2FA two step verification & the obsession with security
tooki:

--- Quote from: magic on February 14, 2022, 09:22:28 am ---
--- Quote from: tooki on February 13, 2022, 02:37:41 pm ---The stupid in this post is so strong it hurts.

You clearly haven’t put even two seconds of thought or research into what the consequences of a personal security breach can be.

--- End quote ---
No, the real stupid are those who would suffer serious consequences of some shitty web service or their account at a shitty web service getting compromised (read: most of the population these days). IMVHO it's them who clearly haven't put even two seconds of thought into what the consequences of a personal security breach could be :P

It's all about the old joke:
noob's password: Suzy, cause no one could guess his girlfriend's name
lamer's password: OHECU*&*(SH34, cause no one could guess this one
hacker's password: Suzy, cause script kiddies with dictionaries are not the real danger

--- End quote ---
So just forgo all the utility of modern services. Email? Gone. Online storage and backup? Gone. Sync between devices? Gone.

And with that, no more applying for jobs online, signing up for government services, or any other of the myriad things that one is now expected to do online, often with no alternative method.

Yeah, totally practicable.  :palm:

Besides, the whole point of “forcing” 2FA onto users is precisely because almost no users consider the security ramifications because they aren’t security experts. We cannot expect most people to be computer experts. It’s the experts’ duty to design systems that are inherently secure.
PlainName:
But, countering that, security that gets in the way can be worse than poor security because users will try to subvert it.

2FA is fine, but it relies on a hardware key that I probably won't have with me sometimes. Like the aforementioned card reader that banks used: all it did was make me use a different bank instead, because then I wouldn't have to walk around collecting card and reader before even thinking about logging in just to make a quick check.

Now it's assumed everyone has a phone, it's always with them, and it's always the same phone (or, at least, the same number). That's not actually always the case, and as with any other hardware key, if you lose it you're in for a world of hurt.

I don't know the solution, but going for max security because you can isn't it.
ejeffrey:

--- Quote from: mansaxel on February 14, 2022, 03:52:36 am ---
--- Quote from: dunkemhigh on February 13, 2022, 09:25:47 pm ---
--- Quote ---People are very bad at remembering passwords that are good enough.
--- End quote ---

I think most people can remember a pretty decent password. The problem is remembering a zillion of the blighters, which leads to repeat use. The stupid passwords, I would bet, are from having to think one up on the spot under pressure to just get the damn registration completed and move on to something useful. Ultimately, it's the same issue as you describe, though.

--- End quote ---

Yes.  What I do is that I make no effort at even trying to learn the password I set for another site which wants an account. I sometimes make an email address specifically for that site (easy if you are running your own domain) and then autogenerate a password which I stuff into my password repository, and go on. In the loop with verification etc. this usually takes minimal extra time.

Also, and this is important: Where there are those stupid "personal questions" I strongly suggest people do something like this:

Mother's maiden name: qQmnJpQDhA7grA6XMxOE10qqYIkauAQxH

First pet: Vhg8stsKNa1zHZPVHzf5IfboLP

Favourite teacher: mNbMIMOKZTREIhxRBsentZVWNdrKZ1D/9LUIWC

And, of course keep those well stashed away.

Further:

If you don't think you can trust a computer with your passwords, that little black book which was bought to keep your poems in can be repurposed. Small black books are very resilient to online low-cost attack, providing they're kept under watchful lock and key.  And most of the attacks are made under the assumption that they mustn't cost much at all. Very few of us are being targeted personally.

If you can't count on being able to cut 'n' paste strings (one of the known limitations of small black books), perhaps using a method like the one made into a program here can be useful.   Of course I'd never let a web service generate a password that I'm intent on using (much like my strings above should not be copied verbatim and used!) but instead have my own computer perform the composition.  If you can't do that, a set of dice and a book will do. It is imperative that you remove yourself from the password selection, and let reasonably good randomness work.  Dice are OK, if handled well.

--- End quote ---

You can go to all of this effort and yet be considerably less secure in the real world than someone who uses a yubikey and whose password is their pet's name followed by 123.  You are also probably less secure than someone who uses a phone app based TOTP with a weak, reused password.

I use a password manager to generate strong unique passwords with a securely stored and encrypted database.  I recommend the same to anyone who is interested.  But 2FA provides much better security for less end-user burden.  Again, I strongly recommend yubikey or similar hardware tokens if possible.  Once set up they are extremely convenient as well as extremely secure, but failing that a TOTP phone app is pretty good.  The main problem with TOTP is that it can be phished just like a password.  At least the code is time limited and most implementations require a second code to change your authentication information but hardware tokens eliminate this problem.  A lesser problem with TOTP for high security applications is that it is cloneable, but this does have the advantage of making offline backups easier.
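The generation method mansaxel describes in the quoted post (random strings for passwords and for the "personal question" answers, and dice plus a wordlist when the computer is not trusted to pick), as an added example that is not code from the thread. It uses Python's `secrets` module for the OS CSPRNG; the 36-entry wordlist is a constructed toy so the block runs offline (a real diceware list has 7776 entries and uses five dice per word, which the same function handles), and all function names are this example's own.

```python
import math
import secrets
import string

# Character set for generated passwords and for bogus security-question answers.
PASSWORD_ALPHABET = string.ascii_letters + string.digits

# Constructed toy wordlist of 36 entries (6**2), so two dice index one word.
# A real diceware list has 7776 entries (6**5) and takes five dice per word.
TOY_WORDLIST = [
    "anchor", "basil", "cobalt", "delta", "ember", "falcon",
    "garnet", "harbor", "iris", "jasper", "kelp", "lantern",
    "marble", "nectar", "orbit", "pebble", "quartz", "raven",
    "saffron", "timber", "umber", "velvet", "walnut", "xenon",
    "yarrow", "zephyr", "acorn", "bramble", "cedar", "dune",
    "elm", "fern", "grove", "heather", "ivy", "juniper",
]


def random_string(length=32, alphabet=PASSWORD_ALPHABET):
    """Random string from the OS CSPRNG. Use it both for passwords and for
    'mother's maiden name' style answers, which then live in the password
    manager rather than in the user's head."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random selection of `length` symbols."""
    return length * math.log2(alphabet_size)


def dice_per_word(wordlist):
    """Dice needed to index the list; the list must hold exactly 6**k entries,
    otherwise some words would be more likely than others."""
    k = round(math.log(len(wordlist), 6))
    if 6 ** k != len(wordlist):
        raise ValueError("wordlist length must be a power of 6")
    return k


def dice_passphrase(rolls, wordlist):
    """Turn physical dice rolls (ints 1..6) into a passphrase. Each group of k
    rolls is read as a base-6 number indexing the list, so the human never
    chooses a word, only reads dice."""
    k = dice_per_word(wordlist)
    rolls = list(rolls)
    if not rolls or len(rolls) % k:
        raise ValueError(f"need a positive multiple of {k} rolls")
    if any(not 1 <= r <= 6 for r in rolls):
        raise ValueError("dice rolls must be 1..6")
    words = []
    for i in range(0, len(rolls), k):
        index = 0
        for r in rolls[i:i + k]:
            index = index * 6 + (r - 1)
        words.append(wordlist[index])
    return " ".join(words)


def roll_dice(n):
    """Substitute for physical dice when the computer is the trusted party."""
    return [secrets.randbelow(6) + 1 for _ in range(n)]


def generate_passphrase(words, wordlist):
    """Passphrase of `words` words drawn with CSPRNG-simulated dice."""
    return dice_passphrase(roll_dice(words * dice_per_word(wordlist)), wordlist)


if __name__ == "__main__":
    print(random_string())
    # Rolls (1,1) (6,6) (3,4) index entries 0, 35 and 15 of the toy list.
    print(dice_passphrase([1, 1, 6, 6, 3, 4], TOY_WORDLIST))
    print(generate_passphrase(6, TOY_WORDLIST),
          round(entropy_bits(6, len(TOY_WORDLIST)), 1), "bits")
```

The uniformity check in `dice_per_word` is the part people get wrong when they improvise with "a book": opening a book to a random page and taking the first word is far from uniform, whereas base-6 indexing into a list of exactly 6**k entries gives every word the same probability, so the entropy is simply `words * log2(len(wordlist))`.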
mansaxel:

--- Quote from: ejeffrey on February 14, 2022, 06:34:57 pm ---
You can go to all of this effort and yet be considerably less secure in the real world than someone who uses a yubikey and whose password is their pet's name followed by 123.  You are also probably less secure than someone who uses a phone app based TOTP with a weak, reused password.

--- End quote ---

Yes, fully agree, but until everything does token login properly this is what we need to do. In addition to tokens where they work.
metebalci:

--- Quote from: ejeffrey on February 14, 2022, 06:34:57 pm ---Again, I strongly recommend yubikey or similar hardware tokens if possible.  Once set up they are extremely convenient as well as extremely secure, but failing that a TOTP phone app is pretty good.  The main problem with TOTP is that it can be phished just like a password.  At least the code is time limited and most implementations require a second code to change your authentication information but hardware tokens eliminate this problem.  A lesser problem with TOTP for high security applications is that it is cloneable, but this does have the advantage of making offline backups easier.

--- End quote ---

New phones have security hardware similar to hardware tokens, eliminating the need for hardware tokens in many use cases. Also, services are moving from user-generated OTP to server-triggered, probably signature-based, mechanisms, which eliminates the issue of phishing or man-in-the-middle.
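An added example, not code from the thread, illustrating the two points made above: ejeffrey's remark that a TOTP code can be phished (a code typed into a fake page and relayed inside its window is accepted, and anyone holding the shared secret, i.e. a clone, produces the same codes), and metebalci's point that a server-triggered, signature-based exchange resists this because the authenticator signs the challenge together with the origin it was presented on. The TOTP part is RFC 6238 over RFC 4226 HOTP and uses the RFC test secret. The origin-bound part uses an HMAC with a per-credential key as a stand-in for the asymmetric signature a real authenticator would produce; that substitution, the origin strings and all function names are this example's assumptions.

```python
import hashlib
import hmac
import secrets
import struct

# RFC 4226 / RFC 6238 test secret (ASCII "12345678901234567890").
RFC_SECRET = b"12345678901234567890"
STEP = 30  # seconds per TOTP window


def hotp(secret, counter, digits=6):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at, step=STEP):
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time.
    A cloned secret yields exactly the same code at the same time."""
    return hotp(secret, int(at // step))


def totp_verify(secret, code, at, step=STEP, skew=1):
    """Server-side check accepting the current window and `skew` windows on
    either side, as real services do to tolerate clock drift."""
    counter = int(at // step)
    return any(hmac.compare_digest(hotp(secret, counter + d), code)
               for d in range(-skew, skew + 1))


def phish_relay_totp(secret, victim_time, relay_delay):
    """Victim types the code into a phishing page at victim_time; the attacker
    submits it to the real service relay_delay seconds later. Returns whether
    the real service accepts it."""
    captured = totp(secret, victim_time)
    return totp_verify(secret, captured, victim_time + relay_delay)


def authenticator_sign(cred_key, challenge, origin):
    """Authenticator response: binds the origin the browser reports for the
    page making the request. On a phishing page that is the phisher's origin;
    the authenticator has no way to be told otherwise. HMAC stands in for the
    signature a real token would make with its private key (assumption)."""
    return hmac.new(cred_key, origin.encode() + b"\x00" + challenge,
                    hashlib.sha256).digest()


def server_verify(cred_key, challenge, expected_origin, response):
    """Relying party verifies the response against the challenge it issued and
    its own origin; a response bound to any other origin fails."""
    expected = hmac.new(cred_key, expected_origin.encode() + b"\x00" + challenge,
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, response)


def legitimate_login(cred_key, real_origin):
    """Normal flow: server issues a fresh challenge, authenticator signs it on
    the real origin, server verifies."""
    challenge = secrets.token_bytes(32)
    response = authenticator_sign(cred_key, challenge, real_origin)
    return server_verify(cred_key, challenge, real_origin, response)


def phish_relay_origin_bound(cred_key, real_origin, phish_origin):
    """Attacker fetches a real challenge, presents it on the phishing origin,
    and relays the victim's response to the real server in real time.
    The origin mismatch makes verification fail regardless of timing."""
    challenge = secrets.token_bytes(32)
    response = authenticator_sign(cred_key, challenge, phish_origin)
    return server_verify(cred_key, challenge, real_origin, response)


if __name__ == "__main__":
    print("TOTP at t=59:", totp(RFC_SECRET, 59))
    print("relay after 10 s accepted:", phish_relay_totp(RFC_SECRET, 59, 10))
    print("relay after 90 s accepted:", phish_relay_totp(RFC_SECRET, 59, 90))
    key = secrets.token_bytes(32)
    print("origin-bound legitimate:", legitimate_login(key, "https://bank.example"))
    print("origin-bound relayed:", phish_relay_origin_bound(
        key, "https://bank.example", "https://bank-login.example"))
```

Note where the difference comes from: the TOTP server only learns a six-digit number and has no way to tell whether the victim or a relay typed it, so its only defence is the window length, which is why the 10-second relay succeeds and the 90-second one fails. In the origin-bound exchange the browser, not the user, supplies the origin that gets signed, so a live relay is rejected even with zero delay; in WebAuthn this is the origin field of the client data that the relying party checks before verifying the signature.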