

18 million reasons to go to two-factor authentication
April 4, 2014 10:22 AM

German authorities have discovered yet another giant database of hacked passwords. The German Federal Office for Information Security says it will have a website allowing people to check if their accounts are affected up and running by Monday. Some 3 million Germans are believed affected; there is no indication that the impact is limited to Germans or Germany. A link to an ARD article on the case is here, in German.
posted by rhombus (26 comments total) 5 users marked this as a favorite

 
This shit isn't hard either. TOTP is an IETF standard, it's well supported by password apps on every platform known to humans, and by open source implementations alike. It's also ridiculously easy to implement on your own.

Not implementing two factor auth on anything serious should be ridiculed for the stupidity that it is.
posted by Talez at 11:32 AM on April 4


I used two factor authentication with Mailchimp for about a year, they even knock 10% off your bill if you enable it, but after repeated situations where I couldn't log in (left phone at home, have to reboot phone to get AlterEgo to connect, distracted user, etc) consistently cut into my productivity I disabled it a few weeks ago and productivity has spiked since. For now I'm sticking with unique, complex passwords until things get easier.
posted by furtive at 11:35 AM on April 4


There has to be a unified way to get 2FA without relying on an internet connection. So far what works is a hardware token. Is it too much to ask for one hardware token to rule them all (at least all the 2FAs I'd ever have to be bothered with)?
posted by popagandhi at 11:44 AM on April 4


That's what TOTP is. It's a standard way to do 2FA that doesn't require an internet connection at all. That's why a few dozen places support it already.
posted by Talez at 11:47 AM on April 4 [1 favorite]
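
The TOTP scheme discussed in the comments above, as an added example that is not part of the original thread: a generator and server-side verifier following RFC 6238 and RFC 4226, using only the Python standard library. The function names, the one-step drift window and the `last_used` replay check are choices made for this sketch; the secret is the RFC 6238 test key.

```python
import hashlib
import hmac
import struct
import time

def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # low nibble of the last byte selects 4 bytes of the MAC
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(key: bytes, now=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP whose counter is the number of `step`-second intervals since the epoch.
    Needs only a shared secret and a clock, so no network connection is involved."""
    now = time.time() if now is None else now
    return hotp(key, int(now) // step, digits)

def verify(key: bytes, submitted: str, last_used: int, now=None,
           step: int = 30, window: int = 1, digits: int = 6):
    """Server-side check. Returns the matched counter, or None if the code is rejected.

    Accepts codes from `window` steps either side of the current one to absorb clock
    drift, and refuses any counter <= last_used so a captured code cannot be replayed.
    The caller stores the returned counter as the account's new last_used value."""
    now = time.time() if now is None else now
    current = int(now) // step
    matched = None
    for counter in range(current - window, current + window + 1):
        if counter < 0 or counter <= last_used:
            continue
        expected = hotp(key, counter, digits).encode()
        # Constant-time comparison; keep looping so timing does not reveal which step matched.
        if hmac.compare_digest(expected, str(submitted).encode()) and matched is None:
            matched = counter
    return matched

# Constructed demo input: the shared secret from the RFC 6238 test vectors.
KEY = b"12345678901234567890"

if __name__ == "__main__":
    code = totp(KEY, now=59)
    print("code at t=59:", code)
    print("first use   :", verify(KEY, code, last_used=-1, now=59))
    print("replay      :", verify(KEY, code, last_used=1, now=59))
```
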


We really, really need to stop using passwords as a means of user authentication. They do not work. Two factor is an improvement, but is inconvenient and still requires a password. Some sort of federated identity proof like OpenID, OAuth Connect, or Mozilla Persona (RIP) is the right solution. The technical problem is mostly solved, the real problem is product + politics.
posted by Nelson at 11:53 AM on April 4 [1 favorite]


Xbox password flaw exposed by five-year-old boy
A five-year-old boy who worked out a security vulnerability on Microsoft's Xbox Live service has been officially thanked by the company.

Kristoffer Von Hassel, from San Diego, figured out how to log in to his dad's account without the right password.

Microsoft has fixed the flaw, and added Kristoffer to its list of recognised security researchers.
(As far as I can tell this is neither the Onion nor an April Fool's joke)
posted by Golden Eternity at 12:07 PM on April 4 [3 favorites]


They have Targets in Germany?
posted by drezdn at 12:07 PM on April 4 [1 favorite]


"We really, really need to stop using passwords as a means of user authentication. They do not work."

In addition: am I the only one who is getting really tired of making accounts and passwords for things? So. Many. User. Accounts. This is probably how we all are going to end up with the Mark Of The Beast, or login everywhere with Facebook.
posted by thelonius at 12:39 PM on April 4 [2 favorites]


thelonius: "In addition: am I the only one who is getting really tired of making accounts and passwords for things? So. Many. User. Accounts. This is probably how we all are going to end up with the Mark Of The Beast, or login everywhere with Facebook."

Of course not. Just check out this new hot startup.
posted by pwnguin at 2:17 PM on April 4 [1 favorite]


Nelson: "The technical problem is mostly solved, the real problem is product + politics."

Of course it is, all you have to do is Login with Facebook™!

The battle for which identity provider will rule them all is so lucrative for the winner and so destructive to the losers that fighting it isn't worthwhile to the entities capable of making a difference.
posted by fireoyster at 3:46 PM on April 4 [1 favorite]


Maybe someone can design a protocol such that to be a provider, you are also actually required to be a consumer (and clients would check this).

For now I just use pwdhash.
posted by miyabo at 3:58 PM on April 4


Google Authenticator works fine without an internet connection.
posted by odinsdream at 4:00 PM on April 4


"They have Targets in Germany?"

They are painted on the Giants who run databases.
posted by srboisvert at 4:25 PM on April 4 [2 favorites]


"The battle for which identity provider will rule them all is so lucrative"

Yeah, that's why OpenID allows anyone to be the identity provider, and is eight+ years old. It's really not a hard technical problem. Sadly it is a hard product problem, and there's no political incentive for the leading Internet companies to try to solve it. I used to think there'd be a role for the government to provide online identity, but thanks to Snowden we now know that's impossible in the US. It more or less works in Estonia though.
posted by Nelson at 6:10 PM on April 4


The only reason I haven't enabled two-factor authentication is that international SMS messages cost me money, and google doesn't say what country the texts will originate from (I'm betting the US), so no, I'd rather not pay money whenever I decided to log into google calendar from an equipment computer to book XRD time. Well the main reason, anyway.

Also: Letting me log in with OpenID is a great idea. Now make it so I can sync multiple OpenID accounts to one main one, in case one of those providers shuts down (say, Flickr), or I lose access to that account via a lost password or something.
posted by Canageek at 8:03 PM on April 4


Canageek - the Google 2-factor authentication also works offline if you have an android, iphone, or blackberry. No need for an SMS after the initial setup. During setup you also get 10 one-time passwords you can use if you don't have your phone with you.
posted by bh at 6:08 AM on April 5


Yes, just enable it then change to the application instead of SMS. There's really no good reason to avoid enabling it.
posted by odinsdream at 6:09 AM on April 5


Every time something like this happens, somebody will waste no time having a bit of a foam about how passwords are now a totally broken concept and how we're all on the edge of moving to the Next Great Authentication Scheme and what a good idea that is and on and on and on and frankly:

YAWN

People who care about personal security already use password management software (KeePass, Password Safe, 1Password, Lastpass, endless others), and let the software create and store a unique long random password for each service requiring an account. This works just fine, and has done for at least ten years. People who use password management software as it's designed to be used don't get their accounts breached unless the account provider is doing something brain-dead like storing passwords in plain text - and even if that happens, it doesn't affect any of their other accounts.

Then there's the majority, who can't be arsed thinking about personal security until after they've suffered a security breach. These are the people who think it's clever to use the word PASSWORD as the password for all their services, spelt with fives instead of esses for their online banking if they're extra cunning, and then wonder why their friends keep complaining about the amount of spam they appear to be sending out.

These folks would also much rather piss and moan endlessly about how hard it is to remember all the different passwords we seem to need these days than to spend the half hour it takes to get comfortable with some password management package and just solve the problem once and for all.

It doesn't matter in the slightest how technically excellent the Next Great Authentication Scheme is, because (a) strong passwords are already quite secure enough; (b) the kind of person who already can't be arsed using strong unique machine-generated passwords is also going to find some convenience-prioritizing method for fucking up the NGAS as well; (c) any outfit brain-dead enough to store your present password in some retrievable form can't be trusted to look after your security fob keys effectively either.

There is no foolproof method, because there are so many fools and the fools are so ingenious. Don't be one. Use password management software.
posted by flabdablet at 9:45 AM on April 5 [1 favorite]


I use Lastpass and have been using it for about three years. It definitely helps and is the best option users have today. It's not a good system though.

The Lastpass agent is a messy compromise. The authentication "protocol" is basically HTML forms, with Lastpass trying to guess which box is the username box. It breaks on various websites, like the appointment site for the guy who cuts my hair, so I have to clumsily copy the password out of my vault and paste it in by hand. And while Lastpass works well enough on desktop browsers, it's a complete failure on the iPhone because Apple doesn't allow plugins for Mobile Safari. So I'm back to copy-and-paste. And typing strong passwords on a mobile keyboard is another fiasco, the contortions required to type capitals and symbols.

Also the password agents create a new kind of security risk, the security of the password store itself. With LastPass that's stored in their cloud server somewhere. It's encrypted and I more or less trust them, but it makes me nervous. And while my passwords are unique and strong, they are shared secrets with the client websites. A public key authentication system where the site I'm logging into never knows the secret itself would be much safer.

I also think you're overlooking the systemic risk of the 98% of the world who uses "passw0rd" as their password everywhere. It makes every website weak because they cannot reliably trust that their users are who they say they are. You can blame the user for weak passwords but it's still the site's problem to have to deal with all the hacked accounts.
posted by Nelson at 9:54 AM on April 5


Most of the things you list as being wrong with Lastpass are exactly why I personally use KeePass.

KeePass doesn't need to guess which is the username box; it relies on you clicking in there before bringing KeePass back to the front and doing Ctrl-V to trigger an auto-type. The auto-type sequence is usually {username}{TAB}{password}{ENTER} but you can set it per site if the default doesn't work.

It's really only Google that wants me to play stupid copy+paste games to get my password into their site, because they're really insistent on not signing out properly, but Private Browsing generally deals with that.

I like that KeePass keeps the site URL as well as the login credentials and will open the browser for me to the site I want to log in to, meaning that I don't need to worry about getting suckered into entering genuine credentials into a fake site.

I'm happy with thousands of rounds of AES to keep the password database itself secure, and I'm happy that the password database is just a small file I can carry around on a μSD card and manage my own backups of. I cannot imagine being happy to trust such a central piece of my security architecture to an online provider.

"while Lastpass works well enough on desktop browsers, it's a complete failure on the iPhone because Apple doesn't allow plugins for Mobile Safari."

Apple's commitment to security theatre is second to none.

"So I'm back to copy-and-paste. And typing strong passwords on a mobile keyboard is another fiasco, the contortions required to type capitals and symbols."

I've gone over to using passwords consisting of five space-separated groups of five randomly selected lowercase letters for precisely that reason. The fly in the ointment is, as ever, Apple: an AppleID password must contain at least one digit, at least one uppercase letter, and no spaces. So the 117 bits of entropy my preferred scheme gets me is no good, but Apple1234 is just fine.

"And while my passwords are unique and strong, they are shared secrets with the client websites. A public key authentication system where the site I'm logging into never knows the secret itself would be much safer."

If all they're storing is a properly salted hash of your password, as they should be, then they don't know the secret itself.
posted by flabdablet at 10:37 AM on April 5


I have an encryption key I use for everything that allows it. I've never written down the incredibly long passphrase and never will. Professional internet people at my office think I'm nuts when I rattle it off at 100+ WPM to log into things over ssh/scp. It pains me that I can't get similar security on my banking web sites.

and don't even ask me about my wireless passphrase
posted by davejay at 10:46 PM on April 5


OK, I'll bite: what does your wireless passphrase score on zxcvbn?

The test on that demo page is browser-local, by the way. Disable your network connection before playing with it if you like but it doesn't send anything over the wire anyway.

For comparison purposes, it rates my own WPA2 password at 99 bits of entropy and my KeePass master password at 92. One of those is mixed lowercase alphabetic and numeric, the other is mixed uppercase and lowercase alphabetic. Both were randomly generated.

When I'm teaching my customers how to use KeePass, I encourage them to generate a master password that scores at least 80 bits on that test, which I think works a little better than the rating system built into KeePass itself. Quite often this is most easily achieved by concatenating two of the strongest passwords they're already using.
posted by flabdablet at 4:34 AM on April 6


Thanks everyone, I've now set up 2-factor with google. I didn't know you didn't have to use SMS for everything.
posted by Canageek at 1:41 PM on April 7


flabdablet: Interesting, my Google one only gets about 6 hours, but the LastPass one I use gets entropy: 95.3, crack time (seconds): 2.4383748955776875e+24, crack time (display): centuries

So I'm guessing that is a good method I use.
posted by Canageek at 1:45 PM on April 7


If anyone is using that password tester, it isn't that great; I tried some Klingon words from Wikipedia, and they all got centuries, when I know anything on Wikipedia is broken from the Ars article. Also a dictionary word with 1 2 3 and so on between each letter was also reported as broken.
posted by Canageek at 3:46 PM on April 17


Zxcvbn is pretty good as these things go. None of them are truly reliable. The one that Apple uses for Apple IDs, which rejects zgvwk aqzfe ptmhx yrpzy dqfxd but gives the nod to Apple1234, is particularly awful.

Anybody relying on the result from any password tester, as opposed to using only unique machine-generated random passwords with at least 80 bits of entropy as a matter of consistent policy, is doing it wrong.
posted by flabdablet at 4:37 AM on April 19
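
The password scheme and the 80-bit policy described in the comments above, as an added example that is not part of the original thread: it generates five space-separated groups of five random lowercase letters, computes the entropy of that generation process, and applies the composition rule as the comment states it (at least one digit, at least one uppercase letter, no spaces). The function names are made up for this sketch, and the rule check reflects the comment's description only.

```python
import math
import secrets
import string

def grouped_password(groups: int = 5, group_len: int = 5,
                     alphabet: str = string.ascii_lowercase) -> str:
    """Groups of uniformly random letters drawn from the OS CSPRNG, joined by spaces.
    The spaces are fixed separators for easier typing and add no entropy."""
    return " ".join(
        "".join(secrets.choice(alphabet) for _ in range(group_len))
        for _ in range(groups)
    )

def generated_entropy_bits(symbols: int, alphabet_size: int) -> float:
    """Entropy of the generation process: each uniform independent symbol adds log2(N) bits.
    This is a property of how the password was produced, not of any particular string."""
    return symbols * math.log2(alphabet_size)

def symbols_needed(target_bits: float, alphabet_size: int) -> int:
    """Smallest number of random symbols that reaches the target entropy."""
    return math.ceil(target_bits / math.log2(alphabet_size))

def passes_composition_rule(password: str) -> bool:
    """The rule as described in the thread: a digit, an uppercase letter, and no spaces."""
    return (any(c.isdigit() for c in password)
            and any(c.isupper() for c in password)
            and " " not in password)

if __name__ == "__main__":
    pw = grouped_password()
    print("generated      :", pw)
    print("entropy (bits) :", round(generated_entropy_bits(25, 26), 1))
    print("letters for 80 :", symbols_needed(80, 26))
    # The rule rejects the high-entropy random password and accepts a guessable one,
    # because it inspects character classes rather than how the password was produced.
    for candidate in (pw, "Apple1234"):
        print(repr(candidate), "accepted" if passes_composition_rule(candidate) else "rejected")
```
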




This thread has been archived and is closed to new comments