operations.
Now you ask the module to do a secure key exchange algorithm with the new device, meditated by a party the module trusts, like apple or something.
Now both devices share a secret key, and they trust that the other is owned by the same user because the owner verified with apple who then signed the exchange messages.
Old device decrypts with the old key, and encrypts with the new key, never letting the data leave the secure module. Send the data to the new device which can do the reverse, and both devices forget the shared password.

Overall, minor weaknesses like storing keys in the cloud encrypted by a key derived from a password that the cloud never sees, while objective weaknesses, are still significant net improvements to security over passwords.

[–] [email protected] 2 points 8 months ago (1 children)

Thank you for explaining. That's a thing most sites leave out: tell people how the keys cannot be stolen while still working on a different device.

[–] [email protected] 2 points 8 months ago

Big reason for that is the spec for how this all works being around for a while, giving people a lot of time to write about the core of how it works, but the viable popular implementations are far newer, so articles still haven't been updated, and doing the key transfers is still one of the newest parts that the big vendors don't want to talk about yet, because they still have to get their patents fully approved and everything.

What I described above is one way to move data between two devices in a secure way with a trusted intermediary to verify identity, but I have no idea if it's how any major vendor actually does it, because they haven't made that data public. It's just what's obvious to a sufficiently informed subject matter expert.