Multi-factor security
September 10, 2014 6:24 PM

The latest password hack has me wanting to beef up my password security, but I keep running into problems. What should I do?

I know that multi-factor protection is better than single-factor protection, and I want to make sure that my passwords are safe. But every time I start to go ahead and implement some better practices, I hit a wall.

Let's take, for example, multi-factor protection with Google. Whenever I try to go ahead with this, it seems to fight back whenever I try to access my accounts on anything other than the web interface. I use Mail.app on OS X and 2 iOS devices, and using the app-specific password always seems to work... for a little while. Then for some reason it stops, and I get frustrated trying to fix it and end up going back to single-factor for simplicity's sake.

The other thing I'm interested in is password managers, but I've never been able to pull the trigger. The trouble I have is that I'll use the password manager to suggest a nice password for me on my laptop, and then head over to another device and try to use the website's app. No go. I also get the impression that I can't use, say, LastPass's password features in Safari on my iOS device. I'm game to give the Apple one a try if I have to, but that doesn't solve the app issue. What's more, it seems really spotty as to whether or not it will suggest a password to me or if it will remember that it set a password for me. And, what happens if I ever want to pop on a friend's computer to check my email, but I have some long password that I can't remember?

I'm not a complete technological idiot. I'm generally pretty good. But this stuff for whatever reason continues to elude me. What should I be doing, and how can I make it as simple for myself as possible?
posted by synecdoche to Computers & Internet (9 answers total)
I have been using Password Safe to generate passwords, since it's available on multiple platforms and is not limited to browser passwords. To keep it accessible to myself, I store the (encrypted) safe file on Google Drive, so I can access my passwords on other computers, on my phone, etc, and the file is kept up to date across all of them. This has been working very well for me for a few years now. The worst inconvenience is using your login information on a machine that is not "yours", e.g. a friend's machine or a public terminal, because you either have to set up google drive + a password safe application, or you have to transcribe a password from your phone. This has been an issue for me like, 2-3 times since I have implemented this scheme, but it has not actually prevented me from accessing stuff if I really need to.
posted by rustcrumb at 6:35 PM on September 10, 2014 [2 favorites]


Password managers have come quite a ways. I use 1Password. It syncs via Dropbox, and is fairly instantaneous, so the suggestion on laptop, use of iOS is handled. With iOS 8, 1Password will support an extension to allow entering passwords directly into mobile Safari, so that should be resolved within the next week or so. As rustcrumb said for Password Safe, you can reveal the password in the app, so you can either transcribe from your phone, or access it via dropbox.

I've never had the problem with Google's app-specific passwords, so can't help you there.
posted by neilbert at 7:42 PM on September 10, 2014 [4 favorites]


The catch with LastPass is that you need LastPass Premium to use the iPhone app, which is basically the password manager with an integrated browser so it can fill in your passwords for you. You can get at your passwords through the regular site on mobile Safari (or any other decent browser; it's all Javascript), but it's a bit of a pain.

Not sure what you mean by the problems with using multiple computers. With LP, at least, it synchronizes seamlessly. You'll normally have to log in to your sites again, but it's just a couple clicks to do so since LP fills in your login information.

On your friend's computer you'd just go to the LP site and grab your password from there (assuming you trust that his computer doesn't have a keylogger or anything). The data is all decrypted in the browser, so once you close the tab it's gone.

I'm personally not quite sold on using 2FA. The way I see it is: As long as you're using a decently long randomly-generated unique password for each site -- which a password manager makes easy -- and the site is using HTTPS with valid certificates, you don't really have anything plausible to worry about short of the NSA (good luck) or the site in question getting compromised by another route (in which case 2FA won't help). If the site isn't using HTTPS, 2FA isn't going to help you one bit. (Security experts: Feel free to show how I'm wrong on this one...)
posted by neckro23 at 8:22 PM on September 10, 2014 [1 favorite]


1Password with file in Dropbox and extensions on my browsers. Two-layer authentication for Google with iPhone/iPad app to enable secure login. I do not log in via Facebook or G+ except for one app.

I allow app-specific passwords for Google access such as calendars, for syncing. Otherwise, everything is autopilot.
posted by jadepearl at 8:52 PM on September 10, 2014 [2 favorites]


I'm personally not quite sold on using 2FA. The way I see it is: As long as you're using a decently long randomly-generated unique password for each site -- which a password manager makes easy -- and the site is using HTTPS with valid certificates, you don't really have anything plausible to worry about short of the NSA (good luck) or the site in question getting compromised by another route (in which case 2FA won't help).

If someone compromises the site and steals username/pw combinations, then sells that info or otherwise releases it, someone could log into the site as you using your username/pw ("decently long unique" pw doesn't help if they've obtained the actual pw rather than trying to crack it). Except if 2FA was enabled, they wouldn't be able to.
posted by EndsOfInvention at 2:46 AM on September 11, 2014 [1 favorite]
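To make EndsOfInvention's point concrete, here is an added example (not code from this thread or from any of the products mentioned) of how a time-based second factor is checked on the server side, following RFC 4226/6238, which is what Google's authenticator-style codes use. The login only succeeds when both the password check passes and the submitted code matches one derived from a shared secret the attacker never received in the leaked username/password list; the secret value and helper names are constructed for the example.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: dynamically truncate HMAC-SHA1(secret, counter) to `digits` digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP over the number of `step`-second intervals since the Unix epoch."""
    return hotp(secret, at // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps exchange the shared secret as base32 text; decode it to raw bytes."""
    padded = encoded.strip().upper() + "=" * (-len(encoded) % 8)
    return base64.b32decode(padded)


def verify_login(password_ok: bool, secret: bytes, submitted_code: str, now: int,
                 step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Both factors are required: a correct password AND a code for the current
    time step (or one adjacent step, to tolerate clock drift).
    A leaked password with no code, or a stale code, is rejected."""
    if not password_ok:
        return False
    for drift in range(-window, window + 1):
        expected = totp(secret, now + drift * step, step, digits)
        if hmac.compare_digest(expected, submitted_code):   # constant-time compare
            return True
    return False


if __name__ == "__main__":
    # Constructed demo secret (the RFC 6238 test seed), shown as base32 like an enrolment QR code.
    demo_secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code now:", totp(demo_secret, 59))
```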


I don't trust 'cloud' password managers - I think no matter how good the security is, that's just too much of a juicy target. And given that admitting a security breach would basically mean the end of the business, would we ever hear about problems? Other opinions are also valid, of course.

Instead I have a KeePass DB file synced between my laptop and my phone via Google Drive (could easily be Dropbox, SugarSync, etc). It's secured by both a long password and a key file. The key file is not synchronised with any cloud service; I manually put a copy on my phone and another on my laptop. Thus even if my cloud storage is compromised, it's going to be impossible to brute-force the password. If my phone or laptop is stolen, the thief is likely to not also be a hacker-dood so they'd have to associate the .kdbx with the key file AND brute force the password which is likely beyond their capabilities.

I found once I had this set up, I started using it for all kinds of other secure information too - bank details, software licenses, etc.

The only systems I don't use KeePass-generated passwords on are those with 2-factor auth.
posted by dickasso at 6:31 AM on September 11, 2014 [1 favorite]


Around the time I was thinking about starting to use a password manager like KeePass, I found SS64 on MeFi Projects. It's a simple little site, I can get to it from anywhere and save a local copy on a key and on my personal computers (which is nice because I can add things like MetaFilter to the default list - and it's not like I am any sort of coder or web designer, I just copy/pasted the code for one of the other lines and changed Amazon to Metafilter or whatever without having any sort of deep understanding of how the javascript or html work).

I also had my brother (who knows of such things) verify for me that the site is not sending any data anywhere.
posted by solotoro at 6:53 AM on September 11, 2014 [1 favorite]


I highly recommend a password manager, but there are some things that won't be easy no matter which one you use. For example, most of them have browser plugins to auto-fill login information, and 1Password has its own browser for mobile use. But the problem is when another standalone app needs login information. The only thing you can do is launch the password manager and then copy/paste. I don't think anyone has a solution for that, since every app login is written differently.

A sort-of workaround for this is: any login I know I'll have to enter by hand often (like email when I'm away from home), I use a diceware passphrase to make sure it's something I can remember without having to pull out my phone and look up a complicated password full of symbols.

Nothing is ever going to be as easy as just using the same password for everything, but of course that's a horrible idea. Password managers take a little extra effort, but are much more secure.
posted by Sibrax at 11:55 AM on September 11, 2014 [1 favorite]


Update with iOS 8... 1Password (and I believe LastPass' app as well, but I don't use it so I can't say for sure) can be used in Mobile Safari as an extension. And 1Password can unlock via the fingerprint reader on the 5S and up. So now my login process for a site in Mobile Safari is:
- Load site
- Click "Share" button
- Select 1Password
- hold finger over home button to unlock
- select login to use (if there are more than 1 for the site)
- tap login button on site

Much easier than the app-switching method I needed before... which wasn't that bad to begin with.
posted by neilbert at 7:17 PM on September 21, 2014
