| 2FA two step verification & the obsession with security |
| Someone:
--- Quote from: magic on February 13, 2022, 11:31:12 am ---GMail isn't the only "brand name provider". Last time I checked, Microsoft still allowed signups without phone numbers and bullshit like that. You did have to do some captcha thing. --- End quote --- Just checked and it looks like Microsoft backed out their 2FA mandate on outlook/skype for new users, noting that: a) these things have been geolocked and vary country to country, and b) have popped up from time to time as a retroactive requirement (holding accounts "hostage"). |
| mansaxel:
--- Quote from: jukk on February 13, 2022, 07:32:29 pm --- big fundamental problem when some people use the same password on eevblog as on other sites. --- End quote --- This is a very important observation. People are very bad at remembering passwords that are good enough. So once they get one they like, they use it over and over again. And the more important the purpose is, the more likely it is that an old and bad one will be used. Because it is important that it not be forgotten... The first counter-action is password change policies. That does not work; because people will adapt by changing "password01" to "password02". The second counter-action is "fhAHUo98ee0nUU9pmDPV/n8rMxxKj0l"; complicated password policies. That, in itself, just makes the original situation worse. And, "correct battery horse staple". The successful solution must be a hybrid, with multi-factor authentication an important part, because it raises the cost of a compromise to levels only interesting for spear-phishing operations. Trawling, which is what most of us are caught up in, will be completely blocked by multi-factor and a modicum of street smartness. For all those things where MFA is not an option, a unique password is required. And since you now will have several hundred accounts (I just counted mine to 220) you need a password manager. And, since you need a password manager, a random password generator is now a sensible thing. Because you can forget the passwords, and therefore make them complex enough to be very expensive to crack. I use "pass" and a small shell script to make passwords -- the one above was made by this.
--- Code: ---
#!/bin/bash
#
# 20 to 40-char password.
#
# Pick a random line number (1-90) and a random length (20-40).
# shuf is GNU coreutils (Linux); jot is the BSD/macOS equivalent.
case `uname` in
  "Linux")
    line=`shuf -i 1-90 -n 1`
    len=`shuf -i 20-40 -n 1`
    ;;
  "Darwin"|"FreeBSD")
    line=`jot -r 1 1 90`
    len=`jot -r 1 20 40`
    ;;
esac
# 4 KiB of urandom gives well over 90 lines even at the maximum
# fold width of 40; with only 2 KiB the sed step could select a
# line past the end and print nothing.
# tr: [:alnum:] is the class (no extra brackets, which would also
# keep literal [ and ]); the '-' sits last so it is literal rather
# than a range.  Newlines are dropped too, so fold sets the length.
dd if=/dev/urandom bs=1024 count=4 2>/dev/null |\
  base64 |\
  tr -cd '[:alnum:]./_,=-' |\
  fold -w ${len} -b |\
  sed -n -e "${line}p"
#
# EOF
#
--- End code --- |
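An added Python equivalent of the script above (not mansaxel's code) that draws from the same characters the pipeline actually emits using the `secrets` module, and puts a number on "expensive to crack" by computing the entropy of the result; the 1e12 guesses-per-second rate is an assumed figure for the illustration:

```python
import math
import secrets
import string

# What the shell pipeline really produces: base64 output is A-Z a-z 0-9 + / =,
# the tr filter drops '+', and the other punctuation in its set never occurs
# in base64.  '=' only appears as padding on the final line, so it is ignored.
ALPHABET = string.ascii_letters + string.digits + "/"   # 63 symbols


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Return `length` symbols chosen uniformly from `alphabet`.

    secrets.choice uses the OS CSPRNG (the same source as /dev/urandom) and
    has no modulo bias; unlike the fold/sed pipeline it can never pick a
    line that does not exist and return an empty string.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_length(lo: int = 20, hi: int = 40) -> int:
    """Pick a length in [lo, hi], like the `shuf -i 20-40` step."""
    return lo + secrets.randbelow(hi - lo + 1)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(|alphabet|)."""
    return length * math.log2(alphabet_size)


def expected_crack_years(bits: float, guesses_per_second: float = 1e12) -> float:
    """Years to search half the keyspace at the given (assumed) guess rate."""
    return (2.0 ** bits / 2) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    n = random_length()
    pw = generate_password(n)
    bits = entropy_bits(n)
    print(f"{pw}  ({n} chars, {bits:.1f} bits, "
          f"~{expected_crack_years(bits):.3g} years at 1e12 guesses/s)")
```

Even the shortest 20-character output is around 120 bits, far beyond any offline guessing budget, which is why the generator's job is uniqueness per site rather than raw strength.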
| PlainName:
--- Quote ---People are very bad at remembering passwords that are good enough. --- End quote --- I think most people can remember a pretty decent password. The problem is remembering a zillion of the blighters, which leads to repeat use. The stupid passwords, I would bet, are from having to think one up on the spot under pressure to just get the damn registration completed and move on to something useful. Ultimately, it's the same issue as you describe, though. |
| metebalci:
So what happened/happens basically is from remembering one or two PINs/passwords, which was enough in the past (and they might also be protected by another factor as well, e.g. banking cards), we moved to a (online world) situation that required us to remember many and complex passwords, which is impossible (and also it was impossible to carry another factor for each of them separately), and that led to the current state of using password managers with integrated or separate 2FA apps doing that job and securing password managers with the other two (something you have + you are) factors. When a system is in place, there is no additional burden on either the site owner or the user to use this, so it doesn't matter much if a site with less/zero sensitive data, e.g. the eevblog forum, needs 2FA or not. It might even be more troublesome to not use the mainstream methods. |
| Cerebus:
--- Quote from: tooki on February 13, 2022, 06:37:19 pm ---Eevblog isn’t the keys to the castle that email accounts, Google logins, and Apple IDs are. It can’t be used to gain access to other sites/services/devices. --- End quote --- It could cause reputational damage though. If some people's accounts were hacked, the time they have put into building their reputation could be ruined by correct spelling, accurate punctuation, or evidence of cogent thinking. :) |