Increase in hacked accounts posting advertising content

[rusty_shackleford]

The point is that notebooks can't be hacked

yea they can, most passwords people would keep on a notebook would be trivially bruteforceable

I guarantee my 30 character long passwords in keepass are far more secure than anything you write and have to manually type from a notebook

 

[Taluntain]

then I can't access anything that requires my phone to login

Authy allows you to generate a set of backup codes you can save to your computer to use in such a case. This is a non-issue.

I understand it fine. The point is that notebooks can't be hacked therefore do not require the use of a third party to secure your passwords. If you use a separate password for every site the most you will have to worry about is a single sites servers getting hacked and that one account getting compomised. With 2fa you are creating a weak point in which everything has the capacity to be compromised.

No, you really don't understand 2FA.

 

[rusty_shackleford]

Authy allows you to generate a set of backup codes you can save to your computer to use in such a case. This is a non-issue.

so instead of having the TOTP inside a password protected database, you have backup codes stored in a plain text file?

I'm confused as to why the phone is superior in this scenario.

 

[Taluntain]

so instead of having the TOTP inside a password protected database, you have backup codes stored in a plain text file?

Obviously you don't have them stored in an unencrypted place if you want them to be secure, same as with everything else. You can write them down and hide them somewhere too, they're strings of 9 numbers, so easy enough to manage.

 

[Ontopoly]

Just use a password manager so you don't have to reuse passwords and can pick secure passwords. 2fa is unnecessary unless you like being a faggot

 

[lefthandblack]

yea they can, most passwords people would keep on a notebook would be trivially bruteforceable

I guarantee my 30 character long passwords in keepass are far more secure than anything you write and have to manually type from a notebook

Nah, I just mash random keys and then go back and make sure that the password meets the prerquisites i.e number of characters, symbols, etc. So you end up with something like this:

Vb8&hKpEe7f54jll90*!

If they can hack that they can have it.

 

[rusty_shackleford]

yea they can, most passwords people would keep on a notebook would be trivially bruteforceable

I guarantee my 30 character long passwords in keepass are far more secure than anything you write and have to manually type from a notebook

Nah, I just mash random keys and then go back and make sure that the password meets the prerquisites i.e number of characters, symbols, etc. So you end up with something like this:

Vb8&hKpEe7f54jll90*!

If they can hack that they can have it.

"was that an i or a 1 or an l?"
yeah, have fun

 

[Melcar]

So basically this is a "Do you guys not have phones" thing?

 

[OSK]

Let me help some people out.

The classic example of 2fa is using an ATM. In order to authenticate yourself at an ATM, you need two factors: a PIN and a bank card. If someone gets your PIN by watching you punch it in over your shoulder, they can't withdraw your money because they need your card. If someone steals your wallet and gets your card, they can't withdraw your money because they need the PIN. They need both things. Having a strong password is only one factor.

 

[lefthandblack]

"was that an i or a 1 or an l?"
yeah, have fun

It's just a matter of following rules:
- All O's are zeroes
- All capital letters are underlined in the notebook
- A character like a 1 is written with the base line and the little angle at the top

 

[lefthandblack]

Let me help some people out.

The classic example of 2fa is using an ATM. In order to authenticate yourself at an ATM, you need two factors: a PIN and a bank card. If someone gets your PIN by watching you punch it in over your shoulder, they can't withdraw your money because they need your card. If someone steals your wallet and gets your card, they can't withdraw your money because they need the PIN. They need both things. Having a strong password is only one factor.

But the second factor requires a second device and if that device is missing, broken etc. you are locked out of ALL of your accounts that are relying on 2FA. All your eggs in one basket.

 

[rusty_shackleford]

"was that an i or a 1 or an l?"
yeah, have fun

It's just a matter of following rules:
- All O's are zeroes
- All capital letters are underlined in the notebook
- A character like a 1 is written with the base line and the little angle at the top

weird, I just need to press ctrl+c for my password

 

[OSK]

Let me help some people out.

The classic example of 2fa is using an ATM. In order to authenticate yourself at an ATM, you need two factors: a PIN and a bank card. If someone gets your PIN by watching you punch it in over your shoulder, they can't withdraw your money because they need your card. If someone steals your wallet and gets your card, they can't withdraw your money because they need the PIN. They need both things. Having a strong password is only one factor.

But the second factor requires a second device and if that device is missing, broken etc. you are locked out of ALL of your accounts that are relying on 2FA. All your eggs in one basket.

You're looking at it backwards. The primary concern of security is to keep unwanted people out, not let wanted people in. It's more preferable to lock out a valid user than it is to let in an invalid user. If you get locked out, either you're shit out of luck or, more likely, you now have to jump through a dozen hoops rather than two to authenticate.

 

[lefthandblack]

You're looking at it backwards. The primary concern of security is to keep unwanted people out, not let wanted people in. It's more preferable to lock out a valid user than it is to let in an invalid user. If you get locked out, either you're shit out of luck or, more likely, you now have to jump through a dozen hoops rather than two to authenticate.

I'll take care of my own security thankyouverymuch. In the unlikely event that one of my handcrafted passwords gets hacked I have lost precisely dick. If I lost a phone holding the keys to all of my accounts I would be very very pissed off at myself for relying on some garbage like 2FA.

My advice is for likeminded people, if they want it it's there; I really don't care either way, it will not affect me regardless.

 

[OSK]

I'll take care of my own security thankyouverymuch. In the unlikely event that one of my handcrafted passwords gets hacked I have lost precisely dick. If I lost a phone holding the keys to all of my accounts I would be very very pissed off at myself for relying on some garbage like 2FA.

My advice is for likeminded people, if they want it it's there; I really don't care either way, it will not affect me reguardless.

That's your choice, until it's not. Places are increasingly forcing 2fa on people because compromised accounts don't only affect end users. RPG Codex is dealing with the fallout of people not properly securing their accounts, and they might turn around and force 2fa on everyone so they don't have to deal with the spam.

 

[lefthandblack]

That's fine. My toolbox has wheels for a reason and I was looking for a job when I found this one.

 

[Melcar]

To Fuck Ass sounds pretty gay.

 

[Taluntain]

But the second factor requires a second device and if that device is missing, broken etc. you are locked out of ALL of your accounts that are relying on 2FA. All your eggs in one basket.

For all the people in this thread who find redding hard, let me repeat: "Authy allows you to generate a set of backup codes you can save to your computer to use in such a case. This is a non-issue."

Unless you're too retarded to store your backup codes in a safe place, you're not locked out of anything if your authentication device is missing, broken or whatever.

 

[Kruno]

Why are people retarded?

 

[Ranselknulf]

 

[Semiurge]

Best way would be to offer multiple layers of authentication. The first line of defence would be locking email and password changes behind authentication, without requiring it for every login. When you increase security from that point on, you lose some convenience. I ask again what does the built-in 2FA do when enabled? Is it designed to only work with authenticator apps, or is it email based?

 

[Ranselknulf]

Best way would be to offer multiple layers of authentication. The first line of defence would be locking email and password changes behind authentication, without requiring it for every login. When you increase security from that point on, you lose some convenience.

The modern best practices for safety include QR Codes and Biometrics.

I'd advocate for codex login's to require a QR Code app link to a digital finger print reader.

Please value our privacy men, and support my agenda.

 

[Camel]

I don't like smartphones

Get with the times, gramps.

Sent from my iPhone

 

[Chanel Oberlin]

Just change your password daily and use a random generator each time for max safety

 

[Taluntain]

Best way would be to offer multiple layers of authentication. The first line of defence would be locking email and password changes behind authentication, without requiring it for every login. When you increase security from that point on, you lose some convenience. I ask again what does the built-in 2FA do when enabled? Is it designed to only work with authenticator apps, or is it email based?

It prompts you for an authentication code once a month and probably at certain other potentially sensitive setting changes/triggers. It does NOT require you to enter a 2FA code every time you access the forums. It works with both e-mail and authentication apps, but e-mail is less secure and at least in my experience, prone to issues (e-mail not arriving, or having to wait for it, etc.). So I heartily recommend apps like Authy over e-mail.

Here's a how-to from another forum.