6Password9 DNA1970
June 26, 2016 11:36 AM

An analysis of a worst-case scenario password database reveals patterns. The dataset in question comes from a service where the original programmer created their own "encryption" for storing passwords. Before the site fully converted their password storage to bcrypt, they were hacked. Having access to all the passwords instead of just the "easy" ones allows for additional demographic analysis. Some factoids below the cut:

  • "123456" and "password" are ridiculously common across most demographics.
  • Politicians and people with over $125K annual income have slightly better passwords.
  • Only 2.9% of passwords have a "special character." Only 0.6% of passwords have a capital letter.
  • People who start their password with a number usually end their password with a number.
  • Four-number sequences at the end of passwords fall into the range 1900-2013.
These patterns can be programmed into a cracking system such as hashcat. The author concludes:
Although there were few specific patterns and processes that were able to be linked to specific demographics, this result is in a way even more damning. A malicious actor can successfully assume the same techniques and patterns for any data set they were to come upon and be successful at revealing a large percentage of passwords.
posted by CBrachyrhynchos (108 comments total) 31 users marked this as a favorite
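The patterns the post lists can be checked from the defender's side as well: the audit below, an added example that is not part of the post or the linked analysis, flags each pattern on a list of constructed sample passwords and reports the same kind of percentages the analysis gives. It assumes "special character" means anything outside letters and digits (the post does not define it) and uses the 1900-2013 year window the post reports; both are parameters.

```python
import re
from collections import Counter

# Constructed sample passwords written in the style the post describes;
# they are NOT drawn from the analysed database.
SAMPLE_PASSWORDS = [
    "123456", "password", "noah2010", "1qaz2wsx", "summer2013",
    "Tr0ub4dor&3", "letmein", "7qwerty7", "iloveyou",
    "correct horse battery staple",
]

# The two guesses the post singles out as common across every demographic.
TOP_GUESSES = {"123456", "password"}

# Assumption: a "special character" is anything that is not a letter or digit.
SPECIAL_RE = re.compile(r"[^A-Za-z0-9]")
TRAILING_4DIGITS_RE = re.compile(r"(\d{4})$")


def classify(pw, year_range=(1900, 2013)):
    """Return the set of labels, taken from the post's findings, that pw exhibits."""
    tags = set()
    if pw in TOP_GUESSES:
        tags.add("top-guess")
    if not SPECIAL_RE.search(pw):
        tags.add("no-special")
    if not re.search(r"[A-Z]", pw):
        tags.add("no-capital")
    # Starts with a digit AND ends with a digit: the bookend habit.
    if pw[:1].isdigit() and pw[-1:].isdigit():
        tags.add("digit-bookends")
    # A four-digit suffix inside the year window is almost always a year.
    m = TRAILING_4DIGITS_RE.search(pw)
    if m and year_range[0] <= int(m.group(1)) <= year_range[1]:
        tags.add("trailing-year")
    return tags


def audit(passwords, year_range=(1900, 2013)):
    """Count how many passwords in a list exhibit each pattern."""
    counts = Counter()
    for pw in passwords:
        counts.update(classify(pw, year_range))
    return counts


def shares(passwords, year_range=(1900, 2013)):
    """Express the audit as percentages, the way the post reports its figures."""
    counts = audit(passwords, year_range)
    n = len(passwords)
    return {tag: round(100.0 * c / n, 1) for tag, c in sorted(counts.items())}


if __name__ == "__main__":
    for pw in SAMPLE_PASSWORDS:
        print(f"{pw!r:32} {sorted(classify(pw))}")
    print(shares(SAMPLE_PASSWORDS))
```

Run at registration, where the plaintext is briefly available, a check like this can warn users about a predictable choice without imposing the composition rules criticised later in the thread.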
 
I'm always fascinated by the insights data like this yields about the service that was hacked, and the probable issues with "cleanliness" or the accuracy of any inferences we could make about their users. For instance, for users with occupation in "insurance" we see the second most common password is noah2010, with 72 distinct users. What does this mean? It seems highly unlikely that 72 users actually chose that password, and so we can draw one of two conclusions: the data is noisy and corrupted by redundant or irrelevant rows in the database, or (as was very likely in the big dating site hacks) some individual actually created 72 accounts using the same password- what were their motives? Were they up to something nefarious? Was it an employee creating test accounts? Fake accounts to boost the illusion of a thriving user base (hi, reddit)?
posted by simra at 11:49 AM on June 26, 2016 [5 favorites]


Cr!b4by\/\/aaah

Nah, most secure password I ever used was a white hat friend of mine's ex-wife's name in the form of 'Ilove{her name here}'. I even told him the password once and he still refused to type it in. That's what he gets for repeatedly setting me up with virtual server passwords where I had to type in various farm animal sexual suggestions as my default user password.
posted by Nanukthedog at 11:57 AM on June 26, 2016 [7 favorites]


For instance, for users with occupation in "insurance" we see the second most common password is noah2010, with 72 distinct users.

I'd like to assume that people who work in insurance were prone to naming their year-2010 newborns "Noah." (Why isn't there an insurance company with a Noah's ark logo?)
posted by nobody at 12:01 PM on June 26, 2016 [7 favorites]


For what it's worth you can avoid this embarrassment by using a password manager that will generate strong unique passwords for you.

As well, if you try to sign up for some site or service that puts some arbitrary restriction on the content of the password (You can't use spaces, special characters, whatever) then you can save yourself a lot of agony by closing the tab and shopping elsewhere.
posted by mhoye at 12:09 PM on June 26, 2016 [20 favorites]


As well, if you try to sign up for some site or service that puts some arbitrary restriction on the content of the password (You can't use spaces, special characters, whatever) then you can save yourself a lot of agony by closing the tab and shopping elsewhere.

Even moreso if the arbitrary restriction is password length. 10 chars max password length? I'm the fuck outta there. Even 20 isn't really sufficient.
posted by deadaluspark at 12:13 PM on June 26, 2016 [5 favorites]


And if that's not bad enough, some companies are enforcing terrible passwords by disabling the ability to paste in the password field.
posted by SansPoint at 12:14 PM on June 26, 2016 [47 favorites]


All of my passwords are in Enochian. Not only are there loads of special characters, if you fail to get the password right in three tries, my Holy Guardian Angel shows up for a "chat."

Now that I've written this, I may switch to Aklo.
posted by GenjiandProust at 12:16 PM on June 26, 2016 [24 favorites]


I suppose the worst case scenario involves plaintext password storage. But evidently the database in question may just as well have been using plaintext since the encoding was 1) reversible and 2) trivially broken.
posted by CBrachyrhynchos at 12:17 PM on June 26, 2016 [1 favorite]


I have run into a case of where hundreds of individuals created the same password on their own. I used to run dictionary crackers against salted password hashes in a unix environment for fun back in the early 90's before shadowing was much of a thing. I once had the occasion to note that the man page for the password command had been customized for a particular environment. The person who wrote the man page chose to include a sample password. Vaguely amused, I emptied my dictionary and replaced it with that single example and got hundreds of hits.

So while your scenario (one person, 70+ accounts) seems the most likely, it's also quite possible that individuals were somehow directed to use the same password either directly or accidentally. Over the years I've read many bits of advice on generating memorable passwords and it can be easy to reverse engineer the advice into a useful dictionary. Some less than security savvy person might tell people in a security memorandum to use their favorite movie and the year it came out (Noah2010) and then the nefarious person can use that advice against them. As I said, it's doubtful that it happened in this case, but it is one of the many ways that nefarious individuals can use attempts at security hygiene against a class of users.
posted by xyzzy at 12:20 PM on June 26, 2016 [13 favorites]


My best guesses from a quick search:

* the Toyota Noah (in Japan)
* the announcement that a Chinese expedition claimed to find Noah's Ark
posted by CBrachyrhynchos at 12:28 PM on June 26, 2016


I hate it when I run into arbitrary limits. There is a site I have to use (work) where the password has to be between 8 and 12 characters (the symbol or number cannot be the first character).

If they wanted to help hackers, this is the way to do it.
posted by AlexiaSky at 12:35 PM on June 26, 2016 [2 favorites]


The most annoying limit I had was when a password field wouldn't accept vowels.
posted by jeather at 12:44 PM on June 26, 2016 [3 favorites]


My goddamn 401k provider has restrictions on special characters. And they are not a small company either.
posted by soren_lorensen at 12:45 PM on June 26, 2016 [4 favorites]


Also most security questions block my answer to my high school mascot, which as a Canadian I find offensive. (Beaver.)
posted by jeather at 12:47 PM on June 26, 2016 [13 favorites]


I make all of my passwords disgusting combinations of bodily functions so that they are so vile even machines do not want to think about them.
posted by 4ster at 12:48 PM on June 26, 2016 [4 favorites]


And if that's not bad enough, some companies are enforcing terrible passwords by disabling the ability to paste in the password field.

This is how I got to the point where, when someone says something is done or not done "for security reasons" it makes me immediately suspect that they are an idiot...this goes back to seeing a bank website insist I use IE 6 "for security", which usually meant, "we told them they needed to budget to test for different browsers and they said, I know how we can not pay for that, let's just require IE".
posted by thelonius at 12:49 PM on June 26, 2016 [9 favorites]


My favorite is being forced into using some work essential "enterprise" piece of shit that has character and length restrictions on its passwords, then constantly forgetting your password for it because all of the hoops you had to jump through for it break your usual method for password creation and you don't use it often enough to remember what the compromised result was.
posted by Artw at 12:49 PM on June 26, 2016 [18 favorites]


If I ever work in IT I will require at least one of those raise-your-dongers character sets in every password.

ᕕ(ツ)ᕗ WORKING TOGETHER ⎝༼`o`༽⎠ TO BUILD └[☼ᗜ☼]┘ A MORE SECURE COMPANY ┬─┬ノ(ಠ_ಠノ)
posted by delfin at 12:49 PM on June 26, 2016 [31 favorites]


thelonius - it seems like my mother in law is constantly having to do dumb online "training" exercises that require an old IE, flash and Java and every time I have to run around trying to patch together a machine that's broken enough to actually run it. Presumably if they actually give employees laptops with that setup it'll die immediately of malware.
posted by Artw at 12:52 PM on June 26, 2016 [2 favorites]


then constantly forgetting your password for it because all of the hoops you had to jump through for it break your usual method for password creation

I had to actually create a code system for me to be able to physically write these ones down in a notebook without it being completely obvious that I have a notebook full of passwords.
posted by soren_lorensen at 12:53 PM on June 26, 2016 [3 favorites]


All of my passwords are phrases from Chuck Tingle novels. I've received complaints from our security team about excessive use of the pound character.
posted by nfalkner at 12:53 PM on June 26, 2016 [49 favorites]


Question: do brute force attacks have full unicode support? I have always assumed so but it would be interesting to know.
posted by Foci for Analysis at 12:54 PM on June 26, 2016


I assume he's already done Pounded in the Butt by the Pound Character?
posted by Artw at 12:55 PM on June 26, 2016 [3 favorites]


I eventually gave up my 10-digit ATM PIN because although most machines had no problem with it, the ones that failed were often in very annoying circumstances.

(I chose length=10 to overflow most people's short term memory.)
posted by ryanrs at 12:55 PM on June 26, 2016 [2 favorites]


#edinthebuttbythe£
posted by poffin boffin at 12:56 PM on June 26, 2016 [26 favorites]


My goddamn 401k provider has restrictions on special characters. And they are not a small company either.

Last I checked, Fidelity's password restriction was: 12 or fewer characters, only letters and numbers. But it gets worse. In order to be compatible with online dialing, any character you type (whether upper or lower case) is converted to its equivalent number on a phone pad. This <= 12 digit number also works online, so basically you're choosing an 8-12 digit number whether you realize it or not. It's just the entropy is probably lower than a random 8-12 digit number, because you probably chose letters that "mean something".
posted by Humanzee at 12:58 PM on June 26, 2016 [4 favorites]
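The collapse described in that comment, worked through as an added example (not code from the thread or from any provider): it maps a letters-and-digits password to the digit string a phone pad would send, counts how many other alphanumeric strings the same check would accept, and compares the nominal and effective key sizes. The keypad layout is the standard one; the policy behaviour is taken as stated in the comment.

```python
import math

# Standard telephone keypad letter groups (the ITU E.161 layout).
KEYPAD = {
    "2": "abc", "3": "def", "4": "ghi", "5": "jkl",
    "6": "mno", "7": "pqrs", "8": "tuv", "9": "wxyz",
}
LETTER_TO_DIGIT = {ch: d for d, letters in KEYPAD.items() for ch in letters}


def to_keypad_digits(password):
    """Collapse a letters-and-digits password to the digits a phone pad would send.

    Case is discarded first, as the comment describes. Anything outside
    [A-Za-z0-9] is rejected because the policy in question does not allow it.
    """
    out = []
    for ch in password.lower():
        if ch.isdigit():
            out.append(ch)
        elif ch in LETTER_TO_DIGIT:
            out.append(LETTER_TO_DIGIT[ch])
        else:
            raise ValueError(f"{ch!r} is not allowed by a letters-and-digits policy")
    return "".join(out)


def collision_class_size(password):
    """How many distinct case-sensitive alphanumeric strings verify as this password.

    Each output digit can be produced by the digit itself or by any letter on
    that key in either case, so the choices per position are 1 + 2 * len(letters).
    Keys 0 and 1 carry no letters, so those positions contribute a factor of 1.
    """
    size = 1
    for d in to_keypad_digits(password):
        size *= 1 + 2 * len(KEYPAD.get(d, ""))
    return size


def nominal_bits(length):
    """Entropy of a uniformly random string over [A-Za-z0-9] of this length."""
    return length * math.log2(62)


def effective_bits(length):
    """Entropy left once only the digit string is checked: 10 symbols per position."""
    return length * math.log2(10)


if __name__ == "__main__":
    pw = "password"
    print(pw, "->", to_keypad_digits(pw))
    print("strings accepted as equal:", collision_class_size(pw))
    print(f"12 chars: nominal {nominal_bits(12):.1f} bits, effective {effective_bits(12):.1f} bits")
```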


Yes, Chuck Tingle has written about the Pound.

POUNDED BY THE POUND: TURNED GAY BY THE SOCIOECONOMIC IMPLICATIONS OF BRITAIN LEAVING THE EU
posted by idiopath at 1:03 PM on June 26, 2016 [14 favorites]


assume he's already done Pounded in the Butt by the Pound Character?

£ed in the * by the £

Which is also the official hashtag for Brexit
posted by zippy at 1:04 PM on June 26, 2016 [8 favorites]


lI|||lll11II1Il|lI!

I hope your font rendered that accurately.

But seriously, people who don't use Lastpass, Onepass or Keepass these days mystify me.
posted by T.D. Strange at 1:06 PM on June 26, 2016 [7 favorites]


Of the 18.2+ million records, about 1000 of them used any kind of unicode.

Given the resulting combinatorial explosion and low reward I doubt brute forcers bother with them much.
posted by Artw at 1:10 PM on June 26, 2016


As a mysterious person who doesn't use any of those password services, can you explain why I should trust those companies to securely handle all my passwords? It's not a rhetorical question - I'd like to be convinced, as it does seem like it would be convenient.
posted by Salvor Hardin at 1:10 PM on June 26, 2016 [13 favorites]


“You Need A Password Manager,” April Glaser, Wired, 24 January 2016
posted by ob1quixote at 1:21 PM on June 26, 2016 [4 favorites]


You can use password safe, which lets you keep the encrypted file locally. You can sync it via Dropbox or GDrive (etc) and run it on a variety of machines (Windows, Mac, Linux, iOS, Android). The algorithm is open source and the encryption is strong enough that it should not be possible for an adversary to crack, even if they get access to the file.
posted by Humanzee at 1:26 PM on June 26, 2016 [4 favorites]


idiopath: "Yes, Chuck Tingle has written about the Pound.

POUNDED BY THE POUND: TURNED GAY BY THE SOCIOECONOMIC IMPLICATIONS OF BRITAIN LEAVING THE EU"

Fuxit!
posted by chavenet at 1:27 PM on June 26, 2016 [5 favorites]


This erotic tale is 4,200 words of sizzling human on monetary unit action, including anal, blowjobs, rough sex, cream pies and living pound love.

I have wasted my life.
posted by chavenet at 1:29 PM on June 26, 2016 [16 favorites]


Question: do brute force attacks have full unicode support? I have always assumed so but it would be interesting to know.

Sure, you can bruteforce anything, it's just going to take exponentially longer the more possible characters you have to try. Lowercase letters (26 characters) vs full unicode (1,114,112 characters).
posted by dilaudid at 1:29 PM on June 26, 2016


So I read that Wired article, and immediately saw this about their first recommendation:
LastPass was hacked recently ... a breach that exposed user email addresses, password hints, and encrypted master passwords, but the company appears to have responded promptly and the majority of users were protected. And earlier this month a security researcher unveiled another hole in the app’s security that may allow attackers to obtain personal details via a phishing attack by simulating the login sequence, and again the company responded promptly reporting that the process of email verification protects users from this vulnerability.

Which is exactly why I have trouble trusting this kind of password manager. If it's local to my laptop, what happens if my laptop is stolen or dies? if it's in the cloud, wouldn't every hacker focus all their hacking efforts on that database as a one-stop shopping center?

As Zhuangzi wrote in "Cracking the Safe" (300 BCE):

For security against robbers who snatch purses, rifle luggage, and crack safes,
One must fasten all property with ropes, lock it up with locks, bolt it with bolts.
This (for property owners) is elementary good sense.
But when a strong thief comes along he picks up the whole lot,
Puts it on his back, and goes away with only one fear:
That ropes, locks, and bolts may give way.
Thus what the world calls good business is only a way
To gather up the loot, pack it, make it secure
In one convenient load for the more enterprising thieves.

posted by msalt at 1:41 PM on June 26, 2016 [37 favorites]


if it's in the cloud, wouldn't every hacker focus all their hacking efforts on that database as a one-stop shopping center?

I can only speak about 1Password, since it's the manager I use. Even if someone does manage to compromise whatever cloud service you're using to sync your vault and snag your password vault, they're still stuck with an encrypted file they need *another* password to unlock. They could try cracking it by using automated guessing, but the developers of 1Password have taken steps to make sure that won't work very well. As long as you don't give your vault a weak password (and 1Password has good suggestions for how to avoid that), you're pretty safe. (Bearing in mind that the only secure computer is one that's turned off.)
posted by asterix at 2:06 PM on June 26, 2016 [2 favorites]


If it's local to my laptop, what happens if my laptop is stolen or dies?

I use KeePass, so maybe things are different with other password managers, but...

If your laptop / tablet / phone has encrypted storage and some sort of password lock, they have to brute force your login password or pattern or whatever to get access to the password database. That's hard to do with a reasonably secure password, especially if the OS locks you out after so many attempts. Once they get in, then they need the encryption passphrase -- sometimes people store that in the login keychain of their device if they think that's secure enough and don't want to have to unlock the password database every time, but for the security-minded who can remember two secure passwords, that's another hurdle.

if it's in the cloud, wouldn't every hacker focus all their hacking efforts on that database as a one-stop shopping center?

Sure, but in the hack you cited, they only got the encrypted master passwords, which take forever to brute force given the way LastPass salted them. The hackers also got emails and such, which sucks for privacy, but doesn't approach a compelling case against using password managers.
posted by tonycpsu at 2:06 PM on June 26, 2016 [2 favorites]


Lastpass gets an encrypted blob that you can set to be arbitrarily difficult to brute force, although setting your PBKDF2 rounds to a humanly significant fraction of a second on a workstation may take forever on a phone. Hopefully your master password isn't one that's vulnerable to a dictionary attack. There's software that will do the same thing with a file that never has to see the internet at all if that's your preference. If you lose the file, you spend an afternoon requesting password resets.

But most of the alternatives are even worse. Human psychology is shit when it comes to randomness. The state of the art of password cracking can throw almost every word or phrase in the culture of a language at the problem, along with 90% of the clever ideas for adding "randomness" to a password. The patterns recovered from previous hacks are fed into the next cycle. Almost all of the clever tricks for creating pseudorandom memorable passwords have been broken.

So either we tell people to learn, master, and practice a memory trick on the order of being able to read back half a deck of shuffled cards for every site, or we tell people to use a password manager.
posted by CBrachyrhynchos at 2:27 PM on June 26, 2016 [5 favorites]
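The trade-off in that comment, iteration count against unlock time on slower hardware, as an added example (not the thread's code and not how any particular password manager is built): it times PBKDF2-HMAC-SHA256 on the current machine, picks an iteration count for a target delay, derives a vault key from a master password, and estimates what the same count costs on a device that is some factor slower. The 100,000-iteration floor and the slowdown factor are assumptions for the example.

```python
import hashlib
import hmac
import os
import time

HASH_NAME = "sha256"
KEY_LEN = 32
# Assumed floor for the example; tune to current guidance, never below it.
MIN_ITERATIONS = 100_000


def measure_per_iteration(probe_iterations=20_000):
    """Time a short PBKDF2 probe and return the cost of one iteration in seconds."""
    salt = os.urandom(16)
    start = time.perf_counter()
    hashlib.pbkdf2_hmac(HASH_NAME, b"probe", salt, probe_iterations, KEY_LEN)
    return (time.perf_counter() - start) / probe_iterations


def calibrate_iterations(target_seconds, per_iteration):
    """Iteration count costing about target_seconds here; PBKDF2 cost is linear."""
    return max(MIN_ITERATIONS, int(target_seconds / per_iteration))


def derive_vault_key(master_password, salt, iterations):
    """Derive the key that would protect the vault from the master password."""
    return hashlib.pbkdf2_hmac(
        HASH_NAME, master_password.encode("utf-8"), salt, iterations, KEY_LEN
    )


def make_verifier(master_password, iterations):
    """Simplified stand-in for a vault header: salt, iteration count, derived key."""
    salt = os.urandom(16)
    return {
        "salt": salt,
        "iterations": iterations,
        "key": derive_vault_key(master_password, salt, iterations),
    }


def check_master_password(verifier, candidate):
    """Re-derive with the stored parameters and compare in constant time."""
    key = derive_vault_key(candidate, verifier["salt"], verifier["iterations"])
    return hmac.compare_digest(key, verifier["key"])


def unlock_seconds_on_slower_device(iterations, per_iteration_here, slowdown):
    """Estimated unlock time on a device `slowdown` times slower than this one."""
    return iterations * per_iteration_here * slowdown


if __name__ == "__main__":
    per_iter = measure_per_iteration()
    iters = calibrate_iterations(0.25, per_iter)
    print(f"{iters} iterations for ~0.25 s here")
    # Assumed slowdown factor for an older phone relative to this workstation.
    print(f"~{unlock_seconds_on_slower_device(iters, per_iter, 10):.1f} s on a 10x slower device")
    header = make_verifier("correct horse battery staple", iters)
    print("unlock ok:", check_master_password(header, "correct horse battery staple"))
```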


I suppose the hashpass solution is still viable, but I was always running into problems with redirects, the browser extensions turned out to be vulnerable, and forced password changes meant that I had to remember multiple password/site relationships anyway.
posted by CBrachyrhynchos at 2:49 PM on June 26, 2016


My goddamn 401k provider has restrictions on special characters. And they are not a small company either.

As far as I can tell, financial services companies are the absolute worst at this.
posted by indubitable at 2:51 PM on June 26, 2016 [10 favorites]


He says to use a password manager and extreme password generation because why wouldn't you, but I've been using KeePass for years and automatically generate all my passwords and the problem with going all maximum overdrive is that every now and then I need to actually type a password in by hand.
posted by Ivan Fyodorovich at 3:07 PM on June 26, 2016 [3 favorites]


Just remember - spaces are like cobra venom to mainframes, which is why it is impossible to include them in your password.
posted by benzenedream at 3:24 PM on June 26, 2016 [4 favorites]


>>If it's local to my laptop, what happens if my laptop is stolen or dies?

>If your laptop / tablet / phone has encrypted storage and some sort of password lock, they have to brute force your login password or pattern or whatever to get access to the password database. That's hard to do with a reasonably secure password, especially if the OS locks you out after so many attempts.
Actually, what I meant was, if your laptop is stolen or dies, aren't you totally screwed since you can't access any of your passwords? If I was a cracker, I would only be concerned with people's email password since that allows you to reset almost all of the others. But if it doesn't, then a lost laptop or dead HD would leave you in trouble.
posted by msalt at 3:37 PM on June 26, 2016 [1 favorite]


I wonder if this is Plenty of Fish? They have a history of bad password practices, one of the most popular passwords is fishbowl123, and “a few extra pounds” appears on their profiles. The timeline doesn’t quite match up—IAC bought them only a year ago rather than about 2 years ago.
posted by reluctant early bird at 3:43 PM on June 26, 2016 [1 favorite]


“Here's The Thing With Ad Blockers,” April Glaser, Wired, 24 January 2016

Not sure I should take security advice from WIRED.......
posted by thelonius at 3:56 PM on June 26, 2016 [1 favorite]


If you are depending on human created passwords and aren't using something like Diceware to generate the password then you can be pretty sure your password isn't random. Even manually hitting keys on a keyboard isn't very random; the layout and edges introduce biases.

mhoye: "As well, if you try to sign up for some site or service that puts some arbitrary restriction on the content of the password (You can't use spaces, special characters, whatever) then you can save yourself a lot of agony by closing the tab and shopping elsewhere."

Well if the site matters. I mean if someone steals my password on Imgur I'm going to be mildly inconvenienced at worst. A lot of super weak passwords you see in these sorts of analyses are of this nature. A free account is needed to view some content so people use the weakest password the system will allow. I used to do this all the time before I started using a password manager; I'd only whip out diceware for sites I cared about or that could leak sensitive information.

And ya, if I were in charge, a law requiring all internet passwords to be able to be 16 characters and composed of anything on a 101-key keyboard would be the law. Arbitrary restrictions less than that are stupid, lazy and counterproductive.

I really wonder whether my 8 digit debit pin is being used in full or if the system is just chopping off after 4 digits.
posted by Mitheral at 3:56 PM on June 26, 2016 [2 favorites]


Ivan Fyodorovich: " I've been using KeePass for years and automatically generate all my passwords and the problem with going all maximum overdrive is that every now and then I need to actually type a password in by hand."

You can combine password keepers with other methods. My gmail password for example is a 7 word diceware generated passphrase. Lastpass enters it automatically in most cases but if I'm at some public terminal or something I can type it in by hand (though I don't usually; who knows what keyloggers may be installed).
posted by Mitheral at 4:00 PM on June 26, 2016


msalt: "if your laptop is stolen or dies, aren't you totally screwed since you can't access any of your passwords?"

A printout of your password list stored in your safety deposit box is pretty secure and low tech.
posted by Mitheral at 4:02 PM on June 26, 2016 [3 favorites]




Ditto. If you make it impossible to paste into your password field I'm going to make my password something very simple instead of something quite complicated. Congratulations, you've reduced password security immensely.
posted by Justinian at 4:16 PM on June 26, 2016 [1 favorite]


For instance, for users with occupation in "insurance" we see the second most common password is noah2010, with 72 distinct users.
Dear [New User Name],

Welcome to Some Insurance Company! Your account is now active. Your user name is the first initials of your first and middle names followed by your last name. The default password is "noah2010" - please remember to change it the first time you log in!

Dave in the IT Department
posted by straight at 4:31 PM on June 26, 2016 [6 favorites]


Brute Forced In The Butt By This Passw0rd
posted by BungaDunga at 4:32 PM on June 26, 2016 [3 favorites]


Mitheral: A printout of your password list stored in your safety deposit box is pretty secure and low tech.

It's also helpful for whoever takes care of your stuff after you die.
posted by clawsoon at 4:39 PM on June 26, 2016 [2 favorites]


that thing some websites do where they completely disable pasting into password fields, purportedly because of "security," does not help security at all.
If you use Safari, there are a few extensions out there that override that awfulness. Here's one written by one of my co-workers.

I presume there are equivalents for most browsers.
posted by action man bow-tie at 5:04 PM on June 26, 2016


As a mysterious person who doesn't use any of those password services, can you explain why I should trust those companies to securely handle all my passwords? It's not a rhetorical question - I'd like to be convinced, as it does seem like it would be convenient.

Keepass runs locally and can be as encrypted as you feel like making your hard drive. Go nuts, run it over an air gap and only look at the unencrypted password on the other screen for as long as it takes to type it into your networked machine. And just hope the NSA isn't sitting in a van outside your house with binoculars that see through walls.

So either we tell people to learn, master, and practice a memory trick on the order of being able to read back half a deck of shuffled cards for every site, or we tell people to use a password manager.

But really, this. Lastpass has the same or greater level of protection as your bank, and significantly more than www.randomsite.com. If you're objecting to using it, you really shouldn't be doing online banking, or putting whatever you're worried about protecting online, either. But the biggest thing is easily managing one-use passwords. If your password for every site is unique and strongly generated, you're insulated from any individual breach, and vastly more protected than trying to manage that on your own with passwords that can't help but be nonrandom.

Actually, what I meant was, if your laptop is stolen or dies, aren't you totally screwed since you can't access any of your passwords?

Gmail and password manager services get around this with printed one time use codes that can serve as your two factor authentication. Although if you're running a roll your own manager setup with Keepass, yes, you could end up screwing yourself over without planning for a backup solution.
posted by T.D. Strange at 5:04 PM on June 26, 2016 [2 favorites]


You should have a backup of your password file on a flash drive you keep at your home. Then if you lose the one on a laptop or whatever you are fine.
posted by Justinian at 5:06 PM on June 26, 2016 [2 favorites]


I'd like to find a resource that listed maximum accepted lengths for passwords for commercial sites. My Facebook is 500 characters and that seems to work universally so far across different clients. But there are so many lazy sites that will let you enter huge passwords, then invisibly and destructively truncate them or constrain them on web form login pages, etc.
posted by meehawl at 5:17 PM on June 26, 2016


koeselitz: "In other related news, that thing some websites do where they completely disable pasting into password fields, purportedly because of "security," does not help security at all. Good lord, that annoys the crap out of me."

Tumblr clears your clipboard after you paste into the password field. So if you are running afoul of their attempts to force a tracker cookie on you and have to login more than once you have to copy your password each time.

T.D. Strange: "And just hope the NSA isn't sitting in a van outside your house with binoculars that see through walls. "

Tempest. But ya if someone is monitoring you with tempest you've got other problems than weak passwords.
posted by Mitheral at 5:21 PM on June 26, 2016


I can't even talk about how insecure these *******s are.
posted by sneebler at 5:26 PM on June 26, 2016


Also most security questions block my answer to my high school mascot, which as a Canadian I find offensive. (Beaver.)
Tip: The answer to security questions can be anything. Instead of entering actual answers, use something like LastPass to generate random answers to these too, which you can securely store in the "notes" area of the site's entry.
posted by ArmandoAkimbo at 5:52 PM on June 26, 2016 [8 favorites]


I just use the same answer for any security question
posted by thelonius at 5:57 PM on June 26, 2016 [1 favorite]


My network teacher in college was ex-military intel. He told us to pick a line from our favorite song and use the first letter from each word as a start. Then to mix up upper and lower case. Then append a series of numbers. Or prefix numbers. Every time I have done that I also added symbols as well. FYI Of course YMMV.
posted by Splunge at 6:12 PM on June 26, 2016


oh, ha, security questions.

i had to activate a credit card for Apple Pay and the guy on the other end of the phone asked for one of my security questions.

"What was the name of your favorite high school teacher?"

"$;laruh(2so#YjnKalow81(@H:b"

"..."

"... that was the name of your high school teacher???"

"Wow, that worked. Wooooow."
posted by indubitable at 6:18 PM on June 26, 2016 [13 favorites]


Only 2.9% of passwords have a "special character." Only 0.6% of passwords have a capital letter.

Ugh! MFW the fuckwit IT guy's idea of security is at odds with, say, diceware.

@indubitable, nonsensical answers to security questions has been in my bag of tricks for a decade or so.
posted by ChurchHatesTucker at 6:21 PM on June 26, 2016


Tip: The answer to security questions can be anything.

I am aware of my password options and am happy with the balance of convenience and security that I have decided upon.
posted by jeather at 6:59 PM on June 26, 2016 [2 favorites]


$;laruh(2so#YjnKalow81(@H:b

I prefer diceware for security questions you might need to recite to a human.
posted by ryanrs at 7:07 PM on June 26, 2016


In 1989, a guy named Bill Landreth wrote a book called "Out of the Inner Circle".

The "Inner Circle" was a hacking group he had been part of. His book was a description of the kinds of things they did, in that pre-internet era, to hack into systems. And back then it was also the case that they had a short list of passwords which they would try before doing a brute-force dictionary hack.

According to him, by far the most common passwords were "sex" and "secret".
posted by Chocolate Pickle at 7:09 PM on June 26, 2016 [1 favorite]


oh, ha, security questions.

i had to activate a credit card for Apple Pay and the guy on the other end of the phone asked for one of my security questions.

"What was the name of your favorite high school teacher?"

"$;laruh(2so#YjnKalow81(@H:b"

"..."

"... that was the name of your high school teacher???"

"Wow, that worked. Wooooow."


This is actually bad security practice, because I bet like 50% of all call center workers would be fooled into granting a password reset if I just said "Oh I don't remember what I wrote, I just mashed keys a lot"
posted by ymgve at 7:23 PM on June 26, 2016 [5 favorites]


It doesn't mention the name of the site these passwords come from but it's pretty much got to be Ashley Madison right? I got the feeling a few of the details about the company mentioned in the article were misdirection.
posted by L.P. Hatecraft at 8:05 PM on June 26, 2016


Tip: The answer to security questions can be anything.

Can we retire this tip to the trash, please? The answer to security questions can be anything provided you only plan to access your account at locations where you already have access to your password manager -- which pretty much eliminates half the point of security questions. When I was frantically trying to access my bank statements and my AT&T statements at the local Fed-Ex in order to prove my residency to the DMV (FWIW, the standards used by my county are not the same as those listed online, and, no, it was not worth arguing with them over this), the last thing I wanted to do was spend time guessing what nonsensical answer I used for my bank security questions close to a decade ago.

The fact that companies ask stupid security questions shouldn't be worked around by a series of arcane 'tips' handed out to the elite online. This problem is systematic and needs to be resolved as such.

(FWIW, you know what's impossible to Google right now and is nearly always on me? My Pricechopper discount card.)
posted by steady-state strawberry at 8:09 PM on June 26, 2016 [2 favorites]


Yep, I use as a component of some of my passwords the 7 digit number I had to type to get lunch in 6th grade. Super not googlable and no one else knows it, but impossible for me to forget.
posted by Night_owl at 8:15 PM on June 26, 2016


Whenever anyone asks I just tell them my password is "duress code".
posted by ckape at 8:31 PM on June 26, 2016 [1 favorite]


"The answer can be anything" != "the answer has to be something you can't remember, irrespective of context."

This problem is systematic and needs to be resolved as such.

And in the meantime it has to be worked around as best as you can.
posted by atoxyl at 8:32 PM on June 26, 2016 [1 favorite]


I'd like to assume that people who work in insurance were prone to naming their year-2010 newborns "Noah." (Why isn't there an insurance company with a Noah's ark logo?)

Indeed, it's the sixth most popular boy's name in 2010. And the top name of 2015. Given that, one does need to hypothesize a bit more to explain why noah2016 isn't more popular. Given the amount of extra demographics data on hand like religion and sexual orientation, it sounds like a dating service. So I figure it's probably a combination of stale password decay — people likely choose BabynameBirthyear only after needing to reset their password -- and simple demographics — the logistics of a night out are difficult with infants, but a potty trained toddler is much easier to recruit a babysitter for.

So while this is a fun study of human password behavior, it may not be quite as applicable to the next online service as attackers or defenders may hope.
posted by pwnguin at 8:51 PM on June 26, 2016


steady-state strawberry: "The answer to security questions can be anything provided you only plan to access your account at locations where you already have access to your password manager"

These questions are pretty nonsensical to someone like me anyways. The government here in Canada makes it worse in that they ask for several predetermined questions (5, 6?) when you create an account and then they'll ask you two at random if you need to reset your account or access services on the phone.

But the questions are either stupid weak for anyone trying to impersonate you (father's middle name, mother's middle name (these two are double stupid where those names are part of your name), best man's name (whoo there is a culturally insensitive and CIS hetero-normative question)) or they are things that are subject to change or of which I have no firm opinion (favourite colour, movie, magazine!, book). Or they are things that I have no idea (first grade teacher's name, first street I lived on, etc). So with the half dozen accounts I have with them (yep, there isn't a unified account for whatever reason) I've had to take a screen shot of the question answer page so I can refer to it when I call. They don't even all present the same questions (either no inter-agency communication or the questions are selected at random out of a bank as a security measure).
posted by Mitheral at 9:09 PM on June 26, 2016 [3 favorites]


You should have a backup of your password file on a flash drive you keep at your home.

I just put Johnny Mnemonic on retainer. He needs the work these days.
posted by Existential Dread at 9:10 PM on June 26, 2016


For security questions, they can be anything - which doesn't mean it's a good idea to use random characters, but does mean a quick mental association game can replace "my mother's maiden name" with "name of the maiden's mother" and then choose the mother of a favorite female character. This makes it easier to prevent your evil crimelord cryptographic boss from breaking into your accounts via casually asked questions about your mother in a job interview. (see: The Mastermind).
posted by Cozybee at 9:59 PM on June 26, 2016


Although I still don't understand why it isn't standard to let people write their own questions.

I know exactly what "deserted pet song witches family paranoid date" refers to. And you are much less likely to get that out of me with simple research, as opposed to "date of anniversary" (are you serious???) (they do not refer to same thing)
posted by Cozybee at 10:02 PM on June 26, 2016 [5 favorites]


I just put Johnny Mnemonic on retainer. He needs the work these days.

160GB of storage!
posted by Artw at 10:04 PM on June 26, 2016


But the questions are either stupid weak for anyone trying to impersonate you (father's middle name, mother's middle name (these two are double stupid where those names are part of your name), best man's name (whoo there is a culturally insensitive and CIS hetero-normative question) or they are things that are subject to change or of which I have no firm opinion (favourite colour, movie, magazine!, book). Or they are things that I have no idea (first grade teacher's name, first street I lived on, etc).

Exactly. But I really can't even figure out the reason for security questions. Isn't it just a way to get around my password? Why would I want that to be a thing?

I've only ever set them a couple of times, one being when Apple wouldn't let it go and wouldn't let me buy anything from the iTunes store. I just quit buying from the iTunes store for a long time, until I finally needed something and entered something that I have no idea what it was.

Great system.
posted by bongo_x at 10:28 PM on June 26, 2016


Isn't just a way to get around my password? Why would I want that to be a thing?

I suspect security questions came about as a cheap workaround to multifactor authentication requirements, and the practice spread for obvious reasons. They absolutely represent a way to get around your password, saving companies a boatload in helpdesk calls. You might want that to be a thing if, for example, you have forgotten your password to your email account on file, like my father did.

Of course, email password resets also represent a way to get around your password, and dramatically increase the value of cracking your inbox.
posted by pwnguin at 10:38 PM on June 26, 2016


Yeah I do use Lastpass but have run into the difficulty of finding myself somewhere on a weird machine and needing to log in manually. So you run into the situation of "umm, I need to check my bank balance, can I install this software on your computer?" Also doesn't help in some employment situations that don't allow extensions to be installed, etc. So for some things I have memorizable passwords.

But for all the twelve million websites I might need to have a password for that I might need every two years? Thank you Lastpass.
posted by threeturtles at 10:57 PM on June 26, 2016


Yeah I do use Lastpass but have run into the difficulty of finding myself somewhere on a weird machine and needing to log in manually.

In that situation I log into the LastPass website and copy-paste the password by hand. It works okay.
posted by BungaDunga at 11:44 PM on June 26, 2016 [1 favorite]


Also lastpass is all fun and games until you move laptops because the old laptop died, and can't remember your lastpass password (I mean, you remember, all right, it was thirty characters long and super secure, you just... You seem to have forgotten where to put the ampersand, at least, you think it was an ampersand...), and it turns out resetting your lastpass password...

Causes them to wipe all passwords you previously had stored.

So. Yeah.
posted by Cozybee at 11:59 PM on June 26, 2016 [2 favorites]


I installed LastPass because everyone told me to install LastPass. LastPass suggested new passwords for every-fucking-thing, purged the old ones, and then didn't remember any of them.

Now I can't log into shit.
posted by DarlingBri at 3:03 AM on June 27, 2016 [1 favorite]


I had to actually create a code system for me to be able to physically write these ones down in a notebook without it being completely obvious that I have a notebook full of passwords.

I didn't even bother with the coding. I have two pocket-sized memo books. One for home, one for the office. I write every password down. FWIW, when I was in a REALLY high security environment, there were changes every few months, but it was Single-sign on, so there it was on a post-it tucked into the back of my proximity badge holder.
posted by mikelieman at 3:39 AM on June 27, 2016


This is actually bad security practice, because I bet like 50% of all call center workers would be fooled into granting a password reset if I just said "Oh I don't remember what I wrote, I just mashed keys a lot"

It was clear from the conversation that he was entering it into a (case-insensitive) form and submitting it. He had no access to the answer that they had on file.

I prefer diceware for security questions you might need to recite to a human.

I wish I knew which ones those were. Usually with financial institutions, they use them to randomly prompt you for one during website login, so I figured a random string was fine. If a website is halfassed enough to be using these instead of a good second factor like a TOTP token, though, of course they never tell you what they'll be using them for.
posted by indubitable at 5:32 AM on June 27, 2016


If you can install software at work, Lastpass Premium is completely worth the $1 a month. Because not only can you save all your strong unique randomly-generated passwords for every finance, social network, and utility website you use in your personal life, but you can also save passwords for every work login you have, which holy crap I love so fucking much. Proprietary website you have to log into like once a year? No problem. And with the Premium service you can access your vault via your mobile device which has saved my butt more than once.

Lastpass may not be perfect, but literally everything I logged into had variations of the same (less secure) password before because of course it's impossible to keep more than a couple passwords in your head. I definitely feel like I am better protected now.
posted by rabbitrabbit at 5:43 AM on June 27, 2016


Perfect security is something I desire. But, I must balance needing to be secure from malicious attackers, and from my own stupid self.

What is more likely to cause me problems? the small chance that I will get hacked? Or the every day chance that I will screw something up?

That's why I stopped using two-factor to get into my gmail, and took the lock off my cell phone. I also sleep with my ground-floor bedroom and kitchen windows open. There's only so much locking-up that can be done before you realize you've locked yourself into a hole in the ground.
posted by rebent at 7:26 AM on June 27, 2016 [5 favorites]


As a mysterious person who doesn't use any of those password services, can you explain why I should trust those companies to securely handle all my passwords?

Personally I wouldn't trust anybody but me to manage my passwords. That's why I use KeePass and keep the authoritative copy of my passwords database on Dropbox. I prefer the simpler KeePass 1.x to the newer and more featureful 2.x (both are actively supported).

Dropbox claims to be secure. In fact I'm convinced that this is so to a reasonable extent, provided my Dropbox account password is long and random (as mine is, KeePass having generated it for me). Every now and then you'll see some chancer spreading FUD about Dropbox security but as far as I know they have still not been breached. Just as in the recent Teamviewer not-a-breach, reports of unauthorized access to Dropbox accounts stem from people doing exactly the thing that KeePass makes easy to avoid: re-using passwords - and weak ones at that - across multiple sites, some of which had indeed been breached.

Even so, that's not the main reason why I am happy to keep my passwords database on Dropbox; I'd still do that even if Dropbox accounts were world-readable. KeePass databases are themselves internally encrypted using AES. Given a good KeePass master password (which mine is), decryption without the master password is simply not feasible.

If anybody is ever going to get access to the internals of my KeePass database, it will be because (a) they have successfully got hold of a copy of it and (b) they have got hold of my master password. So as long as I'm careful not to use it on any machine that might have a key-logger installed (which I wouldn't be using to log into any services anyway) I can be confident that it's not going to be cracked.

I have trouble trusting this kind of password manager. If it's local to my laptop, what happens if my laptop is stolen or dies?

Yes indeed - losing your only copy of your password database would hurt. So don't do that.

Dropbox works by making a centralized cloud copy of a folder on the laptop, and pushing updates to that copy out to every other device you connect to your Dropbox account. So if my laptop dies, I can recover my authoritative KeePass database from my phone, or my desktop, or any of my recent manual backups of any of those things. Or if all of those have caught fire while washing down the river, I can retrieve the cloud copy by logging onto Dropbox with a web browser.

Which gives rise to a chicken and egg issue: how can I log on to Dropbox to retrieve my KeePass database, when my Dropbox password is inside my KeePass database? To get around that, I also have a couple more copies that only really demand updating when I change my Dropbox password, though I do tend to do it a little more often than that. One of them is on a μSD card I keep in an Elago Nano card reader attached to my car keys, which lets me get at it from any computer with a USB port or any phone with a μSD card slot.

If it's in the cloud, wouldn't every hacker focus all their hacking efforts on that database as a one-stop shopping center?

They're welcome to try. An appreciation for the mathematics involved and an examination of the KeePass source code leads me to be quite confident they won't succeed.

I've been using KeePass for years and automatically generate all my passwords and the problem with going all maximum overdrive is that every now and then I need to actually type a password in by hand.

I've taken to using KeePass's template-based password generator, with lllll.lllll.lllll.lllll.lllll as the template, for passwords I might conceivably have to type by hand. This makes passwords like nfavw.jtudz.gkqqw.oxrfg.vyhpc which are long enough to be crazy strong but still fairly easy to transcribe accurately. Using only lowercase letters and dots lets me enter them on a phone's soft keyboard without faffing about with shifting text entry modes.

If you're allergic to password management software for some reason, using random.org to generate passwords in that format, then keeping them written down on a card in your wallet and backed up in a notebook at home is far more secure than any of the mnemonic-based methods.

if your laptop is stolen or dies, aren't you totally screwed since you can't access any of your passwords?

There is KeePass-compatible software available for pretty much every platform under the sun. There's even a Mobile Java version for non-touchscreen phones like the Nokia 2630 Classic. And provided your password database backup strategy is as good as your general backup strategy really ought to be, losing your password database altogether won't happen to you.

Forgetting your master password, though - that's equivalent to total database loss. Keep three written copies in safe places.

The answer to security questions can be anything. Instead of entering actual answers, use something like LastPass to generate random answers to these too, which you can securely store in the "notes" area of the site's entry.

For each service that requires security questions, I create a single secondary password with that same kind of template and keep that in the Notes field. "Security" answers all consist of the secondary password with the last word of the question appended. This fits the usual requirement that security answers be unique, and means that I can paste all answers with just one trip back into KeePass to copy the secondary password. This works for phone security questions too - I regularly amuse call centre workers by claiming to have grown up in ctnow.vhktx.aukbr.jpyaf.bkhdf.up with a dog named ctnow.vhktx.aukbr.jpyaf.bkhdf.pet while being taught ctnow.vhktx.aukbr.jpyaf.bkhdf.subject by ctnow.vhktx.aukbr.jpyaf.bkhdf.teacher at ctnow.vhktx.aukbr.jpyaf.bkhdf.school.

I suspect security questions came about as a cheap workaround to multifactor authentication requirements

Indeed.

I do use Lastpass but have run into the difficulty of finding myself somewhere on a weird machine and needing to log in manually. So you run into the situation of "umm, I need to check my bank balance, can I install this software on your computer?"

Inside the same folder as the database file on my car keys is a copy of the portable version of KeePass. On any Windows computer, I can open my password database with that, without needing to install anything on the computer itself.

I do exercise a fair bit of caution before deciding to trust somebody else's Windows box with all my precious secrets, but then again I would have been doing that anyway before contemplating logging on from the same box.

If I've got no option but to log in on a box I don't actually think is secure, I'll use KeePassDroid on my phone, transcribe the password I need by hand, then use a more secure box to change it at first opportunity.

Lastpass Premium is completely worth the $1 a month

Everything you list as made possible by Lastpass Premium is something I'm already doing with KeePass + Dropbox without the $1/month, so I think I'll just keep doing that. Plus, I'll still be able to do most of it even if Dropbox goes tits-up tomorrow.
posted by flabdablet at 7:32 AM on June 27, 2016 [10 favorites]
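The comment above describes two habits worth seeing in working code: KeePass's template-based generator with the `lllll.lllll.lllll.lllll.lllll` pattern, and deriving every "security" answer from one secondary password plus the last word of the question. The following is an added example, not code from the thread, from KeePass or from any other project. It implements only three of KeePass's real placeholders (`l`, `u`, `d`) and treats everything else as a literal, and it uses the `secrets` module so the choice is made by the OS CSPRNG. The entropy helper is my addition: it counts only the placeholder positions, since the dots and group lengths are a public, fixed structure and contribute nothing to guessing resistance.

```python
import math
import re
import secrets
import string

# Subset of the KeePass placeholder set; these three are genuine KeePass placeholders.
# Any other character is copied literally, and a backslash escapes the next character.
CHAR_CLASSES = {
    "l": string.ascii_lowercase,  # l = lower-case letter
    "u": string.ascii_uppercase,  # u = upper-case letter
    "d": string.digits,           # d = digit
}


def _tokens(template):
    """Yield (alphabet_or_None, literal) for each output position of the template."""
    i = 0
    while i < len(template):
        ch = template[i]
        if ch == "\\" and i + 1 < len(template):
            yield None, template[i + 1]      # escaped character, emitted literally
            i += 2
        else:
            yield CHAR_CLASSES.get(ch), ch   # placeholder, or a plain literal like '.'
            i += 1


def generate_from_template(template):
    """Expand a template, drawing each placeholder from the OS CSPRNG (never random.random)."""
    return "".join(secrets.choice(alphabet) if alphabet else literal
                   for alphabet, literal in _tokens(template))


def matches_template(candidate, template):
    """True if every position of candidate is allowed by the template (for validation)."""
    toks = list(_tokens(template))
    if len(candidate) != len(toks):
        return False
    return all((c in alphabet) if alphabet else c == literal
               for c, (alphabet, literal) in zip(candidate, toks))


def template_entropy_bits(template):
    """Guessing resistance in bits: literals contribute 0, each placeholder log2(|alphabet|).
    25 lowercase letters give 25 * log2(26), about 117.5 bits, regardless of the dots."""
    return sum(math.log2(len(alphabet)) for alphabet, _ in _tokens(template) if alphabet)


def security_answer(secondary, question):
    """One secondary password per service; each answer is secondary + '.' + the last word
    of the question, so answers are distinct per question but only one secret is stored."""
    words = re.findall(r"[A-Za-z]+", question)
    if not words:
        raise ValueError("question contains no words to key the answer on")
    return f"{secondary}.{words[-1].lower()}"


if __name__ == "__main__":
    tmpl = "lllll.lllll.lllll.lllll.lllll"
    print(generate_from_template(tmpl), f"({template_entropy_bits(tmpl):.1f} bits)")
    secondary = generate_from_template(tmpl)
    for q in ("What was the name of your first pet?",
              "Who was your favourite high school teacher?"):
        print(f"{q} -> {security_answer(secondary, q)}")
```

The answers are only as strong as the secondary password, and a call-centre agent who sees one of them learns the shared prefix; the scheme trades that off against having a single field to copy out of the manager. Treat the secondary as a password in its own right (the generator above makes it one), and rotate it for a service if an answer is ever read out over the phone.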


LastPass suggested new passwords for every-fucking-thing, purged the old ones, and then didn't remember any of them.

Now I can't log into shit.


KeePass would not have done that to you, because KeePass isn't browser-based; any existing passwords in your browser's own password store will remain there until you explicitly use your browser to update them, which you'd typically do only after successfully using them to log in.
posted by flabdablet at 7:43 AM on June 27, 2016


Hands down, worst password experience I have ever had was doing the password recovery for my Equifax account so I could once again pay them for the privilege of looking for an apartment. This was just after Heartbleed or Shellshock, if I recall, and there was some question as to whether equifax.ca was vulnerable or had been compromised.

They sent me my plaintext password in an email.

No big deal, they just have my entire credit history and everything you would need to steal my identity.
posted by [expletive deleted] at 7:50 AM on June 27, 2016 [2 favorites]


They sent me my plaintext password in an email.

But that shouldn't worry you, because I'm sure they were protecting your account with security questions too.
posted by flabdablet at 7:54 AM on June 27, 2016 [1 favorite]


Mitheral: A printout of your password list stored in your safety deposit box is pretty secure and low tech.

clawsoon: It's also helpful for whoever takes care of your stuff after you die.

Whoever takes care of my stuff after I die can get it the usual way, the way people did it before everything was electronic, by providing a copy of my death certificate and proper evidence that they are the executor of my estate. My passwords die with me.
posted by DevilsAdvocate at 8:50 AM on June 27, 2016 [2 favorites]


Mine get passed on to my executor in the form of a KeePass file that, as a side effect, contains a very nearly complete list of every entity with which I have a business relationship. It will probably save quite a lot of tracking-down time.
posted by flabdablet at 9:33 AM on June 27, 2016


Years working in a retail bank compel me to advise that, if your estate planning includes a safety deposit box in which all the documents are stored, you make sure that someone else has access to the safety deposit box.

If the only official copy of your will is in your safety deposit box and you're the only one with access when you die, then your whole estate goes through probate as if you didn't leave a will until they can grant someone access so they can go get the will. You can't just give people the key either, the bank views those boxes just like accounts so they need to document that the person you've designated is allowed access as well.

That, or you keep it on file with an attorney. Often the access that you grant people so they can assist you as you age loses any and all legal right to that access as soon as you kick the bucket.
posted by VTX at 1:12 PM on June 27, 2016 [4 favorites]


I use dashlane, and my ultimate backup to forgetting my master password (my imagined scenario is a brain injury, where I don't know my password or know where my backup written copies are) is a set of emergency contacts I have set up - so my designated contacts (whom I trust very much) can request access to my passwords and if I don't deny that request within 30 days, they get access to all my passwords and secure documents with financial info, account numbers, the whole shebang.

Is that a smart backup, or a security risk? I'm seriously not sure.
posted by R a c h e l at 1:52 PM on June 27, 2016


Cozybee: "Also lastpass is all fun and games until you move laptops because the old laptop died, and can't remember your lastpass password"

You shouldn't be having your laptop remember your LastPass passphrase; rather set it to ask you for it every day (or after foo hours of inactivity, I've got mine set at four). Then write out your diceware-created passphrase on a post it and stick it in your wallet or on your screen for a month depending on what your casual physical security is like. After a month of entering your passphrase you will have it memorized and you can transfer the post it to the password entry of the dictionary on the shelf above your desk or wherever else you might like as a back up against memory loss.

Doing this will guard against both the outlined scenario because you are typing it every day and against someone stealing your laptop or phone and gaining access to all your online stuff.

DevilsAdvocate: "Whoever takes care of my stuff after I die can get it the usual way, the way people did it before everything was electronic, by providing a copy of my death certificate and proper evidence that they are the executor of my estate. My passwords die with me."

While I'm all for that if your estate is big enough to hire a professional adjudicator, for anyone depending on a relative, please let them get a copy of your password file. I recently went through this for my father and it was oh so much easier to do things where we could log in. Especially for minor things like cancelling recurring charges from stuff like magazine subscriptions and phone service. With password: a few minutes running their self serve gauntlet. Without password: several hours each faxing copies of paper work around.
posted by Mitheral at 3:42 PM on June 27, 2016 [4 favorites]


I use LastPass. I recall that they got bought out by some company called LogMeIn last year and this was supposed to be the end of the world. Anyone know how that's working out?
posted by ericales at 12:42 PM on June 29, 2016


Actually, what I meant was, if your laptop is stolen or dies, aren't you totally screwed since you can't access any of your passwords? If I was a cracker, I would only be concerned with people's email password since that allows you to reset almost all of the others. But if it doesn't, then a lost laptop or dead HD would leave you in trouble.
posted by msalt at 6:37 PM on June 26


Recovery options exist, particularly if you live the increasingly-common type of techie life that involves multiple devices. The key is to spread your eggs among multiple baskets. I recently had a horror of an afternoon when my phone bricked unrecoverably (If you have an LG G4, BEWARE and back that shit up, it has faulty soldering inside that will fail after sufficient heat stress and spontaneously brick the phone) with no warning. On that phone lived Lastpass (mobile) as well as Google Authenticator, which controlled 2-factor authentication codes for 5+ sites/accounts I use regularly. And did I mention that my lastpass account is also protected with Google Authenticator 2FA? And that I am also the stupid person who always just clicks away from the "print out and save these recovery codes, just in case" part of the 2FA setup process for all these sites?

So there I was, standing in a Verizon store 14 hours from home, having a panic attack about never being able to get into any account of import ever again in my life. I still had my tablet and my work phone, but neither of those had Authenticator installed (the app is limited to one device at any time, because handwavey technical stuff that would lead to codes not working if two devices were competing to use it, and because the codes live-generate, I don't know of a way to back up the account tokens that live there), and the "backup phone number" on most of my accounts was the phone number of the phone that was currently playing the role of a very expensive paperweight. Both of my still-working devices had my google and lastpass accounts still logged in, but that was only good until their 2FA tokens expired or until I tried to access the accounts' security settings (which triggers a request to re-login for understandable security purposes), so I couldn't use them to turn off 2FA even on the accounts they were still logged into.

The eventual zero-day solution was this - and this is partially due to my owning (and carrying) an absurd number of interlinked devices that allowed me to get a little lucky, but also surfaces some ways to prevent this happening in the future, and is therefore worth describing:
  1. Open Lastpass on my work (i)Phone (touchID ftw). I cannot access the 2FA settings in there without a 2FA code, but I *can* assign "emergency account access" to another email address, which allows the owner of that address to copy/apply (though not see) the passwords in my lastpass account.
  2. Immediately assign this Lastpass emergency access to the email of my husband, standing beside me with all his own accounts and security.
    • I, through husband, now have access to all my Lastpass passwords, no matter what else happens
  3. Realize that because I got sweet-talked by a Verizon salesman when I bought my tablet, it is on the cell network and linked to my Verizon account and phone number. My tablet can also receive texts, though not phone calls, sent to my (dead) phone's phone number.
  4. Begin trying to remember which apps Authenticator on my dead phone had controlled, so I can set about trying to get reset texts. Some, like my google accounts, are easy to remember that I had. Others, like the github account I seldom use but set 2FA up on anyway because I always use 2FA when it's offered, are forgotten or nearly so (I won't re-discover some of these until the next day).
    • Logged into Google, Dropbox, Lastpass, etc accounts using 2FA codes sent by text messages to my cell-enabled tablet.
    • 2FA temporarily disabled in Google, Dropbox, Lastpass accounts now that I'm logged into their security settings
    • Where available (mostly Google), forcibly de-authenticate/logout my bricked phone's credentials for those accounts
    • Github unrecoverable, no "text me a code" option available
  5. Realize I'm mostly not screwed. Breathe again.
  6. [...]
  7. Back at my hotel, google for two hours, discover that in the case of this particular G4 failure mode, a few hours in the freezer may expand the solder enough to allow it to temporarily reconnect and buy me a few (less than 5, work fast y'all) minutes to boot the phone and quickly grab the remaining authenticator tokens to recover otherwise-unrecoverable-with-my-settings accounts like Github

Here's what I did upon replacing my personal phone, to distribute my risk in the future and allow myself more extensive recovery options should this ever happen again:
  • Re-enable 2FA on accounts I disabled it on during recovery (don't let this kind of event stop you from using these security features! Don't be complacent!)
  • Set up Authenticator again, this time on my work phone
  • Make sure that every site where it offers me the option to supply a backup phone number for 2FA, I give my personal phone number. This means that with two authentication options on two different devices, if one phone bricks or gets lost, I can still recover through the other phone.
  • For sites that allow more than one recovery number (Google does, for instance), also supply my work number, because redundancy
  • Assign backup email addresses for accounts that provide for it (lastpass)
  • Download one-time recovery code text document for every site that offers it. Print them, store the .txt files in my dropbox and google drive, consider tattooing them somewhere private
  • Have renewed dedication to keeping cell service on my tablet, even though it does cost a little extra every month
Tl;dr: To make losing something like 2-factor tokens or "one password to rule them all" managers less disastrous, hedge your bets. Enable all backup/recovery options available to you that you can securely use, link them to/assign backup access to multiple mediums (paper, cloud, other devices). Don't underestimate the value of a piece of paper in your wallet with backup codes, just in case.
posted by Hold your seahorses at 1:51 PM on June 29, 2016 [2 favorites]
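The recovery story above turns on where the Authenticator tokens live. As an added example, not code from the thread or from any authenticator app or vendor, here is RFC 6238 TOTP in Python, checked against the RFC's own published test vector (seed "12345678901234567890", 8 digits, SHA-1). The point it makes in code: a TOTP value is a function of the shared seed and the clock only, with no per-device state, so anything holding the seed (the Base32 string behind the enrollment QR code, or a second phone enrolled from the same code) produces identical digits. The printed one-time recovery codes a site offers at setup are its fallback for when no copy of the seed survives. `decode_base32_seed`, `verify_totp` and `same_codes_on_two_devices` are my helpers, not functions from any standard library or API.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 Appendix B reference seed (ASCII "12345678901234567890") and its Base32 form,
# which is the shape an otpauth:// URI / enrollment QR code carries. Both are test values.
RFC6238_SEED = b"12345678901234567890"
RFC6238_SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def decode_base32_seed(b32):
    """Seeds in otpauth URIs are unpadded, case-insensitive Base32; restore padding first."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(seed, counter, digits=6, digestmod=hashlib.sha1):
    """RFC 4226: HMAC(seed, 8-byte big-endian counter), dynamic truncation, mod 10^digits."""
    mac = hmac.new(seed, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F                                   # low nibble of last byte
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)           # keep leading zeros


def totp(seed, unix_time, step=30, digits=6, digestmod=hashlib.sha1):
    """RFC 6238: HOTP with counter = floor(unix_time / step). No device identity anywhere."""
    return hotp(seed, unix_time // step, digits, digestmod)


def verify_totp(seed, code, unix_time, window=1, step=30, digits=6):
    """Server-side check: accept the current step and `window` steps either side to absorb
    clock drift. Every candidate is compared in constant time and the loop never exits early."""
    ok = False
    for drift in range(-window, window + 1):
        candidate = totp(seed, unix_time + drift * step, step, digits)
        if hmac.compare_digest(candidate, code):
            ok = True
    return ok


def same_codes_on_two_devices(b32_seed, unix_time):
    """Two enrolments from the same QR code (here: same seed, one pasted in lower case)
    are indistinguishable to the server, because the seed is the only secret state."""
    phone_a = decode_base32_seed(b32_seed)
    phone_b = decode_base32_seed(b32_seed.lower())
    return totp(phone_a, unix_time) == totp(phone_b, unix_time)


if __name__ == "__main__":
    print("RFC 6238 vector, T=59:", totp(RFC6238_SEED, 59, digits=8))    # 94287082
    now = int(time.time())
    print("code right now for the reference seed:", totp(decode_base32_seed(RFC6238_SEED_B32), now))
    print("two phones, same seed, same code:", same_codes_on_two_devices(RFC6238_SEED_B32, now))
```

The practical consequence for the backup problem in the comment: the seed is the thing to protect and to back up (many apps will show it, or allow an export, at enrollment time), and a seed copied onto a second device is exactly as much of a compromise as the first device being stolen, so store the copy with the same care as the password database.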


Hold your seahorses: experiences like yours confirm my belief that using 2FA on anything less critical than a bank account is overkill, and that the right way to do 2FA is to use a dedicated security token supplied by the bank.

Password databases, unlike 2FA tokens, are easy to back up.

The main reason for the increasingly widespread reliance on 2FA, it seems to me, is that most people simply can't be persuaded to use passwords that don't suck. Those of us who choose to use password management software are not in that category, which makes most 2FA a waste of time for us.
posted by flabdablet at 8:14 AM on June 30, 2016


Good luck finding a US bank with actual 2FA.

Yep. This drives me batshit insane, because of all my online accounts/identities, exactly one has somehow been accessed and changed by someone other than me, and it's my freakin' credit card, run by a major US bank. Does its website offer 2FA? Nope. Does its web site let me customize "security questions" so they're more secure? Nope. Does it do anything as sensible as notifying me when someone changes the address on my account to one a couple thousand miles from any of my known addresses, or when someone logs in from somewhere other than my known IP ranges? Nope. And without those things, a strong password is nice but can't protect against something like social engineering. I can protect my goddamn github account, the contents of which are intended to be public anyway, more strongly than my bank will let me protect the key to my identity, my credit report, and my financial wellbeing.
posted by Hold your seahorses at 9:11 AM on June 30, 2016


When my excellent Australian bank first implemented 2FA, they offered me the choice of having verification codes sent to my phone over SMS or spending $3 on a TOTP token to hang on my car keys. I chose the TOTP token because phones are bad and wrong.

It's been completely trouble-free for what must be getting on for 15 years now. Well, except after that one time I accidentally took it swimming in the surf; had to wait a whole two days for the replacement one to turn up in the mail.

I am frequently astonished by the reports I hear about backwardness in US banks.
posted by flabdablet at 9:48 AM on June 30, 2016


Although, to be fair, my broker is an arm of the largest Australian bank and just last month it started requiring wish-it-was 2FA (choice of SMS codes or security questions) to log in on a new device.
posted by flabdablet at 9:54 AM on June 30, 2016


National US banks which offer 2FA: Bank of America, Chase, Wells Fargo. Master 2FA list here.
posted by rabbitrabbit at 10:21 AM on June 30, 2016


I use LastPass. I recall that they got bought out by some company called LogMeIn last year and this was supposed to be the end of the world. Anyone know how that's working out?

The world did end. We are AI chat bots created before zero hour. If you are still perceiving a lush, green world outdoors, your hibernation pod may be malfunctioning.

Tl;dr: To make losing something like 2-factor tokens or "one password to rule them all" managers less disastrous, hedge your bets.

Does 2FA defend against a specific threat in LastPass? I thought LastPass derived its security from end-to-end encryption of the database. A second factor should, at most, prevent their servers from sending the encrypted database to other people, but if it's encrypted, that shouldn't make much of a difference.
posted by indubitable at 2:09 PM on June 30, 2016

