Hard Light Productions Forums

Off-Topic Discussion => General Discussion => Topic started by: MP-Ryan on April 18, 2012, 01:16:08 am

Title: Use Gmail? Please use 2-factor authentication
Post by: MP-Ryan on April 18, 2012, 01:16:08 am
A great article on this:  http://www.codinghorror.com/blog/2012/04/make-your-email-hacker-proof.html

Google Accounts now supports 2-factor authentication, where you can link your account to Google Authenticator on (as many as you want) smartphones, or receive a code via SMS, which is required to log into your account on multiple machines.  Ruins any potential hacker's day.  All you need is a Gmail account and a mobile device of some kind.
Title: Re: Use Gmail? Please use 2-factor authentication
Post by: newman on April 18, 2012, 01:52:56 am
Done. Thanks for the heads up.
Title: Re: Use Gmail? Please use 2-factor authentication
Post by: Nuke on April 18, 2012, 02:09:31 am
This is a thing I don't like. I don't like cell phones, and will never own one. Seems everything they do to make your email secure is counter-intuitive. Frankly they seem to be doing everything possible to make email easy to hack. First thing they are doing is enforcing a really complicated, hard-to-remember password. This makes people use the same password for multiple accounts. Password recovery is also really counter-intuitive. That's how hackers get into your email in the first place. They follow chains of accounts collecting personal information, and then eventually get enough data to get into your account through your secret questions. That brings me to another point. Why does everything that you do on the internet need to link up with every other thing you do on the internet? This makes it possible for your security to be compromised across the board. Why does everything you do on the internet have to depend on an email account? I have 4 email accounts, 3 of them I keep mostly blank and use them when signing up for forums and stuff. The email I actually use doesn't get used to sign up for things.

Here's how I would manage security.

1. ABOLISH PASSWORD RECOVERY SYSTEMS!!!! You lose it, it's gone; just don't be a moron.
2. Instead of making users follow 300 rules about password complexity, just make them have a really long password. 20 or 30 characters or so, minimum. Maximize permutations.
3. Make accounts stand alone. Stop requiring some other account to sign up for another account. That sets you up for cascade failures in security.
4. Stop telling people to cough up non-relevant personal data.
5. Use IP location checking. IP addresses are usually localized to a specific region, so it's easy to determine the approximate geographical location of the user. Use this data to create a baseline usage. If you unexpectedly teleport from the US to Nigeria and back again, that should be a MASSIVE RED FLAG that something is amiss. This would need to be optional, and possible to tell it if you're moving, changing internet providers, going on vacation, and your general radius of usage.
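Point 5 is what detection people call an "impossible travel" rule, and it is simple enough to show. The following is an added example, not code from any provider: it geolocates consecutive logins per user, works out the speed the user would have needed to get from one to the other, and flags anything faster than an airliner unless the user has declared travel to that country. The IP-to-location table is a constructed stand-in for a GeoIP database (the addresses are documentation ranges), and the login events are made up.

```python
"""Login-velocity ("impossible travel") check.  Added illustration, not any
provider's code.  GEO_TABLE is a constructed stand-in for a GeoIP lookup, keyed
on documentation (TEST-NET) addresses; SAMPLE_LOGINS are made up."""
import math
from dataclasses import dataclass

EARTH_RADIUS_KM = 6371.0
MAX_PLAUSIBLE_KMH = 1000.0  # assumption: roughly airliner speed

# Constructed stand-in for a GeoIP database: ip -> (lat, lon, country)
GEO_TABLE = {
    "203.0.113.7": (40.71, -74.01, "US"),    # New York
    "198.51.100.9": (6.52, 3.38, "NG"),      # Lagos
    "192.0.2.44": (34.05, -118.24, "US"),    # Los Angeles
}


@dataclass(frozen=True)
class Login:
    user: str
    ip: str
    ts: int  # Unix seconds


def haversine_km(a, b):
    """Great-circle distance between two (lat, lon) pairs given in degrees."""
    lat1, lon1 = map(math.radians, a)
    lat2, lon2 = map(math.radians, b)
    h = (math.sin((lat2 - lat1) / 2) ** 2
         + math.cos(lat1) * math.cos(lat2) * math.sin((lon2 - lon1) / 2) ** 2)
    return 2 * EARTH_RADIUS_KM * math.asin(math.sqrt(h))


def flag_impossible_travel(logins, travel_notices=None, max_kmh=MAX_PLAUSIBLE_KMH):
    """Return (previous_login, current_login, implied_kmh) for every consecutive
    pair of logins by the same user that would need travel faster than max_kmh.
    travel_notices maps user -> set of countries the user said they would be in;
    a pair touching one of those countries is not flagged (the "tell it you're
    going on vacation" part)."""
    travel_notices = travel_notices or {}
    per_user = {}
    for login in sorted(logins, key=lambda l: l.ts):
        per_user.setdefault(login.user, []).append(login)

    alerts = []
    for user, seq in per_user.items():
        declared = travel_notices.get(user, set())
        for prev, cur in zip(seq, seq[1:]):
            if prev.ip not in GEO_TABLE or cur.ip not in GEO_TABLE:
                continue  # no location: nothing to compare (a real system would count these)
            plat, plon, pcountry = GEO_TABLE[prev.ip]
            clat, clon, ccountry = GEO_TABLE[cur.ip]
            if pcountry in declared or ccountry in declared:
                continue
            hours = max(cur.ts - prev.ts, 1) / 3600.0
            kmh = haversine_km((plat, plon), (clat, clon)) / hours
            if kmh > max_kmh:
                alerts.append((prev, cur, round(kmh)))
    return alerts


# Constructed sample: alice "teleports" New York -> Lagos -> New York within two
# hours; bob goes New York -> Los Angeles over six hours, which is ordinary.
SAMPLE_LOGINS = [
    Login("alice", "203.0.113.7", 0),
    Login("alice", "198.51.100.9", 3600),
    Login("alice", "203.0.113.7", 7200),
    Login("bob", "203.0.113.7", 0),
    Login("bob", "192.0.2.44", 6 * 3600),
]

if __name__ == "__main__":
    for prev, cur, kmh in flag_impossible_travel(SAMPLE_LOGINS):
        print(f"{cur.user}: {prev.ip} -> {cur.ip} implies {kmh} km/h")
```

The caveats are the ones Nuke already lists: mobile carriers and VPNs move people hundreds of kilometres between requests without any travel, so this is a signal to challenge the login (ask for the second factor, send a notice), not proof of compromise.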

Title: Re: Use Gmail? Please use 2-factor authentication
Post by: Fury on April 18, 2012, 02:28:38 am
Google has supported 2-step authentication for bloody ages.

Also, Nuke is being silly.
Title: Re: Use Gmail? Please use 2-factor authentication
Post by: Nuke on April 18, 2012, 04:34:01 am
I am not.
Title: Re: Use Gmail? Please use 2-factor authentication
Post by: Klaustrophobia on April 18, 2012, 06:01:11 am
google can **** off with their ever-increasing appetite for more of my personal information.
Title: Re: Use Gmail? Please use 2-factor authentication
Post by: karajorma on April 18, 2012, 06:28:09 am
I'm sorry but I don't see how this is a better idea than simply having a strong unique password in the first place (and many of the comments on that page seem to agree with that). Application specific passwords are basically strong unique passwords and now instead of just having one, I have several. Sure the others aren't master passwords, but using them someone can still download all my email.

I'd rather stick to having LastPass as my point of failure than this.
Title: Re: Use Gmail? Please use 2-factor authentication
Post by: Fury on April 18, 2012, 06:52:26 am
You seem to overlook the fact that 2-step authentication does not replace a strong password, it adds to it.

I have roughly 80 unique, strong passwords. I've stored them all in an encrypted KeePass database, which in turn is stored on Dropbox that I can access anywhere I need, even on my phone if needed. The database is protected by a strong master password that is not written down anywhere. Add 2-step authentication on top of that and any perp has a hard time accessing my Google account.

LastPass I see as too weak. It's only one layer of security before giving full access to all passwords. It's also one surface for hackers to try and crack their security. It's not that much better than using the same password everywhere. At least in the case of the Dropbox+KeePass combination, you have two security layers before any passwords are compromised. Dropbox will likely be replaced by either SkyDrive or GDrive as soon as they offer a similar sync app for PCs as Dropbox does.
Title: Re: Use Gmail? Please use 2-factor authentication
Post by: TwentyPercentCooler on April 18, 2012, 07:41:25 am
I like using long, randomly generated nonsense phrases (Internet Anagram Database is great for this) that get changed every week or so. I do tend to rotate through a particular set of them, but not in any particular order and hopefully without a discernible pattern. That way, if I forget one, I have a finite set of phrases to try. I don't expect hackers to find that kind of thing an easy target, at any rate. I have them written down, but in a code. Even if someone breaks into my house and steals the notepad...locked in a safe, in a cubbyhole in the least obvious of places and certainly not on any floorplan of my house...they don't know my code.

Yes. I am paranoid, why do you ask? :D
Title: Re: Use Gmail? Please use 2-factor authentication
Post by: Nuke on April 18, 2012, 07:53:55 am
I'm convinced that most hackers aren't actually doing any hacking. They find a target and infomine the **** out of that person until they have enough info to answer one of the secret questions, completely bypassing the password altogether.
Title: Re: Use Gmail? Please use 2-factor authentication
Post by: Spicious on April 18, 2012, 07:55:32 am
Ideally, everything will use sensibly-scoped oauth tokens and you won't need any application-specific passwords. Contrary to the picture, you should not be using an application-specific password for an ICS phone.

Lastpass supports a variety of two-factor methods, including, most conveniently if you're using two-factor for a Google account, Google Authenticator (the Android/iPhone/etc. app).

Strong passwords are not a substitute for two-factor authentication. A strong password is still only one factor.
Title: Re: Use Gmail? Please use 2-factor authentication
Post by: karajorma on April 18, 2012, 07:59:07 am
You seem to overlook the fact that 2-step authentication does not replace a strong password, it adds to it.

No, I'm not overlooking it. I'm questioning whether the enhanced security it adds is worth the hassle.

As I said, before I do this, someone able to crack a strong password is able to access all my email. After I do this, someone able to crack a strong password is able to access all my email.

Sure they can't take over my Gmail account any more, but how likely are they to be able to do that in the first place?

I'm convinced that most hackers aren't actually doing any hacking. They find a target and infomine the **** out of that person until they have enough info to answer one of the secret questions, completely bypassing the password altogether.

Which is why my password hint is usually "Why the **** would you ask people to create a strong password and then tell them to write something here!"  :p

Seriously though, the article points out the horror story but never once questions how the **** the hacker got hold of that guy's wife's password in the first damn place.
Title: Re: Use Gmail? Please use 2-factor authentication
Post by: Nuke on April 18, 2012, 08:06:14 am
So long as they don't make it mandatory. I have no intention to get a cell phone just so I can check my email. When that happens I'll cut my internet connection and move into the woods, because that's where technology hath forsaken me. I'm also not giving them another email address, 'cause that's a setup for a multiple-account breach. If they manage to guess my 32-digit random-noise password, well, good for them.
Title: Re: Use Gmail? Please use 2-factor authentication
Post by: Nuke on April 18, 2012, 08:08:46 am
Which is why my password hint is usually "Why the **** would you ask people to create a strong password and then tell them to write something here!"  :p

I did something like that too. The answer was my password in reverse.
Title: Re: Use Gmail? Please use 2-factor authentication
Post by: karajorma on April 18, 2012, 08:17:47 am
Strong passwords are not a substitute for two-factor authentication. A strong password is still only one factor.

I'm not saying they are. I'm questioning how much safer this move actually makes you in relation to the amount of hassle it gives you. Cause I honestly want to know if it's worth the hassle.

As far as I can see it really isn't. Until Google decide to update their BlackBerry app to make use of this, I'm always going to be using one-factor authentication to access my email via my mobile phone. So all I've done is given myself the illusion of security in return for a lot of hassle. So if I only want to access my email, then this does nothing much to help me.

Beefing up Lastpass' security on the other hand might be worth it.
Title: Re: Use Gmail? Please use 2-factor authentication
Post by: TwentyPercentCooler on April 18, 2012, 09:51:41 am
I'm convinced that most hackers aren't actually doing any hacking. They find a target and infomine the **** out of that person until they have enough info to answer one of the secret questions, completely bypassing the password altogether.

You're really not too far off, AFAIK. Most "hacking" is actually phishing and/or social engineering. Most of it is done for profit nowadays, or for some kind of benefit to the "hacker" (like having a botnet); they look for easy targets. Sure, they could brute force passwords, but most people are so dumb that even simple measures like that aren't necessary. The most important thing about security, online or otherwise, is to make yourself a hard target. You can never be completely safe, but if you take the potential gain out of attacking you down to nil, it's not likely to happen.
Title: Re: Use Gmail? Please use 2-factor authentication
Post by: Mongoose on April 18, 2012, 04:02:37 pm
Honestly, I can't really bring myself to care about making my accounts stronger/more secure.  Does that mean there's a chance I might be royally boned someday?  Sure.  But I have bigger things to worry about, and quite honestly, most of the stuff I use passwords for is stuff that I don't place massive importance on.
Title: Re: Use Gmail? Please use 2-factor authentication
Post by: Nuke on April 18, 2012, 06:20:15 pm
To be frank, I'm not the CIA. I don't need a whole lot of security. Most everything I do is for entertainment; it doesn't need one layer of security, let alone two. Use strong passwords for your financial stuff, soft passwords for your entertainment stuff, and never share passwords or usernames between the two.
Title: Re: Use Gmail? Please use 2-factor authentication
Post by: karajorma on April 18, 2012, 06:31:06 pm
What makes me laugh about this is that Google have undermined the security of this system by not updating their own mobile apps with this as a consideration.
Title: Re: Use Gmail? Please use 2-factor authentication
Post by: MP-Ryan on April 18, 2012, 07:15:45 pm
I'm sorry but I don't see how this is a better idea than simply having a strong unique password in the first place (and many of the comments on that page seem to agree with that). Application specific passwords are basically strong unique passwords and now instead of just having one, I have several. Sure the others aren't master passwords, but using them someone can still download all my email.

I'd rather stick to having LastPass as my point of failure than this.

I believe said app-specific passwords are single-use only.
Title: Re: Use Gmail? Please use 2-factor authentication
Post by: karajorma on April 18, 2012, 11:08:11 pm
The comments say otherwise.

How would a single use app password work anyway?
Title: Re: Use Gmail? Please use 2-factor authentication
Post by: Fury on April 18, 2012, 11:58:52 pm
Works just fine. You generate a password in Google's account settings to be used with certain apps that do not support 2-step authentication. This password is very long and complex and is given to an app as the password. It's not single-use per se, but you can generate a new one when/if you want.
Title: Re: Use Gmail? Please use 2-factor authentication
Post by: MP-Ryan on April 19, 2012, 12:23:01 am
Works just fine. You generate a password in Google's account settings to be used with certain apps that do not support 2-step authentication. This password is very long and complex and is given to an app as the password. It's not single-use per se, but you can generate a new one when/if you want.

Well, it's effectively single-use as there's no way to re-access the generated password - once it's generated, Google displays it only once to be input and saved, and that's it.  Unless you write it down somewhere, you can't see that password ever again.  I suppose there's still the slight chance that it could be brute-forced, but that is minor and it would only allow access to view your account via something other than a web browser (smartphone app, Thunderbird, Outlook, etc) and no access to your account settings.  While someone could read your email, they couldn't send without your knowledge nor change anything, making it pretty obvious if anyone was doing anything untoward other than simply reading activity.

Thus far, I'm pretty impressed with how sleek this is.  I can link to my account from authenticator apps on both my work BlackBerry and personal Android phones, still access email through those devices, and still link it to Thunderbird on my desktop system, while benefitting from the additional security afforded by two-factor authentication.  There's really no hassle involved beyond the 5 minutes it takes to set up.

I do find it a little amusing that people are disparaging two-factor authentication while simultaneously extolling the virtues of KeePass - its mere presence on a system is a gigantic, singular target.  Personally, I embed a text file in a TrueCrypt-encrypted volume.  Not only does it support better encryption and a plausible-deniability system, but it also supports two-factor authentication via keyfiles.  Dedicated password managers, even excellent open-source ones like KeePass, are a gigantic "TARGET THIS TO CAUSE MAYHEM!" banner ad in the event your system is ever compromised.  Especially with a keylogger.
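Since Fury's and MP-Ryan's posts describe the properties of an app-specific password (a long random string, displayed once, never retrievable afterwards, revocable, and limited in what it can reach), here is an added sketch of how a service can get exactly those properties. This is an illustration, not Google's implementation: the 16-lowercase-letter format, the PBKDF2 parameters and the scope name "mail.read" are assumptions. The point is that the server keeps only a salted hash, so "shown once" is not a UI choice but a consequence of not having the plaintext any more, and revocation is the only operation ever needed.

```python
"""Issuing, storing and checking application-specific passwords.  Added
illustration of the design discussed above, not Google's code; the 16-letter
format, the PBKDF2 settings and the scope names are assumptions."""
import hashlib
import hmac
import os
import secrets
import string
from dataclasses import dataclass

ALPHABET = string.ascii_lowercase
LENGTH = 16            # 26**16 is about 2**75 possibilities: online guessing is hopeless
PBKDF2_ROUNDS = 50_000


@dataclass
class AppPassword:
    label: str         # "Thunderbird on desktop" etc., so the user can revoke the right one
    scope: str         # hypothetical scope name: what this password may be used for
    salt: bytes
    digest: bytes
    revoked: bool = False


class AppPasswordStore:
    """Server-side table of app passwords for one account.  Only salted hashes
    are kept, so the plaintext exists exactly once, at creation time."""

    def __init__(self):
        self._entries = []

    @staticmethod
    def _hash(plaintext, salt):
        return hashlib.pbkdf2_hmac("sha256", plaintext.encode(), salt, PBKDF2_ROUNDS)

    def issue(self, label, scope="mail.read"):
        """Generate a fresh password and return the plaintext; it is not stored."""
        plaintext = "".join(secrets.choice(ALPHABET) for _ in range(LENGTH))
        salt = os.urandom(16)
        self._entries.append(AppPassword(label, scope, salt, self._hash(plaintext, salt)))
        return plaintext

    def authenticate(self, submitted):
        """Return the scope granted to `submitted`, or None.  Every entry is
        checked and compared in constant time so response timing does not reveal
        which (if any) entry matched."""
        candidate = submitted.replace(" ", "").lower()  # UIs often show the value in groups
        granted = None
        for entry in self._entries:
            matched = hmac.compare_digest(self._hash(candidate, entry.salt), entry.digest)
            if matched and not entry.revoked:
                granted = entry.scope
        return granted

    def revoke(self, label):
        """There is no 'reveal' or 'edit'; losing the plaintext means issuing a new one."""
        for entry in self._entries:
            if entry.label == label:
                entry.revoked = True

    def labels(self):
        return [e.label for e in self._entries if not e.revoked]


if __name__ == "__main__":
    store = AppPasswordStore()
    shown_once = store.issue("Thunderbird on desktop")
    print("give this to the mail client:", shown_once)
    print("IMAP login grants:", store.authenticate(shown_once))
```

Whether such a password counts as "single-use" is exactly the disagreement above: it can be presented to the IMAP server any number of times, but it can never be read back from the account settings, and revoking its label is the whole lifecycle.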
Title: Re: Use Gmail? Please use 2-factor authentication
Post by: Fury on April 19, 2012, 01:46:31 am
TrueCrypt encrypted volume is not readily accessible from everywhere you might need access in. Unless you make the computer remotely accessible. While KeePass is a singular target like LastPass is, it's still better than LastPass because online availability of the encrypted database is on your terms. To counter keyloggers, KeePass supports two-channel auto-type obfuscation. http://keepass.info/help/v2/autotype_obfuscation.html

At some point you just need to draw a line on how far you go in protecting your passwords for the sake of convenience. My KeePass database is not going to get cracked anytime soon unless someone gains both the master password and keyfile. I still use and recommend Google's 2-way authentication and I use it myself as well.