2FA two step verification & the obsession with security
mansaxel:

--- Quote from: dunkemhigh on February 13, 2022, 09:25:47 pm ---
--- Quote ---People are very bad at remembering passwords that are good enough.
--- End quote ---

I think most people can remember a pretty decent password. The problem is remembering a zillion of the blighters, which leads to repeat use. The stupid passwords, I would bet, are from having to think one up on the spot under pressure to just get the damn registration completed and move on to something useful. Ultimately, it's the same issue as you describe, though.

--- End quote ---

Yes.  What I do is that I make no effort at even trying to learn the password I set for another site which wants an account. I sometimes make an email address specifically for that site (easy if you are running your own domain) and then autogenerate a password which I stuff into my password repository, and go on. In the loop with verification etc. this usually takes minimal extra time.

Also, and this is important: where there are those stupid "personal questions" I strongly suggest people do something like this:

Mother's maiden name: qQmnJpQDhA7grA6XMxOE10qqYIkauAQxH

First pet: Vhg8stsKNa1zHZPVHzf5IfboLP

Favourite teacher: mNbMIMOKZTREIhxRBsentZVWNdrKZ1D/9LUIWC

And, of course keep those well stashed away.

Further:

If you don't think you can trust a computer with your passwords, that little black book which was bought to keep your poems in can be repurposed. Small black books are very resilient to online low-cost attack, providing they're kept under watchful lock and key.  And most of the attacks are made under the assumption that they mustn't cost much at all. Very few of us are being targeted personally.

If you can't count on being able to cut 'n' paste strings (one of the known limitations of small black books), perhaps using a method like the one made into a program here can be useful.   Of course I'd never let a web service generate a password that I'm intent on using (much like my strings above should not be copied verbatim and used!) but instead have my own computer perform the composition.  If you can't do that, a set of dice and a book will do. It is imperative that you remove yourself from the password selection, and let reasonably good randomness work.  Dice are OK, if handled well.
metebalci:

--- Quote from: mansaxel on February 14, 2022, 03:52:36 am ---Of course I'd never let a web service generate a password that I'm intent on using (much like my strings above should not be copied verbatim and used!) but instead have my own computer perform the composition.  If you can't do that, a set of dice and a book will do. It is imperative that you remove yourself from the password selection, and let reasonably good randomness work.  Dice are OK, if handled well.

--- End quote ---

I wonder why you don't trust an online pass generator? I used hotbits for a long time before I started using a password manager which generates on its own.

Not sure but I guess it is not that important how you generate a password as long as it is resistant to dictionary attacks and reasonable brute force. The password is not a key, so its entropy does not need to be a certain value, but of course it is easy to generate one like a key, so why not.
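The two posts above (mansaxel's random "security question" answers and dice-plus-book passphrases, metebalci's question about how much entropy a password actually needs) can be tied together in one added example. This is illustrative code written for this page, not anything either poster published. It assumes a 64-symbol answer alphabet, a constructed 36-word toy list indexed by two d6 rolls (a real list such as the 7776-word diceware list needs five rolls), and function names of my own choosing; the point is that the machine, not the person, picks the values, and that the entropy comes from the size of the alphabet or word list and the length, nothing else.

```python
import math
import secrets
import string

# Alphabet for free-form "security question" answers: letters, digits and two
# symbols that essentially every web form accepts (64 symbols = 6 bits each).
ANSWER_ALPHABET = string.ascii_letters + string.digits + "-_"


def random_answer(length: int = 32) -> str:
    """A random string to use as a 'mother's maiden name' style answer.

    Drawn from the OS CSPRNG via `secrets`; the `random` module is not
    suitable for anything an attacker should not be able to predict.
    """
    return "".join(secrets.choice(ANSWER_ALPHABET) for _ in range(length))


def answer_entropy_bits(length: int, alphabet_size: int = len(ANSWER_ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


# Constructed toy word list (36 entries, so two d6 rolls index it exactly).
# A real list such as the 7776-word diceware list is indexed by five rolls;
# only the list's size matters for entropy, not which words are in it.
WORDS = (
    "acid amber apple arrow atlas bacon badge bagel basil beach bird blade "
    "bloom brick broom cabin camel candy cedar chalk cider cliff cloud coral "
    "crane crisp daisy delta dough drift dune eagle ember fable fern flame"
).split()


def dice_per_word(wordlist=WORDS) -> int:
    """Number of d6 rolls needed to address every entry of `wordlist`."""
    rolls, span = 0, 1
    while span < len(wordlist):
        span *= 6
        rolls += 1
    return rolls


def word_from_rolls(rolls, wordlist=WORDS) -> str:
    """Map dice rolls (each 1..6) to a word by reading them as a base-6 number.

    Raises ValueError for a bad face, a wrong roll count, or an index past the
    end of the list: the caller must re-roll rather than wrap around, because
    wrapping would make low-numbered words more likely than the rest.
    """
    if len(rolls) != dice_per_word(wordlist):
        raise ValueError("expected %d rolls" % dice_per_word(wordlist))
    index = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError("die face out of range: %r" % (r,))
        index = index * 6 + (r - 1)
    if index >= len(wordlist):
        raise ValueError("index %d beyond list; re-roll" % index)
    return wordlist[index]


def roll_dice(n: int) -> list:
    """Roll n fair d6 with the CSPRNG (stand-in for physical dice)."""
    return [secrets.randbelow(6) + 1 for _ in range(n)]


def dice_passphrase(n_words: int = 6, wordlist=WORDS) -> str:
    """Build an n-word passphrase, re-rolling any roll that falls off the list."""
    words = []
    while len(words) < n_words:
        try:
            words.append(word_from_rolls(roll_dice(dice_per_word(wordlist)), wordlist))
        except ValueError:
            continue  # index past the end of a non-power-of-6 list: roll again
    return " ".join(words)


def passphrase_entropy_bits(n_words: int, wordlist_size: int) -> float:
    """n_words * log2(wordlist size); 6 words of a 7776-word list is ~77.5 bits."""
    return n_words * math.log2(wordlist_size)


if __name__ == "__main__":
    ans = random_answer()
    print("Mother's maiden name:", ans, "(%.0f bits)" % answer_entropy_bits(len(ans)))
    phrase = dice_passphrase(6)
    print("Dice passphrase:", phrase,
          "(%.1f bits)" % passphrase_entropy_bits(6, len(WORDS)))
```

The re-roll in `word_from_rolls` is the part people get wrong with physical dice: if the list length is not a power of six, rolls that land past the end have to be thrown away, not reduced modulo the length, or the distribution is no longer uniform. Whether a given bit count is "enough" depends on what the verifier does with it: a site that rate-limits online guesses survives far less entropy than a leaked hash that can be attacked offline at full speed.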
ejeffrey:

--- Quote from: dunkemhigh on February 13, 2022, 04:07:18 pm ---Would you want to do 2FA to get onto EEVBlog?

--- End quote ---

I certainly wouldn't object as long as it was implemented well-- multiple security tokens plus recovery codes allowed, working with standard tokens that can be used with multiple services, and only prompting for second factor monthly or on a new sign on.  I've been using yubikeys for everything that supports it for 7-8 years, and it's just not a big deal.

Poorly implemented 2FA can be annoying but in the same way that crazy password rotation policies are annoying.  The fault is with the administrator or whatever misguided standards they have to conform to.
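Two of the "implemented well" requirements in the post above, recovery codes and only re-prompting for the second factor monthly or on a new sign-on, are concrete enough to show in code. The following is an added example written for this page, not code from the poster or from any forum software. It assumes a server-side store per user, PBKDF2 as the slow hash, a 30-day re-prompt interval as the reading of "monthly", and function and class names of my own choosing; the remembered-device token is a random secret handed to the browser as a cookie, not a fingerprint.

```python
import hashlib
import hmac
import secrets

# Alphabet without 0/O and 1/l/I: these codes get typed in from paper.
CODE_ALPHABET = "abcdefghjkmnpqrstuvwxyz23456789"
GROUPS, GROUP_LEN = 2, 5          # e.g. "k7dm2-xr4pq": 31**10, about 49.5 bits
PBKDF2_ROUNDS = 100_000

# Assumed policy: re-prompt for the second factor every 30 days or on an
# unrecognised device (one reading of "monthly or on a new sign on").
REPROMPT_INTERVAL = 30 * 24 * 3600


def normalize(code: str) -> str:
    """Forgive case, spaces and dashes: the things people do copying off paper."""
    return "".join(ch for ch in code.lower() if ch in CODE_ALPHABET)


def _hash_code(code: str, salt: bytes) -> bytes:
    # Stored like a password: salted and slow. A leaked table of bare hashes
    # of ~50-bit codes would otherwise be cheap to brute-force offline.
    return hashlib.pbkdf2_hmac("sha256", normalize(code).encode(), salt, PBKDF2_ROUNDS)


class RecoveryCodeStore:
    """Per-user store of unused recovery codes, kept only as (salt, hash) pairs."""

    def __init__(self):
        self.entries = []

    def issue(self, count: int = 10) -> list:
        """Generate fresh codes. Plaintext is returned once for display; only
        hashes are kept. Issuing again replaces the old set, so a lost sheet
        can be invalidated by printing a new one."""
        self.entries = []
        codes = []
        for _ in range(count):
            code = "-".join(
                "".join(secrets.choice(CODE_ALPHABET) for _ in range(GROUP_LEN))
                for _ in range(GROUPS)
            )
            salt = secrets.token_bytes(16)
            self.entries.append((salt, _hash_code(code, salt)))
            codes.append(code)
        return codes

    def redeem(self, submitted: str) -> bool:
        """Consume a code: valid exactly once. Every entry is checked with no
        early exit and each comparison is constant-time, so timing reveals
        only how many codes are left, never which one matched."""
        matched = None
        for i, (salt, digest) in enumerate(self.entries):
            if hmac.compare_digest(_hash_code(submitted, salt), digest):
                matched = i
        if matched is None:
            return False
        del self.entries[matched]
        return True


def mark_verified(trusted: dict, now: float) -> str:
    """After a successful second-factor check, mint a random device token to
    set as a cookie and record when it was issued. The token itself is the
    secret; nothing about the browser is fingerprinted."""
    token = secrets.token_urlsafe(32)
    trusted[token] = now
    return token


def needs_second_factor(trusted: dict, token: str, now: float) -> bool:
    """Prompt when the device token is unknown or older than REPROMPT_INTERVAL."""
    issued = trusted.get(token)
    return issued is None or now - issued >= REPROMPT_INTERVAL


if __name__ == "__main__":
    store = RecoveryCodeStore()
    sheet = store.issue(10)
    print("Print and stash these:", *sheet, sep="\n  ")
    print("first code accepted:", store.redeem(sheet[0]))
    print("same code again:", store.redeem(sheet[0]))
    trusted = {}
    tok = mark_verified(trusted, 0.0)
    print("re-prompt after a day:", needs_second_factor(trusted, tok, 86400.0))
    print("re-prompt after 31 days:", needs_second_factor(trusted, tok, 31 * 86400.0))
```

Recovery codes are a second factor of last resort, so they need the same care as the primary one: shown once, stored hashed, burned on use, replaceable as a set. The remembered-device token is the reason a well-run site does not nag on every login; a site that cannot tell returning devices apart has to prompt every time, which is what makes badly done 2FA feel like the password-rotation policies the post compares it to.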
magic:

--- Quote from: tooki on February 13, 2022, 02:37:41 pm ---The stupid in this post is so strong it hurts.

You clearly haven’t put even two seconds of thought or research into what the consequences of a personal security breach can be.

--- End quote ---
No, the real stupid are those who would suffer serious consequences of some shitty web service or their account at a shitty web service getting compromised (read: most of the population these days). IMVHO it's them who clearly haven't put even two seconds of thought into what the consequences of a personal security breach could be :P

It's all about the old joke:
noob's password: Suzy, cause no one could guess his girlfriend's name
lamer's password: OHECU*&*(SH34, cause no one could guess this one
hacker's password: Suzy, cause script kiddies with dictionaries are not the real danger
magic:

--- Quote from: Marco on February 13, 2022, 01:21:17 pm ---It's a shame FIDO is explicitly designed to prevent cloning, even by the user.

I'd really prefer a paper backup of the private key.

--- End quote ---
It's the whole point of those things, though.

The attitude is: the user is an untrustworthy idiot guaranteed to fall for a phishing scam. With enough users, it even becomes a solid fact.