they have a solid point, y'know.

Reply to they have a solid point, y'know. on Sun, 17 May 2026 18:35:11 GMT

tychotithonus@infosec.exchange — Sun, 17 May 2026 18:35:11 GMT

Each individual user may not consider a given credential as worth needing MFA, but since most users reuse passwords, it's arguably better move for the ecosystem and site operators to require some kind of MFA. Otherwise, if one site gets popped, a wave of user accounts could be abused in bulk and require operator intervention. Whether or not mass lockout/reset is inconvenient enough for the individual user to think MFA is a good trade-off may vary.

@munin

Reply to they have a solid point, y'know. on Sun, 17 May 2026 01:52:07 GMT

arclight@oldbytes.space — Sun, 17 May 2026 01:52:07 GMT

@munin I just posted about an attack on/using agentic finance bots that cost someone $200k. https://oldbytes.space/@arclight/116587393934910011

I still can't stop laughing at a Trojan NFT.

Reply to they have a solid point, y'know. on Sat, 16 May 2026 22:58:09 GMT

tindrasgrove@infosec.exchange — Sat, 16 May 2026 22:58:09 GMT

@munin
I can never use online banking, and my bank may still allow my account to be compromised.

I can never fill out a form online with my address, but my address is still online because “public record”

I can never buy anything online, never use a credit card, but the combination of ALPR and security cameras means my shopping habits are still known when I shop in-person using cash.

Yeah, consumers are not the problem here.

Reply to they have a solid point, y'know. on Sat, 16 May 2026 22:24:37 GMT

munin@infosec.exchange — Sat, 16 May 2026 22:24:37 GMT

if you want users to take security seriously?

gotta give them some reason to think it will matter.