WingNews logo WingNews
top | item 45170202

(no title)

winwang | 5 months ago

Just want to agree with everyone who is thanking you for owning up (and so quickly). Got phished once while drunk in college (a long time ago), could have been anyone. NPM being slowish to get back to you is a bit surprising, though. Seems like that would only make attacks more lucrative.

discuss

order

sneak|5 months ago

Can happen to anyone… who doesn’t use password manager autofill and unphishable 2FA like passkeys.

Most people who get phished aren’t using password managers, or they would notice that the autofill doesn’t work because the domain is wrong.

Additionally, TOTP 2FA (numeric codes) are phishable; stop using them when U2F/WebAuthn/passkeys are available.

I have never been phished because I follow best practices. Most people don’t.

junon|5 months ago

I use a password manager. I was mobile, the autofill stuff isn't installed as I don't use it often on my phone.

In 15 years of maintaining OSS, I've never been pwned, phished, or anything of the sort.

Thank you for your input :)

grumple|5 months ago

You can use password manager autofill and hardware 2fa and still get phished. All it takes is you rushing, not paying attention, clicking on a link, and logging in (been caught by my own security team doing this). Yes, in an ideal world you're going to be 100% perfect. The world is not ideal, unfortunately. I don't have a solution, but demanding humans behave perfectly in order to remain secure is not a reasonable ask.

acdha|5 months ago

I also use WebAuthn where possible but wouldn’t be so cocky. The most likely reason why we haven’t been phished because we haven’t been targeted by a sophisticated attacker.

One side note: most systems make it hard to completely rely on WebAuthn. As long as other options are available, you are likely vulnerable to an attack. It’s often easier than it should be to get a vendor to reset MFA, even for security companies.

_1awx|5 months ago

> I have never been phished because I follow best practices. Most people don’t.

You forgot to mention that you are both highly skilled and practiced at phishing yourself... don't you think that helps too?

internetter|5 months ago

in general npm does a not-too-great job with these things

tripplyons|5 months ago

Remember, NPM stands for Now Part of Microsoft!

(Microsoft owns GitHub, which owns NPM.)