Author Topic: 2FA two step verification & the obsession with security  (Read 9332 times)


Offline Someone

  • Super Contributor
  • ***
  • Posts: 5155
  • Country: au
    • send complaints here
Re: 2FA two step verification & the obsession with security
« Reply #25 on: February 13, 2022, 08:16:56 pm »
GMail isn't the only "brand name provider".

Last time I checked, Microsoft still allowed signups without phone numbers and bullshit like that. You did have to do some captcha thing.
Just checked and it looks like Microsoft backed out their 2FA mandate on outlook/skype for new users, noting that: a) these things have been geolocked and vary country to country, and b) have popped up from time to time as a retroactive requirement (holding accounts "hostage").
 

Offline mansaxel

  • Super Contributor
  • ***
  • Posts: 3559
  • Country: se
  • SA0XLR
    • My very static home page
Re: 2FA two step verification & the obsession with security
« Reply #26 on: February 13, 2022, 09:11:16 pm »
big fundamental problem when some people use the same password on eevblog as on other sites.

This is a very important observation.  People are very bad at remembering passwords that are good enough.  So once they get one they like, they use it over and over again. And the more important the purpose is, the more likely it is that an old and bad one will be used. Because it is important that it not be forgotten...

The first counter-action is password change policies. That does not work, because people will adapt by changing "password01" to "password02".

The second counter-action is "fhAHUo98ee0nUU9pmDPV/n8rMxxKj0l", i.e. complicated password policies. That, in itself, just makes the original situation worse. And, "correct battery horse staple".

The successful solution must be a hybrid, with multi-factor authentication an important part, because it raises the cost of a compromise to levels only interesting for spear-phishing operations. Trawling, which is what most of us are caught up in, will be completely blocked by multi-factor and a modicum of street smartness.

For all those things where MFA is not an option, a unique password is required. And since you now will have several hundred accounts (I just counted mine to 220) you need a password manager.  And, since you need a password manager, a random password generator is now a sensible thing. Because you can forget the passwords, and therefore make them complex enough to be very expensive to crack.

I use "pass" and a small shell script to make passwords -- the one above was made by this.

Code:
#!/bin/bash

#
# 20 to 40-char password.
#

case "$(uname)" in
"Linux")
        line=$(shuf -i 1-90 -n 1)
        len=$(shuf -i 20-40 -n 1)
        ;;
"Darwin"|"FreeBSD")
        line=$(jot -r 1 1 90)
        len=$(jot -r 1 20 40)
        ;;
*)
        # Fallback for other systems: bash's own $RANDOM. It only picks which
        # line and how long; the password bytes themselves come from urandom.
        line=$(( RANDOM % 90 + 1 ))
        len=$(( RANDOM % 21 + 20 ))
        ;;
esac

# 4 KiB of random bytes -> ~5400 base64 chars -> at least 135 lines of 40 chars,
# so line 90 always exists (2 KiB gave only ~67 lines at len=40, i.e. an empty
# result for any line number above that).
# Note: '-' goes last in the tr set; written as '.-/' it is read as a range.
dd if=/dev/urandom bs=1024 count=4 2>/dev/null |
        base64 |
        tr -cd '[:alnum:]./_,=-' |
        fold -w "${len}" -b |
        sed -n -e "${line}p"

#
# EOF
#
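The same thing in Python, as an added example that is not mansaxel's script: it draws a 20-40 character string from the script's alphabet with the `secrets` module (the standard library's CSPRNG) and puts a number on "expensive to crack" by computing the entropy in bits. It also shows a detail of the shell pipeline worth knowing: `tr -cd` filtering base64 output cannot add symbols that base64 never emits, so the pipeline's real alphabet is 63 uniform symbols, not 68. The alphabet and length range are taken from the script; the same `generate()` serves for the random security-question answers suggested later in the thread.

```python
"""Random password generation with a CSPRNG, plus the entropy it buys.

Added example, not mansaxel's script: reproduces the shell pipeline's output
(20-40 characters from letters, digits and a few punctuation marks) with the
`secrets` module and quantifies the result in bits.
"""
import math
import secrets
import string

# The set the script's tr(1) filter keeps: alphanumerics plus . - / _ , =  (68 symbols)
ALPHABET = string.ascii_letters + string.digits + "./_,=-"

# What base64 can actually emit: A-Z a-z 0-9 + / =
BASE64_ALPHABET = string.ascii_letters + string.digits + "+/="


def generate(min_len: int = 20, max_len: int = 40, alphabet: str = ALPHABET) -> str:
    """Uniform random length in [min_len, max_len] (like `shuf -i 20-40 -n 1`), then
    each character drawn independently and uniformly from `alphabet`."""
    length = min_len + secrets.randbelow(max_len - min_len + 1)
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """A uniformly random string of `length` symbols from `alphabet_size` choices
    carries length * log2(alphabet_size) bits."""
    return length * math.log2(alphabet_size)


def effective_script_alphabet() -> str:
    """Filtering base64 output with tr -cd cannot add symbols base64 never emits.
    The script's real alphabet is base64's set minus '+': 62 alphanumerics, '/',
    and '=' (which only occurs as padding, so effectively 63 uniform symbols)."""
    return "".join(sorted(set(BASE64_ALPHABET) & set(ALPHABET)))


def is_in_alphabet(password: str, alphabet: str = ALPHABET) -> bool:
    """Sanity check a generated value against the intended character set."""
    return all(c in alphabet for c in password)


if __name__ == "__main__":
    pw = generate()
    print(pw, len(pw), "chars")
    print("bits if drawn from the 68-symbol set:",
          round(entropy_bits(len(pw), len(ALPHABET)), 1))
    eff = effective_script_alphabet()
    print("symbols the base64 pipeline can actually produce:", len(eff))
    print("bits for a 20-char script password (63 uniform symbols):",
          round(entropy_bits(20, 63), 1))   # ~119.6, far beyond any brute-force budget
```

Even at the short end of the range the script's output carries roughly 120 bits, which is why the character-set detail is academic in practice; the point of the comparison is that entropy comes from the source alphabet and length, not from how many characters a filter nominally allows.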



Offline PlainName

  • Super Contributor
  • ***
  • Posts: 7508
  • Country: va
Re: 2FA two step verification & the obsession with security
« Reply #27 on: February 13, 2022, 09:25:47 pm »
Quote
People are very bad at remembering passwords that are good enough.

I think most people can remember a pretty decent password. The problem is remembering a zillion of the blighters, which leads to repeat use. The stupid passwords, I would bet, are from having to think one up on the spot under pressure to just get the damn registration completed and move on to something useful. Ultimately, it's the same issue as you describe, though.
 

Offline metebalci

  • Frequent Contributor
  • **
  • Posts: 460
  • Country: ch
Re: 2FA two step verification & the obsession with security
« Reply #28 on: February 13, 2022, 10:34:12 pm »
So what happened/happens basically is: from remembering one or two PINs/passwords, which was enough in the past (and they might also have been protected by another factor, e.g. banking cards), we moved to an (online world) situation that required us to remember many complex passwords, which is impossible (and it was also impossible to carry another factor for each of them separately). That led to the current state of using password managers with integrated or separate 2FA apps doing that job, and securing the password managers with the other two factors (something you have + something you are). When a system is in place, there is no additional burden on either the site owner or the user to use this, so it doesn't matter much whether a site with little/zero sensitive data, e.g. the eevblog forum, needs 2FA or not. It might even be more troublesome not to use the mainstream methods.
 

Offline Cerebus

  • Super Contributor
  • ***
  • Posts: 10576
  • Country: gb
Re: 2FA two step verification & the obsession with security
« Reply #29 on: February 13, 2022, 10:54:00 pm »
Eevblog isn’t the keys to the castle that email accounts, Google logins, and Apple IDs are. It can’t be used to gain access to other sites/services/devices.

It could cause reputational damage though. If some people's accounts were hacked, the time they have put into building their reputation could be ruined by correct spelling, accurate punctuation, or evidence of cogent thinking.  :)
Anybody got a syringe I can use to squeeze the magic smoke back into this?
 
The following users thanked this post: vk6zgo

Offline mansaxel

  • Super Contributor
  • ***
  • Posts: 3559
  • Country: se
  • SA0XLR
    • My very static home page
Re: 2FA two step verification & the obsession with security
« Reply #30 on: February 14, 2022, 03:52:36 am »
Quote
People are very bad at remembering passwords that are good enough.

I think most people can remember a pretty decent password. The problem is remembering a zillion of the blighters, which leads to repeat use. The stupid passwords, I would bet, are from having to think one up on the spot under pressure to just get the damn registration completed and move on to something useful. Ultimately, it's the same issue as you describe, though.

Yes.  What I do is that I make no effort at even trying to learn the password I set for another site which wants an account. I sometimes make an email address specifically for that site (easy if you are running your own domain) and then autogenerate a password which I stuff into my password repository, and go on. In the loop with verification et c this usually takes minimal extra time.

Also, and this is important: Where there are those stupid "personal questions" I strongly suggest people do something like this:

Mother's maiden name: qQmnJpQDhA7grA6XMxOE10qqYIkauAQxH

First pet: Vhg8stsKNa1zHZPVHzf5IfboLP

Favourite teacher: mNbMIMOKZTREIhxRBsentZVWNdrKZ1D/9LUIWC

And, of course keep those well stashed away.

Further:

If you don't think you can trust a computer with your passwords, that little black book which was bought to keep your poems in can be repurposed. Small black books are very resilient to online low-cost attack, providing they're kept under watchful lock and key.  And most of the attacks are made under the assumption that they mustn't cost much at all. Very few of us are being targeted personally.

If you can't count on being able to cut 'n paste strings (one of the known limitations of small black books), perhaps using a method like the one made into a program here can be useful.   Of course I'd never let a web service generate a password that I'm intent on using (much like my strings above should not be copied verbatim and used!) but instead have my own computer perform the composition.  If you can't do that, a set of dice and a book will do. It is imperative that you remove yourself from the password selection, and let reasonably good randomness work.  Dice are OK, if handled well.
« Last Edit: February 14, 2022, 03:54:58 am by mansaxel »
 

Offline metebalci

  • Frequent Contributor
  • **
  • Posts: 460
  • Country: ch
Re: 2FA two step verification & the obsession with security
« Reply #31 on: February 14, 2022, 06:37:24 am »
Of course I'd never let a web service generate a password that I'm intent on using (much like my strings above should not be copied verbatim and used!) but instead have my own computer perform the composition.  If you can't do that, a set of dice and a book will do. It is imperative that you remove yourself from the password selection, and let reasonably good randomness work.  Dice are OK, if handled well.

I wonder why you don't trust an online pass generator? I used hotbits for a long time before I started using a password manager which generates on its own.

Not sure but I guess it is not that important how you generate a password as long as it is resistant to dictionary attacks and reasonable brute force. The password is not a key, so its entropy does not need to be a certain value, but of course it is easy to generate one like a key, so why not.
 

Online ejeffrey

  • Super Contributor
  • ***
  • Posts: 4033
  • Country: us
Re: 2FA two step verification & the obsession with security
« Reply #32 on: February 14, 2022, 07:59:27 am »
Would you want to do 2FA to get onto EEVBlog?

I certainly wouldn't object as long as it was implemented well-- multiple security tokens plus recovery codes allowed, working with standard tokens that can be used with multiple services, and only prompting for second factor monthly or on a new sign on.  I've been using yubikeys for everything that supports it for 7-8 years, and it's just not a big deal.

Poorly implemented 2FA can be annoying but in the same way that crazy password rotation policies are annoying.  The fault is with the administrator or whatever misguided standards they have to conform to.
 

Online magic

  • Super Contributor
  • ***
  • Posts: 7453
  • Country: pl
Re: 2FA two step verification & the obsession with security
« Reply #33 on: February 14, 2022, 09:22:28 am »
The stupid in this post is so strong it hurts.

You clearly haven’t put even two seconds of thought or research into what the consequences of a personal security breach can be.
No, the real stupid are those who would suffer serious consequences of some shitty web service or their account at a shitty web service getting compromised (read: most of the population these days). IMVHO it's them who clearly haven't put even two seconds of thought into what the consequences of a personal security breach could be :P

It's all about the old joke:
noob's password: Suzy, cause no one could guess his girlfriend's name
lamer's password: OHECU*&*(SH34, cause no one could guess this one
hacker's password: Suzy, cause script kiddies with dictionaries are not the real danger
 

Online magic

  • Super Contributor
  • ***
  • Posts: 7453
  • Country: pl
Re: 2FA two step verification & the obsession with security
« Reply #34 on: February 14, 2022, 09:25:18 am »
It's a shame FIDO is explicitly designed to prevent cloning, even by the user.

I'd really prefer a paper backup of the private key.
It's the whole point of those things, though.

The attitude is: the user is an untrustworthy idiot guaranteed to fall for a phishing scam. With enough users, it even becomes a solid fact.
 

Offline mansaxel

  • Super Contributor
  • ***
  • Posts: 3559
  • Country: se
  • SA0XLR
    • My very static home page
Re: 2FA two step verification & the obsession with security
« Reply #35 on: February 14, 2022, 10:20:42 am »

I wonder why you don't trust an online pass generator?

The risk analysis matrix becomes a lot bigger if you have to extend trust (however small) to the people who clean the room where the computer that hosts the logs from the password generation service lives. 

Ideally, one should do private key generation on a permanently offline system, and only export data on read-only media, preferably smart cards, which then are used as intended (not only as carriers, but using the compute on-card to sign data using the private key).  Since doing that is a major ass-ache, I have settled for using a local random generator on my frequently patched computer, and then storing the passwords encrypted on local disk.  I believe this is a trade-off that is reasonable in my situation.

Online richard.cs

  • Super Contributor
  • ***
  • Posts: 1201
  • Country: gb
  • Electronics engineer from Southampton, UK.
    • Random stuff I've built (mostly non-electronic and fairly dated).
Re: 2FA two step verification & the obsession with security
« Reply #36 on: February 14, 2022, 11:40:43 am »
Quote
I'm more upset about rules for passwords, that is really getting out of hand.

No kidding. I have to use a system where the password must be >12 characters, contain letters, numbers, caps (but fortunately no punctuation, yet), and can't be one that's been used before. And you get forced to change it every 4 weeks. Sometimes I want to cry.
I had one a few weeks ago where it had some perverse combination of password requirements and didn't tell you what they were. It would also drop you back a couple of pages if it didn't like your password. It took me 10 minutes to construct a password it would eat, and I still have only a vague idea what the requirements actually are (something along the lines of 3 each of lowercase, uppercase, numbers and symbols, plus a minimum of around 16 characters and some rules around repeated-characters).
 
The following users thanked this post: tooki, Cubdriver

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 669
  • Country: fi
Re: 2FA two step verification & the obsession with security
« Reply #37 on: February 14, 2022, 12:13:20 pm »
The updated NIST guidelines are going in a sensible direction, with recommendation on reducing complexity, allowing for unicode characters and elimination of expiration: https://stealthbits.com/blog/nist-password-guidelines/ (random blog that explains changes in NIST guidelines).

Now it will take a couple of decades for companies to follow recommendations. Some seem to be stuck in the 90's. And HARD. With head in the sand.
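To make the two directions concrete, here is an added example (not from the thread or the linked blog) that puts a legacy composition policy of the kind richard.cs describes next to a check written in the spirit of NIST SP 800-63B: length is the requirement, any Unicode is accepted, there are no composition or expiry rules, and the value is screened against a blocklist of known-bad choices. The blocklist is a constructed sample standing in for a real breach-corpus list.

```python
"""Legacy composition policy vs. a check in the spirit of NIST SP 800-63B.

Added example. `legacy_policy` encodes old-style rules (more than 12 characters,
letters, digits, capitals, no reuse); `nist_style_check` follows the current
guidance: length, Unicode allowed, no composition rules, blocklist screening.
"""
import unicodedata

# Constructed sample; a real deployment screens against breached-password corpora.
BLOCKLIST = {"password", "password01", "password02", "qwerty", "letmein", "123456", "eevblog"}


def legacy_policy(pw: str, history=()) -> list:
    """Old-style rules; returns the list of violated rules (empty means accepted)."""
    fails = []
    if len(pw) <= 12:
        fails.append("must be longer than 12 characters")
    if not any(c.isalpha() for c in pw):
        fails.append("needs a letter")
    if not any(c.isdigit() for c in pw):
        fails.append("needs a digit")
    if not any(c.isupper() for c in pw):
        fails.append("needs a capital")
    if pw in history:
        fails.append("was used before")
    return fails


def _is_sequential(pw: str) -> bool:
    """'abcdefgh' or '87654321': every step between neighbours is the same +1 or -1."""
    if len(pw) < 3:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def nist_style_check(pw: str, blocklist=BLOCKLIST, min_len: int = 8, max_len: int = 64):
    """Returns (accepted, reason). NFKC normalisation first, so the length and the
    blocklist comparison see the same code points the user will type next time.
    No composition rules and no expiry: those are the parts 800-63B dropped."""
    pw = unicodedata.normalize("NFKC", pw)
    if len(pw) < min_len:
        return False, "too short"
    if len(pw) > max_len:            # 800-63B: accept at least 64; longer is fine
        return False, "too long"
    if pw.lower() in blocklist:
        return False, "blocklisted"
    if len(set(pw)) == 1:
        return False, "repetitive"
    if _is_sequential(pw):
        return False, "sequential"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ["correct horse battery staple", "Passw0rd12345", "Password01",
                      "12345678", "日本語のパスワード"]:
        print(f"{candidate!r:32} legacy={legacy_policy(candidate) or 'ok'} "
              f"nist={nist_style_check(candidate)}")
```

The instructive cases are the long passphrase, which the legacy rules reject for lacking a digit and a capital while the length-based check accepts it, and "Password01", which satisfies every composition rule except length and would be accepted by many legacy policies with a slightly lower threshold, yet is exactly the kind of value a blocklist catches.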
 

Offline madires

  • Super Contributor
  • ***
  • Posts: 8276
  • Country: de
  • A qualified hobbyist ;)
Re: 2FA two step verification & the obsession with security
« Reply #38 on: February 14, 2022, 02:31:12 pm »
For all those things where MFA is not an option, a unique password is required. And since you now will have several hundred accounts (I just counted mine to 220) you need a password manager.  And, since you need a password manager, a random password generator is now a sensible thing. Because you can forget the passwords, and therefore make them complex enough to be very expensive to crack.

I recommend using an offline password manager. They also include a password generator. Just choose the length and the character types. Very simple and effective. Most password managers support some sort of login automation - also very handy. And don't forget to back up the database and to place a cleartext copy in the safe.
 

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 669
  • Country: fi
Re: 2FA two step verification & the obsession with security
« Reply #39 on: February 14, 2022, 02:59:36 pm »

I recommend using an offline password manager. They also include a password generator. Just choose the length and the character types. Very simple and effective. Most password managers support some sort of login automation - also very handy. And don't forget to back up the database and to place a cleartext copy in the safe.

I used Keepass variants for many years (on different devices and operating systems). I even used a terminal variant on linux. Now I'm a bit lazy and have moved my private passwords to Bitwarden. It is open source and you can run your own instance. The only stupidity is that it doesn't support storing a full PGP private key (you have to cut it in half due to size).

For the 2FA application I use AndOTP. What is important is that it supports backup and export of codes, so that you can restore TOTP codes if your device fails.


 

Offline tooki

  • Super Contributor
  • ***
  • Posts: 13157
  • Country: ch
Re: 2FA two step verification & the obsession with security
« Reply #40 on: February 14, 2022, 04:31:35 pm »
The stupid in this post is so strong it hurts.

You clearly haven’t put even two seconds of thought or research into what the consequences of a personal security breach can be.
No, the real stupid are those who would suffer serious consequences of some shitty web service or their account at a shitty web service getting compromised (read: most of the population these days). IMVHO it's them who clearly haven't put even two seconds of thought into what the consequences of a personal security breach could be :P

It's all about the old joke:
noob's password: Suzy, cause no one could guess his girlfriend's name
lamer's password: OHECU*&*(SH34, cause no one could guess this one
hacker's password: Suzy, cause script kiddies with dictionaries are not the real danger
So just forgo all the utility of modern services. Email? Gone. Online storage and backup? Gone. Sync between devices? Gone.

And with that, no more applying for jobs online, signing up for government services, or any other of the myriad things that one is now expected to do online, often with no alternative method.

Yeah, totally practicable.  :palm:

Besides, the whole point of “forcing” 2FA onto users is precisely because almost no users consider the security ramifications because they aren’t security experts. We cannot expect most people to be computer experts. It’s the experts’ duty to design systems that are inherently secure.
 

Offline PlainName

  • Super Contributor
  • ***
  • Posts: 7508
  • Country: va
Re: 2FA two step verification & the obsession with security
« Reply #41 on: February 14, 2022, 04:45:26 pm »
But, countering that, security that gets in the way can be worse than poor security because users will try to subvert it.

2FA is fine, but it relies on a hardware key that I probably won't have with me sometimes. Like the aforementioned card reader that banks used, all it did was make me use a different bank instead, because then I wouldn't have to walk around collecting card and reader before even thinking about logging in just to make a quick check.

Now it's assumed everyone has a phone, it's always with them, and it's always the same phone (or, at least, the same number). That's not actually always the case, and as with any other hardware key, if you lose it you're in for a world of hurt.

I don't know the solution, but going for max security because you can isn't it.
 
The following users thanked this post: magic

Online ejeffrey

  • Super Contributor
  • ***
  • Posts: 4033
  • Country: us
Re: 2FA two step verification & the obsession with security
« Reply #42 on: February 14, 2022, 06:34:57 pm »
Quote
People are very bad at remembering passwords that are good enough.

I think most people can remember a pretty decent password. The problem is remembering a zillion of the blighters, which leads to repeat use. The stupid passwords, I would bet, are from having to think one up on the spot under pressure to just get the damn registration completed and move on to something useful. Ultimately, it's the same issue as you describe, though.

Yes.  What I do is that I make no effort at even trying to learn the password I set for another site which wants an account. I sometimes make an email address specifically for that site (easy if you are running your own domain) and then autogenerate a password which I stuff into my password repository, and go on. In the loop with verification et c this usually takes minimal extra time.

Also, and this is important: Where there are those stupid "personal questions" I strongly suggest people do something like this:

Mother's maiden name: qQmnJpQDhA7grA6XMxOE10qqYIkauAQxH

First pet: Vhg8stsKNa1zHZPVHzf5IfboLP

Favourite teacher: mNbMIMOKZTREIhxRBsentZVWNdrKZ1D/9LUIWC

And, of course keep those well stashed away.

Further:

If you don't think you can trust a computer with your passwords, that little black book which was bought to keep your poems in can be repurposed. Small black books are very resilient to online low-cost attack, providing they're kept under watchful lock and key.  And most of the attacks are made under the assumption that they mustn't cost much at all. Very few of us are being targeted personally.

If you can't count on being able to cut 'n paste strings (one of the known limitations of small black books), perhaps using a method like the one made into a program here can be useful.   Of course I'd never let a web service generate a password that I'm intent on using (much like my strings above should not be copied verbatim and used!) but instead have my own computer perform the composition.  If you can't do that, a set of dice and a book will do. It is imperative that you remove yourself from the password selection, and let reasonably good randomness work.  Dice are OK, if handled well.

You can go to all of this effort and yet be considerably less secure in the real world than someone who uses a yubikey and whose password is their pet's name followed by 123.  You are also probably less secure than someone who uses a phone app based TOTP with a weak, reused password.

I use a password manager to generate strong unique passwords with a securely stored and encrypted database.  I recommend the same to anyone who is interested.  But 2FA provides much better security for less end-user burden.  Again, I strongly recommend yubikey or similar hardware tokens if possible.  Once set up they are extremely convenient as well as extremely secure, but failing that a TOTP phone app is pretty good.  The main problem with TOTP is that it can be phished just like a password.  At least the code is time limited and most implementations require a second code to change your authentication information but hardware tokens eliminate this problem.  A lesser problem with TOTP for high security applications is that it is cloneable, but this does have the advantage of making offline backups easier.
 
The following users thanked this post: Someone

Offline mansaxel

  • Super Contributor
  • ***
  • Posts: 3559
  • Country: se
  • SA0XLR
    • My very static home page
Re: 2FA two step verification & the obsession with security
« Reply #43 on: February 14, 2022, 07:06:10 pm »

You can go to all of this effort and yet be considerably less secure in the real world than someone who uses a yubikey and whose password is their pet's name followed by 123.  You are also probably less secure than someone who uses a phone app based TOTP with a weak, reused password.

Yes, fully agree, but until everything will do token login properly this is what we need to do. In addition to tokens where they work.

Offline metebalci

  • Frequent Contributor
  • **
  • Posts: 460
  • Country: ch
Re: 2FA two step verification & the obsession with security
« Reply #44 on: February 14, 2022, 08:05:13 pm »
Again, I strongly recommend yubikey or similar hardware tokens if possible.  Once set up they are extremely convenient as well as extremely secure, but failing that a TOTP phone app is pretty good.  The main problem with TOTP is that it can be phished just like a password.  At least the code is time limited and most implementations require a second code to change your authentication information but hardware tokens eliminate this problem.  A lesser problem with TOTP for high security applications is that it is cloneable, but this does have the advantage of making offline backups easier.

New phones have similar security hardware to hardware tokens, eliminating the need for hardware tokens in many use cases. Also, the services are moving from user-generated OTPs to server-triggered, probably signature-based, mechanisms, which eliminates the issue with phishing or man-in-the-middle.
 

Online magic

  • Super Contributor
  • ***
  • Posts: 7453
  • Country: pl
Re: 2FA two step verification & the obsession with security
« Reply #45 on: February 14, 2022, 08:08:03 pm »
So just forgo all the utility of modern services. Email? Gone. Online storage and backup? Gone. Sync between devices? Gone.

And with that, no more applying for jobs online, signing up for government services, or any other of the myriad things that one is now expected to do online, often with no alternative method.
I have email. Still works without 2FA and admittedly the password isn't Suzy, I know, I'm lame. I try to minimize my exposure to pwnage by being sure to have other means of communication with important people or institutions and of course keeping a local archive of all mail. It would suck to lose the address, but I would rather have that minimal risk than be forcibly locked out without a fucking phone at hand. I'm not a target to anyone who genuinely cares to justify such level of paranoia.

I use one service which does use 2FA and it's the bank. Arguably a good idea, but because of some stupid EUSSR directive it no longer works with one time passwords sent by snail mail, but requires the fucking phone. Lotta fun if that PoS breaks.

Government services? Fun that you ask. Some moron in Poland routinely uses my e-mail address to sign up to various services that don't require e-mail confirmation to start using :palm: :palm: :palm: and one of them is indeed a government body. I'm still wondering if/how/when to pwn him for maximum lulz >:D
 

Offline metebalci

  • Frequent Contributor
  • **
  • Posts: 460
  • Country: ch
Re: 2FA two step verification & the obsession with security
« Reply #46 on: February 14, 2022, 08:16:06 pm »
Now it's assumed everyone has a phone, it's always with them, and it's always the same phone (or, at least, the same number).

I always argued that the phone number/SMS OTP is not a proper 2FA. The phone number does not fully belong to you. The mobile operator can connect your number to another SIM without you realizing; there were fraud cases because of this when SMS OTPs started to be used by banks 10+ years ago. It is not a big issue anymore, but I still think there is a difference and I prefer not to use it if there is an alternative.
 

Offline JohanH

  • Frequent Contributor
  • **
  • Posts: 669
  • Country: fi
Re: 2FA two step verification & the obsession with security
« Reply #47 on: February 14, 2022, 08:29:23 pm »

Now it's assumed everyone has a phone, it's always with them, and it's always the same phone (or, at least, the same number). That's not actually always the case, and as with any other hardware key, if you lose it you're in for a world of hurt.


Most services assume you have a 2FA application of some sort. Some still offer SMS and email as the second factor. In most of the cases, they also offer TOTP that works with any TOTP application. This isn't tied to a phone (but is most commonly used on a phone app), it could be a separate PC (your desktop or a raspberry works fine) or hardware key. If you backup the TOTP keys (encrypted of course), you will not lose anything.
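The properties ejeffrey and JohanH describe (a TOTP code is time-limited, a code captured at one moment is useless a little later, and any device holding the same secret computes identical codes, which is both the cloneability concern and the reason an exported/backed-up secret restores everything) all fall out of the algorithm itself. Here is RFC 6238 worked through with the standard library, as an added example that is not code posted in the thread. The only sample input is the RFC's own test secret "12345678901234567890"; the base32 form is how authenticator apps exchange it in otpauth:// URIs.

```python
"""TOTP (RFC 6238) worked through with the standard library.

Added example for this thread, not code posted by ejeffrey or JohanH. Shows the
30-second step, server-side skew window, rejection of a replayed code, and that
two devices provisioned from the same base32 secret agree on every code.
"""
import base64
import hashlib
import hmac
import struct

STEP = 30    # RFC 6238 default time step in seconds
DIGITS = 6   # what most authenticator apps display


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP is HOTP with the counter derived from the clock: floor(T / step)."""
    return hotp(secret, unix_time // step, digits)


def verify(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the current step and +/- `window` neighbours for
    clock skew. hmac.compare_digest keeps the comparison constant-time."""
    counter = unix_time // STEP
    return any(hmac.compare_digest(hotp(secret, c), code)
               for c in range(counter - window, counter + window + 1))


def secret_from_base32(text: str) -> bytes:
    """Authenticator apps exchange the shared secret as base32 (otpauth:// 'secret=').
    Padding is often dropped in QR codes, so restore it before decoding."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def cloned_devices_agree(b32_secret: str, unix_time: int) -> bool:
    """Two 'devices' provisioned from the same exported secret produce the same code:
    the cloneability ejeffrey mentions, and why an encrypted backup of the secret works."""
    phone = secret_from_base32(b32_secret)
    backup = secret_from_base32(b32_secret)
    return totp(phone, unix_time) == totp(backup, unix_time)


if __name__ == "__main__":
    rfc_secret = b"12345678901234567890"           # RFC 6238 Appendix B test key
    code = totp(rfc_secret, 59)                      # last 6 digits of the RFC's 94287082
    print("code at T=59:", code)
    print("accepted at T=59:", verify(rfc_secret, code, 59))
    print("accepted at T=89 (one step late, inside skew window):", verify(rfc_secret, code, 89))
    print("accepted at T=119 (replayed two steps later):", verify(rfc_secret, code, 119))
    print("phone and backup agree:",
          cloned_devices_agree("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ", 59))
```

Note what the code does not give you: nothing in `verify` knows which site the code was typed into, so a code relayed by a phishing page within the window is accepted just like the real one. That is the gap ejeffrey points to, and it is the shared-secret design itself, not a flaw in any particular app, that hardware tokens with origin binding close.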
 

Offline Someone

  • Super Contributor
  • ***
  • Posts: 5155
  • Country: au
    • send complaints here
Re: 2FA two step verification & the obsession with security
« Reply #48 on: February 14, 2022, 09:17:58 pm »
Now it's assumed everyone has a phone, it's always with them, and it's always the same phone (or, at least, the same number).
... the subscriber account is paid up, and they have mobile network coverage.
 

Offline Halcyon

  • Global Moderator
  • *****
  • Posts: 6126
  • Country: au
Re: 2FA two step verification & the obsession with security
« Reply #49 on: February 14, 2022, 09:35:09 pm »
Would you want to do 2FA to get onto EEVBlog?

Many users are already doing it. It's not such a bad thing.
 

