Dear #matrix developers. Riot lets me know that "sessions" are not "trusted" as the reason why encryption fails. What about letting me know what "sessions" and "trusted" mean first? 😖
@mray or that if I verify a device on my phone, I want it verified on my desktop too. Don't need to verify on every device I own.
@jcgruenhage yes, but it isn't clear to me why you need two passwords for that. It seems like it could be encrypted with your primary password.
Certainly more secure users should be able to split them, but by default, that's as secure as similar apps.
@ted because then you could authenticate as any user when a database leak happens. This way, you need to know the password directly. You could of course handle this as a two layer system, hashing the hash, that would be one of the possible ways around it, but that doesn't work if you have something like ldap sitting there.
@jcgruenhage ah, I see. Hadn't considered that attack.
Seems like you could still use the same password for both, though. I imagine the plaintext password isn't stored locally, just used to get a token. So the keys and the password wouldn't be stored next to each other.
Certainly less secure, but I'm not sure the usability tradeoff for the increased security is good here.