Kitz Forum

Chat => Tech Chat => Topic started by: Weaver on June 07, 2019, 02:27:28 AM

Title: Automatic website login
Post by: Weaver on June 07, 2019, 02:27:28 AM
I wish that web browsers could just optionally log you in to certain websites without any prompts of any sort, either by injecting a username and password into the required form and then just hitting go-for-it or else by using some other purpose-built streamlined authentication protocol that is meant for a machine-to-machine conversation.

I know some people would go mad about security, but if it was off by default, had a per website on/off override and where you could have the options of (i) normal username and password entry, or (ii) the browser asks the o/s to authenticate user locally somehow (for example I have fingerprint reading now for this in my iPad before the browser will release the saved username+password combination), or (iii) just go for it. And the system ought to make it very easy for the user to change the settings by showing you a relevant control and locating the correct specific, per-website setting and the overall default behaviour preference setting. Also it should be very easy to delete the saved credentials. And finally there needs to be a temporary lock where you can engage an override where the system goes back to old behaviour (i) - for situations where someone else is lurking around and might gain access to your machine but you don't want to have to lock it right now.

(This is only tolerable in a system that has a lock and identification of the user by the o/s and shell / UI login session manager, so that the browser can check and be assured that the user is identified and suitable locking practices are in force. If the user turns the overall login session lock off - no timeout, or has no password - or whatever then there should be a fail reported to the browser when it does a match against a minimum sane security policy level so the browser can then possibly warn the user and offer to switch to behaviour (i). It should be the user's choice ultimately because the machine might be physically secured with no other users ever present.)

I'm really fed up with the number of times I have to log in to different websites again and again throughout the day. iOS Safari has also had a mad phase of offering me the wrong username combined with some password or other when visiting a certain site. Sometimes it's the wrong username but that user does exist in that website. Sometimes I think that the cause is something like user-A at vs user-A at or user-A at one level up, so a user that does exist but at the wrong website although it is a related one. And I think, I'm not sure, that you can persuade iOS Safari to pick a username+password from a completely irrelevant website and use that. It comes up with a nightmare long choice list because it shows you a list that contains all the websites in the world. This might be something to do with the browser having understandable difficulty when two URIs are in fact exactly the same website, especially vs, and you can't get any help by comparing IP addresses either. I wonder if there is a spec for declaring some kind of canonical uri for the top level of websites? There ought to be. Could put it in headers and/or in the head section of (x)html.
Title: Re: Automatic website login
Post by: CarlT on June 10, 2019, 06:32:00 PM
Use a browser extension like Last Pass?

Chrome already does this by the way. Uses your Google account to authorise you.
Title: Re: Automatic website login
Post by: Weaver on June 12, 2019, 02:51:59 AM
I have 1Password, but it seems to offer few advantages over the iOS built-in system in Safari. Also you then have to choose which subsystem to use which is yet another question to have to answer. I just wish Safari could be set up to bypass everything and let me get on with things.
Title: Re: Automatic website login
Post by: sevenlayermuddle on June 12, 2019, 09:09:53 AM
I'm no expert in web design, let alone secure web pages that require login. But isn't permanency (is that a word?) of login down to the website designer? I would imagine authors of websites that host valued data might feel they have a responsibility to require fresh login from time to time, simply to mitigate the damage if a device gets stolen, or some kind of cookie theft exploit is found?

Per the half-way house, ease of login, as opposed to permanent login, Apple's Safari is the one I trust, login details being encrypted in iCloud keychain. Like any other software, iCloud & keychain might one day be compromised but for all their faults, major OS vendors like Microsoft, Google, Apple, clearly employ good engineers, with management that have a strong incentive (reputation) to provide funding to get these things right.

I'd be less inclined to put my trust in a here-today/gone-tomorrow startup, no matter how good their product. No implication intended as to pedigree of aforementioned 1password, of which I hold no opinion whatsoever, either good or bad. :)

Not that long ago, before OS support for native user-level encryption, many browsers would have stored passwords in plain text that could be easily retrieved from a stolen disk without needing to break any encryption or to crack any passwords at all. I assume all OSs have moved on from that?
Title: Re: Automatic website login
Post by: Weaver on June 12, 2019, 11:14:30 AM
I think the answer is, it depends. The extreme is some corporate nazi sysadmin designer who imposes the will of the company on the users and to hell with what they want. Those users are not trusted to behave or be clued up about security.

The other extreme is where a designer wants to give users the best experience and users are trusted but defaults are wise in security terms. Also users who are not clued up are well catered for. Here users who make active choices are assumed to know what they are doing and are trusted and operating systems and the associated UI is assumed to be doing a good job in security terms in a well designed o/s where the user's session is locked down well by the o/s and wheel reinvention by the browser is not required. Of course if the o/s is rubbish then the site designer or browser designer will feel they have to take additional measures.

Giving users control, convenience, trusting them and empowering them so that they get the best experience is a good thing. But obviously it's no good if the user cannot be trusted and there is more than one scenario here. Safe defaults and configurability, in the second picture it seems to me that that's the right way to go.
Title: Re: Automatic website login
Post by: Chrysalis on June 15, 2019, 04:12:21 PM
This is already a thing via cookies, every time e.g. you access kitz you are auto logged in via your cookies.

But certain websites won't allow it, they will expire the session, and the view point of the browser developers is it should be in control of the website developer not the end user on security policies. There are exceptions of course such as enforcing allowing passwords to be remembered but not on automatic login.

The best medium ground is to use a password manager, and that's a good thing in the long term anyway as it encourages the use of unique strong passwords for every individual website.
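The point Chrysalis makes, that the site rather than the browser decides how long a cookie keeps you logged in, is easy to see in code. The following is an added example, not code from the thread or from any forum software; the class and function names are hypothetical, and the timeouts are constructed values chosen for illustration. The site issues a random session token, stores only a hash of it (so a leaked session table cannot be replayed), and enforces an idle timeout for ordinary sessions and an absolute lifetime for "remember me" sessions. The browser merely replays the cookie; when the site has expired the session, presenting the cookie does nothing.

```python
"""Site-controlled session lifetime behind a login cookie (added example)."""
import hashlib
import secrets
from dataclasses import dataclass


@dataclass
class Session:
    user: str
    issued_at: float   # when the session was created
    last_seen: float   # last request that used it
    remember: bool     # 'remember me' was ticked at login


class SessionStore:
    # Policy constants (constructed for this example): ordinary sessions die
    # after 15 minutes idle, 'remember me' sessions after 30 days regardless.
    IDLE_TIMEOUT = 15 * 60
    REMEMBER_LIFETIME = 30 * 24 * 3600

    def __init__(self):
        self._sessions = {}   # sha256(token) -> Session

    @staticmethod
    def _key(token):
        # Store a hash rather than the token itself: a dump of this table
        # cannot be turned back into usable cookies.
        return hashlib.sha256(token.encode()).hexdigest()

    def login(self, user, now, remember=False):
        """Create a session and return the cookie value the browser will hold."""
        token = secrets.token_urlsafe(16)   # 128 bits of randomness
        self._sessions[self._key(token)] = Session(user, now, now, remember)
        return token

    def resolve(self, token, now):
        """Map a presented cookie to a user, or None once the site has expired it."""
        key = self._key(token)
        sess = self._sessions.get(key)
        if sess is None:
            return None
        if sess.remember:
            expired = now - sess.issued_at > self.REMEMBER_LIFETIME
        else:
            expired = now - sess.last_seen > self.IDLE_TIMEOUT
        if expired:
            # Expiry is decided here, server side; the browser's copy of the
            # cookie is now worthless whatever its own expiry attributes say.
            del self._sessions[key]
            return None
        sess.last_seen = now
        return sess.user

    def logout(self, token):
        self._sessions.pop(self._key(token), None)


def set_cookie_header(token, remember):
    """Build the Set-Cookie line. Without Max-Age the cookie is a browser
    'session cookie' that is discarded when the browser closes."""
    attrs = [f"sid={token}", "Path=/", "HttpOnly", "Secure", "SameSite=Lax"]
    if remember:
        attrs.append(f"Max-Age={SessionStore.REMEMBER_LIFETIME}")
    return "Set-Cookie: " + "; ".join(attrs)


if __name__ == "__main__":
    store = SessionStore()
    tok = store.login("alice", now=0.0)
    print(set_cookie_header(tok, remember=False))
    print("after 10 min:", store.resolve(tok, now=600.0))
    print("after a further 20 min:", store.resolve(tok, now=600.0 + 1200.0))
```

Note the two separate controls: the `Max-Age` attribute only tells the browser how long to keep replaying the cookie, while the server-side check in `resolve` is what actually ends the login. A browser setting cannot override the latter, which is exactly why some sites keep logging you out no matter what the browser remembers.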
Title: Re: Automatic website login
Post by: Weaver on June 15, 2019, 09:57:51 PM
iOS Safari's thing will generate strong passwords for you and save them. This removes the chore of having to record lots of strong passwords everywhere. It stores them safely, as far as I can tell, so that they won't get lost.
Title: Re: Automatic website login
Post by: CarlT on June 17, 2019, 02:20:06 PM
I think the answer is, it depends. The extreme is some corporate nazi sysadmin designer who imposes the will of the company on the users and to hell with what they want. Those users are not trusted to behave or be clued up about security.

That's neither Nazi nor extreme: it's required in many industries to remain compliant with laws and regulations.
Title: Re: Automatic website login
Post by: Weaver on June 17, 2019, 05:16:02 PM
Quite so as CarlT says. It was a joke, satirising myself, in particular, as an example of the authoritarian figure, sysadmin who used to go around telling users that they couldn't do certain things and so I myself was that 'Nazi'.

Seriously though I did always explain to users very kindly and in detail why they were not allowed or were not able to do certain things and I would explain the horror of the consequences so that they would understand and I could win them over to be on the side of the responsible users. I don't think it's good enough to leave users still wanting to do the wrong thing behind your back as even though good security measures might mean that it is in fact not possible for them to successfully commit some evil act, on an unsecured system they will then still do evil and they will spread evil ideas and evil counsel to others so that plague will spread.

A neighbour who was also a customer received an evil email which was an hpv - a human hand-propagated 'virus', no seriously it was a malicious hoax that told her to delete a critical part of Windows' System software by hand because the file in question (which was an executable software module/component file (a DLL), in plain English it contained code) was supposedly evil and so deleting it would save your system from the evil. So the lazy author didn't have to go to the trouble of writing and testing any malicious code, she just got the users to destroy their own systems by hand. The email said this is very important - TELL EVERYONE YOU KNOW.

I told her that the email was evil and it was all a lie and explained in very simple terms the harm it would do. She replied but my friend xyz would never lie to me, SHE'S A NUN!

I have no idea exactly what I said in response to that. But after I had picked myself up off the floor, I explained two things (i) emails are never from whom they claim to be from, so your nun friend probably knows nothing about this, but even if she did send it (ii) it is possible to fool a nun. Firstly they are not experts in software systems generally. Secondly they are of course incredibly gullible since they have all already been successfully conned once seeing as they have become nuns and must believe a whole load of other completely irrational and nonsensical codswallop too.

Most users are amazed when they find out that, unlike the phone system, emails are Sod's law never from whom they claim to be. On occasion I have taught a user or small group how to send a bogus email and demonstrated the evil email being sent and received. That really rams the point home and I then also ask them to tell everyone you know, although this time it is genuinely spreading clue, spreading the real good word on the side of the angels. I have also considered showing users how to set up an evil fake domain so you can impersonate your bank with a fake website, but it takes too long and I would have to do a Fanny Cradock and let's take out this one I prepared earlier.
Title: Re: Automatic website login
Post by: sevenlayermuddle on June 17, 2019, 07:05:11 PM
Interesting tactics, Weaver. I have also sometimes resorted to demonstrating email spoofing, to show just how easy it is. Sending an email "to" somebody in a room, "from" somebody else in the room, tends to make the point.

I'd like to find a way, for phone calls, of demonstrating "Calling number" spoofing. But that's less easy, and I'm not sure it wouldn't break T&C, or possibly even criminal law. But so many people are entirely convinced that it is (say) the bank calling them, just because they recognise the bank's CLI.

Mind you, if everybody knew that email could be so easily faked, CLI spoofed, and phishing sites could look so convincing, fewer people would switch to online banking. And indeed I personally still refuse to use online banking, no matter how many rules they have for "strong" passwords, and "customer protection algorithms".

Timely to say so, as one of my pensions does in fact have an online portal, useful just for checking fund valuations. In order to login, I must supply my account number, a pin, and my date of birth. Last week I logged in and noticed, just after entering dob, I'd got it wrong. I was a decade out. Muscle command was already in the pipeline, and brain override was lagging, so I hit the connect button before correcting it and... it logged me in. I then tried again and, sure enough, I can log in with incorrect dob. Not that it worries me as dob is no security at all. But slightly worrying that a financial institution should (a) think that dob adds anything to a secure login, and (b) screw up something that they (wrongly) think adds to security. Still, it probably makes 99% of their users feel better about security, which is probably the Pension company's intent. :-X

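The pension portal bug above, a submitted factor that is collected but never actually compared, is a common shape of login defect, so here is an added example of it beside a corrected version. This is not code from the thread or from any real portal; the account record, PIN and date of birth are constructed sample data and the function names are hypothetical. The weak version validates the date of birth only for format (one plausible way such a bug arises), so any well-formed date is accepted; the strict version requires every submitted factor to match and uses constant-time comparisons.

```python
"""Checking every submitted login factor, not just some of them (added example)."""
import hashlib
import hmac
import re

PBKDF2_ROUNDS = 100_000

# Constructed sample customer record. The PIN is stored as a salted hash; the
# date of birth is reference data rather than a secret, so it is kept in clear.
_RECORDS = {
    "12345678": {
        "salt": b"constructed-salt",
        "pin_hash": hashlib.pbkdf2_hmac("sha256", b"4321", b"constructed-salt", PBKDF2_ROUNDS),
        "dob": "1970-01-01",
    }
}
_DATE_RE = re.compile(r"\d{4}-\d{2}-\d{2}")


def _pin_matches(record, pin):
    candidate = hashlib.pbkdf2_hmac("sha256", pin.encode(), record["salt"], PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, record["pin_hash"])


def login_weak(account, pin, dob):
    """The defect pattern from the post: the DOB is checked for *format* only,
    so a date a decade out still logs the user in."""
    record = _RECORDS.get(account)
    if record is None:
        return False
    if not _DATE_RE.fullmatch(dob):
        return False
    return _pin_matches(record, pin)   # the DOB value is never compared


def login_strict(account, pin, dob):
    """Every submitted factor must match; a mismatch in any one rejects."""
    record = _RECORDS.get(account)
    if record is None:
        # Spend the same hashing cost on unknown accounts so response time does
        # not reveal which account numbers exist.
        hashlib.pbkdf2_hmac("sha256", pin.encode(), b"dummy-salt", PBKDF2_ROUNDS)
        return False
    if not _DATE_RE.fullmatch(dob):
        return False
    pin_ok = _pin_matches(record, pin)
    dob_ok = hmac.compare_digest(record["dob"].encode(), dob.encode())
    # Both checks are always evaluated; the single failure path gives the
    # caller no hint about which factor was wrong.
    return pin_ok and dob_ok


if __name__ == "__main__":
    print("weak, DOB a decade out:", login_weak("12345678", "4321", "1960-01-01"))
    print("strict, DOB a decade out:", login_strict("12345678", "4321", "1960-01-01"))
    print("strict, all correct:", login_strict("12345678", "4321", "1970-01-01"))
```

As the post itself notes, a date of birth is not a secret, so even `login_strict` gains little real security from it; the example is about the engineering failure of collecting a factor and silently ignoring it, which the correct version makes impossible by having exactly one accept path that depends on all three inputs.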
Title: Re: Automatic website login
Post by: CarlT on June 18, 2019, 01:27:38 AM
Online banking is fine as long as an end user pays attention and isn't root kitted. If they are of course most bets are off.

My online banking is accessed from one device only and authorised via biometrics so to get to it someone has to steal something I have and something I am. Pushes the difficulty level high enough that there are far easier targets.
Title: Re: Automatic website login
Post by: sevenlayermuddle on June 18, 2019, 07:33:02 PM
Online banking is fine as long as an end user pays attention and isn't root kitted. If they are of course most bets are off.

If banks were skilled in IT security, it might indeed be fine, with above provisos.

However, the fact that banks encourage customers to trust Calling Number Ids, and to trust incoming emails, and that they think date of birth is a useful secret, etc, etc....   all leads to me think that banks are totally unskilled in security.   For that reason, no matter how careful the end user, online banking is imho fraught with dangers. :(