this post was submitted on 20 Sep 2023
786 points (99.0% liked)

Technology

58303 readers
14 users here now

This is a most excellent place for technology news and articles.


Our Rules


  1. Follow the lemmy.world rules.
  2. Only tech related content.
  3. Be excellent to each another!
  4. Mod approved content bots can post up to 10 articles per day.
  5. Threads asking for personal tech support may be deleted.
  6. Politics threads may be removed.
  7. No memes allowed as posts, OK to post as comments.
  8. Only approved bots from the list below, to ask if your bot can be added please contact us.
  9. Check for duplicates before posting, duplicates may be removed

Approved Bots


founded 1 year ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 34 points 1 year ago (3 children)

Great news! Mullvad is great even if their account security makes you do a double take

[–] [email protected] 24 points 1 year ago (1 children)
[–] [email protected] 26 points 1 year ago (2 children)

I assume they mean there are no account credentials. When you "create" an account on their website, you'll be given a random account number, and no password.

[–] [email protected] 17 points 1 year ago (1 children)

Yeah this is what I meant. It feels so wrong but also makes complete sense.

I think I've gotten used to the "safety" of setting my own password and always typing it with my email or username.

But practically speaking they're very similar and Mullvad's is arguably safer

[–] [email protected] 5 points 1 year ago

I think of it more as "no username, only password". Realistically, usernames are not expected to be secure or private, so this is effectively the same.

[–] [email protected] 1 points 1 year ago (1 children)

What's to stop somebody guessing your account number and gaining access? (Honest question)

[–] [email protected] 1 points 1 year ago

There are lots of possible account numbers, much more than there are accounts. So there is a very small chance that you will guess an active paid account.

And if you do, there's not much you can get out of it. There's no personal information tied to the account.

[–] [email protected] 5 points 1 year ago (1 children)

I am surprised that they don’t provide UUIDv4’s, feels like what they provide is somewhat guessable

[–] [email protected] 3 points 1 year ago* (last edited 1 year ago) (1 children)

https://mullvad.net/en/blog/2017/6/20/mullvads-account-numbers-get-longer-and-safer/

As they outline here, there are ~9 quadrillion possible keys, needing around 5.5 million guesses to find an account. I think they hit a nice middleground between decent entropy and still having a number you can memorize (like a credit card).

[–] [email protected] 1 points 1 year ago (1 children)

people memorize their credit card numbers?

[–] [email protected] 2 points 1 year ago (1 children)

Nowadays, not so much. In the previous decades before password managers, card vaulting, apple pay and so on: yes, if you were typing it in or writing it on forms frequently, it wasn't uncommon to just memorize it.

My point though was that there is a limit to our ability to remember long and random alphanumeric strings, and I find credit card numbers to be that limit. UUIDs are longer and have a much bigger character set.

[–] [email protected] 1 points 1 year ago

I never put my cc in any password manager, but I also mostly just use it for online payments where I don't mind taking out the actual card to type the number in

[–] [email protected] 1 points 1 year ago (1 children)

To be fair, would it matter if someone got access to your account key? There isn't really any data on your account is there (isn't that the point)? It'd just let you connect to the VPN

[–] [email protected] 1 points 1 year ago

They can use your secondary connection for free. It depends if that bothers you or not. If you're already using both it could lead to disruption on your part I guess? Not 100% on that though