I have a bunch of questions about password managers, mostly due to my unique situation.
Work computer: cannot add extensions to any browser, cannot install a local app, etc.
For the time being, I can have my phone at my desk, but that will be changing "soon."
If I incorporate a password manager in any way, how will it affect me logging into my accounts at work? Will I have to manually enter gibberish any time I want to check my credit card balances, or log into Mint?
We'll just start there. Basically I'm having concerns about how much friction will be involved if I incorporate a password manager (I have an old version of 1Password I bought ages ago that I may or may not give a shot; or I'll start fresh with either KeePass or Bitwarden).
Orca (also known as EspressosaurusWrex):
> I have a bunch of questions about password managers, mostly due to my unique situation.
> Work computer: cannot add extensions to any browser, cannot install a local app, etc.
> For the time being, I can have my phone at my desk, but that will be changing "soon."
> If I incorporate a password manager in any way, how will it affect me logging into my accounts at work? Will I have to manually enter gibberish any time I want to check my credit card balances, or log into Mint?
> We'll just start there. Basically I'm having concerns about how much friction will be involved if I incorporate a password manager (I have an old version of 1Password I bought ages ago that I may or may not give a shot; or I'll start fresh with either KeePass or Bitwarden).
If you can't install applications on your computer or add extensions to your browser, your only real option is your phone (this is what I use, but more because I don't want IT to have access to literally everything I have with a password). If you can't use a phone...I don't have much to offer you except maybe a small booklet?
TetraNitroCubane (edited April 2019):
I know I've brought this up before, but with the use of a password manager, isn't that basically increasing your attack surface?
If I have a password manager on my phone, and I'm using 2FA through my phone, basically if my phone gets compromised I've lost everything - because now the baddies have both my complete set of passwords via the password manager, and access to all my 2FA codes.
Obviously none of us aim to get compromised, but considering the current trends I'd presume that mobile malware is going to be on the rise (particularly via drive-by attack, and to say nothing of the insufficient protection available for Android).
If you don't have a password manager on your phone, then at the very least your accounts should stay safe.
But at the same time, NOT using a mobile app for a password manager seems like it's going to be a tremendous pain in the ass.
Inquisitor77 (edited April 2019):
Are you even allowed to surf non-work stuff if your job is going to restrict installations and even your phone in that manner?
An alternative would be to write down the passwords you need on paper, and change them whenever you throw away or lose the paper. The nice thing about password managers is that changing your password is super easy should something happen.
Also, enabling two-factor authentication and having a hardware key fob adds another layer of security for these kinds of situations.
> I know I've brought this up before, but with the use of a password manager, isn't that basically increasing your attack surface?
> If I have a password manager on my phone, and I'm using 2FA through my phone, basically if my phone gets compromised I've lost everything - because now the baddies have both my complete set of passwords via the password manager, and access to all my 2FA codes.
> Obviously none of us aim to get compromised, but considering the current trends I'd presume that mobile malware is going to be on the rise (particularly via drive-by attack, and to say nothing of the insufficient protection available for Android).
> If you don't have a password manager on your phone, then at the very least your accounts should stay safe.
> But at the same time, NOT using a mobile app for a password manager seems like it's going to be a tremendous pain in the ass.
To some extent that is true even without a password manager. Unless you're saying you only log into your accounts on your computer and never use your phone, since a compromised phone could just wait and record your passwords rather than stealing your password database.
Personally I just keep my LastPass phone app logged out. If I need to log into something I'll open it, log in with the main password, then copy the password I need, then log out. It's definitely more of a pain, but then at least the default state is that my passwords are not accessible if someone gets access to my phone.
"The world is a mess, and I just need to rule it" - Dr Horrible
Seems like the way things are going these days it's more secure to just put your passwords on a post-it note on your monitor assuming your building is mostly secure and you can trust your family/roommates. I mean, I'd even figure that your average smash-and-grab meth addict would have their brain too addled to be wasting their time trying to log into your computer with your passwords.
"Simple, real stupidity beats artificial intelligence every time." -Mustrum Ridcully in Terry Pratchett's Hogfather p. 142 (HarperPrism 1996)
Orca (also known as EspressosaurusWrex):
> I know I've brought this up before, but with the use of a password manager, isn't that basically increasing your attack surface?
> If I have a password manager on my phone, and I'm using 2FA through my phone, basically if my phone gets compromised I've lost everything - because now the baddies have both my complete set of passwords via the password manager, and access to all my 2FA codes.
> Obviously none of us aim to get compromised, but considering the current trends I'd presume that mobile malware is going to be on the rise (particularly via drive-by attack, and to say nothing of the insufficient protection available for Android).
> If you don't have a password manager on your phone, then at the very least your accounts should stay safe.
> But at the same time, NOT using a mobile app for a password manager seems like it's going to be a tremendous pain in the ass.
Unless you're going to go through the effort of having a dedicated device for your password manager...yeah? There isn't a great set of options here. Security is always diametrically opposed to convenience (cf. my complaints about iOS, the need for passwords in the first place, etc.). For my expected threat profile, for my willingness to actually follow through, a password manager on my phone that has a datastore vulnerable to offline attack when Dropbox gets pwned is the best compromise available to me.
I'm not going to carry around a booklet, and not keeping a dedicated device just for passwords.
I mean, if you really want 2FA to be safe, you don't use your phone, you use a dedicated device that is fully offline and so only vulnerable if it gets stolen. But seemingly nobody supports that, and it's inconvenient, so...
> > I have a bunch of questions about password managers, mostly due to my unique situation.
> > Work computer: cannot add extensions to any browser, cannot install a local app, etc.
> > For the time being, I can have my phone at my desk, but that will be changing "soon."
> > If I incorporate a password manager in any way, how will it affect me logging into my accounts at work? Will I have to manually enter gibberish any time I want to check my credit card balances, or log into Mint?
> > We'll just start there. Basically I'm having concerns about how much friction will be involved if I incorporate a password manager (I have an old version of 1Password I bought ages ago that I may or may not give a shot; or I'll start fresh with either KeePass or Bitwarden).
> If you can't install applications on your computer or add extensions to your browser, your only real option is your phone (this is what I use, but more because I don't want IT to have access to literally everything I have with a password). If you can't use a phone...I don't have much to offer you except maybe a small booklet?
Yes, we can surf externally with a proxy in between. It lets me get to most places (hence why I'm posting here from work) but there are many others I cannot access.
----
So I need an explanation then. I set things up with a password manager. I go to log into [X Site] that is using a random, 12-character password at work. I have my phone. Do I have to physically type said password in, using the list the phone gives me? I was under the impression you basically used some sort of "token" (for lack of a better word) that lets you use secure passwords that you don't have to remember.
Or am I understanding this wrong, and you have to physically type in the shitty password?
> > > I have a bunch of questions about password managers, mostly due to my unique situation.
> > > Work computer: cannot add extensions to any browser, cannot install a local app, etc.
> > > For the time being, I can have my phone at my desk, but that will be changing "soon."
> > > If I incorporate a password manager in any way, how will it affect me logging into my accounts at work? Will I have to manually enter gibberish any time I want to check my credit card balances, or log into Mint?
> > > We'll just start there. Basically I'm having concerns about how much friction will be involved if I incorporate a password manager (I have an old version of 1Password I bought ages ago that I may or may not give a shot; or I'll start fresh with either KeePass or Bitwarden).
> > If you can't install applications on your computer or add extensions to your browser, your only real option is your phone (this is what I use, but more because I don't want IT to have access to literally everything I have with a password). If you can't use a phone...I don't have much to offer you except maybe a small booklet?
> Yes, we can surf externally with a proxy in between. It lets me get to most places (hence why I'm posting here from work) but there are many others I cannot access.
> ----
> So I need an explanation then. I set things up with a password manager. I go to log into [X Site] that is using a random, 12-character password at work. I have my phone. Do I have to physically type said password in, using the list the phone gives me? I was under the impression you basically used some sort of "token" (for lack of a better word) that lets you use secure passwords that you don't have to remember.
> Or am I understanding this wrong, and you have to physically type in the shitty password?
In the scenario where you are accessing a site on a computer without the extension/password manager application installed then yes -- you would need to type in the password you presumably retrieved from your phone.
Ultimately this just shows that you NEED to use unique passwords for every system. You need to. Need to.
I mean, we also need to do away with the current password system. But in the meantime it is not tenable to reuse passwords.
The thing is that EVERYTHING needs a password. I can't remember fifty different passwords that I also should change every time a breach happens. Reuse is suicidal, but also your options are basically either constant reuse or resetting your password every time you go into a thing you don't use every day, cause you sure as heck ain't gonna remember the long password for that thing you set up last week.
I need to look into how password managers work, and how the whole thing works if you need to constantly access stuff from a lot of computers that aren't your own, but also the fact that I'd need to manually change fuck knows how many passwords to get it set up is kind of a barrier.
Password managers are in fact the solution to your problem. Most of them are quick to set up, easy to use, and robust. They are a necessity in this day. The one I use, KeePass, is free and will generate passwords for you. It also has an Android app that I keep synced using Dropbox. I am sure others here will recommend more.
I'm... reluctant about an Android app. My phone is probably the biggest weak point in my already porous security. It's easily lost, easily stolen, necessarily constantly connected and unreliably updated, probably more vulnerable than my computer (due to said inconsistent security updating and generally phones seeming an easy attack surface) and I don't keep any kind of complex unlock mechanism because having to input any kind of long key over a hundred times a day to constantly unlock the lockscreen grated on my nerves. So for my peace of mind what I do is not keep basically anything sensitive there (throwaway Google account, no actual data beyond phone numbers, etcetera) and generally only log in to places that are not terribly sensitive (I will log into this forum on my phone, I sure as heck ain't logging into my bank). If I lose my phone tomorrow it's a pain, but it's not an absolute disaster.
> > > > Ultimately this just shows that you NEED to use unique passwords for every system. You need to. Need to.
> > > > I mean, we also need to do away with the current password system. But in the meantime it is not tenable to reuse passwords.
> > > The thing is that EVERYTHING needs a password. I can't remember fifty different passwords that I also should change every time a breach happens. Reuse is suicidal, but also your options are basically either constant reuse or resetting your password every time you go into a thing you don't use every day, cause you sure as heck ain't gonna remember the long password for that thing you set up last week.
> > > I need to look into how password managers work, and how the whole thing works if you need to constantly access stuff from a lot of computers that aren't your own, but also the fact that I'd need to manually change fuck knows how many passwords to get it set up is kind of a barrier.
> > Password managers are in fact the solution to your problem. Most of them are quick to set up, easy to use, and robust. They are a necessity in this day. The one I use, KeePass, is free and will generate passwords for you. It also has an Android app that I keep synced using Dropbox. I am sure others here will recommend more.
> I'm... reluctant about an Android app. My phone is probably the biggest weak point in my already porous security. It's easily lost, easily stolen, necessarily constantly connected and unreliably updated, probably more vulnerable than my computer (due to said inconsistent security updating and generally phones seeming an easy attack surface) and I don't keep any kind of complex unlock mechanism because having to input any kind of long key over a hundred times a day to constantly unlock the lockscreen grated on my nerves. So for my peace of mind what I do is not keep basically anything sensitive there (throwaway Google account, no actual data beyond phone numbers, etcetera) and generally only log in to places that are not terribly sensitive (I will log into this forum on my phone, I sure as heck ain't logging into my bank). If I lose my phone tomorrow it's a pain, but it's not an absolute disaster.
You don't have to put the manager on your phone if you don't need it there. It would just be a browser extension on your PC - then you just remember one strong password to login to that and it generates/fills passwords for everything else.
> > I know I've brought this up before, but with the use of a password manager, isn't that basically increasing your attack surface?
> > If I have a password manager on my phone, and I'm using 2FA through my phone, basically if my phone gets compromised I've lost everything - because now the baddies have both my complete set of passwords via the password manager, and access to all my 2FA codes.
> > Obviously none of us aim to get compromised, but considering the current trends I'd presume that mobile malware is going to be on the rise (particularly via drive-by attack, and to say nothing of the insufficient protection available for Android).
> > If you don't have a password manager on your phone, then at the very least your accounts should stay safe.
> > But at the same time, NOT using a mobile app for a password manager seems like it's going to be a tremendous pain in the ass.
> Unless you're going to go through the effort of having a dedicated device for your password manager...yeah? There isn't a great set of options here. Security is always diametrically opposed to convenience (cf. my complaints about iOS, the need for passwords in the first place, etc.). For my expected threat profile, for my willingness to actually follow through, a password manager on my phone that has a datastore vulnerable to offline attack when Dropbox gets pwned is the best compromise available to me.
> I'm not going to carry around a booklet, and not keeping a dedicated device just for passwords.
> I mean, if you really want 2FA to be safe, you don't use your phone, you use a dedicated device that is fully offline and so only vulnerable if it gets stolen. But seemingly nobody supports that, and it's inconvenient, so...
Your phone is more secure than a physical token. If someone steals your token, they have your token. If someone steals your phone, they have to get into it before they can use the token.
This is assuming you're not using SMS or voice call for 2FA. Don't use SMS or voice calls for 2FA.
> > > > I have a bunch of questions about password managers, mostly due to my unique situation.
> > > > Work computer: cannot add extensions to any browser, cannot install a local app, etc.
> > > > For the time being, I can have my phone at my desk, but that will be changing "soon."
> > > > If I incorporate a password manager in any way, how will it affect me logging into my accounts at work? Will I have to manually enter gibberish any time I want to check my credit card balances, or log into Mint?
> > > > We'll just start there. Basically I'm having concerns about how much friction will be involved if I incorporate a password manager (I have an old version of 1Password I bought ages ago that I may or may not give a shot; or I'll start fresh with either KeePass or Bitwarden).
> > > If you can't install applications on your computer or add extensions to your browser, your only real option is your phone (this is what I use, but more because I don't want IT to have access to literally everything I have with a password). If you can't use a phone...I don't have much to offer you except maybe a small booklet?
> > Yes, we can surf externally with a proxy in between. It lets me get to most places (hence why I'm posting here from work) but there are many others I cannot access.
> > ----
> > So I need an explanation then. I set things up with a password manager. I go to log into [X Site] that is using a random, 12-character password at work. I have my phone. Do I have to physically type said password in, using the list the phone gives me? I was under the impression you basically used some sort of "token" (for lack of a better word) that lets you use secure passwords that you don't have to remember.
> > Or am I understanding this wrong, and you have to physically type in the shitty password?
> In the scenario where you are accessing a site on a computer without the extension/password manager application installed then yes -- you would need to type in the password you presumably retrieved from your phone.
> > > I know I've brought this up before, but with the use of a password manager, isn't that basically increasing your attack surface?
> > > If I have a password manager on my phone, and I'm using 2FA through my phone, basically if my phone gets compromised I've lost everything - because now the baddies have both my complete set of passwords via the password manager, and access to all my 2FA codes.
> > > Obviously none of us aim to get compromised, but considering the current trends I'd presume that mobile malware is going to be on the rise (particularly via drive-by attack, and to say nothing of the insufficient protection available for Android).
> > > If you don't have a password manager on your phone, then at the very least your accounts should stay safe.
> > > But at the same time, NOT using a mobile app for a password manager seems like it's going to be a tremendous pain in the ass.
> > Unless you're going to go through the effort of having a dedicated device for your password manager...yeah? There isn't a great set of options here. Security is always diametrically opposed to convenience (cf. my complaints about iOS, the need for passwords in the first place, etc.). For my expected threat profile, for my willingness to actually follow through, a password manager on my phone that has a datastore vulnerable to offline attack when Dropbox gets pwned is the best compromise available to me.
> > I'm not going to carry around a booklet, and not keeping a dedicated device just for passwords.
> > I mean, if you really want 2FA to be safe, you don't use your phone, you use a dedicated device that is fully offline and so only vulnerable if it gets stolen. But seemingly nobody supports that, and it's inconvenient, so...
> Your phone is more secure than a physical token. If someone steals your token, they have your token. If someone steals your phone, they have to get into it before they can use the token.
> This is assuming you're not using SMS or voice call for 2FA. Don't use SMS or voice calls for 2FA.
SMS is literally the only thing some companies use though. Like Sony for instance, at least for my PSN account.
> > > > I know I've brought this up before, but with the use of a password manager, isn't that basically increasing your attack surface?
> > > > If I have a password manager on my phone, and I'm using 2FA through my phone, basically if my phone gets compromised I've lost everything - because now the baddies have both my complete set of passwords via the password manager, and access to all my 2FA codes.
> > > > Obviously none of us aim to get compromised, but considering the current trends I'd presume that mobile malware is going to be on the rise (particularly via drive-by attack, and to say nothing of the insufficient protection available for Android).
> > > > If you don't have a password manager on your phone, then at the very least your accounts should stay safe.
> > > > But at the same time, NOT using a mobile app for a password manager seems like it's going to be a tremendous pain in the ass.
> > > Unless you're going to go through the effort of having a dedicated device for your password manager...yeah? There isn't a great set of options here. Security is always diametrically opposed to convenience (cf. my complaints about iOS, the need for passwords in the first place, etc.). For my expected threat profile, for my willingness to actually follow through, a password manager on my phone that has a datastore vulnerable to offline attack when Dropbox gets pwned is the best compromise available to me.
> > > I'm not going to carry around a booklet, and not keeping a dedicated device just for passwords.
> > > I mean, if you really want 2FA to be safe, you don't use your phone, you use a dedicated device that is fully offline and so only vulnerable if it gets stolen. But seemingly nobody supports that, and it's inconvenient, so...
> > Your phone is more secure than a physical token. If someone steals your token, they have your token. If someone steals your phone, they have to get into it before they can use the token.
> > This is assuming you're not using SMS or voice call for 2FA. Don't use SMS or voice calls for 2FA.
> SMS is literally the only thing some companies use though. Like Sony for instance, at least for my PSN account.
You use what you've got. SMS is better than nothing. Just don't trust it to protect anything particularly vulnerable.
TetraNitroCubane:
> > I know I've brought this up before, but with the use of a password manager, isn't that basically increasing your attack surface?
> > If I have a password manager on my phone, and I'm using 2FA through my phone, basically if my phone gets compromised I've lost everything - because now the baddies have both my complete set of passwords via the password manager, and access to all my 2FA codes.
> > Obviously none of us aim to get compromised, but considering the current trends I'd presume that mobile malware is going to be on the rise (particularly via drive-by attack, and to say nothing of the insufficient protection available for Android).
> > If you don't have a password manager on your phone, then at the very least your accounts should stay safe.
> > But at the same time, NOT using a mobile app for a password manager seems like it's going to be a tremendous pain in the ass.
> To some extent that is true even without a password manager. Unless you're saying you only log into your accounts on your computer and never use your phone, since a compromised phone could just wait and record your passwords rather than stealing your password database.
Yeah, this is actually my strategy. I never log into anything on my phone that's sensitive, because I don't trust over-the-air networks with sensitive information. And furthermore I consider my phone an attack vector I'm not allowed to control appropriately. I essentially use the 2FA on my phone via Google Auth and don't log into things like my bank account unless I'm on a wired connection via a computer I trust.
> I mean, if you really want 2FA to be safe, you don't use your phone, you use a dedicated device that is fully offline and so only vulnerable if it gets stolen. But seemingly nobody supports that, and it's inconvenient, so...
I did hear something a while back about essentially a physical 2FA key - one that operates via USB or some such - but I've never seen anyone support anything like that. Heck, it's beyond me why some sites don't even use Google Authenticator, so I suppose wanting for something more is rather unrealistic at this point.
> > > I know I've brought this up before, but with the use of a password manager, isn't that basically increasing your attack surface?
> > > If I have a password manager on my phone, and I'm using 2FA through my phone, basically if my phone gets compromised I've lost everything - because now the baddies have both my complete set of passwords via the password manager, and access to all my 2FA codes.
> > > Obviously none of us aim to get compromised, but considering the current trends I'd presume that mobile malware is going to be on the rise (particularly via drive-by attack, and to say nothing of the insufficient protection available for Android).
> > > If you don't have a password manager on your phone, then at the very least your accounts should stay safe.
> > > But at the same time, NOT using a mobile app for a password manager seems like it's going to be a tremendous pain in the ass.
> > To some extent that is true even without a password manager. Unless you're saying you only log into your accounts on your computer and never use your phone, since a compromised phone could just wait and record your passwords rather than stealing your password database.
> Yeah, this is actually my strategy. I never log into anything on my phone that's sensitive, because I don't trust over-the-air networks with sensitive information. And furthermore I consider my phone an attack vector I'm not allowed to control appropriately. I essentially use the 2FA on my phone via Google Auth and don't log into things like my bank account unless I'm on a wired connection via a computer I trust.
> > I mean, if you really want 2FA to be safe, you don't use your phone, you use a dedicated device that is fully offline and so only vulnerable if it gets stolen. But seemingly nobody supports that, and it's inconvenient, so...
> I did hear something a while back about essentially a physical 2FA key - one that operates via USB or some such - but I've never seen anyone support anything like that. Heck, it's beyond me why some sites don't even use Google Authenticator, so I suppose wanting for something more is rather unrealistic at this point.
> > This is assuming you're not using SMS or voice call for 2FA. Don't use SMS or voice calls for 2FA.
> SMS is literally the only thing some companies use though. Like Sony for instance, at least for my PSN account.
*Glares intensely at one of the largest banks in the world*.
You'd think financial institutions would be more concerned about security, but a great many of them still lean on SMS 2FA.
Realistically, most of their customers don't really need to worry. Most people don't make enough money to be targeted by an attacker sophisticated enough to bother with them. And almost every form of 2FA can be bypassed completely using phishing. You only need enough security to raise the barrier high enough that anyone interested in stealing your stuff will not bother. Because if someone wants it bad enough, there is almost literally not enough security in the world to keep them from getting it.
> > I mean, if you really want 2FA to be safe, you don't use your phone, you use a dedicated device that is fully offline and so only vulnerable if it gets stolen. But seemingly nobody supports that, and it's inconvenient, so...
> I did hear something a while back about essentially a physical 2FA key - one that operates via USB or some such - but I've never seen anyone support anything like that. Heck, it's beyond me why some sites don't even use Google Authenticator, so I suppose wanting for something more is rather unrealistic at this point.
Are you thinking of TitanKey; which I believe Google was pushing at one point?
> > > This is assuming you're not using SMS or voice call for 2FA. Don't use SMS or voice calls for 2FA.
> > SMS is literally the only thing some companies use though. Like Sony for instance, at least for my PSN account.
> *Glares intensely at one of the largest banks in the world*.
> You'd think financial institutions would be more concerned about security, but a great many of them still lean on SMS 2FA.
Financial institutions are still more concerned about minimizing operating expenses at all costs. So they do the bare minimum to meet federal requirements.
I would actually be very interested in using a form of YubiKey at work instead of a card with a smart chip. There's also rumors of a card-less solution but I'm not sure how much traction it actually has; or if it's just musings. It's basically a cell phone app that "learns your activity patterns" and confirms to a server (somewhere) that you are you and you're allowed to log into a given system. Except that there are some areas that don't permit mobile devices in workspaces.
Inquisitor77:
Yeah it's pretty telling that Google doesn't use their own 2FA solution.
I feel like I am missing something here, what advantage does the key have over an app? Losing the key seems easier, and less noticeable. I assume the key is still vulnerable to the same sort of advanced phishing techniques, but I could be wrong.
> Yeah it's pretty telling that Google doesn't use their own 2FA solution.
> I feel like I am missing something here, what advantage does the key have over an app? Losing the key seems easier, and less noticeable. I assume the key is still vulnerable to the same sort of advanced phishing techniques, but I could be wrong.
The apps can be compromised by a screen-reader app if the attacker is sufficiently determined to get malware on your phone, and the protocols themselves aren't quite as complex as FIDO, IIRC.
I'm not 100% sure on the specifics of the FIDO protocols, but there isn't really any way to break it without physically stealing the key.
Yeah. I guess the big improvement over what they do with Smart Lock for Chromebooks is the physical button-press, but it's still kind of a half-ass solution.
Well that and I haven't experienced a desktop motherboard with integrated Bluetooth out of the box. Maybe it's out there, now, though, since the hardware I'm currently dealing with is around 7 years old. I'm not sure something like this is worth buying a BT dongle for, either.
I'm not sure of the best place to post this. My PSU is dying, so I'm looking for deals, and I found a good deal on a replacement from Seasonic. It turns out that Seasonic has an offer card in their PSU boxes: when you register the PSU and link your Steam account, they send you a fairly substantial Steam GC.
What do you folks think of the iCloud Keychain vs. 1Password? I use both because I have a Linux box, but I definitely like the Keychain better. Are there any issues with either?
Microsoft is warning users of older versions of Windows to urgently apply a Windows Update today to protect against a potential widespread attack. The software giant has patched a critical remote code execution vulnerability in Remote Desktop Services that exists in Windows XP, Windows 7, and server versions like Windows Server 2003, Windows Server 2008 R2, and Windows Server 2008. Microsoft is taking the highly unusual approach of releasing patches for Windows XP and Windows Server 2003 even though both operating systems are out of support. Windows XP users will have to manually download the update from Microsoft’s update catalog.
“This vulnerability is pre-authentication and requires no user interaction,” explains Simon Pope, director of incident response at Microsoft’s Security Response Center. “In other words, the vulnerability is ‘wormable’, meaning that any future malware that exploits this vulnerability could propagate from vulnerable computer to vulnerable computer in a similar way as the WannaCry malware spread across the globe in 2017.”
Windows 8 and 10 aren't impacted by this flaw, but Windows 7 is. Plenty of people are still using Windows 7.
This is particularly noteworthy, seeing as Microsoft decided it was serious enough that they've released a patch for Windows XP of all things.
If I have a password manager on my phone, and I'm using 2FA through my phone, then basically if my phone gets compromised I've lost everything, because now the baddies have both my complete set of passwords via the password manager and access to all my 2FA codes.
Obviously none of us aim to get compromised, but considering the current trends I'd presume that mobile malware is going to be on the rise (particularly via drive-by attack, and to say nothing of the insufficient protection available for android).
If you don't have a password manager on your phone, then at the very least your accounts should stay safe.
But at the same time, NOT using a mobile app for a password manager seems like it's going to be a tremendous pain in the ass.
An alternative would be to write down the passwords you need on paper, and change them whenever you throw away or lose them. The nice thing about password managers is that changing your password is super easy should something happen.
Also, enabling two-factor authentication and having a hardware key fob adds another layer of security for these kinds of situations.
To some extent that is true even without a password manager. Unless you're saying you only log into your accounts on your computer and never use your phone, since a compromised phone could just wait and record your passwords rather than stealing your password database.
Personally I just keep my lastpass phone app logged out. If I need to log into something I'll open it, log in with the main password, then copy the password I need, then log out. It's definitely more of a pain but then at least the default state is that my passwords are not accessible if someone gets access to my phone.
Unless you're going to go through the effort of having a dedicated device for your password manager...yeah? There aren't a great set of options here. Security is always diametrically opposed to convenience (cf. my complaints about iOS, the need for passwords in the first place, etc.). For my expected threat profile, for my willingness to actually follow through, a password manager on my phone that has a datastore vulnerable to offline attack when Dropbox gets pwned is the best compromise available to me.
I'm not going to carry around a booklet, and not keeping a dedicated device just for passwords.
I mean, if you really want 2FA to be safe, you don't use your phone, you use a dedicated device that is fully offline and so only vulnerable if it gets stolen. But seemingly nobody supports that, and it's inconvenient, so...
Yes, we can surf externally with a proxy in between. It lets me get to most places (hence why I'm posting here from work) but there are many others I cannot access.
----
So I need an explanation then. I set things up with a password manager. I go to log into [X Site] that is using a random, 12-character password at work. I have my phone. Do I have to physically type said password in, using the list the phone gives me? I was under the impression you basically used some sort of "token" (for lack of a better word) that lets you use secure passwords that you don't have to remember.
Or am I understanding this wrong, and you have to physically type in the shitty password?
In the scenario where you are accessing a site on a computer without the extension/password manager application installed then yes -- you would need to type in the password you presumably retrieved from your phone.
I'm... reluctant about an android app. My phone is probably the biggest weak point in my already porous security. It's easily lost, easily stolen, necessarily constantly connected and unreliably updated, probably more vulnerable than my computer (due to said inconsistent security updating and phones generally seeming an easy attack surface), and I don't keep any kind of complex unlock mechanism because having to input a long key over a hundred times a day to constantly unlock the lockscreen grated on my nerves. So for my peace of mind what I do is not keep basically anything sensitive there (throwaway google account, no actual data beyond phone numbers, etcetera) and generally only log in to places that are not terribly sensitive (I will log into this forum on my phone; I sure as heck ain't logging in to my bank). If I lose my phone tomorrow it's a pain, but it's not an absolute disaster.
You don't have to put the manager on your phone if you don't need it there. It would just be a browser extension on your PC - then you just remember one strong password to login to that and it generates/fills passwords for everything else.
Your phone is more secure than a physical token. If someone steals your token, they have your token. If someone steals your phone, they have to get into it before they can use the token.
This is assuming you're not using sms or voice call for 2fa. Don't use sms or voice calls for 2fa.
Thank you for that clarification.
SMS is literally the only thing some companies use though. Like Sony for instance, at least for my psn account.
PSN:Furlion
You use what you've got. SMS is better than nothing. Just don't trust it to protect anything particularly vulnerable.
Yeah, this is actually my strategy. I never log into anything on my phone that's sensitive, because I don't trust over-the-air networks with sensitive information. And furthermore I consider my phone an attack vector I'm not allowed to control appropriately. I essentially use the 2FA on my phone via Google Auth and don't log into things like my bank account unless I'm on a wired connection via a computer I trust.
I did hear something a while back about essentially a physical 2FA key - one that operates via USB or somesuch - but I've never seen anyone support anything like that. Heck, it's beyond me why some sites don't even use Google Authenticator, so I suppose wanting for something more is rather unrealistic at this point.
*Glares intensely at one of the largest banks in the world*.
You'd think financial institutions would be more concerned about security, but a great many of them still lean on SMS 2FA.
Realistically, most of their customers don't really need to worry. Most people don't make enough money to be targeted by an attacker sophisticated enough to bother with them. And almost every form of 2fa can be bypassed completely using phishing. You only need enough security to raise the barrier high enough that anyone interested in stealing your stuff will not bother. Because if someone wants it bad enough, there is almost literally not enough security in the world to keep them from getting it.
Are you thinking of TitanKey; which I believe Google was pushing at one point?
Financial institutions are still more concerned about minimizing operating expenses at all costs. So they do the bare minimum to meet Federal requirements.
I think Google's current internal solution is FIDOv1-based Yubikeys: https://www.yubico.com/products/yubikey-hardware/
Yeah it's pretty telling that Google doesn't use their own 2FA solution.
I feel like I am missing something here, what advantage does the key have over an app? Losing the key seems easier, and less noticeable. I assume the key is still vulnerable to the same sort of advanced phishing techniques, but I could be wrong.
The apps can be compromised by a screen-reader app if the attacker is sufficiently determined to get malware on your phone, and the protocols themselves aren't quite as complex as FIDO, IIRC.
I'm not 100% sure on the specifics of the FIDO protocols, but there isn't really any way to break it without physically stealing the key.
Welp.
Integrated Bluetooth is much more common on laptops for sure, but many mobos have it nowadays. My current desktop has on-board wifi and bluetooth.
Ok, that helps some. What about an attack that uses a redirect to a phishing page that looks identical and hijacks your 2fa and login as you enter them? Can the key prevent that?
I can't help but wonder what Seasonic is doing with that data, and to whom they are selling.
...huh.
I think with FIDO that they would have to have the website's private key to generate a challenge that your token would create the correct response to.
https://fidoalliance.org/how-fido-works/
I don't really have time to read the whole spec, but it looks like they would have to MITM your registration to be able to access your account (or steal your private key from the server and then MITM your login), which is more difficult than getting you to type 8 numbers into a box within 90 seconds.
FIDO2 (part of webauthn) spec is here: https://www.w3.org/TR/webauthn/
That's a HELL of an exploit.
Steam | XBL
Server 2008 R2 is the most important OS on that list. A lot of companies are still running on that, as it's not truly end-of-life until later this year.
I've still got it on an old and somewhat battered laptop I haven't so much as booted up in years