How do you handle students that are not capable of showing up on the first day in-person?
- Live far away
- Have a job they can't just not show up for
- Having children to take care of
- Health issues
There's tons of reasons for people not to be able to attend in person, and not all of them are "because I didn't want to". And, for a _lot_ of those people, improving their education can have a huge impact on their quality of life.
Can’t show up for one day? That is such an incredibly low bar to also ask them to sit through a long series of courses and tests. These community colleges are state funded, so if the person is overseas or on the opposite side of the US… then what are we really funding? That’s not the intent of a “community college”.
A single mother that works at Walmart and another job delivering food, trying to support her kid(s), and will get let go if she misses a day at work; who is desperately trying to better herself so she can provide a better future for her family?
Look, I get that it's a balance between stopping the cheaters and not putting undue burden on the good ones. But it's not a simple problem, and there's a lot of people out there that are under constraints that a lot of us wouldn't even consider when trying to work out the solution.
Funny you should choose Walmart as your hardship example, as they have a very generous educational benefit program for their employees. Many corporations do. All are contingent upon showing up for work! It’s ok to have obligations in exchange for benefits.
I would say, not have to show up for Day 1, but how about having to show up at the college with a state-issued ID in order to have funds released to their account?
It looks like the main issue is that the people committing the fraud are able to create student profiles and request student aid with these profiles. I am unsure of California's requirements but this generally requires a SSN. California is issuing Real ID so verification should be relatively easy.
Presumably we would handle that in the same way we did up until ~5 years ago or so.
Right now people can't enrol in "full" classes either, except the classes are "full" of bots.
And a single day of attendance is really not a very high bar to meet. For special cases where it's really a problem accommodations can be made on request.
This only adds a small amount of friction. Some more effective options off the top of my head:
1. free classes but no aid
2. pay covered costs directly
3. tie aid to participation (not performance)
You could argue someone could still scam the system by attending the class and submitting AI-generated content or just copying others, but this is much more involved. Some of the blame has to land on the distance programs of the institutions. They've become overly reliant on charging full tuition for much cheaper online delivery, and don't care too much about the "community" part of college anymore.
That might not always work. There is a huge issue of Lyft and Uber drivers showing up the first day, passing all the background checks, etc. then selling their account to someone else to take their place. Maybe better is to show up first day, and to do random ID checks throughout the semester. It feels.. unfriendly and accusatory to do that but I'm not sure of the alternative...
.. but if we wanted to be a little Orwellian.. put cameras and facial recognition in the classrooms to take automatic attendance and to identify students who should not be there, or who may be missing for prolonged absences. That'll go over really well....
There are a lot of applications where the startup time of several seconds does not matter at all. More likely, for most applications it does not matter. Of course, if you are FAANG, it does, but you should not optimize for that in the beginning.
I have never worked for FAANG and have seen this be an issue in every single company I've worked for. Every one. You don’t need millions of pods. Even a fleet of a few hundred (which isn’t crazy for most small to medium businesses) will cause you much pain if you don’t handle this properly.
Mouse-over on the chart is broken (scrollbar shown and hidden again and again).
I believe you don't need to set overflow-x: auto on the div where the scrollbars appear.
Switzerland has no space for additional "simple roads". It would also be extremely difficult to get it approved, as it would pass through many municipalities. You would have hundreds of objections by residents and probably also a few referendums.
And what if the server is compromised in the future? It is trivial to then extract all the cookies and send them to an attacker-controlled server. The attacker then uses those passwords to try to log in on different platforms.
After initially setting a password, the database/server should only store a salted hash.
Often, it is plaintext over the internal network. A TLS/SSL terminating load balancer decrypts the traffic, then your request is in clear text as it hits the internal web or app server. It can be sniffed and logged without modifying the application.
If you've got malware on your machine then you are already fucked. Desktops don't tend to have strong process isolation that keeps malware from reading a password in flight anyway.
Are you actually doing client-side hashing in addition to hashing on the server side? Otherwise, yes, the server does see the password. In most applications, a compromised server could just serve a login page that doesn't do the client-side hashing anymore if the malicious actor wanted to collect credentials, so I don't see how this added complexity is really adding any security.
The real way to add more security is to minimize dependence on passwords by implementing a better, second factor of authentication, such as TOTP, WebAuthn, SSO, or even SMS or email tokens. Unless a person is using a password manager to generate their passwords, then passwords are almost always terrible and weak, and usually reused across sites. More of my opinion is shared over here[0].
>In most applications, a compromised server could just serve a login page that doesn't do the client-side hashing anymore if the malicious actor wanted to collect credentials, so I don't see how this added complexity is really adding any security.
That takes much more time and requires the attacker to be able to, unnoticed, change the served data.
"Much" more time? Do you have any sources to back that up? Why is combining client-side and server-side hashing not commonly considered best practice if it's so great?
I don't agree at all. Login pages are static, since they don't need to be customized per user, because the users aren't logged in. Anyone could easily prepare a modified login page before compromising the underlying system, and swap it in immediately after compromise. The added implementation complexity for the original developer is simply security theater.
Client-side hashing of passwords is actually a dangerous thing to recommend, in my opinion, because a lot of developers would assume that it removes the need to also hash on the server-side. At which point, they would literally be storing the actual password in plaintext in their database, since the client-side hash is the password.
Client-side hashes also aren't going to have a per-user salt, which means that an attacker can just use a rainbow table to reverse the hash of most passwords... making it even less worthwhile. The attacker doesn't even need to change the served content, but they certainly can.
As I mentioned in my previous comment, and I will repeat it here, real benefit to authentication security only comes from adding 2FA or SSO. Don't waste your time on security theater.
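The two failure modes described in the comment above (the client-side hash becoming the credential, and an unsalted hash being reversible with a lookup table), as an added example that is not part of the original thread. All names, users, passwords and the "common password" list are constructed for the demo; only the Python standard library is used. The `NaiveServer` stores what the client sends verbatim; the `HardenedServer` applies a random per-user salt and PBKDF2 to whatever arrives, which is what the server must do whether or not the browser hashes first.

```python
"""Client-side hashing alone vs. proper server-side storage (added example)."""
import hashlib
import hmac
import os


def client_hash(password: str) -> str:
    """Unsalted SHA-256 computed in the browser. It cannot be salted per user
    because the login page is static and served before the user is known."""
    return hashlib.sha256(password.encode()).hexdigest()


class NaiveServer:
    """Stores the client hash as-is. The stored value IS the credential:
    anyone who reads the database can log in by replaying it."""

    def __init__(self):
        self.db = {}  # user -> client hash (hex)

    def register(self, user: str, client_sent: str) -> None:
        self.db[user] = client_sent

    def login(self, user: str, client_sent: str) -> bool:
        return hmac.compare_digest(self.db.get(user, ""), client_sent)


class HardenedServer:
    """Derives a record from whatever arrives (plaintext or client hash) with a
    random per-user salt and a slow KDF. A leaked record can neither be
    replayed as a credential nor looked up in a precomputed table."""

    ITERATIONS = 100_000  # demo value; tune to your latency budget

    def __init__(self):
        self.db = {}  # user -> (salt, pbkdf2 output)

    def _derive(self, secret: str, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, self.ITERATIONS)

    def register(self, user: str, client_sent: str) -> None:
        salt = os.urandom(16)
        self.db[user] = (salt, self._derive(client_sent, salt))

    def login(self, user: str, client_sent: str) -> bool:
        rec = self.db.get(user)
        if rec is None:
            return False
        salt, stored = rec
        return hmac.compare_digest(stored, self._derive(client_sent, salt))


def replay_leaked_record(server, user: str) -> bool:
    """Attack 1: attacker reads the DB and submits the stored value as the
    credential (pass-the-hash)."""
    rec = server.db[user]
    credential = rec if isinstance(rec, str) else rec[1].hex()
    return server.login(user, credential)


# Constructed stand-in for a rainbow/lookup table over an unsalted hash.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "hunter2"]


def build_lookup_table() -> dict:
    return {client_hash(p): p for p in COMMON_PASSWORDS}


def reverse_unsalted(leaked_value: str, table: dict):
    """Attack 2: one dictionary lookup recovers the password if the leaked
    value is an unsalted hash of a common password."""
    return table.get(leaked_value)


def demo() -> dict:
    naive, hardened = NaiveServer(), HardenedServer()
    sent = client_hash("hunter2")  # what the browser would transmit
    naive.register("alice", sent)
    hardened.register("alice", sent)
    table = build_lookup_table()
    return {
        "naive_replay_works": replay_leaked_record(naive, "alice"),
        "hardened_replay_works": replay_leaked_record(hardened, "alice"),
        "naive_db_reversed": reverse_unsalted(naive.db["alice"], table),
        "hardened_db_reversed": reverse_unsalted(hardened.db["alice"][1].hex(), table),
        "legit_login_hardened": hardened.login("alice", client_hash("hunter2")),
        "wrong_pw_hardened": hardened.login("alice", client_hash("hunter3")),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the hardened server's database record is not reversible with the table and is useless as a login credential, while the naive server's record fails both checks even though the password itself never crossed the wire.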
> As I mentioned in my previous comment, and I will repeat it here, real benefit to authentication security only comes from adding 2FA or SSO. Don't waste your time on security theater.
In theory there's also convincing browsers to implement a zero-knowledge protocol like SRP.
How is SRP materially better than WebAuthn, which is intended to be able to be used as a single factor authentication mechanism? (Unlike U2F)
If SRP depends on a user to choose a password or to enter it only on the correct website, then it will be substantially less secure than WebAuthn, because users pick bad passwords and phishing can be very effective. WebAuthn sidesteps both of these issues entirely.
If you're using a different computer from normal, and don't have a hardware token or don't have it with you, you can't use WebAuthn.
When it comes to systems that have passwords, a zero knowledge protocol should be best at keeping it safe, and while moving password entry out of websites and into the browser isn't a great protection against phishing it's a lot better than nothing.
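The SRP exchange referred to in the comments above, as an added example that is not part of the original thread, showing what "the server never sees the password" means on the wire. This is a minimal SRP-6a round trip in pure Python: the server stores only a salt and a verifier, both sides derive the same session key, and a wrong password fails the proof. The group is the 1024-bit group from RFC 5054 (demo size only), the identity and password are constructed, and the proofs M1/M2 are a simplified hash of the transcript rather than the exact RFC 2945 formula. It is an illustration of the protocol, not a vetted library.

```python
"""SRP-6a client/server exchange (added example, simplified proofs)."""
import hashlib
import hmac
import secrets

# RFC 5054 1024-bit group (demo size; use 2048 bits or more in production).
N = int(
    "EEAF0AB9ADB38DD69C33F80AFA8FC5E86072618775FF3C0B9EA2314C9C256576"
    "D674DF7496EA81D3383B4813D692C6E0E0D5D8E250B98BE48E495C1D6089DAD1"
    "5DC7D7B46154D6B6CE8EF4AD69B15D4982559B297BCF1885C529F566660E57EC"
    "68EDBC3C05726CC02FD4CBF4976EAA9AFD5138FE8376435B9FC61D2FC0EB06E3",
    16,
)
g = 2
NBYTES = (N.bit_length() + 7) // 8


def pad(x: int) -> bytes:
    return x.to_bytes(NBYTES, "big")


def H(*parts: bytes) -> int:
    return int.from_bytes(hashlib.sha256(b"".join(parts)).digest(), "big")


k = H(pad(N), pad(g))  # SRP-6a multiplier


def private_x(salt: bytes, identity: str, password: str) -> int:
    inner = hashlib.sha256(f"{identity}:{password}".encode()).digest()
    return H(salt, inner)


def proof(A: int, B: int, K: bytes) -> bytes:
    """Simplified M1 = H(A || B || K); RFC 2945 also mixes in H(N), H(g), H(I), s."""
    return hashlib.sha256(pad(A) + pad(B) + K).digest()


def register(identity: str, password: str):
    """Runs on the CLIENT. Only (salt, verifier) is ever sent to the server."""
    salt = secrets.token_bytes(16)
    v = pow(g, private_x(salt, identity, password), N)
    return salt, v


class Server:
    def __init__(self):
        self.users = {}   # identity -> (salt, verifier); no password, no hash of it
        self.wire = []    # every byte string that crosses the network, for inspection
        self.session = None

    def enroll(self, identity: str, salt: bytes, verifier: int) -> None:
        self.users[identity] = (salt, verifier)

    def challenge(self, identity: str, A: int):
        if A % N == 0:
            raise ValueError("illegal client value A")
        self.wire += [identity.encode(), pad(A)]
        salt, v = self.users[identity]
        b = secrets.randbelow(N - 2) + 1
        B = (k * v + pow(g, b, N)) % N
        u = H(pad(A), pad(B))
        S = pow(A * pow(v, u, N), b, N)          # = g^(b(a + u x)) mod N
        self.session = (A, B, hashlib.sha256(pad(S)).digest())
        self.wire += [salt, pad(B)]
        return salt, B

    def verify(self, M1: bytes):
        A, B, K = self.session
        self.wire.append(M1)
        if not hmac.compare_digest(M1, proof(A, B, K)):
            return None
        M2 = hashlib.sha256(pad(A) + M1 + K).digest()
        self.wire.append(M2)
        return M2


def client_login(server: Server, identity: str, password: str) -> bool:
    a = secrets.randbelow(N - 2) + 1
    A = pow(g, a, N)
    salt, B = server.challenge(identity, A)
    if B % N == 0:
        raise ValueError("illegal server value B")
    u = H(pad(A), pad(B))
    x = private_x(salt, identity, password)
    S = pow((B - k * pow(g, x, N)) % N, a + u * x, N)   # = g^(b(a + u x)) mod N
    K = hashlib.sha256(pad(S)).digest()
    M1 = proof(A, B, K)
    M2 = server.verify(M1)
    return M2 is not None and hmac.compare_digest(M2, hashlib.sha256(pad(A) + M1 + K).digest())


def demo() -> dict:
    srv = Server()
    pw = "correct horse battery staple"  # constructed
    salt, v = register("alice", pw)
    srv.enroll("alice", salt, v)
    return {
        "good_login": client_login(srv, "alice", pw),
        "bad_login": client_login(srv, "alice", "wrong password"),
        "password_on_wire": pw.encode() in b"".join(srv.wire),
        "password_in_db": pw.encode() in repr(srv.users).encode(),
    }


if __name__ == "__main__":
    print(demo())
```

Note what this does and does not buy you, matching the caveats later in the thread: the server-side compromise case is covered (the database holds only a verifier, and the transcript contains no password material that can be replayed), but a keylogger on the client or a phishing page that asks for the password directly is unaffected.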
> If you're using a different computer from normal, and don't have a hardware token or don't have it with you, you can't use WebAuthn.
This applies to literally all authentication schemes that use something beyond a password, including TOTP and SMS codes. It’s also kinda the point. An attacker will have a much harder time impersonating you.
You can use WebAuthn with just the fingerprint reader on your laptop or smartphone, or FaceID on iPhone. You don’t need an external hardware token, but those do work as well. You might even be able to use WebAuthn with your computer’s TPM using just a PIN instead of biometrics, but I’ve never bothered to check, because I’ve never wanted to do it that way.
A password by itself isn’t good enough anymore, so your argument in favor of SRP isn’t convincing, and I’m sure this is why browsers have never bothered to implement it. Making passwords slightly better doesn’t even come close to fixing them.
> This applies to literally all authentication schemes that use something beyond a password, including TOTP and SMS codes.
Yes, and?
It's still a "real benefit" to passwords if they can't be stolen.
Even if you do have an independent second factor, that means you still have a password. Surely you want to protect that password better, on top of the second factor?
WebAuthn is designed to be able to be used as a strong single factor. You do not need a password. It cannot be MITMed or phished or leaked by server compromise. See an example here: https://webauthn.io/
> It's still a "real benefit" to passwords if they can't be stolen.
SRP does not mean passwords can’t be stolen. It just means that the backend of a particular website is no longer capable of stealing the password, as long as the user is careful to only use their browser’s (currently nonexistent) SRP dialog box.
The user’s computer can still have a keylogger on it.
The user can still be phished.
> Surely you want to protect that password better, on top of the second factor?
No, I want passwords to just go away. They add extremely little security on average. Power users like us might use strong, unique passwords, but almost no one does that in the real world. Protecting the password “better” doesn’t matter when the user also uses that same, weak password on a dozen other websites already.
SRP does not solve the actual problems people are facing, which is surely why browsers don’t support it. It’s a cool idea (honestly!), but it’s a solution in search of a problem now that we have WebAuthn.
If SRP is so beneficial even today, why don’t browsers implement it? They implement so much other stuff. You’re implying quite a conspiracy, which doesn’t make sense when it “compromises” the security of passwords going to Google and Apple just as much as it does everyone else. The “real benefit” appears to be lacking.
> SRP does not mean passwords can’t be stolen. It just means that the backend of a particular website is no longer capable of stealing the password, as long as the user is careful to only use their browser’s (currently nonexistent) SRP dialog box.
Yes, sorry. Less likely to be stolen, and can't be stolen by the server.
> No, I want passwords to just go away.
That's fine and dandy but it's moving the goalposts significantly.
I'm not going to disagree with your desire to get rid of passwords. But your initial premise was that second factors are good, and in that context it's also good to add more protection to passwords directly.
> If SRP is so beneficial even today, why don’t browsers implement it?
I said it was better, not that it's the most amazing idea in the realm of security.
Also when browsers implement optional security features they tend not to get website support.
I like how you completely ignored my statement about WebAuthn not needing a password. My original question to you said you didn’t need a password: “How is SRP materially better than WebAuthn, which is intended to be able to be used as a single factor authentication mechanism?”
WebAuthn as a single factor means there is no password or TOTP or anything else. Just WebAuthn.
You can go back to my very first comment where I said “The real way to add more security is to minimize dependence on passwords”. I tried to be clear from the beginning that passwords aren’t the answer, in my opinion. Yes, people are psychologically accustomed to having a password in addition to other things, but I don’t see the password as actually contributing much to the security.
My first comment also linked to another comment of mine from two months ago where I said “I would personally push away from passwords on the whole at this point.”
I definitely wasn’t moving the goal posts at any point, as I can point to multiple examples of holding this position the whole time, but I know that I’m not always the clearest communicator.
> I like how you completely ignored my statement about WebAuthn not needing a password. My original question to you said you didn’t need a password: “How is SRP materially better than WebAuthn, which is intended to be able to be used as a single factor authentication mechanism?”
I answered that immediately. You can use it in more places.
Otherwise, in places where you can use both, it's worse.
> I tried to be clear from the beginning that passwords aren’t the answer, in my opinion.
I agree with that idea, but then you said the only way to improve on things was 2FA or SSO which isn't right.
You were conveniently ignoring it in the context where you claimed I was moving the goal posts.
I did not move the goal posts.
> I agree with that idea, but then you said the only way to improve on things was 2FA or SSO which isn't right.
That's an oversimplification of things, at best. I specifically linked to an older comment of mine for those who wanted more detail, and that comment recommended moving away from passwords entirely. You saw what you wanted to see. My summary in this thread was focused on the thread itself, which was discussing how to make password authentication more secure... and the way to do that is to add a second factor. Not security theater like client-side hashing as people were trying to propose higher in the thread.
The context doesn't change your use of the word 'only'. It's not all or nothing. Passwords can be improved and we should use better things than passwords.
Re deauthing. This sort of attack isn't nearly as useful if the server is something like a bank where most users only log in once in a while and don't access the account at all in between.
China screwed up by allowing the research. Not having enough safeguards in place to stop something like this from happening. They also covered it up for months and know the severity of it. They are clearly at fault.
I expect open source developers not to release projects or updates that they reasonably expect many others will choose to depend on unless they are willing and able to do extensive, thorough, sophisticated QA on them. Contributing to open source is a privilege, not a right