Permabanned
- Joined
- 9 Aug 2008
- Posts
- 35,707
You have to log in again to every website when you clear your cookies anyway.
For every single website. Not sure how you lot say that's better.
**** Please enable 2FA on your OcUK forum account ****
- Thread starter Feek
- Start date
You have to log in again to every website when you clear your cookies anyway.
For every single website. Not sure how you lot say that's better.
Permabanned
- Joined
- 9 Aug 2008
- Posts
- 35,707
Then a solution for soft auth, i.e authy (which you can install on windows, mac and linux) as an app and it's just needs a master password.
Associate
- Joined
- 29 Oct 2019
- Posts
- 1,002
Logging in without 2FA is usually 2 button clicks.
Permabanned
- Joined
- 9 Aug 2008
- Posts
- 35,707
What do you lot hope to achieve by clearing cookies every time the browser is closed?
Man of Honour
I knew that already and I have already said what I want several times. I want people to stop saying something that isn't true.
There's something else I want too - to know if I can use a hardware 2FA device such as a Yubikey or Onlykey for these forums.
Soldato
Already had to redo the 2FA. I dunno if I'll stick with the forum if it keeps booting me.
Make sure the box is ticked to stay logged in and don't block cookies or keep clearing them.
The mods and OcUK staff have been using 2FA for a very long time, it works perfectly well. The only reason it will keep asking for authentication is if you're blocking the cookies or haven't ticked the box to stay logged in.
Permabanned
- Joined
- 9 Aug 2008
- Posts
- 35,707
All I have to say is security online is only going to get bigger as time goes on.
This is a little tiny thing compared to what's coming.
In before the tin foil hat crew comes (IBTTFHCC) to say OcUK is tracking them.
This is a little tiny thing compared to what's coming.
In before the tin foil hat crew comes (IBTTFHCC) to say OcUK is tracking them.
And watching them through their webcams!
Permabanned
- Joined
- 9 Aug 2008
- Posts
- 35,707
And watching them through their webcams!
You not got yours covered with a bit of sticky note? Or does yours not come with a light when the cam is activated?
You jest, but my Mac at work has a bit of duck tape over the camera lolYou not got yours covered with a bit of sticky note? Or does yours not come with a light when the cam is activated?
what's the point in giving cookies a lifetime across sessions, it just facilitates tracking, if you have no settings/form data you want to preserve for a site, just nuke them each time gucci & braces.
if blocking of 3rd party cookie access was compromised, other sites could share stuff via an OC cookie, too.
Personally Authy on Windows seems to have a memory leak , mine is often up to near a GB, which I need to get to the bottom of, comprmising authy would be the coup
Yes, xf_tfa_trust on forums.overclockers.co.uk.
Blocking third party cookies is wise, but I think deleting all cookies on session end is unnecessary, but that's up to you.
Well it would be their cookie not OcUK's.
Permabanned
- Joined
- 9 Aug 2008
- Posts
- 35,707
Don
As for clearing cookies every minute for whatever reason 
I'm sure there is an option to preserve cookies for favourites sites or similar in chrome, to prevent login tokens etc being removed
I'm sure there is an option to preserve cookies for favourites sites or similar in chrome, to prevent login tokens etc being removed
I can live with that, I thought this was a tech forum?
2FA isn't about two devices - It's about 2 authentication methods. In this case it could be an app that's installed on a PC to do the second token auth, or another device or email authentication so in reality someone needs 2 things to get into your account.
Without both they not getting in captain.
By definition yes, although if you just requiring two different passwords, its about as lazy as you can get.
Now you do need sms/voice authentication for things like transfers now, they should do that for logging in as well.
No just use the website, main phone is rooted, and I dont trust android, so only use virgin money app on my non rooted phone as they killed their website.
Deleted member 651465
D
Deleted member 651465
It’s really not hard to do.
Most decent websites / services offer 2FA and it is the easiest way to prevent unauthorised activities in the event that someone gets your password, regardless of how complex it is.
Most password managers (1Password, lastpass etc) can auto fill 2FA/OTP codes directly in the browser, so I’d suggest that if you’re finding it too difficult to grab a phone to generate a number then you’re probably better off looking at installing a password manager with a browser extension.
Hell, the 1Password extension on Edge auto fills the username and password AND then the 2FA code when the browser directs to the second page. It’s one click of a mouse and that’s on my awful work laptop
Most decent websites / services offer 2FA and it is the easiest way to prevent unauthorised activities in the event that someone gets your password, regardless of how complex it is.
Most password managers (1Password, lastpass etc) can auto fill 2FA/OTP codes directly in the browser, so I’d suggest that if you’re finding it too difficult to grab a phone to generate a number then you’re probably better off looking at installing a password manager with a browser extension.
Hell, the 1Password extension on Edge auto fills the username and password AND then the 2FA code when the browser directs to the second page. It’s one click of a mouse and that’s on my awful work laptop
Let the Philistines flounce. What's left might befit a tech website after all.
Reading between the lines I think we have similar threat models/opsec. What browser are you using though? Firefox has full cookie compartmentalisation nowadays. Just enable Enhanced Tracking Protection > Strict in settings, and then even without clearing cookies or whatever nobody from domain A can track you across domain B or vice versa. Now $(tracking company) and everyone else gets a new 'jailed' cookie for every domain you visit. They're kept in separate per-domain 'jars'. If, say, Facebook is trying to place a cookie on OcUK and a cookie on YouTube (why aren't you using Invidious?), it'll have one cookie in the OcUK jar (only readable on OcuK) and another cookie in the YouTube jar, etc.
Tracking you (using cookies) is now impossible, versus the usual method of allowing Amazon/DoubleClick/Facebook or whomever to access a single cookie from every domain you visit, giving them full birds-eye view of your browsing. Further disable all third party cookies if you must. This out of the box setup negates the need for effectively having private browsing enabled 24/7.
If you add in CookieAutoDelete extension on top, you can still set it to delete all cookies every time you change domain, except the few you have added to the whitelist. That way, everything's gone bar the things you want to keep (OcUK, forums, Github/Gitlab, your nugget porn, whatever) and you're solid. Don't forget uBO in 'hard mode' (or use NoScript), but it sounds like you have that covered. If you're really strict, use arkenfox user.js to harden the browser, add in javascript restrictor and etag stoppa (or Trace or ClearUrls at your fancy) and enjoy...
Now there's no excuse not to enable MFA without moaning, you great banana.
Reading between the lines I think we have similar threat models/opsec. What browser are you using though? Firefox has full cookie compartmentalisation nowadays. Just enable Enhanced Tracking Protection > Strict in settings, and then even without clearing cookies or whatever nobody from domain A can track you across domain B or vice versa. Now $(tracking company) and everyone else gets a new 'jailed' cookie for every domain you visit. They're kept in separate per-domain 'jars'. If, say, Facebook is trying to place a cookie on OcUK and a cookie on YouTube (why aren't you using Invidious?
), it'll have one cookie in the OcUK jar (only readable on OcuK) and another cookie in the YouTube jar, etc.
Tracking you (using cookies) is now impossible, versus the usual method of allowing Amazon/DoubleClick/Facebook or whomever to access a single cookie from every domain you visit, giving them full birds-eye view of your browsing. Further disable all third party cookies if you must. This out of the box setup negates the need for effectively having private browsing enabled 24/7.
If you add in CookieAutoDelete extension on top, you can still set it to delete all cookies every time you change domain, except the few you have added to the whitelist. That way, everything's gone bar the things you want to keep (OcUK, forums, Github/Gitlab, your nugget porn, whatever) and you're solid. Don't forget uBO in 'hard mode' (or use NoScript), but it sounds like you have that covered. If you're really strict, use arkenfox user.js to harden the browser, add in javascript restrictor and etag stoppa (or Trace or ClearUrls at your fancy) and enjoy...
Now there's no excuse not to enable MFA without moaning, you great banana.