Your password doesn’t matter

  • johnners
    Member

    If you use a phone or a phone app for the second factor you can’t guarantee that the user isn’t using that phone as the first

    How do you mean? I don’t recall seeing a secure app where the phone alone is the primary authentication, they’ve always needed a password or fingerprint. Though I agree that if someone has that first layer and the actual phone then something like Google Authenticator is already compromised. It’s still a worthwhile security measure in that it can prevent access from an unknown device though.

    In the end it’s all about limiting surfaces, but if it comes down to it not many people will resist the classic $5 wrench attack.

    I despair at this stuff. I can only actually remember 2-3 passwords. The rest are between 20 and 50 random characters (thanks password manager).

    I use LastPass both for work and home. I’ve a YubiKey for work and I use Google Authenticator for home (weaker I admit). I still turn on 2FA for important accounts.

    Most people are completely clueless when it comes to computer security. Until they get burned.

    How do you mean? I don’t recall seeing a secure app where the phone alone is the primary authentication, they’ve always needed a password or fingerprint.

    Like trying to make a payment and the OTC comes over text. If you have the device the 2FA is compromised.

    Would you like to remember that password?

    FuzzyWuzzy
    Subscriber

    the only security against quantum computer based hacking will be codes that are also designed by quantum computers

    Not true, there’s plenty of work already well underway, not using quantum computers, that is developing new quantum computing resistant algorithms. It’s also pretty trivial to increase the key length of existing algorithms (for symmetric encryption at least) to negate much of the advantage of quantum computing.

    johnners
    Member

    Like trying to make a payment and the OTC comes over text. If you have the device the 2FA is compromised.

    Well, that’s a 2nd factor rather than the primary since you’re already in the app but yes, supplying OTCs by SMS is not ideal. There are plenty of examples where mobile numbers have been hijacked so the OTC goes to the villain’s phone so they don’t even need the original device. That’s usually been used to engineer password resets though AFAIK.

    footflaps
    Member

    Re 2FA, bit of an exception, but we were in Swaledale the other week and the village has no cellular coverage. I can get some texts (iMessage etc) and make calls over Wifi but I couldn’t do any bank stuff as 2FA SMS messages couldn’t get through….

    footflaps
    Member

    and xkcd forums have been breached…..

    XKCD forums breached

    maxtorque
    Subscriber

    One of the companies I contract for has introduced a ridiculously complex system for passwords, because they were worried about people’s laptops being breached. Thing is, there are pretty much likely situations for laptops, and none of the measures introduced actually help in either case:

    1) Accidentally lost laptop (left on train). Fair enough, this happens (a lot). However, if someone finds a lost laptop on a train, and is not honest enough to hand it in to lost property, what do they do with it? I’m going to suggest that 999,999 out of a million they are just going to sell it on eBay or in the local pub for a quick buck. In that case, any basic password means it’ll just get wiped and re-installed, or even if they crack the p/w, they aren’t going to spend more than a few sec looking at the hard drive for top secret info, they’ll just delete the user stuff.

    2) Arch villains steal critical laptop at knife/gun point to get critical company info. In this case, they’ll just put a knife to the throat of the laptop owner and say “password or you’re dead” which means any password is irrelevant.

    roger_mellie
    Subscriber

    So I’ve just tried a password manager for the first time (1Password). From what I understand, in order to convert my reasonably easy to remember, but probably not that secure passwords for over 200 websites using 1Password, I need to go to a website, navigate to “change your password” in that website, open the password manager app, navigate to “generate a password”, copy the resulting long, secure, password generated in the app and paste it into the website, then associate/ save the password in the app. Then repeat 200+ times. Sounds like a lot of hassle to me? Not sure what I was expecting, but something a bit more automated 😕

    Could I just generate my own random passwords (by smearing my finger across the keyboard) and asking Chrome / Google to remember the password (a prompt to do this usually appears) and ditch the app?

    Drac
    Subscriber

    Not sure what I was expecting, but something a bit more automated

    Visit website click change password ask iCloud to generate password. Done.

    wwaswas
    Subscriber

    Then repeat 200+ times.

    I just waited until I needed to access a site then did it with LastPass setting the password values so yes 200+ times but not all in one go.

    Then forgot my LastPass password and failed the re-authentication so I now have very secure passwords on lots of sites but no access to find out what they are…

    DezB
    Subscriber

    From what I understand, in order to convert my reasonably easy to remember, but probably not that secure passwords for over 200 websites using 1Password, I need to go to a website, navigate to “change your password” in that website, open the password manager app, navigate to “generate a password”, copy the resulting long, secure, password generated in the app and paste it into the website

    Chrome does this really well.

    Sandwich
    Subscriber

    @Roger_Mellie I would be checking the have I been pwned site and changing any accounts that show up there first. Then on an as-you-need basis until it’s done.

    You may also be able to thin out the number of passwords by deleting those you no longer use.

    Drac
    Subscriber

    Chrome does this really well.

    Yup, I’m not sure there’s such a need for 3rd party ones now.

    roger_mellie
    Subscriber

    Cool, thanks folks for the replies. I was being a bit dramatic there. I’ll stick with Chrome and do a bit of website / password husbandry.

    roger_mellie
    Subscriber

    @wwaswas

    Ooops! 🙂 I mean, 🙁

    CountZero
    Member

    It’s the changing of passwords that pisses me off. If someone knows your password, they know it. They’re not going to hang on for 30 days and then use it! “Oh shit they’ve changed it!”

    Yeah, we have to do this with the phones and tablets we use at work. Thing is, none are used for anything financial or for any kind of personal reasons, the data is purely concerned with the condition and location on site of cars that we are repairing or storing. All of those cars are easily visible from the road, and anyone can get apps that will give all of the history of a car just from its registration, so having to keep changing the password is pointless, because, as has been pointed out, everyone just thinks of a word and adds a number sequence to the end.

    v8ninety
    Subscriber

    This is possibly the geekiest thread I’ve seen on STW for a while.

    Love it, it’s the reading version of listening to the shipping forecast to me. Keep it up!

    Cougar
    Subscriber

    I would be checking the have I been pwned site and changing any accounts that show up there first.

    … and anywhere else where you’ve used the same credentials.

    FuzzyWuzzy
    Subscriber

    Microsoft’s security baseline take on things is interesting (they’ve recently dropped any recommendation to expire them, this is in a domain setting).

    Why are we removing password-expiration policies?

    First, to try to avoid inevitable misunderstandings, we are talking here only about removing password-expiration policies – we are not proposing changing requirements for minimum password length, history, or complexity.

    Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.

    If it’s a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password? The Windows default is 42 days. Doesn’t that seem like a ridiculously long time? Well, it is, and yet our current baseline says 60 days – and used to say 90 days – because forcing frequent expiration introduces its own problems. And if it’s not a given that passwords will be stolen, you acquire those problems for no benefit. Further, if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you.

    Our baselines are intended to be usable with minimal if any modification by most well-managed, security-conscious enterprises. They are also intended to serve as guidance for auditors. So, what should the recommended expiration period be? If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, do they need any periodic password expiration? And if they haven’t implemented modern mitigations, how much protection will they really gain from password expiration?

    Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value. By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance. At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines

    I like the not-so-subtle dig at users being the weakest link :p

    wwaswas
    Subscriber

    The biggest argument I can see in favour of password expiration is online shopping sites (which rarely do it).

    If I have to set up an account somewhere to shop that account is, in effect, ‘live’ for ever – if the password is stolen then it’s available to use in perpetuity.

    I’d rather if I didn’t shop somewhere for 6 weeks or whatever that they expired the password and I had to reset it to shop again.

    There’s probably little ‘harm’ that could come from an account I used once and never used again being compromised and if I’m worried about the password being stolen I should use a unique one for each site but the thought of there being possibly hundreds of active accounts that I’ve set up in the past 20 years and rarely if ever use does worry me a little – as much because changes may occur in future that give value to access to such accounts by third parties.

    Rio
    Subscriber

    I like the not-so-subtle dig at users being the weakest link

    I particularly like the subtle dig at auditors, who IME when I did this sort of thing were complicit in preventing more risk-appropriate password policies from being adopted.

    Cougar
    Subscriber

    they’ve recently dropped any recommendation to expire them

    … in line with current NCSC guidelines.

    https://www.infosecurity-magazine.com/blogs/password-requirements-from-ncsc-1/

    lorax
    Subscriber

    The other thing to think about is validation questions – mother’s maiden name, that kind of thing. I always make a point of defining the place I was born as ‘correcthorsebatterystaple’ and my favourite colour as ‘ketchupthecortina’ – or words to that effect…

    I wonder how many people’s favourite colour is ‘What’?
