**** Please enable 2FA on your OcUK forum account ****

Discussion in 'General Discussion' started by Feek, 14 Oct 2021.

  1. Jay85

    Sgarrista

    Joined: 22 May 2010

    Posts: 7,556

    Royal mail will lose it :cry:
     
  2. andy_mk3

    Capodecina

    Joined: 5 Oct 2009

    Posts: 11,535

    Location: Lincolnshire

    I agree it's a nice offer but I wouldn't take it.

    You're better off buying a Raspberry Pi and hosting it yourself if you really wanted to.
     
  3. Bouton Aide

    Caporegime

    Joined: 9 Aug 2008

    Posts: 29,523

    Most people wouldn't trust themselves, that's why they get others to do it. For the sake of £10 a year that might cost you a lot more loss if someone ever gets into your accounts, and it's hosted correctly (not saying people on here don't host it correctly) but it's a team of people who look after it I assume (BitWarden).
     
  4. andy_mk3

    Capodecina

    Joined: 5 Oct 2009

    Posts: 11,535

    Location: Lincolnshire

    Hence the "if you really wanted to" :p But yes, just paying the £10 a year is a much better option. :D
     
  5. Bouton Aide

    Caporegime

    Joined: 9 Aug 2008

    Posts: 29,523

    It's cheaper as well instead of purchasing a pi just for passwords.
     
  6. Scania

    Capodecina

    Joined: 25 Nov 2004

    Posts: 24,978

    Location: On the road....

    Done, along with 2FA on my email, hopefully I’m a bit more secure….

    Most definitely interested, I’m wondering why you say hosted by you? - isn’t Bitwarden its own entity with its own servers etc? (Sorry, I’m well out of my depth on this stuff…) :)
     
  7. Bouton Aide

    Caporegime

    Joined: 9 Aug 2008

    Posts: 29,523

    There are two types, hosted by BitWarden and Self Hosted. Self hosted requires you to set it up on your own and look after backups, SSL certs, power consumption bill for the server it's on, hardware replacement purchasing etc.
     
  8. rodders

    Wise Guy

    Joined: 14 Dec 2004

    Posts: 2,098

    Is there 2FA for the shop account too?
     
  9. G J

    Wise Guy

    Joined: 3 Oct 2008

    Posts: 1,055

    So the data breach was a lie or some people have been phished via some unofficial OCUK discord/group or some scalper that got banned has gone mad.

    Someone breaks into an email and first thing they think of is trying to scam on a computer hardware forum. :rolleyes:

    I hope you're also reworking the trust system and the MM process as I've had to politely email a couple of users on here to **** off, delete my personal information and remove me off their spam email lists as for some reason they still have my email/personal details 6-12+ months after I've purchased something from them.

    All it takes is one person who uses the MM to get their account hacked and if it's one of these I need purchase all this hardware for my "friends" types they'll have mountains of names/address/banking info and phone numbers in their emails.
     
  10. Bouton Aide

    Caporegime

    Joined: 9 Aug 2008

    Posts: 29,523

    You can say that about any site. Facebook Marketplace, Gumtree, eBay etc. Not just relating to OcUK. It's more important now than ever before to set up a secure password vault with best practices.

    Remove yourself from sites you don't use, delete your data online where possible.

    Educate yourself about secure password vaults, implement it so in future you shouldn't come across this problem again. If all websites made 2FA compulsory it wouldn't matter.

    For someone to get access to an account with 2FA/MFA on they must have the code that gets sent to you on top of the password you use. Using a password manager enables you to click and forget.

    i.e - password "nS2ac#[email protected]$Tz37E", or "horse-staple-battery". Both of these would never be used on another website so when a website is compromised you don't have to worry about changing it for every other website you have an account with. It's all saved in the password vault.

    It takes a little while to set up though, but do it over time. I have 160 passwords currently saved. Every place uses a different password with all sites that have 2FA/MFA allowed, enabled.

    As time goes on these attacks are just going to get bigger so if you don't have this enabled you are going to find yourself having to change passwords a lot more than ever before.

    In theory, I could give you my password for overclockers but you would never get in because it uses a second authentication. You need both to log in successfully. Not only that, that one password is only used here so you would never gain access to my other accounts anywhere else.

    What's worse is if you have to change it for every single site because you have used the same password over and over again for different places. :)

    --------
    We do have a problem though if your vault is compromised they still have access to the whole entire list of your passwords. So it's important 2FA is enabled on the vault.
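
What the post above describes (a leaked password alone does not get in once 2FA is on), as an added example that is not part of the thread or of the forum's software. It assumes authenticator-app codes (RFC 6238 TOTP); the account record, salt and function names are hypothetical, and the secret is the RFC's published test key.

```python
import base64
import hashlib
import hmac
import struct

def totp(secret_b32, unix_time, step=30, digits=6):
    """RFC 6238 time-based code (HMAC-SHA1), as authenticator apps compute it."""
    key = base64.b32decode(secret_b32)
    counter = struct.pack(">Q", unix_time // step)       # 30-second time slot
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                               # dynamic truncation
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def hash_password(password, salt):
    # Salted, slow hash so the stored value is not the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def login(account, password, code, now, step=30):
    """Accept only when the password AND a current code are both correct."""
    pw_ok = hmac.compare_digest(hash_password(password, account["salt"]),
                                account["pw_hash"])
    # Tolerate one slot of clock drift either side; older codes are rejected.
    valid = [totp(account["totp_secret"], now + d * step) for d in (-1, 0, 1)]
    code_ok = code is not None and any(
        hmac.compare_digest(code.encode(), v.encode()) for v in valid)
    return pw_ok and code_ok

# Constructed account record (hypothetical layout, not the forum's schema).
SALT = b"constructed-salt"
ACCOUNT = {
    "salt": SALT,
    "pw_hash": hash_password("horse-staple-battery", SALT),
    "totp_secret": base64.b32encode(b"12345678901234567890").decode(),
}

if __name__ == "__main__":
    now = 59  # RFC 6238 test timestamp
    print("password only:      ", login(ACCOUNT, "horse-staple-battery", None, now))
    print("password + code:    ", login(ACCOUNT, "horse-staple-battery", totp(ACCOUNT["totp_secret"], now), now))
    print("password + old code:", login(ACCOUNT, "horse-staple-battery", totp(ACCOUNT["totp_secret"], now), now + 120))
```
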
     
  11. Digital X

    Sgarrista

    Joined: 25 May 2013

    Posts: 9,906

    Location: Kent.

    Just done thanks, how long has 2FA been on here? I have the Authenticator app for Ubisoft mainly but never crossed my mind to search for it here.
     
  12. Nevakonaza

    Soldato

    Joined: 7 Jan 2009

    Posts: 5,665

    Glad this was posted, someone had changed my email address..

    I've now changed my email address back to my own, changed passwords and enabled security.
     
    Last edited: 14 Oct 2021
  13. Rainmaker

    Sgarrista

    Joined: 18 Aug 2007

    Posts: 9,041

    Location: Liverpool

    As I said, it’s two clicks to back up your vault from any Bitwarden instance or browser extension. You’d surely do that regularly no matter who hosts it. If (when) I drop dead (or BW itself disappears), you load your backup somewhere else and carry on.
     
  14. Bouton Aide

    Caporegime

    Joined: 9 Aug 2008

    Posts: 29,523

    And you do know that the backup is plain text right? It warns you to delete it properly and not to store it on any standard drive.

    Go backup yours and open that file.

    EDIT: ahhhhh they must have just implemented encrypted .json recently. It never used to be like that on the previous version. I just noticed there is now an option for encrypted backups. My bad.

     
  15. Uther

    Capodecina

    Joined: 16 Jun 2005

    Posts: 16,946

    Done. The internet is getting tedious.
     
  16. Werewolf

    Commissario

    Joined: 17 Oct 2002

    Posts: 30,144

    Location: Panting like a fiend

    With all the various breaches that are in "the wild" all it takes is someone to look for specific usernames/email address and to potentially try them on similar sites.

    For example if my details from another computer related site were hacked someone might look for my username on other sites and try that password&name combo to see if it works, potentially you can automate this to a very high degree.

    If you've got a breach that might include emails or their contents it becomes even easier.

    It's one of the reasons I've never reused a password across two sites, and for my important ones like here the password is long and complicated (my old UO passwords were long but because I was typing them in multiple times a day I can still do them in seconds).
     
  17. Rainmaker

    Sgarrista

    Joined: 18 Aug 2007

    Posts: 9,041

    Location: Liverpool

    Yes I’ve been running servers for 30 years and contributing to FOSS for 20 of them. I’m aware of some backup options being plain text, but there is an encrypted option. Plus it’s a single command to encrypt the file with GPG or any other system you prefer (AES or whatever). It’s not hard to put it on an encrypted USB and gpg --encrypt file.txt for safekeeping.

    Edit: I’ve just seen your own edit. No bother. Whether it’s hosted with BW, me or the pope doesn’t matter. Back up your vault weekly or monthly, use a strong master password and you’re set. The offer was to less techy members, I’d imagine most of us can run a server and use GPG and AES crypt.
     
  18. TNA

    Capodecina

    Joined: 13 Mar 2008

    Posts: 19,588

    Location: London

    :cry:
     
  19. TNA

    Capodecina

    Joined: 13 Mar 2008

    Posts: 19,588

    Location: London

    Good call. Would much prefer to just have 2FA on MM only. Makes logging in on the forum only easier.
     
  20. dLockers

    Sgarrista

    Joined: 21 Jan 2010

    Posts: 8,263

    Just tick "Remember me"?