I've had 2 factor authentication enabled on my gmail account for over a year now, and once you get past the initial setup phase, it's really not that inconvenient.
I have even been able to train my parents to use 2 factor auth, I just need to get them using a password manager now...
Yup, exactly why I made https://GAuthify.com, keep it standard via Google Authenticator and allow other options like SMS, Voice and Email. If you want to add it to your app and can't afford it, shoot support an email and I'll try to set you up with a discount/free-er account.
What happens if I'm i) outside the country, so no SMS for me, ii) outside cell tower coverage but with wifi (happens every day for me inside buildings), or I got my cellphone stolen for instance. How does 2fauth work in that case?
(Just wondering, as the above are the reasons I decided not to use it)
Authentication apps like Google Authenticator or Authy work without any data service of any kind. Most services provide backup codes you can print out and keep in your wallet or another safe spot in case you lose or destroy your device.
You can print two copies of your backup codes, keep one in your wallet and one at home. You don't have to worry too much about them getting stolen because they are useless without your password. You can also generate a new set of backup codes at any time, which invalidates the old ones.
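An added illustration of the backup-code scheme described in these comments (not code from any service or from the thread): a server-side model where only salted hashes of the printed codes are kept, each code works once, a fresh set invalidates the old one, and a code is useless unless the password was already verified. Class and function names are my own.

```python
import hashlib
import hmac
import secrets


class BackupCodes:
    """Server-side model of printable one-time codes: only salted hashes are
    stored, each code is redeemable once, and generating a new set drops
    every code from the previous set."""

    ALPHABET = "23456789abcdefghjkmnpqrstuvwxyz"  # no 0/O or 1/l/i ambiguity on paper

    def __init__(self, count: int = 10, length: int = 8):
        self.count, self.length = count, length
        self.salt = b""
        self.unused = set()  # hashes of codes not yet consumed

    def _hash(self, code: str) -> bytes:
        # Codes are short, so use a slow hash: a leaked database should not yield codes.
        return hashlib.pbkdf2_hmac("sha256", code.encode(), self.salt, 50_000)

    def generate(self) -> list:
        """Return plaintext codes to print; the old set is discarded entirely."""
        self.salt = secrets.token_bytes(16)  # new salt per set, so old hashes never match
        codes = ["".join(secrets.choice(self.ALPHABET) for _ in range(self.length))
                 for _ in range(self.count)]
        self.unused = {self._hash(c) for c in codes}
        return codes

    def redeem(self, code: str) -> bool:
        """Consume one code; a second use of the same code fails."""
        h = self._hash(code.strip().lower())
        for stored in self.unused:
            if hmac.compare_digest(stored, h):
                self.unused.discard(stored)
                return True
        return False

    def remaining(self) -> int:
        return len(self.unused)


def second_factor_login(password_ok: bool, codes: BackupCodes, code: str) -> bool:
    """A backup code on its own is useless: the password must already be verified,
    and a failed password attempt must not consume a code."""
    return password_ok and codes.redeem(code)
```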
2-factor authentication does not require the second factor every time. It typically only asks for the second factor if the device is unrecognized, or the usage pattern is unfamiliar.
So, your laptop that's logged into GMail will stay logged in when you're out of the country. Unless you explicitly log out, it will stay this way.
I enter maybe one two-factor auth code a week, if that.
So:
i) Prepare ahead and log into your services.
ii) Walk to the nearest window, get the code, and go back to your desk.
iii) Replace your phone - you keep your number - request the auth key again.
None of these are completely seamless of course, but the idea is that all of the above happen rarely enough, and are mitigable enough, that it's far better than the alternative: getting pwned.
There are also second factors in the form of mobile apps, which eliminate the need for SMS, so as long as you have data/WiFi you're set. There are also ones that don't need data at all (see: the Battle.net Authenticator, which is basically an RSA key on your phone), but require more substantial initial setup.
As far as I know, Google's authenticator app works by using a PRNG being seeded with a unique code for your account that's transferred when you first set up the authenticator and the current time. The app certainly works without a network connection.
As for theft, you have backup codes which you should store securely (in a Truecrypt file with multiple backups or something), which allow you to log into your account once per code.
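The offline mechanism the comment above describes, as an added example that is not code from Google or from this thread: Google Authenticator implements TOTP (RFC 6238), which is not a seeded PRNG but a keyed HMAC over the current 30-second time step, so phone and server only need a shared secret and roughly synchronised clocks. The verifier class and its replay check are my own construction; the demo secret is the RFC 6238 test key.

```python
import base64
import hashlib
import hmac
import struct
import time

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)

def decode_setup_key(secret_b32: str) -> bytes:
    """The setup key shown at enrolment is base32, often spaced for readability."""
    key = secret_b32.replace(" ", "").upper()
    return base64.b32decode(key + "=" * (-len(key) % 8))

def totp(secret_b32: str, for_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: the HOTP counter is floor(unix_time / step); no network involved."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(decode_setup_key(secret_b32), t // step, digits)

class TotpVerifier:
    """Server side: tolerate +/- `window` steps of clock skew, and never accept a
    time step at or below one already consumed, so a captured code cannot be replayed."""

    def __init__(self, secret_b32: str, step: int = 30, window: int = 1, digits: int = 6):
        self.secret = decode_setup_key(secret_b32)
        self.step, self.window, self.digits = step, window, digits
        self.last_step = -1  # highest time step already used for a successful login

    def verify(self, code: str, now=None) -> bool:
        t = int(time.time() if now is None else now)
        current = t // self.step
        for candidate in range(current - self.window, current + self.window + 1):
            if candidate <= self.last_step:
                continue  # replay or stale step: reject
            expected = hotp(self.secret, candidate, self.digits)
            if hmac.compare_digest(expected, code.strip()):
                self.last_step = candidate
                return True
        return False

if __name__ == "__main__":
    # Constructed demo secret: the RFC 6238 test key "12345678901234567890" in base32.
    print("current code:", totp("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ"))
```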
With gmail, you get 10 one-time use codes, which you can keep on a small slip of paper. So if you need to register on someone else's computer, you can use one of the codes and cross it off. If you lose the codes but not your device, you can print out new ones.
With google's 2FA, you can print out codes ahead of time that can each be used once in place of the SMS'd code. Bring some of those with you, perhaps...
When you are activating 2-factor authentication it gives you around 10 codes that you need to write down or print, to a wallet or under your freezer etc. However in university when I sit at a computer, every time I have to open a new clean Windows session, it leads me to enter a 2-factor code 4-5 times a day. Thus I don't use it.
I gave up on Google yesterday, when I tried to log in to my account, from home, with the correct username and password, and they decided to lock me out. They said it was a 'new location', and to recover, I needed to know the answer to my 5 year old security question. That wasn't possible, so the other option was entering the month my account was created. The month? I can narrow it down to a 3 year window at best. Needless to say, recovery failed, and I can no longer access my account, because Google just decided I'm not me.
Another lesson people need to learn is to keep their security information up to date! Google (and others) periodically prompt you to do this. I suppose it gets treated much like regularly changing your password though..
Saying that, I'm sorry to hear you got locked out! How inconvenient.
I have my passwords secure, and use Keepass. The database is backed up on my Truecrypt external drives, in case my laptop is stolen, and I lose the database file.
I figure my job is to protect my username and password, so that's exactly what I do, secure them, and have backups. What I don't expect is getting locked out of my account when I have the valid username and password to login. Also, Google provides zero support. I generate them at least $20k a year in profits off advertising, and I lose my Gmail account for no reason. Anyway, I'm done with them, and switching to alternatives.
In addition, for those using a Windows PC in a remote location (such as travelling and visiting an internet cafe) a simple step you can take to help avoid this issue is to use the on-screen keyboard. It's available as an accessibility option, but you can also open it using "Windows Key + R", and then type "osk"
Of course, you should take care to shield your screen while you type the password, or use a combination of mouse+keyboard when entering it.
I had twitter's 2 factor auth set up. Guess what? I was once logged out and couldn't login again. It just stopped working. I enter the code I receive over SMS and I go back to the login screen. I tweeted to @twitter from a signed in device and tried to get help for days. No response. Finally ended up dis-associating my phone number from twitter via an SMS and haven't gone back to 2-factor auth again.
Certainly a good - and probably the best - option right now.
But maybe there are simpler alternatives. Maybe passwords shouldn't mean anything, just like losing a key on a busy street is not exactly a security threat to its owner, password leaks shouldn't be harmful. Maybe the problem is not how passwords are stored or encrypted but how meaningful our 'ids' are - and how they are attached to that password.
Does anyone maintain a list of sites/services that support two factor auth? I'd like to be able to go through a list and make sure I have it enabled for all services where I have an account.
All the articles I've found are at least a couple months old.
I agree.
However for people just not interested in tech stuff, teaching them how to use 2 factor authentication is pretty hard. I tried writing out the tutorial for friends but realized it's pretty daunting for regular users.
What if Google started charging people (only ones with credit card on file which means they are in place with necessary infrastructure) $5 a year for NOT using 2 factor authentication... I guess I can dream...
I enabled 2 Factor Authentication some time ago and know I am much more secure now.
As for password managers, I think it would be cool if the browser &/or websites could figure out a way to launch a default password manager installed on the computer (or in the cloud?) and auto-populate a strong password and enter it into the manager. Way more people would use best practices if they were virtually automatic.
Facebook just gave a talk at an HN London meetup recently about exactly this topic: http://vimeo.com/80460475#t=11m48s . The gist is that 2FA doesn't work because people don't enable it, but you can protect accounts by detecting anomalous behaviour on logins.
I'm with you on 2 factor auth, but I'm not sure about the password manager.
I've always felt like putting all your passwords in one place defeats the purpose of memorizing separate, secure passwords (or, better yet, pass phrases).
The purpose of separate, secure passwords is because otherwise all it takes is 1 website out there to be insecure to compromise all your logins. If your computer is compromised you already lost, regardless of whether you use a password manager or not.
If a person accesses your phone or laptop, he or she will not necessarily have access to all your credentials for various services and for other devices. But if all this info is stored in one place, in a password manager, the scope of the potential data breach suddenly grows.
They don't suddenly have access, if your password manager is secure and your master password is strong.
That's one of the nice things about password managers. You reduce the number of potential points of failure from many to one. Why is this good? Think of Thermopylae. You increase the stakes, but you also dramatically improve your ability to fight back.
I don't care for two-factor authentication because I use a password manager. What I'd like is the option to use a one-time-password when I'm sitting at a computer I don't trust.
So if I understand this, this is how it would work.
At any time you'd have two passwords: one regular, which you use every day; and one for one-time-use only, which you keep around in case of need.
When sitting at an untrusted computer, you use your one-time-use password. This proves your identity, but also immediately expires your one-time-use password. Next time you want to generate a usable one-time-password you'll have to login with your regular password again.
More like the OTP token would be on my smartphone or some other device, so I can generate passwords as needed that are guaranteed to be unique.
But they don't require my normal password to be entered at all. I'd accept punching in my real password or a code on my phone to generate the smart token, since the time required to brute force something like that would give me plenty of time to revoke its authorization.
Ah sure, as long as both the client and the server are in agreement of what the next token should be then everything is fine. I didn't think this through.
That would be much more useful. My password is strong enough, but I would never use a computer other than my own to log into Gmail or any other important account. One-time passwords would be a good thing to have.
Maybe possible with 2-factor-auth, but it would still require me to input my password on an untrusted device. No.
Two-factor authentication might partially be the answer to that. You still provide your own password, except that a second password is generated when you request to be logged in. At least that's how I think it works.
I've been on 2-factor auth for a while, but only switched to a password manager after my "default" password got hacked in that Adobe incident some weeks back. (KeePassX!)
Misleading headline, makes it seem like these guys were hacked on their servers. When the reality is people spread a virus and passwords were logged from individual machines. No fault from Google or Twitter.
Looks like they updated the article to read "File Transfer Protocol (FTP, the standard network used when transferring big files)". Better, although it's still wrong to call FTP a "network".
If you use LastPass, this is a good time to run their Security Challenge (https://lastpass.com/index.php?securitychallenge=1) to audit the strength and uniqueness of your passwords. If you're not using LastPass or something similar like 1Password then today is a good time to fix that.
Strength of password won't really help for key logging, but using e.g. Lastpass helps because it logs you into everything without having to type your passwords. It will even generate and fill in your initial passwords so that you never have to type your passwords even once.
Ah great question. It does, but it usually stays logged in on your computer, since it runs locally. So you rarely if ever need to type your password for Lastpass, meaning the keylogger would have had to be running on your computer when you installed and set up Lastpass. On a related note, it can also be set up with 2 factor auth.
Presumably the password is stored to a file or in memory (of course that could be arbitrarily difficult to figure out how to decode, but it can't be encrypted since that would require another password.)
Why do you assume it'd be stored in plain text rather than hashed? Also, what does compromising someone's local filesystem have to do with the functionality of a keylogger?
Even if it's hashed, then the hash can still be used to reconstruct the lastpass passwords. And I'm just assuming that you can't trust your filesystem if your machine has been compromised by malware. You're right the keylogger probably isn't that complicated. It depends on what level of paranoia you have and how widely lastpass becomes adopted (thus more incentive to hack it.) More likely the keylogger will just get the first time you enter your password into lastpass and then steal it that way.
The point is lastpass is designed to protect you from weak passwords and password reuse. It doesn't do anything to protect against attacks on your actual computer.
Oh, I misunderstood you; I thought you were referring to the master password of LastPass as being plain-text or reversibly encrypted. You mean that the passwords stored by LastPass must be reversibly encrypted on disk. Yes, that's true. Password managers do open the door for such an attack, but they tend to be much less vulnerable to attacks in general than reusing the same passwords. Of course, it's really up to each person to decide what risks are acceptable in the trade-off between convenience and security.
I think the main point was that a password manager would have been much less susceptible to the keylogger attack which led to this particular incident.
I found this rather amusing: “Among the compromised data are 41,000 credentials used to connect to File Transfer Protocol (FTP, the standard network used when working from home)”
Not as safe as other solutions, but I can remember all my passwords by choosing passwords by website category (6 for example):
one for low-security sites,
one for sites that have your CC #,
one for social networking,
one for email,
one for work,
and one for your banking sites. Keep a copy in your wallet. Sleep better.
> Facebook, LinkedIn and Twitter told CNNMoney they have notified and reset passwords for compromised users.
> The hackers set up the keylogging software to route information through a proxy server, so it's impossible to track down which computers are infected.
Have I missed something or are these statements contradictory?
Nothing contradictory about it. First statement is about accounts on services, second is about finding the machines used to log into said accounts.
The sad part is that many people with this keylogger may react to the password change before/without removing the logger, which would entirely defeat the point.
I was wondering, how do these services come to know that they had a breach? How do Facebook, Twitter or Gmail exactly count the amount of data (passwords) stolen?
Just curious to know!
The ADP -- a payroll service -- passwords (which, interestingly, aren't in the headline), are probably the ones that, despite being smallest in number, offer the most opportunity for direct financial disruption.
ADP is horrible, but their website can't change financial details (it only shows paystubs and tax forms). You can kinda change things through ADP FlexDirect, but all direct deposit enrollment is done elsewhere.
The ADP employee site hasn't changed in the past ten years and still uses basic auth. It's horrible. And freaky. When you log in to your new company account, it shows all paystubs from your past employers too. [With the implication of your current payroll department being able to see how much you were getting paid at all your previous jobs since it's the same account?]
Does anyone know if this is actually the case? I have noticed something similar and I am curious about it. My new employer uses ADP for payroll, but does not use the online system. However I can still log in to the ADP online system using my account credentials from my old employer and get electronic copies of my new paystubs. I would like to know if my old employer has access to these paystubs.
> ADP is horrible, but their website can't change financial details
The article here says that the account information that was compromised can. I'm not sure if that is a result of bad reporting on the same level as that related to FTP in the article, or the accounts that were compromised are different than the ones for the website you are talking about.
That's probably only even roughly true in tech organizations where the low-level folk have tech-related duties. (Though HN users are probably somewhat biased to think in terms of such organizations.)
I thought Hotmail was least secure. But every time passwords are stolen, it's always for the Big-3 social networks: Facebook, Twitter or LinkedIn. This time Gmail joined in.
Great!! But then what can you expect from a free service {kidding}