
1369 points | universesquid | 2 comments
anticristi No.45170464
This is really scary. It could have totally happened to me too. How can we design security which works even when people are tired or stressed?

Once upon a time, I used a software called passwordmaker. Essentially, it computed a password like hash(domain+username+master password). Genius idea, but it was a nightmare to use. Why? Because amazon.se and amazon.com share the same username/password database. Similarly, the "domain" for Amazon's app was "com.amazon.something".

Perhaps it's time for browser vendors to strongly bind credentials to the domain, the whole domain and nothing but the domain, so help me Codd.

replies(1): >>45171879 #
samhh No.45171879
Passkeys already solve for this, we just have to get past the FUD.
replies(1): >>45176794 #
odie5533 No.45176794
In this case, how is the Passkey safer than 2FA?
replies(1): >>45178108 #
samhh No.45178108
It’s cryptographically bound to the domain.