To ALL LET users: Request your provider to implement 2FA! - Page 2
Comments

  • @deank said:
    It's the same with making regular backups. Most don't know the value of backups until they lose months, if not years, of work.

    Totally agree!

  • @nqservices said:

    @bsdguy said:
    Short, 2FA is largely but a psychological feel-better crutch and using email as 2nd. channel is simply idiotic..

    So what is your advice? Not to use 2FA and instead just use a password? I understand your idea, but can't see the point.

    My advice is to fucking get a reliably working and verifiably safe tls (plus OS plus core libraries plus properly developed applications).

    Until then my advice is to a) properly and knowledgeably configure and use tls (you'd be shocked to know how lousily configured most installations are, even at major corporations) and b) to use a reasonable channel and a reasonable protocol when doing 2FA.

    Hint: Just transferring some additional bitstring via 2FA is not doing it properly.

  • willie Member
    edited February 2018

    bsdguy said: (and not, say, about some script kiddies).

    Fact is, lots of attacks do come from script kiddies using password dumps of compromised sites. Email authentication slows them down since they have to guess the account name and password in both places.

  • @willie said:

    bsdguy said: (and not, say, about some script kiddies).

    Fact is, lots of attacks do come from script kiddies using password dumps of compromised sites. Email authentication slows them down since they have to guess the account name and password in both places.

    Uhm, that problem is quite unrelated. The relevant question to ask wrt the problem you mention is "where do those dumped password lists come from"?

    Answer: From ignorant, clueless organizations.

    While 2FA might look like an enhancement it misses the point and looks at the symptom instead at the cause. Obviously, the sensible thing to do for those organizations is a) to make their users change passwords, and b) to fucking get their act together (preferably after having got a solid beating).

  • bsdguy said: The relevant question to ask wrt the problem you mention is "where do those dumped password lists come from"?

    It really doesn't matter where they came from. They are out there and they create a practical risk that calls for mitigation.

    bsdguy said: looks at the symptom instead at the cause.

    Maybe when you're done with computer security you can transfer your attention to medicine. Treating symptoms is important.

    bsdguy said: make their users change passwords

    Checking user passwords against compromise lists is worthwhile, but you don't know what systems will be compromised next, and normally you shouldn't store your users' passwords as plaintext. Also keep in mind that your users are your customers, i.e. you work for them and not the other way around. So there are limits to what annoying experiences you can put them through before they decide they don't need your service.

    Thanked by bugrakoc, Wolveix
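    willie's point that checking user passwords against compromise lists is worthwhile, provided you never store the passwords in plaintext, can be shown end to end. The following is an added example written for this page, not code from the thread or from any provider mentioned in it. It assumes a constructed five-entry "breach corpus" (real ones are built from published dumps and hold SHA-1 hashes with occurrence counts) and a k-anonymity style range lookup in which the client sends only the first five hex characters of the SHA-1 and matches the suffix locally, so the full hash never leaves the client. Stored credentials are salted PBKDF2-HMAC-SHA256, never plaintext.

```python
import hashlib
import hmac
import os

# Constructed sample of a "leaked password" corpus (not real breach data).
LEAKED_SAMPLE = ["password", "123456", "qwerty", "password", "letmein"]


def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode("utf-8")).hexdigest().upper()


def build_corpus(plaintexts):
    """Turn a list of leaked plaintexts into {SHA1_HEX: occurrence_count}."""
    corpus = {}
    for p in plaintexts:
        h = sha1_hex(p)
        corpus[h] = corpus.get(h, 0) + 1
    return corpus


CORPUS = build_corpus(LEAKED_SAMPLE)


def range_query(corpus, prefix5: str):
    """Server side of the range lookup: given only the first five hex characters of
    a SHA-1, return (suffix, count) for every hash in that bucket. The server never
    learns which suffix the client was interested in."""
    return [(h[5:], n) for h, n in corpus.items() if h.startswith(prefix5)]


def breach_count(password: str, corpus=CORPUS) -> int:
    """Client side: hash locally, send the 5-char prefix, match the suffix locally.
    Returns how many times the password appears in the corpus (0 = not found)."""
    h = sha1_hex(password)
    for suffix, n in range_query(corpus, h[:5]):
        if suffix == h[5:]:
            return n
    return 0


def make_record(password: str, iterations: int = 200_000) -> dict:
    """Store a salted, slow hash of the password; the plaintext is discarded."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": dk}


def verify_record(record: dict, password: str) -> bool:
    dk = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), record["salt"], record["iterations"]
    )
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(dk, record["hash"])


def register(password: str, corpus=CORPUS) -> dict:
    """Reject passwords present in known breach data, otherwise store a PBKDF2 record.
    Because the check runs on the candidate password at registration or login time,
    it can be re-run against newer corpora without ever holding the plaintext at rest."""
    n = breach_count(password, corpus)
    if n:
        raise ValueError(f"password appears {n} time(s) in known breach data; choose another")
    return make_record(password)
```

    The same `breach_count` check can be repeated at each successful login, which is the practical answer to "you don't know what systems will be compromised next": the candidate password is in memory for that one request anyway, and the stored record stays a salted hash.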
  • @willie

    And how exactly does lousy 2FA via email help there?

    I understand your equation "script kiddy with password (from dumped list) + 2FA = failing script kiddie"

    but for one that does not mean that lousy 2FA is just great and somehow secure. Moreover that implies that Eve hasn't had a chance yet to hack your computer and hence to get at your 2FA emails, too (maybe even earlier than you).

    As for your "you work for the customer and not the other way around" I find that double failing. a) most customers will gladly prefer to change their password rather than being at risk, and b) that's a little late, no? From my point of view "working for one's customer" certainly includes not handling and storing their data ignorantly and carelessly in the first place.

    @default said:
    (image)

    That's a nice and helpful image for many less knowledgeable users. I mean it.

    However, in the end design and implementation count. Trust me, there have been (and still are) plenty and frequent discussions in security circles about that and always, looking closer one finds that things have multiple sides. Example: "Something you have" may easily translate to "something that can be stolen" - and I'm not simply talking about some evil guy but also about, say, apple. What exactly makes us so sure that our fingerprints aren't somehow extracted and ending up at e.g. nsa.

    Kindly note that I'm not talking about theory. There have been cases where fingerprints were "stolen" from a glass used by the target person and then successfully used.

    Thanked by default, bugrakoc
  • bsdguy said: but for one that does not mean that lousy 2FA is just great and

    Did I say it was great? It is empirically better than nothing, which is a start.

    Thanked by Lee, Wolveix
  • bsdguy Member
    edited February 2018

    @willie said:

    bsdguy said: but for one that does not mean that lousy 2FA is just great and

    Did I say it was great? It is empirically better than nothing, which is a start.

    Not to be mean but do you have tenable evidence? Plus: That very attitude also is a major part of the problem in the first place.

    Look: We had 95% of the math and the CS knowledge then (20 and more years ago). We also had languages that were provably better suited for the purpose, yet ssl was designed rather carelessly and implemented even more poorly. Why? "Hey, it's MUCH better than nothing".

    And there we are at the point that gets me angry. Just look at the other thread (google and https): It's a theater. That's what we are talking about. https is "more secure than http" just like email based 2FA is better than nothing.

    The target simply wasn't and isn't security for the masses. Nope, the target is a show, a basis to be able to say "See? We are oh so concerned about your security!"

    There are places where they are really concerned about real security. The financial sector is an example and so is military, nsa & Co. But that's not for us mere mortals, not even when it's us who fucking pay for it! We get but a show and maybe, just maybe, occasionally an algorithm they are throwing out after decades of use.

    2FA via email is but another security show. Yes, it's probably better than nothing - but not by much and it's FAR away from being secure.

    Oh and: We have proof that they (not DO but e.g. nsa) do not want us to be secure because that would mean that we also were secure vs. them and they couldn't comfortably eavesdrop on us anymore.

  • bsdguy said:

    There are places where they are really concerned about real security. The financial sector is an example and so is military, nsa & Co

    I work in the financial sector. Attacks from script kiddies are a significant problem because they happen so frequently. If customer money gets stolen, the money doesn't care whether it was stolen by a script kiddie or by super genius Lex Luthor in his arctic hideout full of supercomputers. It's equally stolen either way. If you can somehow neutralize the script kiddies without hassling customers too much, then sure, Lex Luthor might still be out there, but that's better than having both of them out there.

    Thanked by Aidan, Wolveix
  • pphillips Member, Host Rep

    @nqservices said:

    @pphillips said:

    Great post and we highly recommend 2FA also...
    Any companies not offering 2FA should, and those that are should probably promote it and it's benefits.

    Thanks for the endorsement. :) I think you are one of the Blesta founders, correct? If yes, great to hear your words and keep up the good work at Blesta. I always saw Blesta development as very focused on security and hope that continues!

    Sorry for the late response. Yes, and thank you! Security is absolutely critical.

    A few comments on 2FA in general:

    • 2FA over email should be avoided, it's illusory and those that offer it do not understand the point
    • 2FA over SMS, no thanks, but less retarded than above. Nobody else should have your one time pass, and you shouldn't rely on a 3rd party to get it. If someone else can generate your one time pass, then you've outsourced the security of your account.
    • 2FA using a time-based one time password (TOTP) absolutely yes.

    Passwords can be stolen, or brute forced, or MITM.. but a password that can only be used once, that changes every few seconds, would require an attacker to physically have your token (Usually your phone, but Yubikey and other physical tokens are great also).

  • Vova1234 Member, Patron Provider
    edited February 2018

    Recently, at a private forum, I touched on the topic with 2FA.

    What enrages me is 2FA at the crypto exchange. When it is required, it is the only way in and there is no way without it, and when the exchange allows it, this authorization falls over and you can sit for half an hour until it works again.

    Also on the hosting. If you do not keep track of your servers and services, then no 2FA will save you.

    The same applies to 3D Secure cards. I'm ordering 10 servers today at illiad and for every order it is necessary to wait for the SMS, since the card has 3D Secure, and it's such junk and you can not disable it.
    It came to the point that their payment gateway banned the card for 24 hours. If payment fails: Error payment.

    And if I buy 100 servers? Do I have to enter the code from the SMS every time?

    Thanked by DanSummer
  • pphillips said: 2FA over SMS, no thanks, but less retarded than above. Nobody else should have your one time pass, and you shouldn't rely on a 3rd party to get it. If someone else can generate your one time pass, then you've outsourced the security of your account.

    One other implementation detail is that any phone number should not take priority over real 2FA.

    For example, in some services, it's possible to use a SMS or call to remove TOTP, which should absolutely not be possible.

  • @default said:

    Never use stuff that you ARE for authentication.

    Identification, sure. Authentication, no. If it ever leaks you have no way of changing it. Identification only.

    Thanked by Ole_Juul, bugrakoc
  • Neoon Community Contributor, Veteran
    edited February 2018

    Apple recently enabled 2FA, most providers have that kind of 2FA already.

    But some are missing premium 2FA.

  • hzr said:

    For example, in some services, it's possible to use a SMS or call to remove TOTP, which should absolutely not be possible.

    I'd be interested to know how hosts here handle account recovery when the person loses their TOTP. It's a complicated problem.

  • willie said: I'd be interested to know how hosts here handle account recovery when the person loses their TOTP. It's a complicated problem.

    My belief is technical countermeasure only for fallback (e.g. can you PGP-sign a message from a verified key that you pre-escrowed earlier?, etc.), otherwise it is weak to a human link / backdoor.

  • @teamacc said:
    Never use stuff that you ARE for authentication.

    *Sigh*

    Look- are you going to accept my spanksock- or not!?

    Thanked by Wolveix
  • hzr said:

    My belief is technical countermeasure only for fallback (e.g. can you PGP-sign a message from a verified key that you pre-escrowed earlier?, etc.)

    They don't have that. Now what? Remember you live in the real world and are trying to run a business in said world. Not interested in Planet Megatroid solutions. What do you do when a real-world customer needs an account reset? They didn't register with PGP. What is a practical "etc"?

  • Even better than 2FA: Ask your provider to turn around himself exactly 7 times and to lift his left arm exactly during the 4th turn while holding a newspaper of today in his right hand. When done, he must in quick succession say the holy word "2FA" followed by no less than 3 1-digit prime numbers closing with his mothers maiden name.

    While he does that you must say - very earnestly! - 3 times "rubicon!" ... and you'll be secure. Also helps against spectre/meltdown!

  • hzr Member
    edited February 2018

    willie said: They don't have that. Now what? Remember you live in the real world and are trying to run a business in said world. Not interested in Planet Megatroid solutions. What do you do when a real-world customer needs an account reset? They didn't register with PGP. What is a practical "etc"?

    You let people pick their security needs, kind of like https://faq.nearlyfreespeech.net/section/login/losteverything

    The defaults still let "most people" recover an account with some difficulty, but in the panel you can set it so that any social and photoshoppable methods won't meet requirements.

  • teamacc said: Never use stuff that you ARE for authentication.

    I take it you're not an Aadhaar fan.

  • lonea Member, Host Rep

    2fa is fine until you have to log in often.

    Turned 2FA on at namecheap. Shit is horrible when you have to actually login and find your phone for the sms.

    Disabled it after 1 day...

  • pphillips Member, Host Rep

    @lonea said:
    2fa is fine until you have to log in often.

    Turned 2FA on at namecheap. Shit is horrible when you have to actually login and find your phone for the sms.

    Disabled it after 1 day...

    You value convenience over security. All of us value convenience, but I'm not going to let it be my downfall.

    Thanked by WSS, Wolveix
  • nqservices Member
    edited February 2018

    @lonea said:
    2fa is fine until you have to log in often.

    Turned 2FA on at namecheap. Shit is horrible when you have to actually login and find your phone for the sms.

    Disabled it after 1 day...

    Maybe you should also disable the password for login.. ;) That way "shit" may not be so horrible.

    Also I don't understand why you used SMS on Namecheap for 2FA, when they have time-based 2FA in their app.

  • lonea Member, Host Rep

    I still need to bring out my phone. no ?

    @nqservices said:

    @lonea said:
    2fa is fine until you have to log in often.

    Turned 2FA on at namecheap. Shit is horrible when you have to actually login and find your phone for the sms.

    Disabled it after 1 day...

    Maybe you should also disable the password for login.. ;) That way "shit" may not be so horrible.

    Also I don't understand why you used SMS on Namecheap for 2FA, when they have time-based 2FA in their app.

  • @lonea said:
    I still need to bring out my phone. no ?

    @nqservices said:

    @lonea said:
    2fa is fine until you have to log in often.

    Turned 2FA on at namecheap. Shit is horrible when you have to actually login and find your phone for the sms.

    Disabled it after 1 day...

    Maybe you should also disable the password for login.. ;) That way "shit" may not be so horrible.

    Also I don't understand why you used SMS on Namecheap for 2FA, when they have time-based 2FA in their app.

    Yes, I'm sorry. But as I said, you should also disable the password login so you don't even have to type or click anything to log in. That way will be a lot easier.

  • lonea Member, Host Rep

    easier for you, but not for other people.

    once again, 2fa is fine until you have to login often

    @nqservices said:

    @lonea said:
    I still need to bring out my phone. no ?

    @nqservices said:

    @lonea said:
    2fa is fine until you have to log in often.

    Turned 2FA on at namecheap. Shit is horrible when you have to actually login and find your phone for the sms.

    Disabled it after 1 day...

    Maybe you should also disable the password for login.. ;) That way "shit" may not be so horrible.

    Also I don't understand why you used SMS on Namecheap for 2FA, when they have time-based 2FA in their app.

    Yes, I'm sorry. But as I said, you should also disable the password login so you don't even have to type or click anything to log in. That way will be a lot easier.

  • nqservices said:

    Also I don't understand why you used SMS on Namecheap for 2FA, when they have time-based 2FA in their app.

    They don't have standard TOTP if I remember correctly. I don't want to install a damn app that does something weird and maybe is spyware.

  • @willie said:

    nqservices said:

    Also I don't understand why you used SMS on Namecheap for 2FA, when they have time-based 2FA in their app.

    They don't have standard TOTP if I remember correctly. I don't want to install a damn app that does something weird and maybe is spyware.

    If you use a provider you must have some level of trust with them. So if you do not trust namecheap app, why would you ever use their services?

    Anyway, there is no point in speaking about an individual provider. I started this thread in order for LET users to ask their providers to implement 2FA as a global measure.

    I never thought that there would be this kind of comments as I see here. I just think that this is something basic in terms of security and that it would not cause any discussion....

    At least for me there are no doubts: any way/tool to increase security is welcome. 2FA today is essential!

    And on ALL providers I know that use 2FA it's an option. So you are not forced to use 2FA. But it should be available for whoever wants to use it.
