undefined | Better HN

0 pointsTwisell2y ago0 comments

Yes but what I'm still confused about is that: 1) Is one/some of your public key reused on different services 2) Or is there a different public key for each service

1) In the first case what will prevent different services to track users by comparing public key... and if so I would be more at ease with a site specific randomly generated password

2) In the second case when one service is breached you'd still have to manage rotation of public key somehow, how trivially is that done with current implementation ?

0 comments

gruez2y ago

>2) In the second case when one service is breached you'd still have to manage rotation of public key somehow

Why would you need to rotate your keys? If they're storing passwords/hashes it makes sense to rotate because they might be able to brute force the hashes on a GPU cluster, but you're not going to be able to brute force a randomly generated public key.

TwisellOP2y ago

If I have any fear that the associated private key have leaked. For instance if my off-site encrypted backup is stolen. I sure would want to rotate my private key because my secret would be only as safe as the encryption method at the time the backup was stolen. I'm still not entirely sold on the "quantum will break any current crypto" but better safe than sorry.

gruez2y ago

>If I have any fear that the associated private key have leaked. For instance if my off-site encrypted backup is stolen.

That sounds like a totally separate threat compared to "when one service is breached". In your last comment you were talking about your password manager being hacked, but in the post before that you were talking about the service (ie. the website you're using) being hacked?

Also, while I do agree that if your your password manager database were hacked you would need to rotate both passwords and passkeys, but I would hope that occurs far less frequently than some random service you use getting hacked.

ezfe2y ago

Not reused, each service has a different key

To rotate, you go to the key management page of the service and delete/add a new key.

UncleMeat2y ago

The whole point of a public key is that it is not secret. A breach where a service leaks the public keys of its users does not harm your security posture at all.

j / k navigate · click thread line to collapse

0 comments

gruez2y ago

>2) In the second case when one service is breached you'd still have to manage rotation of public key somehow

TwisellOP2y ago

gruez2y ago

>If I have any fear that the associated private key have leaked. For instance if my off-site encrypted backup is stolen.

ezfe2y ago

Not reused, each service has a different key

To rotate, you go to the key management page of the service and delete/add a new key.

UncleMeat2y ago

The whole point of a public key is that it is not secret. A breach where a service leaks the public keys of its users does not harm your security posture at all.

j / k navigate · click thread line to collapse