Slashdot Mirror
Google's Open YOLO Project Will Remove the Need For Passwords On Android (thenextweb.com)
An anonymous reader writes via a report on The Next Web: Google is partnering with password management service Dashlane to build what they're calling Open YOLO (You Only Login Once), a new API that will allow Android apps to securely access your login credentials to sign you in without any fuss. The project is open source, which means anyone can scrutinize the code used to build it and find bugs, or even contribute and improve the API. That also means that it'll be available for other password management services to implement in their tools. Dashlane will be the first to integrate it; the company noted in a blog post that other services are also collaborating on this project and will likely to follow soon. It also hopes that Open YOLO will eventually launch on other operating systems as well.
It's like, how about we just let everybody look at our shit, and fuck privacy already, right?\
Let's just try it and see what happens. Why not?
What could possibly go wrong?
Or security when someone runs off with your phone. But it's all good because YOLO.
Another terrible idea thought up by some bored ding-dong at Google.
Just cruising through this digital world at 33 1/3 rpm...
Now all my online accounts can have one point of hacking failure.
GREAT idea.
NO, GOOGLE. BAD GOOGLE.
God forbid they don't have all your passwords in one convenient spot in the cloud.
Didn't Douglas Adams write about this?
Liberty - Security - Laziness - Pick any two.
You don't use the same password for your email as you use for your bank account because you want to make sure that when one is compromised, the other is not.
Using a single login is just a slightly easier version of using the same password for all your accounts.
It is JUST as stupid as using the same password for your every account.
The only difference is that the people with your password are promising not to steal money from you outright.
They don't promise to respect your privacy in any way, because they are planning on abusing the crap out of it.
Trusting someone that's outright plan is to abuse your trust is not a smart thing to do.
excitingthingstodo.blogspot.com
Now they'll be able to track you all over the web from one convenient login. No thanks. Not using it.
People *really* need to start kicking back against all this crap now. It's almost too late. Soon the internet will be single log, in total tracking, no anonymity, no freedom of information etc. etc.
Forget about anything Google and security. It is purely US government surveillance, with a search engine (tracked), a fork of Linux (Android, tracked), a cross-platform browser (Chrome, tracked), and hardware to run their *tracked* stuff on.
The rest of Google is google-analytics, gstatic, and a bunch of other tracking sites that track you when you aren't even using Google.
Block those two with the NoScript Firefox add-on.
B-b-b-b-ut the homosexuals wonder why you would care. Their bootyhole is free to all men.
Faggots. Use your heads for more than a hat rack.
There is absolutely nothing that could possibly go wrong with this idea. Thanks Google! You guys are geniuses.
Lets reimplement OpenID! Now with 100% more YOLO.
Also add: googletagservices to your Adblock plus custom filters.
Save these as a text file and import them into Adblock plus with import custom filter option.
http://pasted.co/6aeed3e0
Add any you find that keep tracking you later manually, using the format demonstrated in the custom filter. You can unblock any of the or all of them with one check box as needed and check them again to re-block.
I hate single sign on there is no reason I shouldn't be able to login to a separate account for email and for youtube. Leave the apps separate please!
Minimum threshold fixed. Thanks!
So it's similar to the many different SSO products on the market for corporate use, but made for personal use. We implemented SSO at work earlier this year. Some of our apps are able to integrate directly into it (and it links back to Active Directory) like Google Apps and Salesforce. Other apps it just acts as a password manager and will paste in their login info for them once the user enters it once. Having the same concerns about having all this accessible if you break one account, we made it harder to break into that one account. We enforce 2 factor authentication, so you need a mobile device linked to your account that sends a confirmation in. All mobile devices connecting to our systems have to have PIN's on them and wipe after 10 bad tries. So for someone to break into a user account, even if they get the password, they still can't login online with it unless they physically also have the users phone, and have managed to unlock that as well. With the users password they could login to a workstation at the office, but they'd still get the 2FA prompt before they can get at e-mail or any other web based apps.
You save your bootyhole for your elder cocksuckers to deposit their esoteric wisdom, I presume? Go stuff Putin's dick, fuckface.
this will just encourage users to forget passwords. i had to keep passwords from getting saved for many applications and sites for users because it encouraged them to forget the passwords.
before i implemented this, i had users saving passwords for their mail, social networking sites, etc. when they needed to log in to their mail or whatever through a different context later for some reason, they couldn't, because they didn't think passwords were a big deal. that necessitated a call to the helpdesk or using the password reset forms everywhere to get everything straightened out.
this is a social or behavioral issue. the more computer-adapted users don't have as much of a problem with this. we should be encouraging better password management instead of trying to cater to the people with the wrong attitudes.
This is incredible... why in the world would I want to allow a single-point compromise (i.e., hacked phone) result in total control of all of my accounts? Creepy and stupid. I really think google developers are out of control. The company products are getting less and less attractive.
So tarnished that "YOLO" sounded like a better name?
Yeah I'll probably never use that app, but I find the idea of an open API super useful, because I'm sure someone will implement an open source app that I can trust, and thanks to the API, it will be supported everywhere.
It's be stupid to use this with your bank account. But I do have a dozen or so forums I occasionally post on and other sites which really shouldn't require an account, but they force you to make one to get access (e.g. they only let you read 3 forum posts a day anonymously). Those are basically throwaway accounts so I use the same password with them anyway. Something like this would be handy for that. Though as it's been pointed out, OpenID already tries to do that.
It's actually safer than re-using the same password on multiple sites as I've been doing. If you use the same password, if one site gets hacked, they have your password to all the other sites. With YOLO or OpenID, since the login confirmation is between the site and YOLO/OpenID, the damage is limited to the site which got hacked. They only get access to all your accounts if they hack YOLO/OpenID or your computer.
Because people don't log into ads, and advertisers want you to log in to view ads. Now shut up and accept what Google is going to do with their phone that they let you use.
YOLO - You Only Lose Once
the preceding comment is my own and in no way reflects the opinion of the Joint Chiefs of Staff
I'm really hoping SQRL takes off, it seems to be nearing a point where it could start being deployed.
https://www.grc.com/sqrl/sqrl.htm
This project is not about using the same password for every account. The idea is that it is an interface that is intended to be a front for a password manager. Whether you store the password manager's database locally, in the cloud, or on someone else's service (such as LastPast) you can access the stored passwords through this framework. It also has dreams of providing additional features, such as multi-factor authentication instead of just a password. Today, however, this framework is not accepted as standard and there is no universally accepted framework for using multi-factor authentication for access to anything on the Internet.
If the project continues, and Google uses it, and other password managers adopt it, and it gains acceptance by users... then this could be something.
Trusting someone that's outright plan is to abuse your trust is not a smart thing to do.
(Suppressing my inner grammar-nazi) So, who do you think is not going to abuse your trust? Of course, they'll be the next takeover target...
Oh, I'm sorry sir, I thought you were referring to me, Mr. Wensleydale.
For example, the native-code malware that makes my Android mobile to reject calls, (still have no idea how to get rid of that shit) , that one that isactivated by sms messages... has only been accpeting calls like a _normal_ phone does, BECAUSE I use restart my device constantly.
Clearly, this is a slippery slope to mandating that you use the same password for everything. /sarcasm
Obviously, it isn't .. for a bunch of low-importance websites, since normal people have dozens of logins at this point, you can at least share login details among similarly-ranked importance levels. And as somebody else pointed out, at least now when you regain control of a single login, you simultaneously regain control of all associated accounts rather than trusting that you're organized and have the time to go through and change them all.
So no, it is not JUST as stupid, and your entire point is predicated on the absurd notion that everyone is too dumb not to use the same login for their offshore tax haven accounts and their Reddit account except you.
"Old man yells at systemd"
Smells like somebody died.
So what happens when you lose your device or somebody steals it? Other people just have free reign over it?
GREAT IDEA!
You save your bootyhole for your elder cocksuckers to deposit their esoteric wisdom, I presume? Go stuff Putin's dick, fuckface.
This is exactly how stupid the US Government are. This AC is CIA. yes, here on Slashdot.
He thinks if you are against Google/US spying you are for Russia. This is why all spies burn in Hell. Too stupid to wander God's green Earth.
Because it's hard to hack many, many accounts even if they use very simple variations of the same password. Don't hackers have a hard enough life as it is? Won't someone think of the hackers?/P.
Guess who else sees you.
This post is proof that what the CIA call "intelligence" just gets them buttfucked.
Look at your last paragraph and tell me with a straight face you believe that. You know "techies" won't be using this. It will be average joes. And averages joes get hacked because they aren't techies.
I'm sure it will be just as good as their hilarious ReCAPTCHA 2 efforts, the one that was "so advanced" that it was broken by some random dude on Reddit I think it was.
I do not trust a single thing Google makes these days.
They seem to have lost all their good talent and replaced them with first-year college-tier coders at best.
This is like the greatest name ever! Because whenever I hear, "YOLO," my mind automatically translates that to, "Millennial Dipshit." Really translates well to how I view a single point of compromise.
The SSO/YOLO will be here, we're lazy humans. So I need:
First level with a day use password, easy to "read", some "write" ability.
Second level an "elevated" privileges of the account etc. must have high barrier of entry, different password, call-me-in-person back to verify (not automated though like 2-step verification), single use codes etc. Some execute this when logging from a new device. That's good but not enough.
E.g. I want to check my bank account - "daily use". I want to conduct transfers or change password - "elevated" and hence much tougher authentication.
This way if my first SSO/YOLO gets broken in I could wipe out all the other password accounts in one step with my "elevated" and unbroken password that is not a YOLO. Yes this may not be convenient to execute but hopefully it does not happen very often?
On the other hand 2 step verification every time I use something is too annoying...
4wdloop
It would be easier for me (a human) to remember and/or generate passwords if the rules where consistent across all web sites.
4wdloop
It's not about what you want because it isn't for you. It is for google. They want to associate as much data with you as they can because then they can charge more when they sell your information or sell ads
YOLO does not stand for "You Only Login Once." It stands for "You Only Log in Once."
Login is a noun. Log in is a verb.
For fuck's sake. Seriously.
Lol, you really think so?
From the limited information, it looks like this is probably dependent on a centralized server somewhere doing the authentication. I would much prefer a system that is entirely between you and whatever sites you log into, with no central server to go down and take all your logins with it. SQRL seems like a pretty good approach. (But we're probably going to get stuck with a hundred different competing incompatible systems.)
I don't know who you're trolling for and I don't have a problem with Russia at all. You're the one projecting delusions of spy movies onto real life conversation (something you are probably only minimally capable of having).
I just think it's hypocritical of someone to go around complaining about "faggots" when they've obviously got a romantic interest in homophobic world leaders.
It is funny, however, that you put so much effort into replying to my off-the-cuff schoolyard insult. I hope for your sake you aren't actually a troll for a developed nation or you may find you're doing an extremely shitty job. I hope your boss is more forgiving than you hallucinate my imaginary one to be.
Is it your mom? She wishes she had a son like me instead of you, I can tell you that.
I'm confused. Is that what you call an intelligent post?
And why do you have such an inferiority complex to the US that all you can do is talk about how much you want to be in the CIA?
You don't use the same password for your email as you use for your bank account because you want to make sure that when one is compromised, the other is not.
If a thief has your email, then most likely they can use that to reset your bank account password.
Ideology: A tool used primarily to avoid the bother of thinking.
Suffering again from the old LSD-induced synesthesia, eh comrade?
Secretly We Are Google And yes, welcome to OpenID circa a decade ago...
Authorization? Why authorization? Fuck it, we have your data anyway.
It's better and worse.
if somebody controls your googleaccount he controls everything and probably even knows where the login works. Okay. But you can choose a strong password and 2FA. You will probably be secure and if there is a hack, it has a large impact and everyone will react.
If you use the same password everywhere, people do not know where else you used it (but can guess with your e-mail and password combo), but you have a lot of different hashes, some insecure and sometimes maybe not hashed at all. So if then a weak site loses it (and the odds that a site without good security doesn't use good hashing either are large), they have your password for everything.
If your password gets lost, you need to reset it on 100 sites. If your google acc ist hacked, you need to lock it one time fastly, then change the password one time to a secure one.
So both approaches have ups and downs. And both lose to one-password-per-site with 2FA per site where available.