How long will existing encryption last?

[Dabs]

There are other things to consider, encryption is just a tool. I was (still am) in the military, so top secret communications are dealt with differently, but as an officer, I wouldn't mind using 4096 RSA. However, since I do have physical contact with most of the operators in the field, then it would be fine to also just use AES256 and use shared keys that they keep. (as opposed to one time pads, which was the traditional way of communicating with field agents.)

Of course, that would mean said agents need a computer and can no longer decode by hand, but they should be resourceful enough to have them available from regular consumer hardware, or bring it with them in the form of some small device like a smart phone or small laptop.

They also frequently use unencrypted radio anyway, so they have codes as well for that.

--------------
Yes, another question, if I may, you mention:
"...they also often use unencrypted radio, so they have codes for that."

Does that mean they use disposable paper books with codes? Once they accept the code, they use one page of the notebook.  The second time I took the code, the second page of the notebook. Is that it?

If that's true, it's a disposable notebook system, basically Vernam's class encryption. It's the most secure kind of encryption available today.

Not only that, it's the only type of encryption that is absolutely reliable of all the encryption systems that ever existed!
It is the only system for which the Shannon theorem of absolute reliability was proven back in 1945.

To change this system to RSA with any length of key is a loss of reliability. In addition, everything that is encrypted by the RSA system is carefully written down because there is a public key, which means that sooner or later everything will be decrypted.  And why allow that?

So your way of working is the best and most reliable. I think it is.

You're talking about one time pads. That's the really old school way of encrypting messages, using pen and paper, with no computer. But it requires code books.

When I said they use codes, I meant they use like code words so normal eavesdroppers don't easily figure it out. It's not the most secure, since they enemy can be listening in and eventually figure out what the words mean, but during the last world war, the US forces used "code talkers" who spoke a different language, over unencrypted radio. They even made movies about it.


When we talk about using RSA, yes, that's usually the method, you only actually use RSA to encrypt a one time use for that email symmetric key. Or in most cases, just use GPG.

But when there has been previous physical contact between the two parties, they can securely exchange keys that way.


As for the Apple thing, they still require physical possession of the device, and have to jailbreak it.

[1713256761]

1713256761

[1713256761]

1713256761

[fenixosup]

Exisiting mass encryption will be exist for a long time after quantum computer.
They should recieve really mass adoption to change it

[tartibaya]

Existing encryption is already a model used in banking. It's very good for security. Hack cases usually occur with the method of fake. Or ponzi systems, people are losing their money. Very powerful computers need to emerge. I think there's still a good security structure.

[Voland.V]

Existing encryption is already a model used in banking. It's very good for security. Hack cases usually occur with the method of fake. Or ponzi systems, people are losing their money. Very powerful computers need to emerge. I think there's still a good security structure.

---------------------
Cryptography in bank security systems is common, household, conditionally reliable.

Attacking a bank's security system through a cryptographic attack itself is not necessary.

Cyber security in banks is so low that there are many other, more effective means of attack. And scammers always choose the easiest way.

Very strange solved the issue of cryptography, without our consent, in the protection systems of all banks. 

They (I do not know who these people are) make a distinction between "commercial" or general cryptography (this is the one for us) and state cryptography.

Commercial cryptography must be based on the same standards throughout the world, because modern business, let alone banking, often goes beyond the borders of a single country.

But state standards for cryptography are much better, they cannot be distributed anywhere, they will only be used within government structures and as is done in the United States.

And despite this high level (relative to "our" bank cryptography), they must be updated every five years (at the algorithmic level).

Then it is even more interesting.

Commercial structures should not have access to this algorithm itself. Thus, it will be possible to apply simultaneously public "commercial" algorithms - for us, the simple and naive, and for the celestials - to ensure the normal preservation of state secrets and other important secrets.

We, bank customers, ordinary customers, not VIPs, are confronted by organized cybercrime, which has a huge, well-organized business that operates billions of dollars annually around the world.

Far from cyberattacks are not always protected by antivirus programs or data protection technologies, because hackers' technologies are always and constantly being improved.

The case has gone so far in the bad direction that:

1) American banks and online lenders Citigroup, Kabbage, Depository Trust & Clearing Corporation, Hewlett Packard and Swiss Zurich Insurance Group announced the creation of a consortium on cyber security - it will be managed by the World Economic Forum.

2) SWIFT management has sent a letter to client banks warning of the growing threat of cyber attacks. A similar document was made available to Reuters editorial staff.
The letter from SWIFT also says that hackers have improved their cyberattack techniques on local banking systems. One new tactic involves using software that allows hackers to access technical support computers.
"Threats are constant, sophisticated and have a good degree of adaptability - and are already normal," says the letter SWIFT.
 Unfortunately, we continue to see cases in which some of our clients are now compromised by thieves who then send out fraudulent payment instructions via SWIFT.

3) Check Point: The number of attacks on mobile banking has doubled in the first half of the year:

On August 1, 2019 Check Point Software Technologies released Cyber Attack Trends: 2019 Mid-Year Report. Hackers continue to develop new toolsets and methods aimed at targeting corporate data stored in the cloud infrastructure; personal mobile devices; various applications; and even popular email platforms. Researchers note that none of the sectors is fully protected against cyber attacks.


4) The Neutrino Trojan once again confirms that cyber threats are constantly evolving. New versions of known spies are becoming more complex, their functionality is expanding, and appetites are growing. And as the number of different digital devices grows, malware areas are also becoming wider.

5) Cyber criminals have learned how to steal data by distributing malicious plug-ins from over 80,000 sites on the Internet.

By installing unproven malicious plug-ins, the user gives cybercriminals access to passwords, logins and bank card data.

6) German banks refuse to support authorization via one-time SMS code
Several German banks announced in July 2019 that they planned to abandon the use of one-time SMS passwords as a method of authorization and transaction confirmation.

Over the past few years, the number of attacks using the "SIM swapping" method has increased, thanks to which a fraudster can deceive a telecom operator and transfer a user's phone number to another SIM card, gaining access to the user's online accounts with banks and crypt currency exchanges.

Cyber security specialists have been warning against using one-time SMS passwords for several years, but not because of "SIM swapping" attacks. The problem lies in the inherent and unrecoverable weaknesses of the protocol (SS7), which is used to configure most telephone exchanges around the world. Vulnerabilities in this protocol allow attackers to steal a user's phone number invisibly, even without the knowledge of a provider, allowing them to track the owner of the phone and authorize online payments or login requests.

And banks use this and impose it on their users as an "additional" security measure. A paradox?


7) 97% of large banks are vulnerable to cyber attacks.
On July 10, 2019 it became known that only three banks out of a hundred received the highest score in terms of ensuring the security of their sites and implementation of SSL encryption.
The vast majority of large financial institutions in the S&P Global rating are vulnerable to hacker attacks. This conclusion was made by the experts of the Swiss company ImmuniWeb on the basis of a large-scale study, which examined 100 sites owned by large banks, 2,336 subdomains, 102 Internet banking applications, 55 mobile banking applications and 298 mobile banking APIs.

Positive Technologies: All online banks are under threat of unauthorized access to bank secrecy.
On April 5, 2019 Positive Technologies reported that its experts assessed the level of security of online banks in 2018 and found that 54% of the surveyed systems allow attackers to steal money, and all online banks are under threat of unauthorized access to personal data and bank secrecy. According to the analysis, most of the online banks studied contain critical vulnerabilities. As a result of the online bank security assessment, vulnerabilities were identified in each system studied, which could lead to serious consequences.

9) Trojan under the name Android.BankBot.149.origin is distributed as harmless programs. After downloading to your smartphone, tablet and installation, it requests access to the mobile device administrator functions to make it harder to remove it. It then hides from the user by removing its icon from the home screen.

Then the virus connects to the management server and waits for commands.
It can do the following:
1. Send SMS messages;
2. to intercept SMS messages;
3. to request administrator rights;
4. to execute USSD requests;
5. Receive a list of the numbers of all available contacts from the phone book;
6. To send SMS with the text received in the command to all numbers from the telephone book;
7. To track the location of the device via GPS satellites;
8. to request additional permission to send SMS messages on devices with modern versions of Android OS,
9. making calls,
10. access to the phone book
11. Working with a GPS receiver;
12. obtaining a configuration file with a list of bank applications under attack;
13. display of phishing windows.

What do you think he can do with your "bank security"? 
Whatever he wants to do!!!

And beyond that:

14. the Trojan steals confidential information from users, tracking the launch of "bank-client" applications and software to work with payment systems.
15. controls the launch of over three dozen such programs.
16. as soon as the virus detects that one of them has started working, it downloads from the management server the corresponding phishing form for entering the login and password to access the bank account and shows it on top of the attacked application.
17. In addition to stealing logins and passwords, the Trojan attempts to steal information about the bank card of the owner of an infected mobile device.

To do this, the virus monitors the launch of popular applications such as Facebook, Viber, Youtube, Messenger, WhatsApp, Uber, Snapchat, WeChat, imo, Instagram, Twitter, Play Market and shows a phishing window of the payment service settings on top of them.

18. Upon receipt of SMS, the Trojan turns off all sound and vibration signals, sends the content of messages to attackers and tries to remove intercepted SMS from the list of incoming ones.

As a result, the user may not only fail to receive notifications from credit organizations with information about unplanned money transactions, but also fail to see other messages that come to his number.

Conclusion:
- The imperfect security system (first of all, the bank system) does not allow us to use the mobile phone, which receives one-time SMS-passwords, for other purposes!
It should not be used for online banking (mobile banking)!
It is necessary to allocate a separate device (computer, smartphone, tablet) from which you can access and manage your bank account.

Moreover, this device should not be used for any other purposes other than online banking, including it should not be used for any other purpose:
- browsing the Internet;
- social networks;
- email;
- the device must be equipped with special software implementing the "default ban" function.

These are the restrictions that each of us has to apply - if we want to use banking products that are very vulnerable to attack, not cryptographic nature.

It is possible to live well and quietly, but only when you don't know this information.
The banking security system is a false myth, in our time.

[Voland.V]

Scammers who specialize in hacking into bank security systems are not just looking for access to their victims' money.
It's complicated and thoughtful on their part.
They're hunting for the information they need.
Fraud not only involves using the money in the accounts themselves, but also often opens the door for further fraudulent activity. Criminals may use information obtained as a result of the successful theft of your personal data to further manipulate other financial products, such as consumer loans or credit cards.

Criminals have found and continue to find many opportunities for their illegal activities.

Do not believe advertisements about the boundless reliability of banking security systems. If this were the case, you wouldn't spend a lot of effort constantly modernizing such systems.

In general, a security system cannot be more reliable than the elements of which it consists.
I'm interested in its most important element - cryptographic.
A system built on key cryptography and password authentication methods will always be in danger.
Probably the only way out is with keyless encryption and passwordless authentication.

These options are discussed here:
https://bitcointalk.org/index.php?topic=5204368.0.

And the possible first implementation of such a fundamentally new security system may be in this project:
https://toxic.chat/

[Voland.V]

Another example of how quietly and for a very long time it is possible to exploit the vulnerability of banking security systems.

It should be noted that these are not the last banks in the world.

And yet, it is impossible to keep silent that phishing, which is the basis of many attacks, is possible only in password authentication systems, in systems with a permanent client ID.

These improperly built security systems guarantee the existence of such facts.

14 Canadian banks were affected, among others:
1. CIBC bank;
2. TD Canada Trust;
3. Scotiabank;
4. Royal Bank of Canada (RBC);
5. other banks.
 - were the victims of a large-scale phishing campaign that lasted for two years.

What good is it if fraudsters worked without problems for 2 years.

As noted by researchers from Check Point in their report, in the case of RBC attackers simply took a screenshot of the official site and added invisible text fields over the input fields to collect the credentials of the victim.

If you start collecting these facts, it's very quick to get a very thick and sad book... 

[Dabs]

Phishing = not "real" hacking, but rather a social engineering attempt at getting users to give up their own credentials. It's not the fault of the system or the bank, but user error.

Even more effective are invisible keyloggers, as they can then get passwords for any other website or online banking account the victims log into.

Again, that's not the fault of the encryption or the bank.

But it is indeed a problem.

[fiulpro]

Actually hacking is really hard and requires n number of softwares , the thing what people call hacking now a days might just be your accidental mistake , like opening up your FB id from a link sent to you , therefore that's two different fields , what can be done is :-
You need to secure your own system first , after that you need to limit your usage of apps and devices .
It is gonna take a while for people to figure out how to hack something like cryptography that we are using today but we all know that it is inevitable , that's what the whole thing is about , the IT sector improves every hour, every minute therefore expecting any less would be wrong .

[Voland.V]

Actually hacking is really hard and requires n number of softwares , the thing what people call hacking now a days might just be your accidental mistake , like opening up your FB id from a link sent to you , therefore that's two different fields , what can be done is :-
You need to secure your own system first , after that you need to limit your usage of apps and devices .
It is gonna take a while for people to figure out how to hack something like cryptography that we are using today but we all know that it is inevitable , that's what the whole thing is about , the IT sector improves every hour, every minute therefore expecting any less would be wrong .

---------------------
As for improving the IT security sector, my opinion is that we are always trying to be inspired by the idea that the new security product you buy or use is better than the old one.
But it is not always the case.
More often than not, it is a myth that is spread by the sellers of products for our security.
History knows a lot of cases when new top IT products were hastily made and were inferior to the old proven software solutions.
We live in a world of public opinion.
And as long as huge efforts are made to support this public opinion, there is no way to find out if the new is better than the old until time itself settles the dispute between the disputing parties.

And now, about the facts of time.

Try to look at statistical studies, about successful attacks today compared to what happened 5 years ago.
This is the right indicator of how our IT security is evolving. 

Yes, you will find that many of the bugs of the past have been fixed, and seem to be reliable.
You will also find that cheaters are developing very much ahead of the security industry.
You will also find that security administrators will find out about their bugs once they are detected by scammers.

And you're always told, like this:
- a dangerous vulnerability has been discovered, so urgently install the latest update;
- or so: the vulnerability cannot be fixed with an update, you need to change the software;
- or so (as with the vulnerability of almost all Apple iPhones since model 7): this vulnerability cannot be corrected programmatically, a hardware replacement is required...

And beyond that is the paradox of our perception:
- the first group thinks it's okay, because the vulnerability was discovered and warned about it (the question remains behind the scenes, but what security holes weren't warned about?);
- the second group, more courageous, believes that in such cases, the security system fails to perform its duties, especially when the found shortcomings have already been exploited by criminals.

The pseudo-security industry does everything to make the first group of users dominate the second.

And what group do you think you belong to?

P.S.
Given that, year after year, the financial and reputational losses from cybercriminals are steadily increasing, not decreasing.

[Voland.V]

Phishing = not "real" hacking, but rather a social engineering attempt at getting users to give up their own credentials. It's not the fault of the system or the bank, but user error.

Even more effective are invisible keyloggers, as they can then get passwords for any other website or online banking account the victims log into.

Again, that's not the fault of the encryption or the bank.

But it is indeed a problem.

-----------------------------
You correctly noticed that this is really a problem.

Speaking directly, but not counting on the support of a large number of people, the problem with any key encryption system is the keys.

We develop thought in this direction.
The problem with any password authentication system is passwords.
Once upon a time, this was not so noticeable.
This problem emerged over time, after a statistical analysis of the causes of successful cybercrimes.

For this reason, I advocate only new passwordless authentication methods that are based on the new keyless cryptography. Interestingly, in this field of knowledge, there are almost no publications and studies.
https://bitcointalk.org/index.php?topic=5204368.0

The whole world sees no alternative to either keys or passwords.

In a wonderful world we live, we find it hidden from our eyes, but we don’t notice the obvious on the surface.

[Dabs]

I notice that it is a problem, but I also notice that it is mostly, or almost all of it, a user problem. It's not a technical problem. Good password systems do work. It's the users that reuse old passwords, or increment digits to new passwords, or some other variation that is now found in most brute force password cracking algorithms.

People using names, using dates, using numbers that look like dates, using words they thought only they knew but are in many dictionaries, and using any of those previously mentioned mixed and matched up with rules that are now configurable in the latest generation word list generators for crackers.

Randomly generated passwords do not just get hacked. They are found through some other weak spot in the entire system. Usually, it's the user. Or some other low tech method like a hidden camera over the keyboard, or a hardware keylogger that can't be detected.

Anyone who is smart enough to use a password that looks like a Bitcoin address or Bitcoin private key, just once, for only one particular website or system, and uses completely different passwords for different systems, do not get hacked unless targeted individually by government agencies. Then you're screwed no matter what.

[Voland.V]

I notice that it is a problem, but I also notice that it is mostly, or almost all of it, a user problem. It's not a technical problem. Good password systems do work. It's the users that reuse old passwords, or increment digits to new passwords, or some other variation that is now found in most brute force password cracking algorithms.

People using names, using dates, using numbers that look like dates, using words they thought only they knew but are in many dictionaries, and using any of those previously mentioned mixed and matched up with rules that are now configurable in the latest generation word list generators for crackers.

Randomly generated passwords do not just get hacked. They are found through some other weak spot in the entire system. Usually, it's the user. Or some other low tech method like a hidden camera over the keyboard, or a hardware keylogger that can't be detected.

Anyone who is smart enough to use a password that looks like a Bitcoin address or Bitcoin private key, just once, for only one particular website or system, and uses completely different passwords for different systems, do not get hacked unless targeted individually by government agencies. Then you're screwed no matter what.

--------------------
I fully agree with that opinion.
 But I do not agree that stealing password and other personal information by means of phishing is not a technical problem and it is the problem of inattentive user.
It's not just your opinion, it's a public opinion.
Moreover, I think this opinion has been softly imposed on society by those who cannot and do not want to solve this problem using technical methods.
I'm sure that society will change soon.
Phishing is possible only when you do not authenticate the website, but only the website authenticates you. Only with one-way authentication.
Moreover, once you are caught in phishing, you lose a lot, you do not know that you are already attacked, or you will never know about it.
The security system makes this problem our problem.
And I think it's an old, wrong opinion imposed on us.
I think it's technically possible to do two-way authentication.
 But there's more to it than that. We need to ban authentication with permanent identifiers, as it is now.
These technical measures will completely eliminate phishing as a method, as a phenomenon.
And instead, we are offered to "look closely" at the site and remember in detail how it looks.
This is in the 21st century! This is ridiculous! It means that the whole old security system is unsuitable in our time.
I recently read how phishing attackers deceive the most attentive users - they take high-quality photos of the site and put the necessary active windows to enter the login and password.
What to do in this case? To be very attentive is not a method, it is a complete failure of password authentication technology.

[Voland.V]

Well, phishing can be left in question whose problem it is.
The whole world has put that responsibility on the user.
I strongly disagree with this, and I'm putting this responsibility on the security organizers.
There's no point in arguing.

But it makes sense to look at the root of the problem.

As none of the times I have pointed out that until the basis of modern security system changes - the reliability of any new security system will not change.

In other words, all the upgrades and sewing up of holes will not stop the appearance of new problems in a system with an unreliable basis.

An unreliable basis for all security systems is keys and passwords.

It's a bold statement, but it's thoughtful.  You need to look at the essence, not the form.

I'll give you a fresh example to defend your position.

 You are a user. There is a manufacturer. The manufacturer is in trouble. You use it without suspecting that there are vulnerabilities that affect the Intel Platform Trust (PTT) technology and STMicroelectronics' ST33 TPM chip.
What do you and I (users) have to do with this?
Well, here's the answer.
 Vulnerabilities in TPM chips allow stealing cryptographic keys. A team of researchers from the Worcester Polytechnic Institute (USA), the University of Luebeck (Germany) and the University of California at San Diego (USA) discovered two vulnerabilities in TPM processors. Exploiting problems commonly referred to as TPM-FAIL allows an attacker to steal cryptographic keys stored in the processors.
This chip is used in a wide variety of devices (from network equipment to cloud servers) and is one of the few processors that have received CommonCriteria (CC) EAL 4+ classification (comes with built-in protection against attacks through third-party channels).

The researchers have developed a number of attacks, which they call "timing leakage". The technique is that the attacker can determine the time difference when performing TPM repetitive operations, and "view" the data processed inside the protected processor. This technique can be used to extract 256-bit private keys in TPM used by certain digital signature schemes based on elliptical curve algorithms such as ECDSA and ECSchnorr. They are common digital signature schemes used in many modern cryptographically secure operations, such as establishing TLS connections, signing digital certificates and authorizing system logins.

So this is the subject of our disagreement - keys and stealing them.

It turns out, "A local attacker can recover an ECDSA key from an Intel fTPM in 4-20 minutes, depending on the access level. Attacks can also be carried out remotely on networks by recovering the VPN server authentication key in 5 hours," the researchers note.

This news would not be revealing to our discussion,
if news like this hadn't come from all over the world like rain.

There's no cybersecurity, it's a software salesman's myth.
Think of the number of critical updates released by Microsoft (or rather microscopic software) to their operating systems, exactly like a storm... 

[Dabs]

It's nothing to do with the technology. There is no cure for user incompetence except training them on how to use systems. They trust the wrong things, that's not the fault of technology.

I'm not arguing, just telling it as it is. Users who give their passwords to other people or entities other than the official website in question, well ... that's how they compromise their accounts.

[btcmurat]

Quantum computers have opened the door to a new technology. The old encryption methods will now remain simple. However, this technology has not yet become widespread. No problem until it becomes widespread. Malicious people now have more action

[Voland.V]

Quantum computers have opened the door to a new technology. The old encryption methods will now remain simple. However, this technology has not yet become widespread. No problem until it becomes widespread. Malicious people now have more action

-------------------
There's always been a problem with cryptography.
The story even 10-20 years ago tells us that.

There are problems in cryptography now, except for symmetric encryption systems.

The problems that we see in cryptography are much more serious than the problems that a quantum computer will create.

Just before the quantum computer, the problems were known to a narrow circle of people and only to special organizations.

The advent of quantum computing has added new problems, which are now readily shared with everyone, in order to hide the real problems in cryptography.

Information for thought, even a theoretical very large quantum computer will not do anything with the number 256 bits in a binary system. And if you increase the key length in AES to 512 bits - you can forget about any fantastic calculations at all.

And if you increase the key length in AES to 1024 bits, even the idea of quantum computing becomes ridiculous.

In this case, the load on calculations will increase only 2-4 times, which is not a problem.

And the key length in post quantum systems with the length of 32 000 bits is considered small at all. There are systems with the key length up to 1,000,000 bits.
So what?
Or do you think these systems are afraid of a quantum computer with that much key length?

Therefore, a quantum computer is a terrible "Halloween" for the uninformed about the present state of affairs in modern cryptography.

Modern asymmetric cryptography (the one that is being replaced) is a temporary phenomenon based on unproven hypotheses.

The same is true for the security of the block-chain technology, a precisely temporary phenomenon, precisely based on assumptions that cannot be verified.

Details here (second post of December 4):
https://bitcointalk.org/index.php?topic=5204368.40.   

[Voland.V]

The most sophisticated security system, any security system based on keys and passwords is vulnerable in these very places.
Individually, each of us can arrange secure storage of keys and passwords. But overall, it doesn't work well.

Here's the news again! The price of our security has dropped to a record $6. That's how much the program to hack into our accounts in one of the forums.

Check out the full text:
"Ring and Amazon have been sued for hacking into IoT video surveillance cameras.

The lawsuit charges the companies with breach of contract, invasion of privacy (!), negligence, unfair enrichment, and violation of the California Unfair Competition Act "by misrepresenting security".

Interesting wording: "by misrepresenting security".

In the same way, it is possible to formulate a claim against almost all companies that release all the software.

It's a sober view of our security situation.

But Ring has refused to comment on this situation.

Recall that in mid-December, credentials for thousands of Amazon Ring camera owners were published on the Internet, as well as 3,672 email addresses, passwords, time zone information and names assigned to specific Ring cameras (such as "front door" or "kitchen"). It has also become known that cyber criminals have created special programs to hack into company devices. In one of the forums, the user offered a tool to pick up Ring.com credentials for $6.
Here is the price for password and key security systems.

And the following news shows that such systems flow like a hole in a boat:

Provider of "smart" devices Wyze has leaked data to 2.4 million customers.

Smart Device Provider Wyze confirmed the data leak from the server.
Information such as client email addresses for Wyze accounts, names assigned by users to security cameras, WiFi network SSIDs and Alexa voice helper tokens used to connect Wyze devices to Amazon devices were leaked to the network.

Yes, I understand that stealing passwords (or keys) is not literally breaking cryptography, but it is a measure of the unsuitability of such technologies in today's reality. Yes, we've learned how to attack. More successfully than 10 years ago. And the techniques of such attacks are constantly being improved.

I am convinced that real superiority over swindlers can be achieved only through the introduction of new keyless encryption technologies and authentication methods without using a password, by variable digital identifiers (we are not talking about biometric identifiers), stealing and reusing variable identifiers makes no sense.

[Voland.V]

It is not clear what is the point in reliable cryptography if no one is going to break it directly, but its keys are stolen.

Indeed, according to the same logic, it is unclear what the meaning will be in post-quantum cryptography or even post-post-quantum if the same keys are stolen.

The same security system holes remain and operate, regardless of the level of complexity of the system.

Maybe existing cryptography will not live long because of problems related to keys and the human factor? And not because of quantum computers?

I give an example of exploiting vulnerabilities that have remained a mystery:

-In 2014, it became known about the activities of a highly professional cybercriminal group called Carbanak, specializing in attacks on banks. It is assumed that the group managed to withdraw a total of more than $ 1 billion from various banks - while other cybercriminal groups failed to surpass this result.

Among the most noteworthy events, it is worth mentioning the large-scale hacking of the Italian company Hacking Team, specializing in the development and sale of hacker tools to special services of various countries. As a result, cyber attacks stole more than 400 GB of corporate data, which subsequently ended up on the Web.

But this is an organization that worked for the government, special services, which itself knows how to steal anything and from anyone - it itself has suffered!

But this is a real paradox.
If they did this to them, then what can they do to us?

Didn't the fundamentals of existing security systems based on keys and passwords compromise themselves completely and irrevocably?

How many more examples should humanity have to get in order to understand the inconsistency of the cyber security solutions that we are offered.

I remain a committed follower of new keyless encryption technologies and passwordless authentication methods.

There is a similar in this project: https://toxic.chat

[Voland.V]

Or here's an example, it's not clear how a security vulnerability worked, but it seems to me that they got to the keys - passwords - and made it a crime:

Yesterday, on January 3, Chrome extension stole $16 thousand in cryptographic currency!

A user of Ledger Secure malicious extension for Chrome lost $16 thousand in ZCash encryption. As it later became known, this little-known extension was disguised as Ledger's popular crypto wallet - the latter's developers had already disavowed the malware in the Chrome Web Store.
It is claimed that the Ledger Secure extension sends a passphrase to a third party, which allowed the attackers to steal 600 ZCashes from the victim's account. This user, nicknamed hackedzec on his Twitter account, also specified that he entered the passphrase on his computer only once 2 years ago and that it was stored as a scanned document.
Which storage option contributed to the theft of the crypt currency from the wallet is still unknown. How exactly the extension got into Chrome's browser also remains a mystery, but it was discovered when hackedzec found an unknown file on your computer with links to your Ledger Secure Twitter account. The account simulates the official representation of the French company Ledger.

Earlier MyCrypto detected similar malicious software in the Chrome Web Store. The extension, called Shitcoin Wallet, was freely distributed in Google's directory and stole private keys and authorization data from various cryptographic exchanges such as Binance.

What a twist!
Now we can't even trust the monsters the whole system relies on!

Tell me, where is the solid ground in this sea of uncertainty?

I'll tell you where, but few people will believe it - in systems without passwords and keys.

A paradox?
I don't think so.
It's a rescue.

[Voland.V]

In general, a leak of data, any private data, may result in compromising accounts through password mining based on stolen information or using a stolen password.
Same scheme of attack development - on key information with the same or greater consequences.
Fraudsters also think about our bank data and methods of finding them or information that allows to access bank card data, pin codes, etc. in the same way.

As we can see from these observations on the logic of swindlers' attack, the ultimate goal is password, key, pin code and other permanent user identifiers.

The main word in this last sentence is Persistent Identifiers. And it does not matter what these identifiers are. What matters is their main disadvantage - their permanent nature.

Here is some known information, think about it:

1. Unknown persons have published unencrypted email addresses and user passwords in the public domain.  Security researcher Bob Diachenko discovered an unsecured Elasticsearch database back on December 4 this year, but it was indexed by the BinaryEdge search engine and has been publicly available ever since.
The database contained 2.7 billion e-mail addresses and over 1 billion unencrypted passwords to them. Database analysis showed that most of the data is a leak put up for sale by a cybercriminal under the nickname DoubleFlag.

2. In 2019, there were more than 14 billion user data records in the public domain around the world!
This figure is twice as high as the user data leak in 2018.

Thought it over.
Now the questions:
1) Why so many?
It's so much that calculations show - it's probably almost all users on the planet! 
2) And why is it coming out?
3) And where is the certainty that we are not in these bases?
4) Who says anything that steals in this sphere is published?

Who knows, is silent.

I draw one conclusion - we're all in danger of cyber crimes.

It's for these reasons that we advocate variable user IDs that make no sense to steal and sell.