I Was Hacked.

NotAGolf

NotAGolf

NotAGolf

Soldato
Joined
22 Oct 2005
Posts
2,801
Location
Moving...
This thread has made me finally get my act together regarding security. I had 2FA on my email accounts, but that was all.

I've installed bit warden and moved my saved passwords from chrome to that, and downloaded authy for the 2FA side of things. Currently going through all 196 passwords I have saved and updating them to be stronger, and deleting them if no longer used. I'm also adding 2FA to any sites that offer it.

Regarding comments about writing down passwords, I don't think it's that bad of an idea, especially for things like master passwords. Just keep it safe and hidden, and most importantly, don't write it down verbatim, use a code. For example write down 'postcode of 1st house', 'colour of favourite car' or something like that. String a load of random clues together like that and it should be enough for you to remember, but not for anyone else to decipher if they were to find it.
 

Deleted member 77746

Deleted member 77746

Deleted member 77746

Permabanned
Joined
9 Aug 2008
Posts
35,707
Rainmaker said:
Haha. I'm not a moron, so I have backups of the database in three places (on-prem and off-prem); and good luck cracking AES256 with a 4096 bit key (seeded by a 30 character aA1& space password) further layered at-rest inside GPG crypt. I'll even give you a clue - it starts with '3'. :p
Click to expand...

Nobody is saying you are a moron. Don't forget nobody knows the skill set of the person behind the screen. Trusting some random behind the screen is what I really mean.

Anyone taking you up on the offer yet? :p
 

Shovinus

Shovinus

Shovinus

OcUK Staff
Joined
7 Nov 2010
Posts
1,938
@Rainmaker
My suggestion of using open source 2FA clients was really only for those who don't trust larger organizations. Authy and similar large companies such as google auth are fine if you are not wearing a tin hat, there is far more for them to lose by abusing the trust than to ever gain. As for trusting some random person from a forum, that's harder to do than trusting a large organization with something to lose. I know you can't decode the passwords and 2fa codes without the master password, however technically speaking you only have to try brute forcing the master password people set up I assume and if someone uses a simple Master, which is likely, then you have a good chance of getting access to all their passwords and 2fa codes. If you create your own server, you can control the access and also place measures to stop brute force attacks etc.

For the common user, using a standard trusted password manager provider is easier than setting up their own servers and clients and is only very very very very slightly less secure, and the chance is so infinitesimally small that it is not worth worrying about, you should be more concerned crossing the street.
 

Rainmaker

Rainmaker

Rainmaker

Soldato
Joined
18 Aug 2007
Posts
9,704
Location
Liverpool
Bouton Aide said:
Don't forget nobody knows the skill set of the person behind the screen. Trusting some random behind the screen is what I really mean.

Anyone taking you up on the offer yet? :p
Click to expand...

I think you're mixing up the three(!) threads about MFA going in GD atm. MRK said password managers can only store passwords, so I said Bitwarden stores everything you like. That's it. Semple said so if you lose access to your Bitwarden you're screwed, but it's encrypted and you can back it up so I said not really...

Shovinus said:
For the common user, using a standard trusted password manager provider is easier than setting up their own servers and clients and is only very very very very slightly less secure, and the chance is so infinitesimally small that it is not worth worrying about, you should be more concerned crossing the street.
Click to expand...

Again, not disputing that. I only said BW can store more than passwords and is heavily encrypted? You don't need to set up any servers to sign up with BW, they're a pretty large org and make it very simple.
 

Deleted member 77746

Deleted member 77746

Deleted member 77746

Permabanned
Joined
9 Aug 2008
Posts
35,707
Rainmaker said:
I think you're mixing up the three(!) threads about MFA going in GD atm. MRK said password managers can only store passwords, so I said Bitwarden stores everything you like. That's it. Semple said so if you lose access to your Bitwarden you're screwed, but it's encrypted and you can back it up so I said not really...
Click to expand...

I am but it's ok to cross post, it's about the same thing :D

Anyway we all know what's good.
 

Russinating

Russinating

Russinating

Soldato
Joined
27 Dec 2005
Posts
17,285
Location
Bristol
NotAGolf said:
Regarding comments about writing down passwords, I don't think it's that bad of an idea, especially for things like master passwords. Just keep it safe and hidden, and most importantly, don't write it down verbatim, use a code. For example write down 'postcode of 1st house', 'colour of favourite car' or something like that. String a load of random clues together like that and it should be enough for you to remember, but not for anyone else to decipher if they were to find it.
Click to expand...

Maybe, but there's just no need either. If you use a passphrase as opposed to a password, which is more secure anyway, and also appears to be your suggestion, then you should have no problems remembering it.

We update our passphrase at work sometimes every 4 weeks and by the end of the day everyone has it remembered.

If you need to write it down because it's difficult to remember, what happens if you lose it or your house burns down etc?
 

touch

touch

touch

Soldato
Joined
28 Oct 2006
Posts
12,456
Location
Sufferlandria
mickyflinn said:
Could you elabarate further please is it better than 2fa ?
Click to expand...

It's another name for 2fa but can be used to cover more.
2fa = 2 factor authentication.
You can have more than 2 factors though:
4fa could be password + fingerprint + GPS location + hardware key but it would be annoying for users so most things just use 2 factors. MFA could be used to mean any number of factors, 2fa means 2 factors. So, yes, MFA could be better than 2FA but usually people mean the same thing when they use these terms.
 
Last edited:

NotAGolf

NotAGolf

NotAGolf

Soldato
Joined
22 Oct 2005
Posts
2,801
Location
Moving...
Russinating said:
Maybe, but there's just no need either. If you use a passphrase as opposed to a password, which is more secure anyway, and also appears to be your suggestion, then you should have no problems remembering it.

We update our passphrase at work sometimes every 4 weeks and by the end of the day everyone has it remembered.

If you need to write it down because it's difficult to remember, what happens if you lose it or your house burns down etc?
Click to expand...

Some people have better memories than others ;). Mine, for example, is awful :D. I don't have any problem remembering work passwords/pass phrases, but that's because I use them several times a day. If its for an account that I use once in a blue moon then I might need some assistance!
 

Stu999

Stu999

Stu999

Soldato
Joined
3 Aug 2015
Posts
7,037
I’ve started using Microsoft Authenticator for here. Have to use it for work anyway so may as well add another account to it.
 

mickyflinn

mickyflinn

mickyflinn

Man of Honour
OP
Joined
23 Mar 2011
Posts
16,867
Location
West Side
touch said:
It's another name for 2fa but can be used to cover more.
2fa = 2 factor authentication.
You can have more than 2 factors though:
4fa could be password + fingerprint + GPS location + hardware key but it would be annoying for users so most things just use 2 factors. MFA could be used to mean any number of factors, 2fa means 2 factors. So, yes, MFA could be better than 2FA but usually people mean the same thing when they use these terms.
Click to expand...
Tx

Bouton Aide said:
MFA = just 2 or more+ methods of login.
Click to expand...
Tx
 

V F

V F

V F

Soldato
Joined
13 Aug 2003
Posts
21,184
Location
UK
Russinating said:
What do you mean it's handwritten?? :confused:

Please tell me that doesn't mean it's written down on a scrap bit of paper in your wallet or desk drawer.
Click to expand...

Bouton Aide said:
At least someone needs physical access to that draw with the password book in it. That's of course if the passwords are all different for every account across the web.

I couldn't imaging writing down 160 different password combinations. :cry:
Click to expand...

Yes, my book is stupidly big. :cry:

It must be going as far back as 2004. Before that it was just A4 sheets of paper folded in half and stacked.
 
You must log in or register to reply here.
Back
Top Bottom