OT please explain
2 views
Skip to first unread message
Johnb - co.uk
Nov 15, 2021, 6:22:45 AM11/15/21
to Dixonarians
Could someone please explain
why modern security ideas (for eg gmail login), etc seem to think that involving two different machines using two different operation systems and two different radio pathways is actually safer than one direct access
I feel this fairly critically for most of them demand that I copy a code received as an SMS message by my smartphone - I live in an area where G4 G5 reception is not reliable and when I am sent a code which is viable for 10 minutes but may well take a full day to arrive then ...Aargh
It suddenly struck me that to involve 2 operating systems which in my case are both secure - (a)Windows 10 pro via internal wifi via phone landline cable on a fully secured laptop and (b) Android 10 on an equally secure smart phone but using the phone network - which I presume is a different radio path via at least a couple of transmission towers - would seem to me to be increasing the chance of interception.
Am I being stupid? - or what?
PS. I had to remove the phone from my online banking profile because my bank sent me a required notification by SMS which took 79 hours to arrive and cost me bank fees because I hadn't taken an action which I didn't know about (and of course banks are very unforgiving when it comes to their money)
why modern security ideas (for eg gmail login), etc seem to think that involving two different machines using two different operation systems and two different radio pathways is actually safer than one direct access
I feel this fairly critically for most of them demand that I copy a code received as an SMS message by my smartphone - I live in an area where G4 G5 reception is not reliable and when I am sent a code which is viable for 10 minutes but may well take a full day to arrive then ...Aargh
It suddenly struck me that to involve 2 operating systems which in my case are both secure - (a)Windows 10 pro via internal wifi via phone landline cable on a fully secured laptop and (b) Android 10 on an equally secure smart phone but using the phone network - which I presume is a different radio path via at least a couple of transmission towers - would seem to me to be increasing the chance of interception.
Am I being stupid? - or what?
PS. I had to remove the phone from my online banking profile because my bank sent me a required notification by SMS which took 79 hours to arrive and cost me bank fees because I hadn't taken an action which I didn't know about (and of course banks are very unforgiving when it comes to their money)
--
JohnhnyB
JohnhnyB
Hugo Kornelis
Nov 15, 2021, 7:08:53 AM11/15/21
to dixo...@googlegroups.com
Hi Johnny,
Passwords are generally nowadays considered a rather weak protection.
* They can be guessed (many people use the name of their spouse, or 12345678, or other simple things).
* They can be stolen / leaked when not secured properly by the service you use it for (there are very safe ways to store passwords, encoded via one-way encryption that cannot be reversed, but many programmers are too lazy / too stupid so they store passwords in clear text).
* They can be cracked (many people use rather short passwords that with current hardware can be cracked in just a few minutes, and many services still have insanely outdated requirements such as maximum password length or restrictions on symbols used)
* And finally, because many people use the same email and password on many sites, having a password on one website compromised actually gives hackers access to all those other websites. If a hacker somehow gains access to the email and password you use to log on to your local gym's website, they'll immediately try to see if that some combination also unlocks your Facebook and LinkedIn!
The ideal security protocol relies on three distinct checks (three-factor authentication): "something you know, something you have, something you are"). The password is what you know. What you have could be a physical key for entering a building, or a security badge or so. Or in the case of computer systems it will be your phone.
he third phase is typically only used in high-security environments, where they have the budget to use finger-print readers or iris scannners.
Further reading: https://dis-blog.thalesgroup.com/security/2011/09/05/three-factor-authentication-something-you-know-something-you-have-something-you-are/
If you live in an area where bad cell reception makes TFA (short for two-factor authentication) a challenge, you can check the settings of the relevant sites whether they allow you to disable this extra llayer of security. Many (not all) do offer their users this option.
I hope this helps.
Cheers,
Hugo
Passwords are generally nowadays considered a rather weak protection.
* They can be guessed (many people use the name of their spouse, or 12345678, or other simple things).
* They can be stolen / leaked when not secured properly by the service you use it for (there are very safe ways to store passwords, encoded via one-way encryption that cannot be reversed, but many programmers are too lazy / too stupid so they store passwords in clear text).
* They can be cracked (many people use rather short passwords that with current hardware can be cracked in just a few minutes, and many services still have insanely outdated requirements such as maximum password length or restrictions on symbols used)
* And finally, because many people use the same email and password on many sites, having a password on one website compromised actually gives hackers access to all those other websites. If a hacker somehow gains access to the email and password you use to log on to your local gym's website, they'll immediately try to see if that some combination also unlocks your Facebook and LinkedIn!
The ideal security protocol relies on three distinct checks (three-factor authentication): "something you know, something you have, something you are"). The password is what you know. What you have could be a physical key for entering a building, or a security badge or so. Or in the case of computer systems it will be your phone.
he third phase is typically only used in high-security environments, where they have the budget to use finger-print readers or iris scannners.
Further reading: https://dis-blog.thalesgroup.com/security/2011/09/05/three-factor-authentication-something-you-know-something-you-have-something-you-are/
If you live in an area where bad cell reception makes TFA (short for two-factor authentication) a challenge, you can check the settings of the relevant sites whether they allow you to disable this extra llayer of security. Many (not all) do offer their users this option.
I hope this helps.
Cheers,
Hugo
Op 15-11-2021 om 12:22 schreef Johnb -
co.uk:
--
You received this message because you are subscribed to the Google Groups "Dixonary" group.
To unsubscribe from this group and stop receiving emails from it, send an email to dixonary+u...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/dixonary/2e7fde0d-2354-1e8b-2b3a-628e429a7536%40john-barrs.co.uk.
Johnb - co.uk
Nov 15, 2021, 8:08:23 AM11/15/21
to dixo...@googlegroups.com
Thanks Hugo
I am still not convinced that spreading the threat over two different systems is a wise solution... I suppose that people are silly in their selection of passwords etc but if one isn't silly then (eg as used by my local doctors) having to enter 3 characters (#7, #9, #11) from a (minimum allowed of 12) means that I have to keep stuff on my machine in plain text so that I can locate which of 37 different 12-18 character one, two, or three factor security systems I require - to have to do it on two different systems is not only annoying but the chances of my errors are increased (and to be locked out because of my errors is a real PITA)
I do admit that I use simple and often similar short pwords for what I would call non-critical sites --- but my machine is heavily antimalware protected....sites involving personal data other than my name are heavily protected by long passwords and whatever else they require - I mean for instance , unless specifically allowed at this moment my webcam is disabled and key strokes are not submitted
reading the national news
1: the problems are not with complicated systems but with unthinking people (phone calls telling me my bank requires something <enter 1 here> or that my electricity company needs me to <hit 1> to confirm my account - these are all things that only education (and not having alzheimers!) can cure
or 2: even the big boys suffer from attacks which then compromise all of us
I am still not convinced that spreading the threat over two different systems is a wise solution... I suppose that people are silly in their selection of passwords etc but if one isn't silly then (eg as used by my local doctors) having to enter 3 characters (#7, #9, #11) from a (minimum allowed of 12) means that I have to keep stuff on my machine in plain text so that I can locate which of 37 different 12-18 character one, two, or three factor security systems I require - to have to do it on two different systems is not only annoying but the chances of my errors are increased (and to be locked out because of my errors is a real PITA)
I do admit that I use simple and often similar short pwords for what I would call non-critical sites --- but my machine is heavily antimalware protected....sites involving personal data other than my name are heavily protected by long passwords and whatever else they require - I mean for instance , unless specifically allowed at this moment my webcam is disabled and key strokes are not submitted
reading the national news
1: the problems are not with complicated systems but with unthinking people (phone calls telling me my bank requires something <enter 1 here> or that my electricity company needs me to <hit 1> to confirm my account - these are all things that only education (and not having alzheimers!) can cure
or 2: even the big boys suffer from attacks which then compromise all of us
JohnnyB
To view this discussion on the web visit https://groups.google.com/d/msgid/dixonary/407b8dda-ac9d-d476-9877-3a49c227ed07%40perFact.info.
Hugo Kornelis
Nov 15, 2021, 8:23:30 AM11/15/21
to dixo...@googlegroups.com
Hi Johnny,
My knowledge in this area is limited.
What I do know is that the extra safety provided is fairly simple. Suppose I somehow figure out your password and username (or email) for your Amazon account. Without TFA, that would give me access to your recent purchases and depending onwhat you have configured might even allow me to make purchases charged to your credit card.
With the additional TFA, I can get past the password prompt but then will be stuck at the prompt for the code that has been sent to your cell phone and not to mine. And you'll get that prompt and know that (1) someone got hold of your password so you need to change it; and (2) at least that someone did not get into your account.
As you mention, breaches can happen on many levels and in many places. You choosing a secure password, keeping it safe, and not sharing it with anyone only guarantees that you won't leak it. It can still be leaked if the company gets succesfully hacked.
Free security / password advice for all who are reading here:
A few years back, I got an email from LinkedIn apologizing for the inconvenience because they had their accounts data stolen. At that time I worked with perhaps four passwords that I had memorized and reused. A much needed wake up call for me. I changed all my passwords. I registered at clipperz.is (a free service), a service that helps to generate random passwords (typically 24 completely random characters, insanely hard to crack) and store them securely encrypted on their servers. Even if their servers get compromised, nobody will be able to decipher my information without knowing my passphrase. So the only gamble I took is that I trust the advertising and information given by clipperz.is (if they're a scam then I am royally screwed since I have ALL my passwords there!)
When I now sign up for a new service, I simply let clipperz.is generate a random password for that site only, and store it so I can always copy/paste it when I want to log on.
So now, if e.g. LinkedIn gets compromised again, the hackers will still have my logon data for LinkedIn but it won't work on any other site.
Cheers,
Hugo
My knowledge in this area is limited.
What I do know is that the extra safety provided is fairly simple. Suppose I somehow figure out your password and username (or email) for your Amazon account. Without TFA, that would give me access to your recent purchases and depending onwhat you have configured might even allow me to make purchases charged to your credit card.
With the additional TFA, I can get past the password prompt but then will be stuck at the prompt for the code that has been sent to your cell phone and not to mine. And you'll get that prompt and know that (1) someone got hold of your password so you need to change it; and (2) at least that someone did not get into your account.
As you mention, breaches can happen on many levels and in many places. You choosing a secure password, keeping it safe, and not sharing it with anyone only guarantees that you won't leak it. It can still be leaked if the company gets succesfully hacked.
Free security / password advice for all who are reading here:
A few years back, I got an email from LinkedIn apologizing for the inconvenience because they had their accounts data stolen. At that time I worked with perhaps four passwords that I had memorized and reused. A much needed wake up call for me. I changed all my passwords. I registered at clipperz.is (a free service), a service that helps to generate random passwords (typically 24 completely random characters, insanely hard to crack) and store them securely encrypted on their servers. Even if their servers get compromised, nobody will be able to decipher my information without knowing my passphrase. So the only gamble I took is that I trust the advertising and information given by clipperz.is (if they're a scam then I am royally screwed since I have ALL my passwords there!)
When I now sign up for a new service, I simply let clipperz.is generate a random password for that site only, and store it so I can always copy/paste it when I want to log on.
So now, if e.g. LinkedIn gets compromised again, the hackers will still have my logon data for LinkedIn but it won't work on any other site.
Cheers,
Hugo
Op 15-11-2021 om 14:08 schreef Johnb -
co.uk:
To view this discussion on the web visit https://groups.google.com/d/msgid/dixonary/d31f554f-39e4-d3f4-1549-047532d08802%40john-barrs.co.uk.
Judy Madnick
Nov 15, 2021, 8:33:18 AM11/15/21
to dixo...@googlegroups.com
Hi, Hugo,
I use LastPass for the same reasons you described. I don't always use their complicated passwords but do try to use passwords containing a combination of letters, numbers, and special characters. So far, so good!
Judy
Original Message
From: "Hugo Kornelis" <hu...@perFact.info>
Date: 11/15/2021 8:23:27 AM
Subject: Re: [Dixonary] OT please explain
Reply all
Reply to author
Forward
0 new messages