Dumb problem: all sites want both 2-factor and email recovery codes

You gave up privacy the first time you used a dial-up or went on the commercial internet. If you ever had an email service, you have already opened an unclosable door. All data is recorded and cannot be deleted from the vaults.
To think otherwise is truly naive.
 
What am I missing here?
Why are we discussing MFA 2 and others as a secure way to log in in this day and age?

No matter who steals your phone number and passwords, they can’t get in if you’re using passkeys
Anything is breakable, but passkeys are far superior

I just pulled this up quickly for the heck of it but there is so much on the subject. I only pulled this up because ….

“Passkeys represent a significant upgrade in safety over traditional passwords in several ways.”
https://www.mcafee.com/learn/what-is-a-passkey/

https://www.microsoft.com/en-us/sec...ey-day-advancing-passwordless-authentication/

https://safety.google/intl/en_us/safety/authentication/
 
What am I missing here?
Why are we discussing MFA 2 and others as a secure way to log in in this day and age?

No matter who steals your phone number and passwords, they can’t get in if you’re using passkeys
Anything is breakable, but passkeys are far superior

I just pulled this up quickly for the heck of it but there is so much on the subject. I only pulled this up because ….

“Passkeys represent a significant upgrade in safety over traditional passwords in several ways.”
https://www.mcafee.com/learn/what-is-a-passkey/

https://www.microsoft.com/en-us/sec...ey-day-advancing-passwordless-authentication/

https://safety.google/intl/en_us/safety/authentication/
Passkeys are awesome, FIDO2 keys are even better, but FIDO keys are more difficult to work with.
 
You gave up privacy the first time you used a dial-up or went on the commercial internet. If you ever had an email service, you have already opened an unclosable door. All data is recorded and cannot be deleted from the vaults.
To think otherwise is truly naive.
That’s why you data-pack with misinformation: if you can’t make the intolerable stop, you dazzle them with BS.

A data set of conflicting motivations makes the data worthless. A data set with no financial info is also quite worthless.

Thinking you are a victim and can do nothing is naive.
We decided on this and created our own monster; doubling down doesn’t make this better, and as we continue to ignore it, it will only get worse.

Worth noting: I know many folks who don’t use a cell, PC or the internet outside of their job. Not having an online presence is always possible.
A few of my relatives never had a bank account, the system makes it hard to opt out but it’s not impossible.

What am I missing here?
Why are we discussing MFA 2 and others as a secure way to log in in this day and age?

No matter who steals your phone number and passwords, they can’t get in if you’re using passkeys
Anything is breakable, but passkeys are far superior

I just pulled this up quickly for the heck of it but there is so much on the subject. I only pulled this up because ….

“Passkeys represent a significant upgrade in safety over traditional passwords in several ways.”
https://www.mcafee.com/learn/what-is-a-passkey/

https://www.microsoft.com/en-us/sec...ey-day-advancing-passwordless-authentication/

https://safety.google/intl/en_us/safety/authentication/

There are claims already that those can be broken in seconds by emerging technologies; AI + quantum is said to make security obsolete.
 
There are claims already that those can be broken in seconds by emerging technologies; AI + quantum is said to make security obsolete.
Yes, in theory, and I am sure it will come to reality someday. But according to every publication I have read, they are still far better than the others. I suspect that, because passkeys are newer, they will continue to be worked on by the giants - Microsoft, Google, etc. However, the weakness is the browser if someone allows a rogue extension. But still no documented cases, and not even close to the other methods of hacks. However, in our media/ad-revenue money-making model, everything will sound bigger than it currently is. One thing is clear: the older methods are less secure.

Nothing is absolute; however, that AI one day might actually make it.

"The new research is a proof of concept and not yet evidenced in the wild, but SquareX says “while passkeys appear more secure, much of this perception stems from a new technology that has not yet gone through decades of security research and trial by fire.”"
https://www.forbes.com/sites/zakdof...eys-can-be-hacked-new-attack-breaks-the-myth/
 
Serious question for the experts about brute-force attacks - and I'm not suggesting we rely on passwords without 2FA.

Is that a real risk these days, given every website I log in to will freeze the account after a small number of failed attempts? If this is the case in general, why are people still trying to frighten us with the phrase "brute-force attack"?
 
Serious question for the experts about brute-force attacks - and I'm not suggesting we rely on passwords without 2FA.

Is that a real risk these days, given every website I log in to will freeze the account after a small number of failed attempts? If this is the case in general, why are people still trying to frighten us with the phrase "brute-force attack"?
I am not sure there are many of these brute-force attacks that target an individual's credentials, guessing them over and over hoping that one strikes gold. Most are when a hacker, via some type of malicious software they were able to place on an enormous number of unsuspecting machines, directs 300,000 "visitors" to a website with each requesting all of the site's pages right now. There are very, very few infrastructures that can handle that kind of traffic, and in almost all cases the platform grinds quickly to a halt. This actually happened to Canonical, the makers of Ubuntu, last week. The value for the hacker is that they can extort money from the victim for a much greater amount to stop the attack than they'd ever garner gaining access to your individual account.

As far as I am aware, the only party that's ever been prevented from accessing my accounts here and there because of too many failed login attempts has been me. :)
 
You could switch to an MVNO of AT&T such as Cricket (owned by AT&T), Consumer Cellular, Boost, Red Pocket, etc.
I use Cricket here in WV because AT&T built more towers in WV than anyone else. They still have better service in this state. Cricket uses AT&T's system and its customers have as much priority as AT&T customers. Check it out.
 
Serious question for the experts about brute-force attacks - and I'm not suggesting we rely on passwords without 2FA.

Is that a real risk these days, given every website I log in to will freeze the account after a small number of failed attempts? If this is the case in general, why are people still trying to frighten us with the phrase "brute-force attack"?

Brute-forcing isn't used too much anymore because most services will stop login attempts after too many failures. Usually passwords are stolen via other compromised websites/accounts or via phishing tactics like emails. Users reusing passwords are the biggest issue because they'll normally use the same [weak] password across multiple accounts, i.e., the same password for their email and bank. Even if a password gets changed, it'll be something like Password123! to Password123!!. At this point the attackers can use a version of brute force to guess variations of the password from the leaked databases. Because of this, several NIST 800-63B revisions have removed the xx-days-to-reset-password requirements:

NIST 800-63B 5.1.1.2
Length and complexity requirements beyond those recommended here significantly increase user frustration and the difficulty of using passwords. As a result, users often work around these restrictions counterproductively. Other mitigations (e.g., blocklists, secure hashed storage, machine-generated random passwords, rate limiting) are more effective at preventing modern brute-force attacks, so no additional password requirements are imposed.

Above is superseded by:

NIST 800-63B-4 Section A.5
Length and complexity requirements beyond those recommended here significantly increase user frustration and the difficulty of using passwords. As a result, users often work around these restrictions counterproductively. Other mitigations (e.g., blocklists, secure hashed storage, machine-generated random passwords, rate limiting) are more effective at preventing modern brute-force attacks, so no additional password requirements are imposed.

However because of compliance regulations, if you have to be PCI DSS 4.0 compliant then you are required by PCI DSS 4.0 8.3.4-8.3.9 to leverage MFA and password resets every 90 days.

The compliance regulations are tough, always changing every year, and an absolute headache when dealing with cyber security insurance claims. That's why these companies push their apps so they can ensure their compliance.
 
Password crackers take the stolen hash of your password, brute-force guess passwords, hash them and compare them to the hash of your password. They use dictionaries, leaked passwords, probabilistic rules, and AI/statistical models to prioritize likely guesses first. The good ones work with GPUs and can guess a terrifying number of hashes/second. They make human-memorable passwords almost trivial to break. They can guess weak password systems like NTLM at a rate of hundreds of billions/second, often figuring out your password in < 1 second. Password systems like scrypt or Argon2 are vastly better, and with a > 15-character password with multiple character sets are almost impossible to crack. If you rely on passwords, make them long, random and with multiple character sets. The good passwords are the ones you can't possibly remember.

Yes, if your password hash is stolen, it is likely a password cracker has already figured it out. I just ran a count of the haveibeenpwned stolen password hashes and it now contains 2,048,908,128 unique hashes. Do not depend on passwords that you can remember, they are completely obsolete.
 
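An added example for the two posts above (the NIST 800-63B post on attackers guessing variations of leaked passwords, and the post on crackers that hash dictionary guesses against a stolen hash). This is not code from the thread or from any of its posters. It assumes a constructed five-entry "leaked" list, a handful of hashcat-style mangling rules chosen for illustration, SHA-1 standing in for NTLM's MD4 when hashlib has no MD4, and deliberately small scrypt parameters so it finishes in a second or two.

```python
"""Dictionary + rule attack on a fast unsalted hash vs. scrypt, and a
NIST 800-63B-style blocklist that rejects passwords one or two mangling
rules away from a leaked one. Added example, not code from this thread."""
import hashlib
import itertools
import time

# Constructed "leaked" dump for illustration (assumption, not real data).
LEAKED = ["password", "Password123!", "letmein", "qwerty", "summer2023"]

# A few hashcat-style mangling rules: identity, capitalise, upper-case,
# append '!', append '1', append a year, and two leet substitutions.
RULES = {
    ":":     lambda w: w,
    "c":     lambda w: w[:1].upper() + w[1:].lower(),
    "u":     lambda w: w.upper(),
    "$!":    lambda w: w + "!",
    "$1":    lambda w: w + "1",
    "$2024": lambda w: w + "2024",
    "sa@":   lambda w: w.replace("a", "@"),
    "so0":   lambda w: w.replace("o", "0"),
}


def fast_hash(pw: str) -> bytes:
    """Fast, unsalted hash of the NTLM kind. NTLM is MD4 over UTF-16LE;
    hashlib.new('md4') is often disabled under OpenSSL 3, so fall back to
    SHA-1 over the same bytes, which is just as unsuitable for passwords."""
    data = pw.encode("utf-16-le")
    try:
        return hashlib.new("md4", data).digest()
    except ValueError:
        return hashlib.sha1(data).digest()


def slow_hash(pw: str, salt: bytes = b"per-user-salt") -> bytes:
    """Memory-hard KDF (scrypt). n=2**12 keeps the demo quick; real
    deployments use a much larger n and a random per-user salt."""
    return hashlib.scrypt(pw.encode(), salt=salt, n=2**12, r=8, p=1, dklen=32)


def candidates(words=LEAKED, depth=2):
    """Every distinct result of applying `depth` rules to each leaked word
    (the ':' rule makes shorter chains a subset). This is the attacker's
    guess list: cheapest and most likely guesses first."""
    seen = set()
    for word in words:
        for chain in itertools.product(RULES, repeat=depth):
            cand = word
            for name in chain:
                cand = RULES[name](cand)
            if cand not in seen:
                seen.add(cand)
                yield cand


def crack(target: bytes, hash_fn, words=LEAKED):
    """Offline attack: hash each candidate and compare with the stolen hash.
    Returns (recovered password or None, guesses made, seconds elapsed)."""
    start = time.perf_counter()
    tried = 0
    for cand in candidates(words):
        tried += 1
        if hash_fn(cand) == target:
            return cand, tried, time.perf_counter() - start
    return None, tried, time.perf_counter() - start


def guesses_per_second(hash_fn, limit=150):
    """Rough single-core rate of hash_fn over the first `limit` candidates;
    the gap between fast_hash and slow_hash is the point, not the numbers."""
    batch = list(itertools.islice(candidates(), limit))
    start = time.perf_counter()
    for cand in batch:
        hash_fn(cand)
    return len(batch) / max(time.perf_counter() - start, 1e-9)


def blocklisted(pw: str, words=LEAKED) -> bool:
    """NIST 800-63B-style check at password-set time: reject anything that
    is a leaked password or within two mangling rules of one. Reusing the
    attacker's own rule engine is what makes 'Password123!!' fail here."""
    return pw in set(candidates(words))


if __name__ == "__main__":
    user_pw = "Password123!!"          # "changed" from the leaked Password123!
    for name, fn in (("fast unsalted", fast_hash), ("scrypt", slow_hash)):
        found, n, secs = crack(fn(user_pw), fn)
        print(f"{name:14s} recovered={found!r} after {n} guesses "
              f"in {secs:.4f}s; ~{guesses_per_second(fn):,.0f} guesses/s")
    print("blocklisted('Password123!!') =", blocklisted(user_pw))
    print("blocklisted('correct horse battery staple') =",
          blocklisted("correct horse battery staple"))
```

Both hashes give up "Password123!!" within a few dozen guesses because it sits one rule away from a leaked entry; what scrypt buys is the per-guess cost, which is why the measured rate for it is orders of magnitude below the unsalted hash even on a single CPU core (a GPU widens that gap further for the fast hash, not for scrypt). A genuinely random passphrase is neither cracked by this rule set nor rejected by the blocklist.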
Yes that really sucks. I also noticed many email accounts would suddenly start requesting password again and then 2FA or another email to get a code when the phone wants the same.

My solution is always to do it at home with a computer I have always trusted and worked, and then gradually "authorize" them one at a time.

Some of the stuff requiring 2FA is ridiculous, like the Albertson / Safeway app that just show you discount coupons but they want you to use their app to pay with online order. So now we are dealing with this 2FA stupidity to get supermarket coupons as well.
 
I hope the day comes sooner-than-later that there is no "elsewhere" that allows simply for usernames and passwords. This is horrendously insecure and prone to compromise. 2FA mitigates darn-near every security threat imaginable unless you're one of my teenage daughters who lets their friends, and seemingly any random passerby, use their phone.

I am a web developer and I insist that all of my clients use 2FA. They grumble and whine about it but will also admit that there's never been a compromise of data.

When I set up a 2FA code for a new service I use an app on my computer as well as the available 2FA app on my phone (I know Google and Microsoft each offer one, unsure about Apple) and set them both up at the same time.
I have seen people get a fake ID to have a SIM reissued while the owner is on an overseas trip, then use that new SIM's 2FA to get access to financial accounts and send the money out. 2FA is safer against online access security concerns but not perfect against physical-world hacks either.
 
I have seen people get a fake ID to have a SIM reissued while the owner is on an overseas trip, then use that new SIM's 2FA to get access to financial accounts and send the money out. 2FA is safer against online access security concerns but not perfect against physical-world hacks either.
Agreed. Like local-only OS exploits: if someone has your ID, your SIM, or is inside your house or business, you have massive problems, and data is only one of them.
 