I Was Hacked.

This thread has made me finally get my act together regarding security. I had 2FA on my email accounts, but that was all.

I've installed Bitwarden and moved my saved passwords from Chrome to that, and downloaded Authy for the 2FA side of things. Currently going through all 196 passwords I have saved and updating them to be stronger, and deleting them if no longer used. I'm also adding 2FA to any sites that offer it.

Regarding comments about writing down passwords, I don't think it's that bad of an idea, especially for things like master passwords. Just keep it safe and hidden, and most importantly, don't write it down verbatim, use a code. For example write down 'postcode of 1st house', 'colour of favourite car' or something like that. String a load of random clues together like that and it should be enough for you to remember, but not for anyone else to decipher if they were to find it.
 
Haha. I'm not a moron, so I have backups of the database in three places (on-prem and off-prem); and good luck cracking AES256 with a 4096 bit key (seeded by a 30 character aA1& space password) further layered at-rest inside GPG crypt. I'll even give you a clue - it starts with '3'. :p

Nobody is saying you are a moron. Don't forget nobody knows the skill set of the person behind the screen. Trusting some random behind the screen is what I really mean.

Anyone taking you up on the offer yet? :p
 
@Rainmaker
My suggestion of using open source 2FA clients was really only for those who don't trust larger organizations. Authy and similar large companies such as google auth are fine if you are not wearing a tin hat, there is far more for them to lose by abusing the trust than to ever gain. As for trusting some random person from a forum, that's harder to do than trusting a large organization with something to lose. I know you can't decode the passwords and 2fa codes without the master password, however technically speaking you only have to try brute forcing the master password people set up I assume and if someone uses a simple Master, which is likely, then you have a good chance of getting access to all their passwords and 2fa codes. If you create your own server, you can control the access and also place measures to stop brute force attacks etc.

For the common user, using a standard trusted password manager provider is easier than setting up their own servers and clients and is only very very very very slightly less secure, and the chance is so infinitesimally small that it is not worth worrying about, you should be more concerned crossing the street.
 
Don't forget nobody knows the skill set of the person behind the screen. Trusting some random behind the screen is what I really mean.

Anyone taking you up on the offer yet? :p

I think you're mixing up the three(!) threads about MFA going in GD atm. MRK said password managers can only store passwords, so I said Bitwarden stores everything you like. That's it. Semple said so if you lose access to your Bitwarden you're screwed, but it's encrypted and you can back it up so I said not really...

For the common user, using a standard trusted password manager provider is easier than setting up their own servers and clients and is only very very very very slightly less secure, and the chance is so infinitesimally small that it is not worth worrying about, you should be more concerned crossing the street.

Again, not disputing that. I only said BW can store more than passwords and is heavily encrypted? You don't need to set up any servers to sign up with BW, they're a pretty large org and make it very simple.
 
I think you're mixing up the three(!) threads about MFA going in GD atm. MRK said password managers can only store passwords, so I said Bitwarden stores everything you like. That's it. Semple said so if you lose access to your Bitwarden you're screwed, but it's encrypted and you can back it up so I said not really...

I am but it's ok to cross post, it's about the same thing :D

Anyway we all know what's good.
 
Regarding comments about writing down passwords, I don't think it's that bad of an idea, especially for things like master passwords. Just keep it safe and hidden, and most importantly, don't write it down verbatim, use a code. For example write down 'postcode of 1st house', 'colour of favourite car' or something like that. String a load of random clues together like that and it should be enough for you to remember, but not for anyone else to decipher if they were to find it.

Maybe, but there's just no need either. If you use a passphrase as opposed to a password, which is more secure anyway, and also appears to be your suggestion, then you should have no problems remembering it.

We update our passphrase at work sometimes every 4 weeks and by the end of the day everyone has it remembered.

If you need to write it down because it's difficult to remember, what happens if you lose it or your house burns down etc?
 
Could you elaborate further please, is it better than 2fa?

It's another name for 2fa but can be used to cover more.
2fa = 2 factor authentication.
You can have more than 2 factors though:
4fa could be password + fingerprint + GPS location + hardware key but it would be annoying for users so most things just use 2 factors. MFA could be used to mean any number of factors, 2fa means 2 factors. So, yes, MFA could be better than 2FA but usually people mean the same thing when they use these terms.
 
Maybe, but there's just no need either. If you use a passphrase as opposed to a password, which is more secure anyway, and also appears to be your suggestion, then you should have no problems remembering it.

We update our passphrase at work sometimes every 4 weeks and by the end of the day everyone has it remembered.

If you need to write it down because it's difficult to remember, what happens if you lose it or your house burns down etc?

Some people have better memories than others ;). Mine, for example, is awful :D. I don't have any problem remembering work passwords/pass phrases, but that's because I use them several times a day. If it's for an account that I use once in a blue moon then I might need some assistance!
 
It's another name for 2fa but can be used to cover more.
2fa = 2 factor authentication.
You can have more than 2 factors though:
4fa could be password + fingerprint + GPS location + hardware key but it would be annoying for users so most things just use 2 factors. MFA could be used to mean any number of factors, 2fa means 2 factors. So, yes, MFA could be better than 2FA but usually people mean the same thing when they use these terms.
Tx

MFA = just 2 or more+ methods of login.
Tx
 
What do you mean it's handwritten?? :confused:

Please tell me that doesn't mean it's written down on a scrap bit of paper in your wallet or desk drawer.

At least someone needs physical access to that drawer with the password book in it. That's of course if the passwords are all different for every account across the web.

I couldn't imagine writing down 160 different password combinations. :cry:

Yes, my book is stupidly big. :cry:

It must be going as far back as 2004. Before that it was just A4 sheets of paper folded in half and stacked.
 