Addressing the recent user account hack scare

the_randomizer · Jan 12, 2017

Patxinco said:
He's telling us to do this:

Then where are they to be stored if not on any kind of devices?
https://www.yubico.com/support/know...articles/how-to-use-your-yubikey-with-google/

Because it sounds like you can't use your phone or PC to store them.

Edit: Oh, they cost money. Never mind. >.>

mathieulh · Jan 12, 2017

the_randomizer said:
Then what do you suggest, not use any kind of authentication? Because that's what it sounds like.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

That's not not what I suggest at all,

Use something you know:
- -A password, typically long, with lower, upper case, special characters and numbers,
I personally achieve this using mnemotechnics to recall long sentences in Japanese with characters stowed in between

Use something you own:
- -A Secure Access Module or a Hardware Security Module to store secrets to cryptography challenges used during
two factor authentications, would it be symetrical keys (OTP based) or private keys (PGP, U2F).
This exists in the from of a smart card, a (typically compatible with Android smartphones) NFC device (Yubikey NEO, SIGILANCE...),
a USB device (Yubikey 4, Yubikey NEO, Nitrokey...).

Contrary to popular belief and despite convenience mitigation, a smartphone application does not constitute "something you own"
because unlike SAM or HSM designed to be tamper proof and physically separated from your endpoint, your smartphone
usually being the endpoint itself and connected to a network, is not, making it therefore all the more practical for an attacker
to exploit the device and extract the keys stored within the apps, as such it becomes "something you know" compromising the
purpose of the two factor authentication, especially if all the factors are stored/used on the same device.

There is no such thing as good security, there is only bad security and worse security, security is only as good as its weakest link
therefore one needs to render his assets as secure as possible, making it time and effort consumming for an attacker to target him.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYd9f1AAoJEKa4nBz3AlIIGbQH/35OHAPKBjoOJbOnzF5AsjXg
aYIxaN3kGvd/69pUrV9Tm0CAnJJwmZBOWpYaI8eUCJGQIth7flOyajHh15iMnJ1s
R4JW+yn1W15Ya63XPawcoQt4Fo+dzAdR+kKMYLnh6YtgC5Fsq3EPQt5414RGwfyp
6dQ1U137rqJFUoqGKFquazP2w0pWyD7x9lnOAZi8t82iL7u3x0J+pWjJuEr5pBKx
fcAjgZAHIWV3esooE1s3NB3ggMEwvCzX8Fkf2p4NSK+dI+C5CWbBR5SViAxqxoQn
3Eb0WTkOCunm3ggsQJWB7JlGNEe2r1ZR1FANnMMW8LKy/yh/kFUaUFgum8tkoyw=
=vBU3
-----END PGP SIGNATURE-----

the_randomizer · Jan 12, 2017

mathieulh said:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

That's not not what I suggest at all,

Use something you know:
- -A password, typically long, with lower, upper case, special characters and numbers,
I personally achieve this using mnemotechnics to recall long sentences in Japanese with characters stowed in between

Use something you own:
- -A Secure Access Module or a Hardware Security Module to store secrets to cryptography challenges used during
two factor authentications, would it be symetrical keys (OTP based) or private keys (PGP, U2F).
This exists in the from of a smart card, a (typically compatible with Android smartphones) NFC device (Yubikey NEO, SIGILANCE...),
a USB device (Yubikey 4, Yubikey NEO, Nitrokey...).

Contrary to popular belief and despite convenience mitigation, a smartphone application does not constitute "something you own"
because unlike SAM or HSM designed to be tamper proof and physically separated from your endpoint, your smartphone
usually being the endpoint itself and connected to a network, is not, making it therefore all the more practical for an attacker
to exploit the device and extract the keys stored within the apps, as such it becomes "something you know" compromising the
purpose of the two factor authentication, especially if all the factors are stored/used on the same device.

There is no such thing as good security, there is only bad security and worse security, security is only as good as its weakest link
therefore one needs to render his assets as secure as possible, making it time and effort consumming for an attacker to target him.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYd9f1AAoJEKa4nBz3AlIIGbQH/35OHAPKBjoOJbOnzF5AsjXg
aYIxaN3kGvd/69pUrV9Tm0CAnJJwmZBOWpYaI8eUCJGQIth7flOyajHh15iMnJ1s
R4JW+yn1W15Ya63XPawcoQt4Fo+dzAdR+kKMYLnh6YtgC5Fsq3EPQt5414RGwfyp
6dQ1U137rqJFUoqGKFquazP2w0pWyD7x9lnOAZi8t82iL7u3x0J+pWjJuEr5pBKx
fcAjgZAHIWV3esooE1s3NB3ggMEwvCzX8Fkf2p4NSK+dI+C5CWbBR5SViAxqxoQn
3Eb0WTkOCunm3ggsQJWB7JlGNEe2r1ZR1FANnMMW8LKy/yh/kFUaUFgum8tkoyw=
=vBU3
-----END PGP SIGNATURE-----

Well I don't have the funds to get a secure USB flash drive, so yeah, but I'm not going to be totally paranoid about security either, as it's a waste of energy.

mathieulh · Jan 12, 2017

the_randomizer said:
Well I don't have the funds to get a secure USB flash drive, so yeah, but I'm not going to be totally paranoid about security either, as it's a waste of energy.

Slattz · Jan 12, 2017

mathieulh said:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

It all comes down to how much you value your security and online privacy.
To me, it's worth spending the money on a $60 secure dongle.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYd9l4AAoJEKa4nBz3AlIIV8AIAIbnsAp6zjoeDF/T6YywoN9J
ogsfje9eizB6vRJ6qlqTjMD2/Pj9+kidypeLc9cqjizo25Jap3bYnelouvWmpeFp
XvyYL6NsdvPXCiyFRwm5fgLTK1HB4PuZtrvW5G/9IWexXllbYTt3EoBpwnMmjESY
nlsCOTTwRf1HA4nv467hXDPrkQxGQTofD6/IYUTqqdfVnh1YTuR1MRfLMjmoDgDJ
Wu4Ud1xkrdd+FW+QYrUG27c8R3u+WmvQK9wxFTu3G9UVYFeFSkCYCPe4iNey/iaj
P2gcJ4GI/dd+G8TobK4o0hkefKZHI+j5cRqq74GeWTy/f3YXVZXtoig6SrQQYH0=
=tqYk
-----END PGP SIGNATURE-----

No offense, but I don't think most people want to see the PGP stuff everytime you post, it's quite 'loud'... At least put the PGP signature in a spoiler or something.

mathieulh · Jan 12, 2017

Slattz said:
No offense, but I don't think most people want to see the PGP stuff everytime you post, it's quite 'loud'... At least put the PGP signature in a spoiler or something.

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Is that better?

Kithron · Jan 12, 2017

Thank you for the information, changed my own password and enabled 2FA with my favorite app named Authy.

Slattz · Jan 12, 2017

mathieulh said:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Is that better?

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2

iQEcBAEBCAAGBQJYd9vPAAoJEKa4nBz3AlIIt9sH/0fkanJdxpPPfgSkuylrmZC1
ojzLgi2/MLekvmqyJqv2WxNWigXZT8bnhFYiwR5e5AIISBwTeE9dQAzWlgcaOP+h
I/UN38JPk0ql/5V5LIJ71/WuL205EJwiTx/I6/63R1BK4Oqzui9tOm/7hvWzLFKH
48CV57T68hs9nVtaRtmXwWnQkM2QR04a9FAukgTjKBXnalBr4edpsNYWsPTl+Ha4
jP7RrpIMk6+EfX9Z+msvQoYDcHq7WvHBSmj+vwVXzJdZn6HsPfq10AQXeyyIBjHj
GrBzoX9SY2dOVZsbbbyU0X4BN8+AKXK3SUN6Dph1chnR8AUncqdv/UIf+Hh7T7k=
=cNqZ
-----END PGP SIGNATURE-----

Yea, thats good

. Thanks for actually taking my advice, I honestly thought a fight would break out or something

mathieulh · Jan 12, 2017

Slattz said:
Yea, thats good . Thanks for actually taking my advice, I honestly thought a fight would break out or something

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

To be honest, as it is, it might be breaking the signature, someone would need to manually append the content
of the spoiler to verify the post.

I hope this is enough, I am aware the whole PGP metadata can be annoying, it would be much better if forums had
built-in PGP support.

tony_2018 · Jan 12, 2017

2 factor or nothing.

snails1221 · Jan 12, 2017

Temp hax

Deleted User · Jan 12, 2017

ItsKipz said:
A good idea to remember for secure passwords is that it's a lot harder to guess/brute-force a password that isn't in english. If you speak 2 languages, make your password in a different one/mix them.

Oohoho, NOBODY will guess my password if I make it in Esperanto!

....absolutely nobody.

Deleted-355425 · Jan 12, 2017

rekt.

Raylight · Jan 12, 2017

what if we log in through facebook?

shaunj66 · Jan 12, 2017

Raylight said:
what if we log in through facebook?

There's no need to do anything.

Raylight · Jan 12, 2017

shaunj66 said:
There's no need to do anything.

thank god

redrumy3 · Jan 12, 2017

I rarely log in and just usually lurk but thanks for letting us know! Appreciate it!

Gizametalman · Jan 12, 2017

Ugh... not again.
Could anyone please answer this question:

If somehow the "hackers" has my email (the one I registered with in GBATemp) do you think they could possible get all those OTHER sites which I've used the same email account?
You know? Lots of personal information, like bank numbers, phone, how I managed to escape from La Migra, how I dismembered a human and eat it... ok, kiddig with this one.
But seriously, do you think that may be possible?
Because, if so, I'll be deleting all the accounts that I have in different sites.
¬_¬

Joe88 · Jan 12, 2017

Gizametalman said:
Ugh... not again.
Could anyone please answer this question:

If somehow the "hackers" has my email (the one I registered with in GBATemp) do you think they could possible get all those OTHER sites which I've used the same email account?
You know? Lots of personal information, like bank numbers, phone, how I managed to escape from La Migra, how I dismembered a human and eat it... ok, kiddig with this one.
But seriously, do you think that may be possible?
Because, if so, I'll be deleting all the accounts that I have in different sites.
¬_¬

if you used the same exact password on all those sites sites than yes

Gizametalman · Jan 12, 2017

Joe88 said:
if you used the same exact password on all those sites sites than yes

Meh, I don't have any friends anyways...

The Temp's official fox whisperer

Well-Known Member

The Temp's official fox whisperer

Well-Known Member

Easygoing Fairy

Well-Known Member

Member

Easygoing Fairy

Well-Known Member

Well-Known Member

LOVE EVERYONE

Deleted User

Guest

Deleted-355425

Guest

Paranoid Temper

GBAtemp Administrator

Paranoid Temper

Member

Banned!

[λ]

Banned!

Similar threads

Popular threads in this forum