• 0 Posts
  • 50 Comments
Joined 3 years ago
Cake day: July 15th, 2023
  • Personally, I’m torn between wanting a National ID and hating the idea of National IDs.

    Currently, there is a cobbled-together system that works to imitate the functions of a National ID in the US (Social Security Number + state IDs with cross-referenced databases + FBI crime tracking, credit scores, voter rolls, etc.). A LOT of our systems would feel more cohesive if they were properly integrated into a single system, attached to a single ID card, ideally with a passport-like code on the back for easy scanning.

    That said, whichever government bureau maintains that database will have an INSANE amount of control over your life, not to mention it becomes a single point of failure (a mistyped digit in an arrest warrant and your whole life is done. Maybe it's easy to recover…but that's not how our government seems to operate) in a complex system.

    So on to a digital version of this. With my notions of a National ID, I see those risks becoming greater while maintaining the same level of benefits. Maybe there’s a bit of a benefit on convenience factor in the benefits category, but the additional cost is that it becomes attached to your device (and I just don’t see a way to implement this that doesn’t get “attached” to a device), a device that already collects AND BROADCASTS insane telemetry about you to everything near it / that you connect to (see here for a big spook).

    This is a broad overview of why I think going straight to a digital National ID system is a bad idea. Might be slow to do so, but I will eventually get back to you if anyone wants to discuss more.



  • Probably not the best for this, but to make an attempt:

    So when you store a password you don’t (or at least shouldn’t) store the actual password.

    Because of some magic some math wizards cobbled together a good while ago, we have some algorithms that take a blob of information and chop it all up in unique (or at least close enough to be called unique) ways. These algorithms make it such that changing a tiny piece of input has a major change on output. This whole thing is called “Hashing”.

    So anyway, we don’t store the actual password (“in the clear”), instead we store “hashes” of passwords.

    One of the first adopted standards for hashing was Message Digest 5 (MD5). At the time (80's if memory serves), it was reasonably effective for all the things it was needed for.

    But over time, we've found weaknesses in it. On modern hardware, it's not overly difficult to figure out all the password-length things that could have been used as input to generate a given hash.

    Nowadays, there are more secure hashing algorithms, but to support legacy software, MD5 is still used. TBH, I don't think it's as big of a deal as the article makes it seem for personal-use gear. It's once you step up to small business stuff (where multiple people have access to the same hardware).

    Other commenters have brought up salting, which is a decent way to help with security. It's where you add known info to the password before hashing to make determining the "real" password more difficult.
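    The two schemes the comment contrasts, side by side, as an added example that is not code from the original comment: unsalted MD5 (identical passwords give identical, lookup-friendly hashes) versus a per-user random salt with an iterated standard-library KDF. The usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Optional

# Iteration count for PBKDF2; higher makes every guess cost more CPU.
ITERATIONS = 600_000


def md5_hex(password: str) -> str:
    """Legacy unsalted MD5 as discussed in the comment (keep for comparison only)."""
    return hashlib.md5(password.encode()).hexdigest()


def bit_difference(hex_a: str, hex_b: str) -> int:
    """Count differing bits between two hex digests (shows the avalanche effect)."""
    a, b = bytes.fromhex(hex_a), bytes.fromhex(hex_b)
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, iterated hash. The salt is random per user and stored beside the digest."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iters)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_reuse_visible(pw: str) -> bool:
    """Unsalted: two users sharing a password get the same stored value (constructed users)."""
    return md5_hex(pw) == md5_hex(pw)


def salted_reuse_hidden(pw: str) -> bool:
    """Salted: the same password stored twice yields different records, both verifiable."""
    alice, bob = hash_password(pw), hash_password(pw)
    return alice != bob and verify_password(pw, alice) and verify_password(pw, bob)


if __name__ == "__main__":
    print(md5_hex("password"), md5_hex("passwore"))
    print("bits changed:", bit_difference(md5_hex("password"), md5_hex("passwore")))
    print("unsalted reuse visible:", same_password_reuse_visible("hunter2"))
    print("salted reuse hidden:", salted_reuse_hidden("hunter2"))
```

Running it shows a one-character change flipping roughly half the 128 MD5 bits, and that only the salted records differ for two users with the same password.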





  • Agreed, but I have shared passwords with family members…family members who aren’t tech savvy and aren’t necessarily in my immediate vicinity that I can offer tech support to in a timely manner.

    I've found Bitwarden to be a workable stop-gap while I work on a self-hosted Vaultwarden instance (taking a lot longer to spin up with recent career moves - been in the works for almost a year now).

    That said, how "high maintenance" do you think it would be to set up a KeePass-ish setup like you suggest?


  • Well, the GitHub repo hasn't been updated in 9 months (yellow flag in my mind - I tend to find projects are either maintained within 3-month intervals or on their way to being abandoned).

    Paged through the repo briefly and didn't see the scripts it purports to run (I'm not sure if I just wasn't looking in the right places - didn't do a total search).

    Website takes forever to load, but does provide decent explanations with good sources on what it aims to do.

    My very unprofessional assessment: it doesn’t look like malware, but I wouldn’t trust it to be your full privacy guarantor.