Yet Another Cycling Forum
General Category => The Knowledge => OT Knowledge => Topic started by: Nutbeem on 31 July, 2019, 10:05:10 am
-
I managed to forget or mix up a bank card pin code yesterday
Then when I phoned the bank today I was asked for an access no. and when I couldn't remember this I was asked for a variety of memorable names and dates I'd previously provided.
You can probably guess - I managed 1 out of 4, the others I had no idea.
I can't be the only person with this problem. For now they've all been reset & I've saved them in a password protected file (it's a good password which I can remember). Any other suggestions on how to cope with this would be welcome.
It doesn't help that for work I have to remember key codes for several doors, and have a dozen usernames and passwords, many of which I'm required to change every 8-10 weeks. Remembering abstract names and numbers has never been my forte.
-
LastPass ?
-
For home/personal stuff, write it all down on a piece of paper in your desk drawer.
many of which I'm required to change every 8-10 weeks.
This is security theatre that any competent security professional will advise against doing, since it means passwords written down on post-its or constantly forgotten - and the more routinely you're resetting forgotten passwords, the easier it is to social engineer resetting someone else's. It's long been surpassed by two-factor authentication and suchlike.
In the unlikely event that you're in a position to ask them to stop this (in return for 2FA), please do so.
-
LastPass ?
or keepass or any of the encrypted thingies
trouble is that you replace the problem with "I can't remember the master password to my magic password safe"
postit notes are good :)
-
I'm mostly still using variations of a password that I was given by my then ISP "Global Internet" in around 1987'ish. It was already ahead of it's time as it was 8 characters, and a mixture of upper case, lower case and numbers. I've added a "special" character, and swapped the upper and lower cases over the years and it mostly works. Except at work where I need both a bitlocker login and a 12 character password, changed quarterly. ::-)
But yeah, post-its are good at home. I still sometimes have problems remembering stuff I set up for, say, phone contact with my bank - probably a once a year thing.
-
LastPass ?
or keepass or any of the encrypted thingies
trouble is that you replace the problem with "I can't remember the master password to my magic password safe"
postit notes are good :)
This is a good way. I have so many passwords (many hundreds) that the only way is to trust to a system like these. I use 1Password and it resides on my phone, tablet and computer. I keep passcodes, software licences, secure notes as well as passwords.
I can remember the master password. :smug:
-
For home/personal stuff, write it all down on a piece of paper in your desk drawer.
many of which I'm required to change every 8-10 weeks.
This is security theatre that any competent security professional will advise against doing, since it means passwords written down on post-its or constantly forgotten - and the more routinely you're resetting forgotten passwords, the easier it is to social engineer resetting someone else's. It's long been surpassed by two-factor authentication and suchlike.
In the unlikely event that you're in a position to ask them to stop this (in return for 2FA), please do so.
Yes the security risk is patently obvious to anyone with a bit of sense. The only possible way to remember the numerous usernames and passwords, not to mention door codes, that we need to do our jobs is to write them down & the loss of that list could have potentially serious consequences. An added complication for me is that my regular shift is 10pm to 4:30am, if I have any I.T. issues at that time I'm stuffed.
I've spent the last 10 years pointing out to various managers that having multiple passwords that we have to regularly change is actually creating risk rather than preventing it. It's a pointless exercise though, but it eases my conscience.
-
LastPass ?
or keepass or any of the encrypted thingies
trouble is that you replace the problem with "I can't remember the master password to my magic password safe"
postit notes are good :)
This is a good way. I have so many passwords (many hundreds) that the only way is to trust to a system like these. I use 1Password and it resides on my phone, tablet and computer. I keep passcodes, software licences, secure notes as well as passwords.
I can remember the master password. :smug:
I do have a good master password that I believe to be a good one, i.e. I won't forget it but it's highly unlikely anyone else would figure it out.
our apps like keepass any more or less scure than an open office document saved with password protection?
It's at least reassuring to know I'm not the only person who needs to us the post it and notepad approach & can't remember passwords on the rare occasions I find myself phoning the bank.
-
LastPass ?
or keepass or any of the encrypted thingies
trouble is that you replace the problem with "I can't remember the master password to my magic password safe"
postit notes are good :)
This is a good way. I have so many passwords (many hundreds) that the only way is to trust to a system like these. I use 1Password and it resides on my phone, tablet and computer. I keep passcodes, software licences, secure notes as well as passwords.
I can remember the master password. :smug:
And it's only one password which you don't have to change at someone else's say-so and might or might not contain lowercase, uppercase, numbers, special characters and anything else, at your decision.
-
For home/personal stuff, write it all down on a piece of paper in your desk drawer.
many of which I'm required to change every 8-10 weeks.
This is security theatre that any competent security professional will advise against doing, since it means passwords written down on post-its or constantly forgotten - and the more routinely you're resetting forgotten passwords, the easier it is to social engineer resetting someone else's. It's long been surpassed by two-factor authentication and suchlike.
In the unlikely event that you're in a position to ask them to stop this (in return for 2FA), please do so.
My only encounter with two-factor authentication has been on things like voting forms for the AUK AGM or voter registration, and it hasn't made any sense to me. There are two passwords, random strings of numbers and letters, but they're printed next to each other on the same piece of paper. So what's the point in having two parts? Is this just a case of people doing it wrong?
-
With online banking it seems to take the form of a text (or possibly email if you have no mobile signal at home) sent to you to enter onto the website.
-
Yes, I've used that, and IIRC you get the text after you've entered your card number etc. It's the "two parts" being on one sheet of paper that I can't see the point of.
-
Yeah, proper 2FA the two things need to be separate, and the second thing needs to be an uncopiable physical object. So the bank card in chip and pin, or your phone in SMS authentication*, or the embedded code in one of these keyfob thingies (https://en.wikipedia.org/wiki/RSA_SecurID).
(* the SMS network is insecure enough that it's not good enough for real security, but it's a hell of a lot better than not having it)
-
The mothership does 2FA now which is nice till your phone runs out of battery. For home, I used Keychain which works fine until it doesn't (why oh why does it only work for the browser but is unavailable for any other apps' password field). I also put them in file secured away on an encrypted volume.
-
LastPass seems to be a vulnerable attack vector*, KeePass allows you to store the data yourself and has versions for all platforms. I use an encrypted file synching on Dropbox for the purpose, with Win and Android clients, iOs are available too. Remember that ANY browser plug in is vulnerable and, again, a common attack vector and potentially hundreds of thousands of users, if not millions, use it. That would be the most likely attack for LastPass, use the plug in at your own risk. Conceptually, copy and paste, while being a little more long winded, is a LOT safer.
*That is, it is a prime site for attack and people WILL be putting in effort to see if it can be done. By contrast a 256bit encrypted file in your own space isn't worth attacking.
-
On 2FA, it isn't that well known but both Paypal and Amazon support 2FA, using Google Authenticator app, as does Google but that is better known. If you aren't using 2FA, don't moan when you are hacked.
-
I forgot to say that all memorable questions are anything but. And when you do remember them the machine says no. But it was my first pet, you'll bleat. No, the machine will demand, the goldfish you had when you were three.
Banks are the worst, it's like recovering the first 20 years of your life, then having to remember a passcode, PIN, secret code and first, third, and fiftieth letter of a password that must include now include at least one hieroglyph.
-
2FA makes me laugh. I enter my password then it sends a code to my phone.
Of course, I’ve got iMessage synced to my desktop so the code pops up on my screen right next to the box I need to enter it into... :facepalm:
-
Keep Ass?
-
2FA makes me laugh. I enter my password then it sends a code to my phone.
Of course, I’ve got iMessage synced to my desktop so the code pops up on my screen right next to the box I need to enter it into... :facepalm:
And the problem with 2FA is?
The overwhelming majority of password compromises involving someone stealing your credentials, as long as they don't have your phone you have more than a small degree of security, even if you have chosen to echo text messages onto your desktop. Although, please note that many 2FA will support Google Authenticator (or other 2-step validation, there are several) which is what I suggest to use.
-
And the problem with 2FA is?
That it won't save me if someone has access to my desktop because my passwords are saved by my web browser and iMessage is synced to my desktop. So if I leave my desktop unlocked while I get up to pick up something from the printer or make a coffee... well, really, I might as well have my passwords on post-it notes. I'm a fucking idiot.
I suppose that if I have my phone on me, I will at least get fair warning that someone is logging in to my accounts.
-
2FA means if someone intercepts your password but doesn't have your machine than the password is useless. That's the whole point.
If a hacker has physical access to your machine then that's a whole different set of security measures.
(does the iMessage sync thing work if your phone is off or not in the vicinity?)
-
(does the iMessage sync thing work if your phone is off or not in the vicinity?)
Yes. It's synced to the account, not the phone itself.
I'm not saying there's anything wrong with 2FA per se, just highlighting that it is not a panacea, for the simple reason that people (ie not just me) are idiots when it comes to security.
I must get back into the habit of locking my screen every time I leave my desk...
-
Well, yes, and the simple fact is that 2FA does add to your security, almost however much you try to thwart it.
There are two prime attack vectors used.
The first is the easiest, where people use the same password on all online accounts. Look at https://haveibeenpwned.com/ - I'll have a shilling that you are there, I know I am. It doesn't bother me as I don't use a single password on all sites. OK, OK, I know I do for all sites that don't matter, and it isn't even a particularly strong one. That's the username password pair they've got. If I appear on here selling viagra at a special price, you will know that hackers are taking advantage of my security failing. Either that or my $Megacorp employer has decided they no longer need my services.
The second is likely the greatest threat, that you are the victim of malware. Either through a compromised website, or spear phishing (where you receive a targeted phishing attack tailored to you, eg an eMail from a mate saying "You won't believe the price of this bike, click here) your activity gets logged and sent to a central server, where they use your credentials to attempt to log in. 2FA stops this, dead.
Sure leaving your computer unlocked in a semi public environment is a risk, but it is minimal. To benefit, the attacker would have to sit in your place, use your computer for a reasonable period of time which is a risk. It is much more likely that anyone bent on harm will simply install a keylogger and we''re back to #2.
Ultimately, if you walk outside your front door leaving it wide open and your valuables on show, you can't really blame the insurance company for the locks they insisted you have failing to work.
-
I started using the securenvoy authenticator app at work for remote access then realised it can be used for google and amazon. it is great. no waiting for a sms, just open the app and enter the 6 digit code. Unless you actually have my phone and know my pin code I should be safe.
-
I find the sync'ed messages thing useful for 2FA because I can copy and paste and job done. Otherwise I have to play a game of hunt the phone (which may be 20 miles away). I think a minimal security risk, the SMS comes in instantly after I've typed the first password and doesn't give me a chance to wander off.
Any security system is hackable, but generally there's so much low hanging fruit there's little point trying to get by anything even vaguely difficult. My Netflix got nabbed by a Peruvian last year, checking back it was an ancient pwned password that I'd never changed. I let Safari do the password thing now.
-
I let Safari do the password thing now.
I do that too, or rather I let Chrome do it, but unlike Safari, Chrome can't link iPhone apps to the keychain so you need to track down and retype your very secure but entirely unmemorable password when logging in via apps.
I'm trying to wean myself off Chrome and go back to Safari but it's so much effort.
-
My only gripe with keychain is that it won't for instance, offer up passwords outside of Safari, even for Apple native apps like Mail (I know I'm expecting too much for Cisco). So to VPN, for instance, I have to open Keychain and copy and paste the bloody password. OK, first world annoyance, an entire 20 seconds of my day...
I dumped Chrome a while back, very happy with Safari now.
-
I can remember my online banking password but it's 15 letters long and I'm not able pick out 3 random letters from it in my head. I could recite it and use my fingers to count it out but It's quicker to have the password written down in an encrypted text file which is on my full disk encrypted laptop (2 different passwords).
-
My only gripe with keychain is that it won't for instance, offer up passwords outside of Safari, even for Apple native apps like Mail (I know I'm expecting too much for Cisco). So to VPN, for instance, I have to open Keychain and copy and paste the bloody password. OK, first world annoyance, an entire 20 seconds of my day...
I dumped Chrome a while back, very happy with Safari now.
You can get the passwords out, on a Mac, using Keychain Access. Other than that, I agree, and that's why I use 1Password. You actually get to see the passwords on a device, if you, the password creator and user, wants to.
-
Just endured this myself.
My biggest problem with this memorable words is that I don't follow a sport ball team so how the feck will I be able to remember one random one I pick (heck even what sport) in say 3 months time.
I can't remember my teachers name, changed school many a time and Danes don't suffer from the same thing that that Brits do, the ability to remember every teacher you had :)
I don't really have a favorite actor, like many films and every week the best movie I have watched will have changed.
And best of all my granddads name is shorter than the minimum amount of letters that my bank allows your granddads to have.
Oh that goes for your favorite pet too, oh I have had many and none of them have been a favorite one.
-
We should have a thread for best Security Questions
in fact I'll start one..
-
I went with Dashlane personally, it's paid for but its working well. I like that they scan leaks and inform you when your email or something has been acquired via a hack on randomsite.com.
-
My Dad used to tell us tales of a fictional character he had imagined, when we were small.
Its name is my password in several places but sadly not long enough in others.
-
I have a system for creating memorable yet pretty secure passwords... but I’m not going to share it here, for obvious reasons.
I don’t use a different password for absolutely everything (I have a set of about 10) but do use unique ones for things like online banking.