Author Topic: Changing passwords  (Read 888 times)

Online The Latinist

  • Cyber Greasemonkey
  • Technical Administrator
  • Stopped Going Outside
  • *****
  • Posts: 5374
Re: Changing passwords
« Reply #15 on: November 23, 2017, 11:19:28 AM »
The problem for me with two-factor using the phone is that I go places where I have internet access and want to access web sites, but where there is no cell service. Are there other commonly-used two-factor methods that do not depend on cell service or having USB on the device?

My two-factor authentication method does not require cell service or even Internet on my phone. If I have no internet access, it will generate a one-time authentication code I can enter at the LastPass two-factor prompt.
« Last Edit: November 23, 2017, 11:29:07 AM by The Latinist »
I would like to propose...that...it is undesirable to believe in a proposition when there is no ground whatever for supposing it true. — Bertrand Russell

Offline Mr. Beagle

  • Frequent Poster
  • ******
  • Posts: 3794
Re: Changing passwords
« Reply #16 on: November 23, 2017, 12:32:40 PM »
Has there been any recent study of fraud through brute-force password cracking versus phishing? Were I to enter the criminal life, it would seem phishing would be easier and have a high chance of success (maybe one sucker out of 1000 emails?).

I have seen some really good phishing emails that had to have had some success.
Mister Beagle
The real world is tri-color

Offline daniel1948

  • Stopped Going Outside
  • *******
  • Posts: 5454
  • Cat Lovers Against the Bomb
Re: Changing passwords
« Reply #17 on: November 23, 2017, 01:29:03 PM »
The problem for me with two-factor using the phone is that I go places where I have internet access and want to access web sites, but where there is no cell service. Are there other commonly-used two-factor methods that do not depend on cell service or having USB on the device?

My two-factor authentication method does not require cell service or even Internet on my phone. If I have no internet access, it will generate a one-time authentication code I can enter at the LastPass two-factor prompt.

If you don't have cell or internet access, what are you accessing that needs a password?

Has there been any recent study of fraud through brute-force password cracking versus phishing? Were I to enter the criminal life, it would seem phishing would be easier and have a high chance of success (maybe one sucker out of 1000 emails?).

I have seen some really good phishing emails that had to have had some success.

I would assume that brute-force password guessing would only work where the password is extremely weak, AND the system allows a large number of rapid-fire tries. Of course, in movies, the password is always the daughter's birthday, which the hacker happens to know. Sadly, that's too often the case.

Maybe unrelated? There's that gadget that break-in artists always have in movies, where they attach two clip leads to the alarm system or digital lock, and numbers flash rapidly on the screen, and then slowly, one at a time, numbers stick, and when it's done they have the combination. What's the deal with that thing? ???
Daniel
----------------
"Anyone who has ever looked into the glazed eyes of a soldier dying on the battlefield will think long and hard before starting a war."
-- Otto von Bismarck

Online The Latinist

  • Cyber Greasemonkey
  • Technical Administrator
  • Stopped Going Outside
  • *****
  • Posts: 5374
Re: Changing passwords
« Reply #18 on: November 23, 2017, 02:13:03 PM »
The problem for me with two-factor using the phone is that I go places where I have internet access and want to access web sites, but where there is no cell service. Are there other commonly-used two-factor methods that do not depend on cell service or having USB on the device?

My two-factor authentication method does not require cell service or even Internet on my phone. If I have no internet access, it will generate a one-time authentication code I can enter at the LastPass two-factor prompt.

If you don't have cell or internet access, what are you accessing that needs a password?

If the WiFi network at school is down, for instance, I need to access the hardware over Ethernet to troubleshoot. I have no cellular service at work. It’s actually not unusual for me to have wired network access on my laptop but no WiFi or cellular data.
I would like to propose...that...it is undesirable to believe in a proposition when there is no ground whatever for supposing it true. — Bertrand Russell

Offline daniel1948

  • Stopped Going Outside
  • *******
  • Posts: 5454
  • Cat Lovers Against the Bomb
Re: Changing passwords
« Reply #19 on: November 23, 2017, 03:23:49 PM »
The problem for me with two-factor using the phone is that I go places where I have internet access and want to access web sites, but where there is no cell service. Are there other commonly-used two-factor methods that do not depend on cell service or having USB on the device?

My two-factor authentication method does not require cell service or even Internet on my phone. If I have no internet access, it will generate a one-time authentication code I can enter at the LastPass two-factor prompt.

If you don't have cell or internet access, what are you accessing that needs a password?

If the WiFi network at school is down, for instance, I need to access the hardware over Ethernet to troubleshoot. I have no cellular service at work. It’s actually not unusual for me to have wired network access on my laptop but no WiFi or cellular data.

Okay. Got it. It still doesn't give me a way to have two-factor for me to access web sites from my tablet when I have no cell service. I quit traveling with a laptop years and years ago because of the weight, and a tablet does everything I need when I'm traveling. I've actually thought about setting up two-factor for my banking site and accepting that I won't be able to access it on some of my trips, but so far have not done that since it would mean I could not access my statements or pay bills. My utility bills get paid automatically, but there are still some I have to pay manually.
Daniel
----------------
"Anyone who has ever looked into the glazed eyes of a soldier dying on the battlefield will think long and hard before starting a war."
-- Otto von Bismarck

Offline arthwollipot

  • Stopped Going Outside
  • *******
  • Posts: 5794
  • Observer of Phenomena
Re: Changing passwords
« Reply #20 on: November 23, 2017, 03:38:13 PM »
Does it make those folks more secure to continually change their weak passwords? That is, does changing a weak password regularly, for another weak password, make you any more secure?
Yes, it does, a little bit. Not much, but a little.

I'm not worried that someone might guess the master password. I'm worried about a flaw in the password manager app that allows a hacker to gain control of the program.
Their entire business model is built upon security. If that's flawed, then the company is utterly fucked.

I have the same issue with people who have a problem with cloud services like Dropbox. What if it goes down and I can't access my files? It won't. If it did, the company was technologically incompetent and doesn't deserve to remain in business. It would be like hiring a house painter to paint your house, and they come along and paint half a wall and charge you a thousand bucks. They wouldn't stay in business very long, would they?

In essence, you trust a commercial venture to do their job. LastPass's job is to keep your passwords secure. They do that. If they didn't, they would be out of business faster than you could say "they didn't support their business model with technological competence".

Offline daniel1948

  • Stopped Going Outside
  • *******
  • Posts: 5454
  • Cat Lovers Against the Bomb
Re: Changing passwords
« Reply #21 on: November 23, 2017, 04:02:39 PM »
I trust some companies, but not others. I trust some companies (and people) in some things but not others. I have had friends, for example, who I would trust not to do me harm on purpose, but who I would not trust to drive my car because they are reckless drivers.

I use Dropbox to share photos. I do not depend on them to keep my files secure or backed up. I put photos there so I can give one link to friends, and my friends can always find all my travel pictures there, from oldest to latest, organized by trip.

The fact that LastPass has as its mission and purpose to keep passwords safe is no guarantee that they can do that job. Clearly The Latinist trusts them. But I don't feel I know enough about them to trust them. Honesty and competence are two very different things. A person can be honest but not competent, or the other way around. Or both or neither.

You assert that if they were not competent they would be out of business. Microsoft is proof that this theory does not hold. Very many incompetent companies thrive, for a while. Sometimes they collapse and take their customers down with them. Equifax is still in business!

I'm not asserting that LastPass is not competent. Just that I don't feel I know enough to put my trust in them.

Note also, that with a good-enough password, the odds are vanishingly small that when your account gets hacked, it was because the bad guys got your password. It was probably because they hacked the company you had an account with and got into your account without your password.
Daniel
----------------
"Anyone who has ever looked into the glazed eyes of a soldier dying on the battlefield will think long and hard before starting a war."
-- Otto von Bismarck

Online The Latinist

  • Cyber Greasemonkey
  • Technical Administrator
  • Stopped Going Outside
  • *****
  • Posts: 5374
Re: Changing passwords
« Reply #22 on: November 23, 2017, 04:05:38 PM »
The problem for me with two-factor using the phone is that I go places where I have internet access and want to access web sites, but where there is no cell service. Are there other commonly-used two-factor methods that do not depend on cell service or having USB on the device?

My two-factor authentication method does not require cell service or even Internet on my phone. If I have no internet access, it will generate a one-time authentication code I can enter at the LastPass two-factor prompt.

If you don't have cell or internet access, what are you accessing that needs a password?

If the WiFi network at school is down, for instance, I need to access the hardware over Ethernet to troubleshoot. I have no cellular service at work. It’s actually not unusual for me to have wired network access on my laptop but no WiFi or cellular data.

Okay. Got it. It still doesn't give me a way to have two-factor for me to access web sites from my tablet when I have no cell service. I quit traveling with a laptop years and years ago because of the weight, and a tablet does everything I need when I'm traveling. I've actually thought about setting up two-factor for my banking site and accepting that I won't be able to access it on some of my trips, but so far have not done that since it would mean I could not access my statements or pay bills. My utility bills get paid automatically, but there are still some I have to pay manually.

Sure it does. You install LastPass on your tablet.  When you need to log in, you tap the share sheet (middle button in Safari), tap LastPass, and use your fingerprint or password to authenticate with LastPass.  If your phone is connected to WiFi, a push message pops up on your phone, also over WiFi, and you use your fingerprint to authorize the LastPass login on your tablet and you’re in. If your phone doesn’t have WiFi, you manually open Authenticator on your phone, authorize with your fingerprint, then it generates a unique code that only your phone could generate that is good for just 60 seconds to verify the LastPass login on your tablet.  Once that’s done, it’s just one tap in LastPass on your tablet to fill in the username and password.
I would like to propose...that...it is undesirable to believe in a proposition when there is no ground whatever for supposing it true. — Bertrand Russell
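
Added example, not part of any post in this thread and not LastPass code: how an authenticator app can produce a short-lived login code with no cell or internet connection, as the reply above describes. It assumes the app follows the standard time-based one-time password scheme (RFC 6238); the 60-second period follows the post, the function names are illustrative, and the secret and timestamps are constructed test values.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over an 8-byte big-endian counter, then truncate."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, period: int = 60) -> str:
    """Phone side: the counter is the number of whole periods since the epoch.
    Only the shared secret and a clock are needed, so no network is involved."""
    return hotp(secret, unix_time // period)


def verify(secret: bytes, submitted: str, unix_time: int,
           period: int = 60, drift: int = 1, last_used: int = -1):
    """Server side: return the matching counter, or None if the code is rejected.

    drift     -- periods of clock skew tolerated in either direction
    last_used -- highest counter already accepted, so a code cannot be replayed
    """
    now = unix_time // period
    for counter in range(max(0, now - drift), now + drift + 1):
        if counter <= last_used:
            continue
        expected = hotp(secret, counter)
        if hmac.compare_digest(expected.encode(), submitted.encode()):
            return counter
    return None


# Constructed sample: the RFC 4226 test key stands in for the secret that is
# exchanged once at enrollment (usually by scanning a QR code).
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    t = 60                                    # constructed timestamp
    code = totp(SECRET, t)                    # what the phone displays
    accepted = verify(SECRET, code, t)        # first use is accepted
    print(code, accepted)
    print(verify(SECRET, code, t, last_used=accepted))  # replay is rejected
    print(verify(SECRET, code, t + 180))      # stale code is rejected
```
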

Offline daniel1948

  • Stopped Going Outside
  • *******
  • Posts: 5454
  • Cat Lovers Against the Bomb
Re: Changing passwords
« Reply #23 on: November 23, 2017, 05:43:52 PM »
Is that two-factor to get into the web site, or just two-factor to get into LastPass so that LastPass will send the single-factor password to the web site I want to log in to? I'm not sure I followed all that.

Daniel
----------------
"Anyone who has ever looked into the glazed eyes of a soldier dying on the battlefield will think long and hard before starting a war."
-- Otto von Bismarck

Offline Belgarath

  • Forum Sugar Daddy
  • Technical Administrator
  • Poster of Extraordinary Magnitude
  • *****
  • Posts: 11315
Re: Changing passwords
« Reply #24 on: November 24, 2017, 09:12:42 AM »
The problem for me with two-factor using the phone is that I go places where I have internet access and want to access web sites, but where there is no cell service. Are there other commonly-used two-factor methods that do not depend on cell service or having USB on the device?

On brute-force password guessing, I don't know if they do this, but a simple way to defeat this would be to enforce a one-second wait between guesses. Another that many web sites do use is that after three failed attempts, or some other arbitrary small number, the account is locked. I don't think that iOS uses either for access to phones and tablets. But I'm much less concerned about access to my devices than access to my banking site.

See, that's NOT how a brute force attack on a password works in general.  What happens is generally a weakness in the network infrastructure.  The attacker gets inside the server and downloads the password database.  Now you offline attack the password database using brute force.
#non-belief denialist

Offline Belgarath

  • Forum Sugar Daddy
  • Technical Administrator
  • Poster of Extraordinary Magnitude
  • *****
  • Posts: 11315
Re: Changing passwords
« Reply #25 on: November 24, 2017, 09:14:44 AM »
Has there been any recent study of fraud through brute-force password cracking versus phishing? Were I to enter the criminal life, it would seem phishing would be easier and have a high chance of success (maybe one sucker out of 1000 emails?).

I have seen some really good phishing emails that had to have had some success.

Most of what is going on today is spear phishing or phishing, but you still DO get brute force attacks when they get access to a huge database (such as the Yahoo hack) because once you have the password database, it's more efficient to brute force, effectively playing the odds that someone's password will be 'Password1'.

#non-belief denialist
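
Added example, not part of any post in this thread: the two replies above describe guessing against a stolen password database, where login delays and lockouts no longer apply, so what matters is how the site stored the passwords. The sketch below contrasts unsalted fast hashing with per-user salted PBKDF2; the account names, the third password, the function names and the iteration count are constructed assumptions.

```python
import hashlib
import hmac
import os
from collections import defaultdict


def weak_record(password: str) -> bytes:
    """Storage to avoid: a single unsalted SHA-256 of the password."""
    return hashlib.sha256(password.encode()).digest()


def strong_record(password: str, iterations: int = 600_000, salt: bytes = b""):
    """Random per-user salt plus PBKDF2-HMAC-SHA256; returns (salt, cost, key)."""
    salt = salt or os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, key


def check(password: str, record: tuple) -> bool:
    """Login check: recompute with the stored salt and cost, compare in constant time."""
    salt, iterations, key = record
    return hmac.compare_digest(strong_record(password, iterations, salt)[2], key)


def accounts_sharing_a_value(table: dict) -> list:
    """Audit a credential table for users whose stored value is identical.
    Every such group is exposed by one hash computation if the table leaks."""
    groups = defaultdict(list)
    for user, stored in table.items():
        value = stored[2] if isinstance(stored, tuple) else stored
        groups[value].append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample accounts; only 'Password1' comes from the thread.
SAMPLE = {"alice": "Password1", "bob": "Password1", "carol": "r7#Qw-vT2m!zLx9p"}


def build_tables(iterations: int = 600_000):
    """Store the same accounts both ways so the two tables can be compared."""
    weak = {u: weak_record(p) for u, p in SAMPLE.items()}
    strong = {u: strong_record(p, iterations) for u, p in SAMPLE.items()}
    return weak, strong


if __name__ == "__main__":
    weak, strong = build_tables()
    print("unsalted, identical values:", accounts_sharing_a_value(weak))
    print("salted, identical values:  ", accounts_sharing_a_value(strong))
    print("alice can still log in:    ", check("Password1", strong["alice"]))
```

With salting, every guess has to be recomputed per account at the full iteration cost, which is the only throttle left once the table is outside the site's control.
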

Offline Belgarath

  • Forum Sugar Daddy
  • Technical Administrator
  • Poster of Extraordinary Magnitude
  • *****
  • Posts: 11315
Re: Changing passwords
« Reply #26 on: November 24, 2017, 09:20:27 AM »
Is that two-factor to get into the web site, or just two-factor to get into LastPass so that LastPass will send the single-factor password to the web site I want to log in to? I'm not sure I followed all that.

It can be both, depends on the website.

It's two factor for LastPass.  Think of it this way.  LastPass is a locked vault that you need two keys to get into.  One key is your password.  The other key is your random number from your phone app.

Once you're in LastPass you have access to your passwords for all the different websites that you've saved.  Now SOME of those websites (such as your bank) may allow a second factor too.  So when you use LastPass to get the password, you're still going to need to enter a second factor on those websites.  You'd go to your phone and open the second factor app and use the second factor specifically set up for that website (each website needs its own unique second factor).

#non-belief denialist

Online The Latinist

  • Cyber Greasemonkey
  • Technical Administrator
  • Stopped Going Outside
  • *****
  • Posts: 5374
Re: Changing passwords
« Reply #27 on: November 24, 2017, 09:35:47 AM »
I am personally comfortable using single factor authentication with websites, since I am using long, random passwords that not even I know.  I use two-factor authentication to access LastPass.
I would like to propose...that...it is undesirable to believe in a proposition when there is no ground whatever for supposing it true. — Bertrand Russell

Offline daniel1948

  • Stopped Going Outside
  • *******
  • Posts: 5454
  • Cat Lovers Against the Bomb
Re: Changing passwords
« Reply #28 on: November 24, 2017, 11:48:36 AM »
Well, you guys have answered my original question. As long as I'm satisfied with the security of my passwords (different for each important site) there's no need to change them.

I should probably enable two-factor for my banking site.

Thanks.
Daniel
----------------
"Anyone who has ever looked into the glazed eyes of a soldier dying on the battlefield will think long and hard before starting a war."
-- Otto von Bismarck

Offline Belgarath

  • Forum Sugar Daddy
  • Technical Administrator
  • Poster of Extraordinary Magnitude
  • *****
  • Posts: 11315
Re: Changing passwords
« Reply #29 on: November 24, 2017, 01:47:32 PM »
I am personally comfortable using single factor authentication with websites, since I am using long, random passwords that not even I know.  I use two-factor authentication to access LastPass.

I add 2 factor on my financial sites, but not really anywhere else.
#non-belief denialist
