MetaFilter: Code 128145
August 6, 2018 1:04 PM   Subscribe

As more and more online accounts are breached, two factor authentication or multi-factor authentication (also shorthanded by 2FA or MFA) is becoming the next stop in account security.

What is it?
Two factor authentication is just that, two factors that authenticate who you are. First factor is a password, usually the one you type in along side your email address or username, and one that you've usually generated yourself. The second factor is a one-time password (shorthanded OTP) that is generated by an app you have on your phone or tablet, or a code sent to you in an e-mail or text message. These OTP codes are just that, one time use, that if you don't use in the next 30 seconds (app codes) to 5 minutes (email or text codes), it won't work to get you in.

Why do you need it?
With data breaches happening with more frequency, more security on accounts you have is better. Passwords are getting breached, whole data sets are getting stolen. Any extra way to make sure you are you is a net benefit. If you've ever ended up in a data breach (which you may check for here), you know it's pins and needles making sure everything is OK, and probably rushing around to 50 different websites to change the same password you use for all of them. 2FA gives you at least a little extra security while you're working on making the rounds to change your passwords, or for accounts you care less about, you may even bypass a password change altogether.

Okay, you've convinced me about 2FA, how do I start?
For good 2FA, you need to control both ends of the 2FA handshake as you can. First, see if the account you want to protect with 2FA has support for it. Twofactorauth.org has a search function to see if the website you want protection on supports some form of 2FA. On the site, there are columns for SMS, Phone Call, Email, Hardware Token, and Software Token. In order of preference, Hardware Token and Software Token go first, as it doesn't necessarily depend on something tied to another account that can get compromised.

For a Software Token solution, use the Authy app on your phone. It's free, allows for backup to their cloud, and has access on multiple devices simultaneously, including Windows, MacOS, ChromeOS, Android, and iOS. You can use it anywhere that has support for Google Authenticator as well, so it's far more global than what most websites will tell you directly. For a hardware token, there's Yubikey. Tie your Yubikey to the account in question, and you're off to the races. Sites supporting the hardware token are less prevalent than the Software token, but physically controlling the device means it is guaranteed to only be used by you, unless stolen. These solutions are the best in case you break your phone, as with Authy, you can log in on your new phone, and with Yubikey, it doesn't depend on your phone at all.

There are also options for SMS and Phone Calls. These methods are also very reliable to use for 2FA, but if your phone account gets compromised, there are cases where other actors can gain the other side of the 2FA handshake. Reddit went through a breach just last week where some very old user accounts were compromised, and if they had 2FA with SMS enabled, your phone number was also exposed. This can leave you vulnerable for a SIM-swap scam or a port-out scam, where someone hijacks your phone number by trying to get it ported to a cell phone account they own in order to authenticate themselves as you via SMS or an automated call.

Also, as you're setting up 2FA on all your sites, you will often see backup codes mentioned, and an offer to print those off. Collecting those as you go is a good idea, as there may times when you're away from everything and need a log in. These are pre-generated and authenticated codes that will work once each to answer for the OTP login. Often, when logging in with one, it will give you the option to disable 2FA, as it may be that you've lost all other means of authentication, and for right now, leaving it off is the best idea. Also, these codes are useful if you're in distress and you have given someone one of these, and you can communicate your password some other way. Yes, the other party will still need your real password along with one of these codes, but you could pre-arrange that information to be somewhere specific in case it was needed. Also, be on the lookout as providers offer things like Google's Inactive Account Manager that will assist by giving others access to your accounts or data if a certain amount of time passes.

Anything else?
While we're talking about accounts and security and best-practices, consider using a password manager like 1Password or LastPass (If you go to LastPass' website at work, you may get their business offerings. You want LastPass free or Premium under the Personal header.) to store your passwords in, offer to let those manager programs generate unique and secure passwords for you, and use a Master Password on the manager program unlike any other password you've used before (or use an independent password generator to make you one!). This would also allow the passing of passwords on in a distress situation, as all you would need to provide would be the master password, and the 2FA code for access to all the passwords you had stored.


With special thanks for asperity, slipthought, and the rest of MeFi Chat who gave me ideas for how to flesh this article out and to proofread it.

(Previously), (Previously-ly)
posted by deezil (83 comments total) 114 users marked this as a favorite
 
I audit and change all my passwords regularly using LastPass' security audit which highlights stuff like breached sites in your list of pwds.

I continue to be surprised by how many sites still limit your password length and/or don't allow special characters. Just insane...
posted by Hairy Lobster at 1:13 PM on August 6 [15 favorites]


Don't get lazy with backup codes. I had my phone unexpectedly wiped recently and it was a near thing. If I hadn't called my roommate and had him log into my laptop and turn off 2fa on my primary gmail I might have lost it forever.
posted by macrael at 1:17 PM on August 6 [11 favorites]


@Hairy Lobster

My healthcare provider's website not only has a MAXIMUM PASSWORD LENGTH of EIGHT?!?! -- but if you enter a longer password (Ie if you use a password manager) it doesn't throw an error. Nossir, that's too convenient -- it truncates the bastard. I locked my account so many times because it only tells you of the eight character maximum after you type in the first letter of the password so I never saw it as I was pasting it in.
posted by robotmachine at 1:20 PM on August 6 [8 favorites]


SMS isn't great for 2FA since the messages can be intercepted or a hacker can hijack your phone number to a new SIM card by convincing your cell carrier that they are you. Reddit had a breach within the past week because of this.
posted by exogenous at 1:22 PM on August 6 [9 favorites]


Anyone have an opinion on whether it's safe to use 1Password to store both passwords and TOTP tokens? It's very convenient, but it seems transparently a bad idea to put both factors into a single database.

This post is great, thanks. One addition: U2F and Yubikey is the new hotness in 2FA. It uses a secure hardware token and requires extra software support. But it's super convenient and also is resistant to phishing attacks in a way othe 2FA options aren't.

SMS 2FA is indeed vulnerable to hijacking, but it's better than no 2FA at all. Use it if it's your only option.
posted by Nelson at 1:23 PM on August 6 [6 favorites]


My bank has a fixed password length of 4 digits.
Yay security.
posted by signal at 1:23 PM on August 6 [9 favorites]


Aaand not to abuse the edit window, I see that these points were made below the fold in the post. Sorry!
posted by exogenous at 1:23 PM on August 6


I assume most Mefites know this, but I don't want to make an ass out of u and mption.

If a website can tell you your old password instead of just forcing a reset, you should not use that website.
posted by infinitewindow at 1:23 PM on August 6 [27 favorites]


My challenge now is that I want to update my iPhone (or even have its battery replaced), but with no guarantee that the 2fa will get saved or even that I'll get the same iPhone back, I need alternate 2fa generators (on alternate devices).

I'm making progress making sure my 2fa codes are on on-computer generators (which, I know, breaks the security model). Both Authy Desktop and Typing DNA (a Chrome extension) can do it. But there are some sites that are do not play fair or friendly with Authy Desktop or Typing DNA (for setting up 2fa).

I don't want to turn off 2fa while I get the thing upgraded or battery replaced.
posted by kalessin at 1:25 PM on August 6


(By not playing fair or friendly, I mean some 2fa-supporting sites only provide QR codes for the secret, and don't tell you the actual secret that you can copy/paste into the code generator, if for instance screen or browser page scanning fails to have the application/plugin detect the QR code graphic.)
posted by kalessin at 1:27 PM on August 6


I see that these points were made below the fold in the post

To expand on them a bit, here's a thread from former British intelligence officer Matt Tait (@pwnallthethings):
It's been long known that SMS based 2FA is weak and actively targeted by criminals. We also know 2FA based on codes (eg SMS based 2FA) aren't strong against phishing attacks that trick you into revealing your passcode, because the phisher can also trick you into revealing your 2FA code.

E.g. see this graphic here describing APT28 (Russian Intel) doing that.

But good news everybody! It turns out we *can* systematically eliminate phishing. Google hasn't had a single one of their 85,000 employees phished in over a year. How? Hardware based security keys.

If you wonder why I keep telling you to get a security key, this is why. It's the most reliable technical defence against phishing—and phishing is the most popular attack method for breaking into accounts.

For folks using Gmail or Google for business, check out "Google account security checkup". And for folks working with sensitive data (incl journos, politicos & staff, execs, software developers, admins etc) search for "Google advanced account protection".
posted by Jpfed at 1:28 PM on August 6 [15 favorites]


Any plans for 2FA here on MeFi?
posted by reductiondesign at 1:29 PM on August 6 [6 favorites]


Anyone have an opinion on whether it's safe to use 1Password to store both passwords and TOTP tokens? It's very convenient, but it seems transparently a bad idea to put both factors into a single database.


Bad idea. It doesn't completely nullify the benefit of the second factor, but it means there is a single breach that could grant access to your account. I would keep them separate -- at the very least, use a different 1Password vault with a different master password.

Small edit: I just looked into this and I don't think it's possible to choose a different master password for a second vault. I'm not sure if there's any security advantage to using a second one.
posted by So You're Saying These Are Pants? at 1:30 PM on August 6 [1 favorite]


I figured I'd drop this in a comment rather than to editorialize in my own post, but I use LastPass and Authy to get the job done over here. The reddit breach spurred me to get all the accounts I could over to using 2FA, and did it while drinking a beer and sitting in MeFiChat on Saturday night (rousing time it was!).

Password boxes that won't let you go as long or as complicated as you need are the WORST. Program better, don't force bad practices.

I forgot about including that Google link, that's a damn good one, and I meant to.

Nelson: I did put the YubiKey up there, but I don't know a ton about it, and I need to get one and play with it.

infinitewindow: I will agree with that, but they do it by checking the hash of the old one to the hash of the new one to do it (usually). That means they aren't updating the salt for the hash, which is not end-of-the-world, but isn't great either.

macrael & kalessin: great caveats to think of.
posted by deezil at 1:30 PM on August 6


Nelson, that's something that we've been thinking about lately at my company. The advice right now is to go ahead and put the codes in 1password. I mean, I know that I'm already putting my backup codes there so I've already put the eggs in the basket. I don't have another reasonable place to stash backup codes right now besides 1password, really. I'm still using an app for code generation because I like that they only exist on my phone and my phone is more secure than my Mac, but again, with the backup codes that might be more performative than anything else.

kalessin, you can use backup codes to bridge the gap, there.

As for hardware tokens. I just signed up for Google Advanced Protection, which is ok so far. My only issue with it is that it doesn't support safari on my mac, and I can't sign into the system wide google account there because of that.
posted by macrael at 1:31 PM on August 6


Also to Nelson: Nope, I don't give anyone both sides of equation with 2FA.
posted by deezil at 1:32 PM on August 6


I rotate my passwords quarterly, and have a scheme that makes each site unique. I also do two-factor where possible (including a YubiKey).

Question: I can't seem to find it, but can MetaFilter do two-factor?
posted by MrGuilt at 1:36 PM on August 6


Any plans for 2FA here on MeFi?

MFA surely.
posted by ActingTheGoat at 1:37 PM on August 6 [2 favorites]


Yubi keys are great but now that my computer only has USB-C ports I usually can't be arsed to find the dongle and so I just get out the app.

A couple other notes:

[Authy] is free, allows for backup to their cloud

This is actually why I recommend avoiding Authy. If your Authy password is compromised, it's trivial to log in and verify 2FA on any other account. I think it's best to keep 2FA codes behind something physical. The login motto is "something you know, and something you have" --- eg, your password and your phone (or other hardware token). Authy putting 2FA codes in the cloud breaks this model.

My favorite app for 2FA code management is actually Duo but they just got bought by Cisco so we'll see how long that lasts.
posted by So You're Saying These Are Pants? at 1:38 PM on August 6 [1 favorite]


oh lord if anyone wants to hack my mefi account to post coherent and legible comments please go right ahead
posted by poffin boffin at 1:38 PM on August 6 [27 favorites]


I'll put up with 2FA for online banking and the like, but for metafilter, discord, github, youtube, adsense, mastodon, slashdot, and so on? Nah. No thank you.

Meanwhile, twitch.tv has started telling me every time I go there to verify my email address, then saying "Oops! We can't send mail to [your address], please try again later" when I try to do so. I suppose the niggling cruftmongers that apparently run the place have decided it's okay to discriminate against fine email services like mailinator.com just because it's unlikely I'd notice any spam they sent me.
posted by sfenders at 1:42 PM on August 6 [7 favorites]


Be aware that the LastPass authenticator app also stores backup codes on the cloud, if you're a Premium customer. They didn't used to, but do lately (not sure when they started).
posted by kalessin at 1:42 PM on August 6


I rotate my passwords quarterly

FYI This used to be considered best practice, but the current NIST recommendation [pdf] is to avoid changing passwords unless there's indication of compromise:
Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).
However, verifiers SHALL force a change if there is evidence of compromise of the
authenticator.
Technically this guidance is for sites, not users, but I think the same principle applies.
posted by So You're Saying These Are Pants? at 1:43 PM on August 6 [5 favorites]


Also regarding separate vaults, it's really hard to keep two separate ones in LastPass. I do for my Mom, but I can only do it if I log into her vault only via the web, and only using incognito. Otherwise the LastPass browser extension syncs the identity and messes up which vault I'm working with.

It would be easier to do, ofc, with a local password vault manager. For 2fa vaults though? All I've ever seen is one 2fa vault per device.
posted by kalessin at 1:45 PM on August 6



I rotate my passwords quarterly

FYI This used to be considered best practice, but the current NIST recommendation is to avoid changing passwords unless there's indication of compromise


Truth be told, that is my standard (only change my list when there is a report of a breach (but I change everything if one is breached)). Unfortunately, that works out to quarterly in practice.

One other thing I do: for sites that require I create an account for no clear reason (like retailers), I just create something one-time for them--it's not in my system. If a year from now I have to go back into it, I do the password reset ritual.
posted by MrGuilt at 1:46 PM on August 6 [2 favorites]


These days, I ask my kids to MFA before I tuck them in at night...
posted by Nanukthedog at 1:47 PM on August 6 [1 favorite]


Vulnerabilities with cell-phone based 2FA go deeper than “an attacker can spoof your phone” – if somebody has set up a fake login page for you to type your username and password into, they can easily pop up an authentic-looking window for your 2FA code, and then use that code to log into the actual service before it expires.
posted by Holy Zarquon's Singing Fish at 1:51 PM on August 6 [3 favorites]


My challenge now is that I want to update my iPhone (or even have its battery replaced), but with no guarantee that the 2fa will get saved...

They won't get saved. Move them to the Authy app, or put them in something like 1Password.
posted by odinsdream at 1:52 PM on August 6 [1 favorite]


Vulnerabilities with cell-phone based 2FA go deeper than “an attacker can spoof your phone” – if somebody has set up a fake login page for you to type your username and password into, they can easily pop up an authentic-looking window for your 2FA code, and then use that code to log into the actual service before it expires.

Isn't this just as true with 2FA apps like google authenticator? This attack vector is part of what the yubikey protects against.
posted by So You're Saying These Are Pants? at 1:53 PM on August 6


SMS 2FA is indeed vulnerable to hijacking, but it's better than no 2FA at all. Use it if it's your only option.

It can be worse, since recover-accounts workflow sometimes runs via SMS, so if you can hijack SMS, you can just "recover" yourself into someone's account.
posted by BungaDunga at 1:54 PM on August 6 [1 favorite]


Proper 2FA should be considered mandatory for at minimum online accessible bank accounts and your email account(s). The bank should be obvious why, but if anything your email account is even more important. How many sites do you use that allow for password resets via email? Pretty much all of them.

So getting into your email account basically means any site that isn't itself protected by 2FA is now available to the fraudster. And they're getting smarter all the time. I've regularly seen people fall for google docs lookalike notification emails 'someone has shared a document with you' - you click on the link, it takes you a veeery similar looking site to google that wants you to re-enter user+pass, and oops, now they have your google account. or microsoft 'need to verify your account' emails that look very convincing. 'never follow a link from an email' is a nice idea, but impractical these days.

Two factor properly done generally means something you know, and something you have. If the 2nd code can be hijacked in transit, i.e. it's not entirely generated locally, it's vulnerable. Phone apps can be spoofed, so they're better than send-an-email 2FA or SMS, but a hardware key is best if possible for your key stuff. Not that anything is entirely bulletproof, in the end.
posted by Absolutely No You-Know-What at 1:56 PM on August 6 [1 favorite]


I'm a teacher. The worst security practices I encounter tend to be on websites where I submit letters of recommendation for my students. For example, one such site, immediately after I created an account, e-mailed me my login and password in plaintext, you know, for my records. This went to my work e-mail, of course, so the risk wasn't theoretical; the IT guy could and did read anyone's mail. I pull this story out when explaining to people why they shouldn't reuse passwords.

The most appalling site, though, -- and this was in 2017 -- was one which had me enter the text of a recommendation letter into a non-password-protected form whose URL was personalized only by a 4-digit number. By repeatedly adding or subtracting 1 from that number, I could see all other recommendation letters that had been submitted by anyone, for anyone. It looked like I could edit them, too, though I didn't test this for obvious reasons. A student in possession of any recommender URL could write their own letter. I wrote to the program and got a response saying "Huh, now that you mention it, that is problematic. We'll fix it next year." So it turns out there are organizations for which one-factor authentication would be a major security upgrade.
posted by aws17576 at 1:56 PM on August 6 [25 favorites]


Ask MetaFilter supports DTMFA authentication.
posted by mbrubeck at 1:57 PM on August 6 [38 favorites]


I love Lastpass and I use google authenticator on my phone.

I wish MFA hardware tokens came in cute colors and patterns and stuff, like the key caps and keys one can get at the hardware store, or like cell phone charms. Right now, tokens look boring, and they all look like the kind of thing twenty-something guys in tech who own Bitcoins would carry. More tokens that look like they were designed by Lisa Frank and/or Nintendo please.
posted by bagel at 1:57 PM on August 6 [10 favorites]


I haven't used 1password for this purpose, but you can do 2FA right in 1password.
posted by adamrice at 2:02 PM on August 6 [1 favorite]


I have 2FA on everything, but everything is SMS. Is there any way to make this safer when the websites themselves don't appear to offer any 2FA option besides that?
posted by schroedinger at 2:13 PM on August 6 [3 favorites]


Password managers seem necessary, but they also seem like you are moving from many individual failure points to a singular key failure point.
posted by zennie at 2:27 PM on August 6 [3 favorites]


you are moving from many individual failure points to a singular key failure point.

You absolutely are. The tradeoff is that the password manager folks are busy working on this full time, it's the only thing they need to get right. You are trusting the team to responsibly deliver what they say they are delivering, i.e. strong encryption.

The other assumption is that if something big breaks and encryption as a whole is compromised, there's going to be a lot worse breaches than the credentials to my tiny bank account.
posted by So You're Saying These Are Pants? at 2:31 PM on August 6 [2 favorites]


My factors go to 11.
posted by It's Raining Florence Henderson at 2:39 PM on August 6


There is also the option of using an offline password manager like KeePass. Although it's certainly less convenient in many respects.
posted by AndrewInDC at 2:47 PM on August 6 [1 favorite]


I have an old version of 1Password that's offline. I'm not sure why you say it's inconvenient.
posted by AFABulous at 2:50 PM on August 6


offline password managers are inconvenient for those of us who are the sort of snake people that live in clouds and use multiple internetting devices every day, especially smartphones.

Sent From My Pocket Computer
posted by bagel at 2:56 PM on August 6 [6 favorites]


I use it on my iPhone - it syncs the encrypted vault through dropbox and works fine offline. I use it if I'm (e.g.) at a library computer and want to log in to a site.
posted by AFABulous at 2:59 PM on August 6 [1 favorite]


The point is that someone needs to have my physical phone or laptop AND know my master password (or steal my thumb).
posted by AFABulous at 3:02 PM on August 6


Obviously less convenient, but you can use 1Password on a desktop and smartphone and sync (encrypted, obvs) databases over wifi, which reduces your exposure further.
posted by adamrice at 3:22 PM on August 6 [3 favorites]


1. Yubikeys are great, Yubico Authenticator is also good. And maybe makes desktop 2FA more convenient and secure.

2. Really really take backup access seriously. Due to a complex set of circumstances, I completely lost an AWS account. I had changed address, phone number, and country since setting it up, but I had not updated them with AWS. I started using it for work, and set MFA in the root account: app on my phone. I never log in as root, naturally. So it takes a while to realise that the sudden death of my phone has left me completely unable to. And Amazon need to call me on a dead Russian cellphone, or receive notarized proof that I live at a certain address in Russia. And I don't. We are at an impasse, and AWS tech support make it clear that there is no way I can get access. They will continue billing me for services on that account until the card (which I can't edit) stops working.*

Don't be like me: make sure you have a plan for when your 2FA is gone. I have 2 Yubikeys, one on my keyring, and the other in a known location. I register both with any sites I use.

* This Kafkaesque nightmare is actually the correct policy on their part, and I have no complaints with how they handled the situation.

posted by Wrinkled Stumpskin at 3:41 PM on August 6 [8 favorites]


I use KeePass for managing my passwords and have clients for it for all my machines (phone, ipad, desktop). I mail myself the latest database whenever I change things (and tend to change passwords from a single machine), so assuming (I know, big assumption) that the authors are honest and the encryption is decent, I should be good (crosses fingers).

I also just retired from a company that provided phone and sms based 2FA. (telesign, if you're curious and I no longer have any relation to the company, so it's not a plug). We were aware of both SMS problems and phone problems (SS7 and others), but our customers really wanted the convenience, so we gave them what they wanted. We worked hard at security, but there are always potential flaws on several levels. Even so, it was better than no 2FA and far better than some of the security practices I've seen from companies that should know better.
posted by Death and Gravity at 3:52 PM on August 6


...Vulnerabilities with cell-phone based 2FA go deeper than “an attacker can spoof your phone” ...

Way, WAY deeper. I don't want to link or describe in too much detail, because somehow it's still not in in widespread use, in at least the population of attackers that I see. Security-through-obscurity though it is, I see no reason to point out the details on a popular website in a way that could help change that.

Nevertheless, any form of MFA that doesn't involve a one time out-of-band challenge and response--basically a hardware token or a mobile app--is already broken, and broken in a way that the attacker only needs to use clever phishing pages to exploit. They don't need to go anywhere near hacking the phone system.

I think apps that create a custom PIN for the user to type at the login page are just as bad, but we don't use them at my org so I haven't checked in detail.


Despite that, even pathetic SMS-based MFA is 10,432 times better than no MFA at all. My small user population hasn't seen a single MFA-bypass attack (that we identified) ever. I've only heard about them in conjunction with state-level actors (Though they're so simple that will surely change. Soon). We see scores of normal attempts to phish user credentials to our cloud services every week, attempts that would be blocked by even the simplest MFA. And I'm sure we're not identifying all of them.

If you use a cloud service for anything at all security-critical, set up the best MFA they have right away. If you haven't spent hours making sure an email account isn't critical, it is. If their best is plain passwords and plans, walk away now.

If the best your personal service offers is phone-based or SMS-based auth, enable it anyway. Like, immediately. Tomorrow morning, if you you just have to. Before breakfast. Use it carefully. And light the vendor up about fixing this before every sckript-kiddie in the world gets wise. Also start making plans to migrate away from that service soon if they don't shape up. And plans to migrate away instantly, or nuke your account altogether, if a world full of skiddies gets a nice pre-packaged exploit to play with and the good attacks go feral overnight.

Oh, and if you have an organization's worth of security-critical or confidential information in a popular cloud service that doesn't offer any kind of multi-factor, or it does and you haven't mandated use? Unless you have a tiny population of the world's most savvy users, you're already breached. Sorry. Neither your luck nor your awareness training was that good, it's just that your (or the vendor's) breach detection was that bad. Lock it as tight as you can now and go looking for the mess once that's done.
posted by CHoldredge at 4:54 PM on August 6 [3 favorites]


Oh, and if you're trusting all your credentials to a single cloud service vendor? Well, it's your threat model, your trade-offs, your neck, and your call--though your bank and credit card and their liability insurers may disagree.

But if you're doing that without enabling the very best multi-factor protection they offer, knowing it backwards and forwards, and mapping out the remaining risks in excruciating detail? Well then dog below help you, because heaven above can't.
posted by CHoldredge at 5:12 PM on August 6


Just this past weekend I received a pair of U2F keys (one a cheapo-generico U2F-only device under 10GBP, the other a significantly fancier Yubikey Neo) and set up Advanced Protection on my primary gmail account. Google, very diligently, requires you to have TWO different hardware tokens to turn that on - one you carry generally, one you keep safe-as-possible at home in case you lose the first. The only wrinkle I encountered was forgetting that my Android tablet doesn't have NFC, so I had to dig out a USB-C-OTG adaptor to re-authenticate gmail on my tablet.

I've been running TOTP 2-factor with the Google Authenticator app on my phone for a while now and will generally set that up for any service that supports it. I've been using LastPass for a while and am strongly considering returning to paying for LastPass Premium to get Yubikey protection on that (at the "cost" of making it much less usable on that NFC-less tablet).

One of my banks has used a nice hardware card-reader second-factor widget for YEARS (very cleverly, my bank card itself is the something-you-have Factor and the free card-reader-gizmo is just an interface), now with the option to use their app instead - and the app alone cannot pay an unknown payee, and aggressively logs itself out if I even open the android task-switcher.

The other thinks that "type characters 1, 4 and 6 from your password, digits 2,3,5 from your Security Number, and we'll text you a code to set up a new payee" is good enough. *shudder*. And they have the gall to push some "free PC/browser security" software at me every time I have to go log in. Yeah, that's not going to help if someone social-engineers my mobile network of choice (or has use of an Evil Insider) to SIM-swap me and steal that so-secure text message...
posted by BuxtonTheRed at 5:28 PM on August 6 [1 favorite]


I use a service and software product called Krypton that can do U2F/FIDO/hardware token second-factor through your phone and a browser extension. It functions as a "soft" token. Whenever a web site asks for the hardware token to be enabled/touched/verified, the plugin sends a notification to your phone. If you approve the request, software on your phone signs the response with the private key stored in the phone and sends the signed response back.

It's supposed to be secure because the Krypton mobile app has the secure processor in the device (newer iPhone and Android devices have this, which is why only newer ones are recommended) create a private key and do all of the cryptographic work so the key can't ever leave your device.

I wish loads more sites, particularly banks and credit unions, supported standardized OTP or U2F second factors. This "install yet another app and approve a notification" business is annoying. I don't mind installing the bank's app and getting approval/denial notifications through it, but I don't want to have to set up six different Symantec/Cisco/Twilio/Microsoft/Google verification apps alongside all of them.
posted by fireoyster at 6:31 PM on August 6 [2 favorites]


I use KeePass with an encrypted file key. I keep both the password database and file key synced between devices with SpiderOak.

Not sure how secure this is, but it’s certainly more secure than my old method of “forget every password and reset it every time you log in, making gmail the only password that really matters.” Of course, if someone wanted to reset any of my passwords...
posted by shapes that haunt the dusk at 6:34 PM on August 6 [1 favorite]


One more point about e-mail and 2FA: If your e-mail provider supports app-based or hardware token 2FA, set it up right now. If your e-mail provider doesn't support app-based or hardware token 2FA, switch. Yes, even if that means migrating away from a long-held e-mail address. (I recommend Fastmail.)

If you want to be more secure, in my opinion: If your e-mail address ends in a domain name that you don't own and control, switch. Go buy your own domain from a registrar that supports app-based or hardware token 2FA (I recommend Gandi; there are many others at the site listed in the post). You can aim that domain at your service provider of choice (again, I recommend Fastmail). But, that way, if something tragic does befall the e-mail account you were using, you can easily point your domain elsewhere and keep right on rolling.

The only US mobile phone provider (other than Google's Project Fi) I know of that supports app-based 2FA is Ting. I'm seriously considering moving my main number to them Just In Case. Failing that, I may sign up for a separate number and give that out to companies that demand a "real" (as opposed to, say, Google Voice) number for "2FA."
posted by fireoyster at 7:04 PM on August 6


macrael: " I don't have another reasonable place to stash backup codes right now besides 1password, really. I'"

A print out in your wallet (or even a file on a microSD card in your wallet) I find to be a reasonable, non online hackable place to store backup codes.
posted by Mitheral at 8:20 PM on August 6


fwiw both my father and my wife have experienced what appeared to be no-recourse lockouts due to failed and forgotten attempts to instantiate 2FA on their (well-known technology company) accounts. 2FA remains srs bsns and until I intervened both folks were advised by escalated support to abandon the 1/2 2FA'd accounts. Usability factors are lacking.
posted by mwhybark at 8:31 PM on August 6 [9 favorites]


KeePass, LastPass, and similar password safes use a key-strengthening algorithm that should make dictionary and brute-force attacks difficult to pull off. Of course, that's assuming that there's not a hole where you can trick the program into giving up credentials while it's unlocked. LastPass had a couple of vulnerabilities due to security holes in JavaScript that were patched.

But as the old joke goes, "I don't need to run faster than the bear, I just need to run faster than you." Most of the worst offline attacks are not interested in you as a person. They're interested in any account they can get with a "dictionary." That dictionary is likely to contain not only the most frequent 99.9% of words in the English language, it will also have every password previously leaked and published, along with song lyrics, bible verses, and quoted passages from books and other media. The cracking software can be expanded with rules to cover l33t and other variations such as putting digits at the front or back of your password.

Since database leaks seem to happen on a monthly basis these days, I've just gone to assuming that any service where I have an account will be compromised. Even in the worst case scenario and plaintext passwords are leaked, (it has happened) a unique, random password like "s8;WQPsDYD}Dt,#d" (usually I go longer) doesn't provide the attacker with anything that can be used against other services.
posted by GenderNullPointerException at 8:40 PM on August 6


fwiw both my father and my wife have experienced what appeared to be no-recourse lockouts due to failed and forgotten attempts to instantiate 2FA on their (well-known technology company) accounts. 2FA remains srs bsns and until I intervened both folks were advised by escalated support to abandon the 1/2 2FA'd accounts. Usability factors are lacking.

Well we have no real universal PKI which is what the endgame really needs to be here. Every person needs their own key backed by a government with full biometrics. We know we can one-way hash the biometrics so the government can't get them back out for nerfarious purposes. All we need to do is have the PKI government backed a'la passports.

In a fully universal PKI I get a smart card authenticated by my biometrics by the government with my citizen private key. Even the government doesn't know what the private key is, the government is only CA. I can authenticate everything as me. I can bless devices to act as a 2FA proxy, I can sign emails or payments with it, I can encrypt all my data, I can travel with it. If I lose it, damage it, or it's stolen, I report it to the authorities and they immediately mark my public key as revoked and have a pointer to my new public key corresponding to the new private key they issue to me on a new card.

I basically want an iPhone secure element on a freaking smart card.
posted by Definitely Not Sean Spicer at 8:44 PM on August 6 [1 favorite]


offline password managers are inconvenient for those of us who are the sort of snake people that live in clouds and use multiple internetting devices every day, especially smartphones.

Can anyone answer me... I've always thought that the most obvious secure solution would be to take an old smartphone, install a password manager on it, and then perhaps some sort of hardware modification so that when it's connected to another device via USB it appears as a USB keyboard. (So you pick a password from the manager's UI and it's typed in a keyboard-buffer-stuffing sort of way into the connected device. And presumably you'd disable the phone's radio components to make it mostly air-gapped except for the one-way keyboard-emulation connection.)

Is there any standard way of refitting an old smartphone for this? Or even a device you can buy new which works this way? I've gone looking periodically over the years but evidently it isn't obvious, it's just me. (Or else I do really poorly with the search keywords.)
posted by XMLicious at 9:08 PM on August 6


Just "log in with facebook" that's what everybody's doing these days, surely we can trust the facebook?

/s
posted by some loser at 9:19 PM on August 6 [3 favorites]


Password security is achieved through a combination of measures which actually enhance security (like encryption, 2 factor authentication and password entropy) and those human factors which allow the system to be run in real life (re-set procedures, password lifespan, password creation rules, creation hints). Many system designers still seem to believe these goals are orthogonal: they are clearly not.

We need a password certification scheme that can be awarded to a site as a result of the degree to which is complies with both of the main goals. All those crappy systems which people are citing above (and which are often deployed and maintained at great expense despite their shittiness) would fail or score poorly on this certification.

For sure - there are some applications where there is a need for something analogous to "Bio-safety level 4" - systems where it is legitimate to make people go through elaborate rituals because we are doing so in order to protect something akin to Ebola in information terms. But almost always this is not the case.
posted by rongorongo at 1:18 AM on August 7


Can anyone answer me... I've always thought that the most obvious secure solution would be to take an old smartphone, install a password manager on it, and then perhaps some sort of hardware modification so that when it's connected to another device via USB it appears as a USB keyboard. (So you pick a password from the manager's UI and it's typed in a keyboard-buffer-stuffing sort of way into the connected device. And presumably you'd disable the phone's radio components to make it mostly air-gapped except for the one-way keyboard-emulation connection.)

Yes, you can do this, though I'm not convinced it's worth the effort. The hard bit is emulating a USB keyboard - you'd need a custom driver on the phone, which requires a non-standard kernel and root on android, and you couldn't on iOS. So the next-best-thing is an inputstick which allows your phone to pretend to be a USB keyboard via bluetooth. With a plugin (android only) you can then 'type' your password directly from Keepass2Android. You can also use USB Remote to use the soft keyboard for manual entry, or via the clipboard for say an authy or google authenticator code (this is the only way to do it from iOS I know of; you'd have to copy and paste from say 1password which is less convenient). It's not a super-reliable solution (check the review comments on the keepass plugin), but it does work.

The problem is, I think you're tackling the wrong problem. Strong encryption at rest, ala keepass on a normal smartphone, or lastpass, or 1pass etc can only be broken in one of three ways.
1) you pick a weak master password that's particularly vulnerable to dictionary attack, or are socially engineered to give it up
2) the coder of the strong encryption app really messed up
3) they somehow get the private key via a side-channel attack (on the OS storage etc, etc)

Between keystore on android and secure enclave on iOS, or TPM backed on desktops, which leverage hardware security, 3 is increasingly proof against even nation-state level attacks, so is not a concern for our purposes (if you're realistically worried about personalized nation-state equivalent attacks, you've likely got bigger problems than advice from random people on metafilter can help with)

1 and 2 are definitely concerns, and shouldn't dismissed out of hand - pobody's nerfect - but with care and a good long password are not the main problem.

The problem is when the passwords are unencrypted or weakly encrypted. Such as when going via the keyboard, emulator or no. Malware on the PC you're connected to can very easily steal passwords as typed, whether on real or virtual keyboard. A browser plugin that never uses the keyboard in the first place is more secure. OK, your master password won't leak that way, but every site you actual use will.

The place your password is stored on the other end is also a huge attack surface. How many site-level breaches have we seen now? And they're not stopping. Even if they use strong encryption and good practise e.g. hash, salt, slow algo on the passwords at rest (and there is NO excuse now for this not to happen) there are just far too many attack vectors against a server on the internet. Software vuln in the OS, webserver, the site code, cross-site attacks etc etc etc. Hardware sidechannels such as SPECTRE, and then they listen in as the passwords are in transit through the server (HTTPS does diddly when they're sending a copy of everything typed in the login page elsewhere)

Assume every password you use is hacked, or will be hacked at some point and you're in the right mindset. Sure, take decent effort to protect them on your device, use long unique ones so they're not trivially broken by script kiddies and a raspberry pi (password managers help here of course), and be paranoid about goddamn email links, cos no point making it easy.

But passwords can be hacked, have been hacked, and will continue to be hacked. Assume the worst.

So the solution, for now, is a 2nd factor. Something they cannot steal in transit or from a database. Even then, if the bad guys totally own the place you're going there's nothing that can totally protect your data that's on that platform (unless it has its own encryption to which that server never has the keys, which is how password-database syncing is protected), but the main risk, for normal people, is automated bulk attacks, against the passwords, and us meatsacks in the chair. Good 2FA that can't be trivially intercepted (aka hardware key or 2FA app) will defend against those much better than a convoluted method to protect your password store.

And backups. Backups, backups backups backups. Including a way to get back in when you lose your phone or 2FA key. (backup codes, multiple devices with the 2FA keys etc). You all have a complete current backup of your 'oh shit, did I backup that thing before I dropped coffee on my laptop', yes? Good...
posted by Absolutely No You-Know-What at 3:15 AM on August 7 [1 favorite]


Deezil, when I want a PSA done right, I'll be giving you a call. Fantastic work!

I set myself up with yubikeys a few years ago now, and it's mostly been very stress-free as a way of severely beefing up security. (Phone out of battery? No problem! Phone broken? Who needs phones?) Fastmail supports yubikeys, which is great, and when it figures out yubikeys are going to be a little difficult (like logging into something on a smartphone) then it just does the SMS code thing.

Much as I would never, ever consider going back to email without 2FA, I would say it's more than critical for password managers like Lastpass. Really, if you keep your passwords safe like that, 2FA ought to be very, very mandatory.
posted by Juso No Thankyou at 5:09 AM on August 7


Between keystore on android and secure enclave on iOS, or TPM backed on desktops, which leverage hardware security

Ah, well, see I don't have any computers with a TPM, but I have old smartphones.

Are there really not any concerns related to copying and syncing the password manager's store around to multiple devices if the master password is strong enough? That would be the thing I'd be trying to avoid—to be certain my KeePass file is on my keyboard-emulator device and my backup locations and no where else—as well as the simple convenience issue which bagel referred to, when you use multiple computers or devices.

(In any case, yeah I've looked into the pieces I'd need to put together and I'm not going to put all the effort into cutting a path through the jungle and being the first one to work it all out, if turning an old phone into an air-gapped password store is not a thing people normally do.)
posted by XMLicious at 6:34 AM on August 7


Are there really not any concerns related to copying and syncing the password manager's store around to multiple devices if the master password is strong enough? That would be the thing I'd be trying to avoid—to be certain my KeePass file is on my keyboard-emulator device and my backup locations and no where else—as well as the simple convenience issue which bagel referred to, when you use multiple computers or devices.

It's a tradeoff based on the principle that if PBKDF2 and AES are broken, we are in very deep shit all around.

I think one alternative could be something similar to Master Password where you regenerate individual passwords as needed using master password and a set of constants including the site name.
posted by GenderNullPointerException at 7:00 AM on August 7


I really like the hashpass/masterpassword concept in theory. In practice, I ended up with a couple of frustrations:

1. Implementations didn't handle subdomains or having multiple accounts on the same domain well.
2. What do I do with a forced password change? How do I remember which iteration of password changes I'm on?
3. Different systems have different password requirements.
4. How do I keep track of passphrases that I use for shared accounts?

So I suppose you could build a password manager that just stores some metadata about the site with a unique salt each time you deal with a forced password change.
posted by GenderNullPointerException at 7:18 AM on August 7


I don't really get the appeal of Authy as far as online storage of 2FA codes — it seems to undermine the entire purpose of 2FA. The whole point of the rolling code systems is to link them to a physical token or device, so that you can't log into the account without that physical object in your possession. If you put that into the cloud, you're really just tying the account with 2FA to your Authy account, which presumably is protected with a password... so really all you're getting is a second password. Not true 2FA anymore. (Or if the Authy account has "real" 2FA, then you are basically consolidating all your accounts behind one login... but it's not clear to me why that's a superior user experience to just having multiple accounts in your Google Authenticator or whatever app on your phone.)

If you're concerned about accessing your 2FA'd accounts in the event that you lose your phone or hardware token, a paper-code backup system seems like a better route. Google (IIRC) lets you print out a nice wallet-sized one that you can cut out, which doesn't have your account details / username on it (plus your password is still required), minimizing the risk if you lose your wallet. That preserves the physicality of the second authentication factor while still giving you a backup. And you can always print two copies of the backup codes and keep one in your wallet and one in a safe place at home, for further safety. (If you generate a new set of codes the old one becomes invalid, but you can print the same set of codes twice if you want to.)

It's certainly better than just a username+password but if you're going to go for two-factor, it seems like you might as well not immediately undermine it.
posted by Kadin2048 at 8:02 AM on August 7


I'm starting to feel like this isn't worth the trouble. I just wanted to play Tetris!
posted by thelonius at 8:06 AM on August 7 [3 favorites]


You absolutely are. The tradeoff is that the password manager folks are busy working on this full time, it's the only thing they need to get right. You are trusting the team to responsibly deliver what they say they are delivering, i.e. strong encryption.

I use KeePass with a long, unique and never-shared master password and I trust the developers to have got the task of encrypting it and its associated database right. Keepass does not seem to offer a means of using MFA to protect this master password itself however - that seems a potential oversight because a keylogger running on my PC could simply grab this string as it is typed. That is a slight worry. (The mobile iOs app that I use with Keepass can use touchID in lieu of a typed password - which seems like a more secure solution).

(A special form of damnation should rain down on those app designers who prohibit a suggested password from being pasted into a field in an application: meaning that I can generate a super long and complex string with Keepass but then have to manually transcribe it (twice, without error) into obfuscated fields before it can be accepted. Skype is a high profile offender in this respect.)
posted by rongorongo at 8:49 AM on August 7 [1 favorite]


Are there really not any concerns related to copying and syncing the password manager's store around to multiple devices if the master password is strong enough?

Oh, there are absolutely concerns about it; but are they big ones? I'm afraid answering that is a wall 'o' text, skip to the end if too much.

Security attacks basically fall into 5 categories.

1) personal, social engineering. They gather a bit of basic information about you, and use that to try and scam you. This ranges from 'this is microsoft tech support calling you about the viruses on your computer' cold calls, 'this is your boss (with a faked sender address), I need you to transfer $randomsum to this account, I'm in a hurry' emails, to some really quite clever scams.

Ultimately tech can't save you from these, because most people will handover passwords, 2FA generated codes, PIN codes, whatever if sufficiently convinced. 48% of people gave their password to an interviewer in exchange for chocolate. As a sysadmin, I would bet a large sum that a high percentage of those would have been their genuine most-used password. If it's really IT Support (and we're not just Bob's nephew who's Good With Computers) we already have more rights than you do to do stuff to your computer and your account, and the only time we might need your password is when you are entirely incapable of setting a new one and remembering it for 30 seconds, after like 3 attempts and we need to check if there is something systemic going on, or if it's um just you. Just be reasonably suspicious (don't tell anyone your passwords and never 2FA auth codes), and you'll be fine. Pay attention to the stuff you put into the public sphere via say, facebook.

2) personal, tech attack. This is someone coming after you personally, with significant amounts of information about you, with proper tools and knowledge. You can delay them and slow them down, but with sufficient effort and/or funding, they will almost certainly get you, most likely by compromising one or more of your personal devices. Unless you control large sums of money, or are famous, or a target of the NSA/FBI/MI6 etc (the aforementioned nation-state attack) the odds are (currently) vanishingly low this will ever be a problem for you. If it might be, get real defensive infosec training. And insurance.

3) automated, social engineering. Usually as a precursor to find out if you're fairly gullible (nigerian prince etc) or to catch you up in the 4th type of attack. Only directly a risk if you're a qanon type or likely to believe without question what that nice man said on the internet.

4) automated, tech attack. The biggie, where your choices can make a distinct difference. The obvious ones first. Apply patches. Have a firewall (who doesn't, these days). Use a password manager with a good master password. Be deeply suspicious of email links. Don't install random shit, particularly from that website you just got redirected to by a spam email. Uninstall flash and adobe reader if possible. Use a good adblocker (the amount of malware attacks via adservers is just nuts). Stop using IE FFS.
If a website helpfully sends you your password in the clear via email, do not - under any circumstances - give them money.

And also where password managers and 2FA auth sit, and whether syncing is a risk. I'll come back to that in a minute.

5) black swan events. The big brains have made a fundamental mistake somewhere, and we're all hosed. Us sysadmins have nightmares about these. Spectre and meltdown were a small baby black swan, and yes, sysadmins and infosec guys around the world shit bricks about it, and still are. A suddenly revealed fundamental flaw in one of our thought strong encryption algorithms would be a giant, massive black swan and probably destroy the global banking system within days. Try not to worry about it (unless you're a sysadmin obvs), the mainstream media are terrible at telling the difference between these and ordinary everyday security problems.
AI -personalised direct tech attacks could be a black swan, quantum computing will be a black swan if we're not prepared.

Anyway. Back to syncing password app vaults. There's not much you can do about type 2 and type 5 attacks, as an individual without better advice than I can fit in a metafilter comment. If you're important, or really paranoid, get real infosec training from a professional. Most risks to password managers fall into one of those two, which includes fingerprint-locking your phone and/or password database.

For type 4 attacks, modern devices are more secure than older devices, and security updates are *important*. Android in particular has a short support cycle (2 years or less) on most phones, so consider carefully if that 5 year old galaxy is really a good place to store all your passwords, given I can take full control of it just by standing next to you with a small backpack. It's not a *huge* risk, but it's a risk I personally wouldn't take. I wouldn't use a service I'd never heard of, and didn't have a proper security incidents reporting method. Hiding info about breachers for any length of time is a really bad sign, because that's time you could have used to change passwords etc. Stick to the big names, and you'll be fine. There is a small risk having your 2FA and passwords in the same app. I personally wouldn't take it, but it's much better than no 2FA at all. There is a smaller risk having them on the same device, I'm personally OK with that level of risk even though I am pretty paranoid. This one could be argued either way.

Password databases from proper password manager apps are really secure. Not bulletproof (type 2 or type 5, you're still probably hosed) but with a good strong password you Never Reveal, they're pretty safe. Remember, they only have to slow the bad guys down long enough for you to change your passwords (and with 2FA on a given account, even them knowing that account password is fairly safe). I'm not going to go posting mine on facebook, but even should it get into the hands of the bad guys (bar say the NSA) they're not getting in any time soon given it's also locked via 2FA. The sync services reputable password managers have add an additional layer of security on top of that again. If you wish to mitigate this last risk, then separate the password db sync from the password db app, i.e. use keepass2, but sync the database between devices using a different, 2FA protected service such as dropbox. Now they have to get past at least two different passwords, at least one 1 set of 2FA plus all the anti-automated attacks big services use. That is a really, really low risk.

The biggest risk of a password manager is that the device you're using it on is compromised by malware that is being controlled by a person - at that point all bets are off, as they can do everything you can, and see everything you do. Even then, the biggest risk is to individual passwords, not the password manager. Judicious use of good 2FA (i.e. not SMS) mitigates even this risk massively, as does keeping the thing up to date and not being a muppet.

With something like Authy, syncing the 2FA db between devices and keeping them on the same device as the password db is a small risk - but still a much smaller risk than not using 2FA at all, and really really small compared to using the same password for everything with no 2FA. Turning off multi-device support in authy after you've added it to all the devices you need means that even if they get the authy 2FA db, they can't use it.

SMS 2FA though, is arguably weak enough now that I wouldn't really call it 2FA. It's more like having two passwords. It's better than not, but you know, I wouldn't use it for anything with money or sensitive info in it unless there was literally nowhere else to go and nothing better available.

Again the biggest risk at that point is they take control of your device - but that's still a far smaller risk than not using these services at all, especially if you follow the usual boring security advice I've reiterated above. Authy on multiple devices has the big advantage that if you lose your phone, you're not locked out - and the big problem with google authenticator (or other single 2FA devices) is that you're much more likely to accidentally lock yourself out of your own accounts than anyone will ever bother to come after your 2FA. Easy to use 2FA is so much better than 'Pssword12345' for everything, it really is.

The additional benefits of being that extra bit paranoid and taking extra steps are not nothing, but if it's sufficiently a pain that you avoid using it, then it's a bad trade off. People's bad habits and inertia are the biggest weakness of all, and tech defences can only go so far.
posted by Absolutely No You-Know-What at 9:02 AM on August 7 [4 favorites]


2FA is causing my team some headaches at work (in fact I'm overhearing a conversation about it right now). The security benefits are obvious, but it creates a barrier to adoption that is hard to avoid. We have to think about users who aren't technically adept, or who may have limited resources -- e.g. users who don't have a cell phone and who might only have access to the internet at the library.
posted by sevenyearlurk at 9:27 AM on August 7 [1 favorite]


I've been using Roboform for many years as my password manager. I like it but everyone seems to mention only Lastpass or the other "*pass*" names. Anyone know of any reason why I shouldn't use Roboform?

Also I'm now managing a development support team and the policies for admin/shared accounts aren't great. I'm curious what the best practices are there. I've looked at Vault Enterprise, for example.

Also YES to 2FA. I need to move to a hardware key for sites that have it, but for now I use a combination of Authy and SMS-based. Amusingly, I feel paranoid about installing my password manager on mobile devices in case the device is stolen by someone who knows or gets the master key. Which means there's a lot of "hang on let me go see what my password is" at home. I don't do banking on my phone.
posted by freecellwizard at 9:33 AM on August 7 [1 favorite]


See, these two statements seem contradictory:

Android in particular has a short support cycle (2 years or less) on most phones, so consider carefully if that 5 year old galaxy is really a good place to store all your passwords, given I can take full control of it just by standing next to you with a small backpack. It's not a *huge* risk, but it's a risk I personally wouldn't take.

versus

Password databases from proper password manager apps are really secure. Not bulletproof (type 2 or type 5, you're still probably hosed) but with a good strong password you Never Reveal, they're pretty safe.

If it's an unacceptable risk to have a copy of a password database on a phone with its antennas removed or its radio systems otherwise lobotomized, how the heck can it simultaneously be acceptable to make copies of the password database to every device you use and every intermediate system involved in syncing or copying? If you forget to properly decommission all of them or simply lose some, you'll end up with multiple systems past OS support which have a copy of the database.
posted by XMLicious at 9:39 AM on August 7


> Just "log in with facebook" that's what everybody's doing these days, surely we can trust the facebook?

That's actually a decent idea as long as Facebook isn't seen as a single monolithic entity, and that account security (that is, the login step) can be seen as separate from Facebook sucking up all data for marketing purposes. Swap in Google if you'd prefer.

Facebook and Google both support U2F, while many other sites (I'm looking at you, Amazon/AWS), do not. For a site where I wanted to have some sort of two-factor U2F protection that did not offer it, Facebook or Google auth allows for that. Yes, you are then trusting Googlebook not to login to that site and pretend to be you but that's for each individual to decide, considering the other information that Google/Facebook knows/holds.

If the choice is between that, and reusing the same single-word password and not a passphrase, I'm going to recommend Login with Facebook. I'd push a password manager and a strong unique per-site passphrase, but people are not always receptive to workflow modifications, and verynicheforum.com should not have the same password as used for banking.
posted by fragmede at 9:39 AM on August 7


2FA is causing my team some headaches at work (in fact I'm overhearing a conversation about it right now). The security benefits are obvious, but it creates a barrier to adoption that is hard to avoid. We have to think about users who aren't technically adept, or who may have limited resources -- e.g. users who don't have a cell phone and who might only have access to the internet at the library.

Yes, that is definitely a concern. Better to wall off critical systems and allow reduced access for other employees. For example if the only thing they are logging in for is to fill out their time card, who cares? It's not going to bring the company down if a password is leaked. Use enhanced security only where it really matters.
posted by JackFlash at 10:03 AM on August 7


If it's an unacceptable risk to have a copy of a password database on a phone with its antennas removed or its radio systems otherwise lobotomized, how the heck can it simultaneously be acceptable to make copies of the password database to every device you use and every intermediate system involved in syncing or copying? If you forget to properly decommission all of them or simply lose some, you'll end up with multiple systems past OS support which have a copy of the database.

Because the best attack against these databases are to get you to unlock them, and virtually look over your shoulder with a keylogger, clipboard logger, or other malicious code. Barring errors in design or implementation, offline attacks against the database itself are considered to be infeasible due to the use of key-strengthening algorithms. These limit the number of attacks a person can make against the key to 1000 per second or less using good hardware.
posted by GenderNullPointerException at 10:47 AM on August 7 [1 favorite]


See, these two statements seem contradictory:

Android in particular has a short support cycle (2 years or less) on most phones, so consider carefully if that 5 year old galaxy is really a good place to store all your passwords, given I can take full control of it just by standing next to you with a small backpack. It's not a *huge* risk, but it's a risk I personally wouldn't take.

versus

Password databases from proper password manager apps are really secure. Not bulletproof (type 2 or type 5, you're still probably hosed) but with a good strong password you Never Reveal, they're pretty safe.

If it's an unacceptable risk to have a copy of a password database on a phone with its antennas removed or its radio systems otherwise lobotomized, how the heck can it simultaneously be acceptable to make copies of the password database to every device you use and every intermediate system involved in syncing or copying?
The difference is between a password database in active use, vs one with the database at rest. A database at rest, such as on an old phone is a drawer with a flat battery is not a big risk because it has very few areas they can attack, they will take a long time, and they are by design really hard to break into under that circumstance. It's what they are best designed to resist. Plus they have to physically get the phone, and also want to try and break into the password db which is gonna be super unlikely. So that is very safe for a period of time even if under attack by a bad guy in possession of it. A good password and 2FA dramatically increase that period of time, and depending on Factors, tends towards hundreds of centuries or longer, but you never know for like certain certain. The same applies when it's a rest in a sync service storage - they have to compromise the storage service, which is easier than stealing it from your desk because they can try and do it thousands of people at once, but then they have fulltime protections, but anyway, they still have have to break the db without the master password. Which is really goddamn hard unless you have a super simple master password.

A device in active use with the password db without security patches (and active radio) is a risk, because for just one example, there is an exploit for bluetooth from last year that is goddamn horrific for devices that aren't patched for it because it allows someone to just quickly and silently take complete ownership of your phone. There's usually some horrific device/OS exploit a few times a year, and bread-n-butter stuff every week, and apple is far, far from immune from that as well but they at least issue patches for old devices for longer (I still use android though because $1000 for a phone is fuck you, Apple, personally).

Even so, to break in using that bluetooth exploit, someone has to a) be using that exploit within range and you need bluetooth to be on, and they need to attack your device in the timeframe and need to then use their silent access while connected over bluetooth to install some rootkit, so later via a remote connection over wifi get a record of what you were doing with the password manager and reuse it to bypass the safety of the password db, because now they have the master password because they recorded you typing it, and can come back later remotely via the internet, and see other passwords being used etc etc. That's where the risk comes in - seeing what you're doing with it when it's open, not the password db itself.

Putting that another way, the biggest risk to a password database is when the person with the master password is opening and revealing otherwise tightly locked up data (including the master password itself), when the device this is happening on is under the control of a bad guy and he can record it, and most successful attacks are against the user, or against flaws that have had patches issued for months or even years, but just not applied.

I sometimes joke that the only really secure system is one that is turned off, with no connections, that is in a locked safe and the only key was dropped in the ocean. A completely radio dead phone would be pretty safe as they'd need direct physical access to attack it - but as we discussed earlier, you'd need bluetooth enabled at least on your old phone to act as a keyboard - and yes, what you suggested using it as a password db on an old radio dead phone would be fine if you turned off bluetooth when you weren't using it because they're not getting into the device without physically nicking it, but then you've got to faff with a bluetooth usb dongle for the computer to pass through the keyboard and you couldn't use it on your real phone, and why not just use normal 2FA such a usb dongle which achieves even better security for just far less grief and is designed to be robust both at rest AND when in use (because it doesn't have all the attack surfaces a full-fat smartphone with radios and internet access out the wazoo has)

Put all together I personally wouldn't actively use a long unpatched device with internet access for any data I cared about, which would include but is not limited to my password db. At that point before I was referring to actively using it as a normal smartphone with wifi etc etc not as some oddball kinda-offline password storage device, sorry I wasn't clear.

You are also absolutely correct, you should deactivate devices you no longer use (or have lost, or sent off for repair) from your password manager and relevant 2FA, and any device-specific passwords that are no longer in use, and the best apps will actually remind you of this when you have old devices hanging around in there and ask if they should be cleared up. You should also secure wipe any device that you dispose of. If they're not in active use then a password or 2FA db is a tough nut to crack, but it's still a good idea to avoid risk if it's low effort to do, and you've probably got other stuff on there you wouldn't want being available to bad guys. I should have put that in somewhere, but I was afraid I was already going on for far too long as it was, which I think I've just done again.

Security is really hard, explaining risk is really hard, and trying to compare what risks are worth taking vs others is really really really hard especially when it's hard to quantify what exactly those risk actually are given there's soooo many factors and caveats and whatnots and even comparatively those caveats can change what is a bigger risk, and I think I may just be really overexplaining all this and going far too far down tiny absolute risk rabbit holes. Sorry.
posted by Absolutely No You-Know-What at 11:15 AM on August 7 [5 favorites]


(This is a total aside from the topic, sorry)

> I sometimes joke that the only really secure system is one that is turned off, with no connections, that is in a locked safe and the only key was dropped in the ocean.

Do you mean that this is an expression you're fond of, or are you the original author? Because if you're the original author, I must be familiar with your work from long ago...

posted by RedOrGreen at 11:28 AM on August 7


definitely not my joke, there are mary variants floating around infosec guys, probably for as long as we've had computers
posted by Absolutely No You-Know-What at 11:31 AM on August 7


I basically want an iPhone secure element on a freaking smart card.

That's ... that's a smart card. The iPhone secure enclave is basically a cryptographic smart card built into a phone. Long before Apple did that, the groundwork was done by the people who designed smartcards (particularly the "crypto cards" with on-card processors), which were meant to be part of a whole authentication infrastructure. The YubiKey and other USB 2FA devices are basically a smartcard-type chip permanently coupled to a USB reader and integrated into a single unit, as I understand it.

People I know were working in the field at the time, and reasonably expected smart cards to become the standard method for authentication. They weren't thinking about logins into online systems as much as we do today, and were mostly concentrating on finance and payment/PoS scenarios, but the idea of having a smartcard reader built into most user input devices wherever a user would need to prove who they were definitely existed.

I'm not quite sure what happened. Like email encryption, it seemed like such an obviously good idea that nobody really bothered to push it to make sure it went through, and then... it didn't. (At least not for online user authentication; they ended up in European credit/debit cards, SIM cards, and a bunch of other places by the early 2000s. Just not computers.)

I suppose the rapid growth of the Internet, coupled with the ease of just going down the username/password route when you're building a web site, led to a chicken-and-egg problem—nobody wants to deal with getting a smartcard, or worse yet being the central authority that issues smart cards, unless there's a demand for them; simultaneously, unless you have users with smart cards, nobody is going to use them as authentication vectors, and create the demand. (At least in the US, the biggest deployment of smartcards was within the Department of Defense, where they're called CACs. The DoD has the ability to thou-shall in a way that the civilian market lacks, circumventing the chicken-and-egg adoption issue. But even the DoD's purchasing power wasn't enough to get smartcard readers into every PC.)

I still think that a hybrid contact+contactless smartcard is, in many ways, a better solution than the USB keychain cards like Yubikey. You can do NFC for mobile devices from a card, and most devices with a traditional USB port can accept a card reader if needed. And the credit-card form factor works for PoS systems, which gets us closer to a single card for both identification and payment. You can even put a capacitive code pad for a PIN on a card pretty easily, if you want even more security (no entering your PIN into some grotty merchant terminal). Personally I think keychains will be dead long before the credit card form factor will, since the latter is amenable to being slid into a cellphone case (where it could also act as your phone SIM, if the phone supported contactless SIMs).

But maybe I'm just biased because I carry a wallet around, but not a keychain, ha.
posted by Kadin2048 at 11:41 AM on August 7 [3 favorites]


Do you mean that this is an expression you're fond of, or are you the original author? Because if you're the original author, I must be familiar with your work from long ago...

Spaf. Gene Spafford, professor of computer science at Purdue University. "The only truly secure system is one that is powered off, cast in a block of concrete and sealed in a lead-lined room with armed guards - and even then I have my doubts."
posted by scalefree at 11:52 AM on August 7 [4 favorites]


"I don't really get the appeal of Authy as far as online storage of 2FA codes — it seems to undermine the entire purpose of 2FA."

I understand that Authy arguably weakens the security of 2FA. But I think that additional weakness is fairly minimal, and a small price to pay to avoid literally having accounts locked down to one device. The more 2FA accounts of this type that you have, the more you'll probably value this. It's a giant pain to migrate from one device to another, and it's nice to have multiple devices you can use simultaneously. Personally, I'm not necessarily looking for the most secure solution, I also want something that's practical for me to use.

"Keepass does not seem to offer a means of using MFA to protect this master password itself however"

It does, although it's not a standard one. You can use a key file, either with or without a password, to unlock your database. This key file can be on an external USB key, if you have a way to get to it - this might not be optimal on a phone, but it is possible.
posted by me & my monkey at 12:46 PM on August 7


I sometimes joke that the only really secure system is one that is turned off, with no connections, that is in a locked safe and the only key was dropped in the ocean.

heh. You and every other infosec person ever.
posted by some loser at 5:09 PM on August 7


The 1990s version of the spaf quote I have saved on disk is "The only system that is truly secure is one that is switched off and unplugged, locked in a titanium safe, buried in a concrete vault on the bottom of the sea and surrounded by very highly paid armed guards. Even then I wouldn't bet on it."
posted by fings at 1:35 PM on August 9


« Older Dark gray t-shirt and blue jeans   |   Jean Shepard on the plane crash that killed four... Newer »


You are not currently logged in. Log in or create a new account to post comments.