Please Enable Two Factor Authentication!

[GadgetGuru]

(Sorry if this doesn't belong here)

I just wanted to make a PSA to everybody about the importance of Two Factor Authentication. Two Factor Authentication is the practice of having two factors whenever you log in. One thing you know (a password) and one thing you have (a cell phone, USB Yubikey, one of those RSA keyfobs with the numbers that keep changing). This is important because a potential thief would need to know your password and physically steal something from you in order to access your online accounts.

Why am I talking about this? There's been a small string of Bitcoin robberies (Getting Hacked, Lessons Learned – AVC) where hackers have been able to steal a person's Bitcoins. This is the equivalent of somebody logging into your bank account and wiring all of your money away. It's absolutely terrifying.:jaw:

Spoiler: Article Notes

(Yes, I know that the article exposes some faults in some implementations of 2FA and can make you scared, but the takeaways are the important part. It's all about the small things you can do to help take you from being 10% secured to being 90% secured. Hackers go for the low hanging fruit. This is a tangentially related article, but it reminded me to double down on 2FA, which how I found out about IU's 2FA support.)

There's a couple takeaways from all of this:
1) Use a different password for everything. LastPass, 1Password can help immensely. Or, at the very least, use unique passwords for the important things. Email? Unique password. Bank? Unique password. IU account... Unique password (you can see where I have my priorities )
2) Turn on 2-factor authentication (2FA) with your cell phone for everything. This means when logging into a website, you type in your password, and then you type in a special code from your phone. Sometimes these codes are texted to you (that's not great, but sometimes necessary) and sometimes you have to use a special app like Google Authenticator (so much better). You can find instructions for many websites here: Two Factor Auth List

So, why am I talking about this to all of you? Because, one of the many reasons IU is awesome is that they support real 2FA! Serious props to IU for doing this (even if it was on accident).

How do you enable 2FA?
1) Just go to the "Your Account page" by clicking on your username in the upper right and then clicking on any of the boxes.
2) Click on Two-Step Verification on the left hand side of the screen.
3) Download the Google Authenticator app on your phone (iOS + Android).
4) Back on IU, click "Verification Code via App." Don't do Email confirmation. App based 2FA is by-far the most secure.
5) Follow the instructions. It'll involve using the Google Authenticator app to take a picture of a QR code, or typing a massively long string into the app. There's a verification process involved too, so you can't mess the process up and accidentally lock yourself out of your account.

Then, do this for every other site you have!

Just an additional note: This does mean that you'll need to open the Google Authenticator app every time you log into IU or other sites you've set this up. Logging in will take some extra time. And if your phone battery is dead, you're out of luck. I promise it's worth it to make you more secure. Every site you use should have this enabled.

Thanks for listening! If you have any questions, or are confused, let me know!

 

[WAJAS]

@Brian G. does this function work with DUO Mobile as well?

 

[GadgetGuru]

@Brian G. does this function work with DUO Mobile as well?

It should work with any app that supports TOTP (Time-based One-time Password Algorithm - Wikipedia)

That would include Duo, Authy, Google Authenticator and a bunch of others.

 

[WAJAS]

It should work with any app that supports TOTP (Time-based One-time Password Algorithm - Wikipedia

That would include Duo, Auth, Google Authenticator and a bunch of others.

Awesome. I already use this for most places, might as well add IU.

 

[CowMissing]

In addition, don't have the computer (if at a desktop) save your settings as this would defeat the whole purpose of the Two-Factor Authentication. Make sure you have to enter the passcode every time you log in. That's the only for sure way that you know your identity is being protected when entering a computer system.

 

[GadgetGuru]

In addition, don't have the computer (if at a desktop) save your settings as this would defeat the whole purpose of the Two-Factor Authentication. Make sure you have to enter the passcode every time you log in. That's the only for sure way that you know your identity is being protected when entering a computer system.

That's really great advice as well. To add onto that, I think it's okay to allow some of your personal devices to be "trusted" i.e. you don't need two-factor if you log in from that device. In that case, you've replaced your cell phone app as a second factor with your physical computer as a second factor. Same idea - a hacker would have to physically steal your laptop and know your password to log on.

No matter what, don't have sites log you in automatically and don't have your web browser remember passwords for you!

 

[CowMissing]

That's really great advice as well. To add onto that, I think it's okay to allow some of your personal devices to be "trusted" i.e. you don't need two-factor if you log in from that device. In that case, you've replaced your cell phone app as a second factor with your physical computer as a second factor. Same idea - a hacker would have to physically steal your laptop and know your password to log on.

No matter what, don't have sites log you in automatically and don't have your web browser remember passwords for you!

Great, advise as well! In addition, I recommend you have a password vault/manager where you store and encrypt all your passwords. The worse thing is to have an easy password that someone can figure out. A true password is one that you can't remember. A password vault/manager can generate very complex passwords for you. The password vault/manager is basically a database where you can store all your sensitive information and specifically passwords. Depending on the software most desktop computers can auto log you in via the password manager software. It's really a good tool to have. Most applications will save the file in the cloud and it will populate across all your platforms.

 

[GadgetGuru]

For password managers, I'd highly recommend either LastPass or 1Password.

 

[Joe]

I have two factor on several of my accounts and use 1Password. Do eeeet!

 

[GadgetGuru]

I have two factor on several of my accounts and use 1Password. Do eeeet!

Total tangent, but how do you like 1Password? I'm using a different password manager and thinking of switching.

 

[Joe]

Total tangent, but how do you like 1Password? I'm using a different password manager and thinking of switching.

I've been using it for many many years, it's great. The iPhone app is a godsend.

 

[DK745]

I have two factor on several of my accounts and use 1Password. Do eeeet!

I've been using LastPass and like it. If I can use two-factor anywhere, I do it. Even on Lastpass.

 

[GadgetGuru]

For anybody interested, I switched from Lastpass to 1Password.

* Their Apple device support blows LastPass out of the water in my opinion.

* Their security model seems saner and they have a lot of white papers + blog posts which LastPass doesn't.

* They also don't inject HTML into your browser and open themselves up to XSS attacks (as much).

iOS 11 is also going to have password auto fill support like Android, so password managers will work easier.

That's all for GadgetGuru's weekly security update! Man, I make my username sound like a cliche.

 

[WAJAS]

For anybody interested, I switched from Lastpass to 1Password.

* Their Apple device support blows LastPass out of the water in my opinion.

* Their security model seems saner and they have a lot of white papers + blog posts which LastPass doesn't.

* They also don't inject HTML into your browser and open themselves up to XSS attacks (as much).

iOS 11 is also going to have password auto fill support like Android, so password managers will work easier.

That's all for GadgetGuru's weekly security update! Man, I make my username sound like a cliche.

What are these services exactly? How are they safe as I assume the passwords are saved in the cloud?

 

[GadgetGuru]

What are these services exactly? How are they safe as I assume the passwords are saved in the cloud?

(The lawyer in me wants to point out that I'm a software engineer, but these opinions are my own and don't sue me if bad things happen. I do all of this stuff personally, but YMMV)

Let me quickly set the stage and then I can give a good explanation of what these services do. This might come across as too basic for you, but I don't know how much tech knowledge everyone has.

Here's the really common danger scenario. A site gets hacked and a list of all of their usernames and passwords gets leaked onto the Internet. This is what happens whenever a site gets hacked.

A bunch of hackers find that leaked list of usernames/passwords and grab a couple. Maybe they choose at random, maybe they target a specific person, who knows. But, they grab a username / password and start logging into any site they can think of. Most people use the same username and password everywhere. That means the leaked username / password can be used to log into email addresses, bank accounts, IU, Netflix... everything. A hacker can do a lot of damage to a person if they can log into all of their accounts.

There's three ways to prevent this from happening to you.

1) Have a different username + password for everything. If a username or password gets leaked, it only lets a hacker log into that one site that leaked the password.

2) Keep an eye on hacks. That way, when a password gets leaked, you know to immediately change it before a hacker can log in with that password.

3) Have a second physical factor. That way, a hacker needs both your password and a physical thing that you own to log into a website.

Two factor authentication solves the last one.

Password managers help solve the first two. They automatically generate passwords for you when you create accounts and then log into accounts for you automatically. You only have to remember the password for your password manager and then your password manager remembers the passwords for everything else. As for bullet two, many password managers get their hands on lists of site leaks. They can alert you if they notice one of your accounts was hacked and tell you to change the password*

There's a bunch of different password managers out there with LastPass and 1Password being the most popular. The basic idea of a good password manager is that you have one password called a master key. That master key encrypts your bank of passwords. The bank of passwords stays on your password manager's server (or your computer). The bank is only unencrypted on your local machine using your master key, which nobody (including the password manager company!) knows but you. If you forget your master key, you're screwed.

Encryption is just math. You don't have bad encryption, you just have bad math. The popular encryption standards (AES, etc) have been vetted by experts and are seen as good math. That means that you don't have to worry too much about the password manager company messing up their internal systems because you are relying on the math, which should be sound.

In the end though, diligence is important. Don't over rely on password managers or 2FA as a magic fix.

* I said that all of these password managers didn't know your usernames or passwords. If you let them look for leaks, they'll have access to your usernames only so they can compare your usernames to the lists of leaks. If the password manager company gets hacked, a hacker could get a list of all of your usernames. That's not the end of the world. Personally, I think that's not too bad considering bad leaks are.

EDIT: Some grammatical fixes and a better explanation of why password managers solve the two problems I mentioned.

 

[WAJAS]

(The lawyer in me wants to point out that I'm a software engineer, but these opinions are my own and don't sue me if bad things happen. I do all of this stuff personally, but YMMV)

Let me quickly set the stage and then I can give a good explanation of what these services do. This might come across as too basic for you, but I don't know how much tech knowledge everyone has.

Here's the really common danger scenario. A site gets hacked and a list of all of their usernames and passwords gets leaked onto the Internet. This is what happens whenever a site gets hacked.

A bunch of hackers find that leaked list of usernames/passwords and grab a couple. Maybe they choose at random, maybe they target a specific person, who knows. But, they grab a username / password and start logging into any site they can think of. Most people use the same username and password everywhere. That means the leaked username / password can be used to log into email addresses, bank accounts, IU, Netflix... everything. A hacker can do a lot of damage to a person from there.

There's three ways to prevent this from happening to you.

1) Have a different username + password for everything. If a username or password gets leaked, it only lets a hacker log into that one site that leaked the password.

2) Keep an eye on hacks. That way, when a password gets leaked, you know to immediately change it before a hacker can log in with that password.

3) Have a second physical factor. That way, a hacker needs both your password and a physical thing that you own to log into a website.

Two factor authentication solves that last problem. Password managers help solve the first two. They automatically generate passwords for you when you create accounts and then log into accounts for you automatically. You only have to remember the password for your password manager and then your password manager remembers the passwords for everything else.

There's a bunch of different password managers out there with LastPass and 1Password being the most popular. The basic idea of a good password manager is that you have one password called a master key. That master key encrypts your bank of passwords. The bank of passwords stays on your password manager's server (or your computer). The bank is only unencrypted on your local machine using your master key, which nobody (including the password manager company!) knows but you. If you forget your master key, you're screwed.

Encryption is just math. You don't have bad encryption, you just have bad math. The popular encryption standards (AES, etc) have been vetted by experts and are seen as good math. That means that you don't have to worry too much about the password manager company messing up their internal systems because you are relying on the math, which should be sound.

In the end though, diligence is important. Don't over rely on password managers or 2FA as a magic fix.

Thank you!!! I honestly don't know too much about this stuff as I'm pursueing an ME degree and not an SE or CE degree, so this was very helpful. I've been using 2FA for a while now (I use DUO.), but never thought to use those other services.

 

[GadgetGuru]

Thank you!!! I honestly don't know too much about this stuff as I'm pursueing an ME degree and not an SE or CE degree, so this was very helpful. I've been using 2FA for a while now (I use DUO.), but never thought to use those other services.

I just started using them personally. You can really go down a deep rabbit hole if you want to be perfectly secure and paranoid. Do your own research if you're interested just so you can feel safer. And good luck with the ME degree!

 

[Joel]

1password is the bees knees

 

[MrRoamer]

Does 1Password have a vault that you can go into/export/etc? I have used KeePass for the past 10 years or so and recently jumped on the LastPass bandwagon earlier this year. So far I like it, but I'm not too sure about the HTML injection since it can be a security hole that you don't even know about. Also my android integration seems weak at best, but luckily prior to switching over to it I also switched over to unique passwords for everything with varying complexity on those depending on data importance. ie my Inside Universal password is 256 encrypted but I'm using my go to super strong "password123" for my bank, and anywhere I need a pin I go with 54321 except for my luggage

Big props for this being a security option on the site and also to @GadgetGuru for bringing this up!! I would have never known about it.

 

[P@n!K_Sw1tC#]

My brain just 'spoded reading all of this. So Smart! :tongue: