How do you secure your OVH/SYS/KS accounts?

vpslegend Member
edited March 2015 in General

They do not have 2 factor authentication available. With the old OVH manager (Managerv3) you can secure your account with IP restrictions, but only if you have a static IP. I wonder why OVH pays no attention to this issue, as this is 2015, not 1995. I thought 2 factor auth was a normal practice with larger hosting & IT related companies.

Comments

  • pbgben Member, Host Rep
    edited March 2015

    I have a stupidly long password, and I get an email sent to a distribution list when a user logs in, receivers know what to do if an unrecognized IP connects... You are right though, we need two factor logins

  • 2FA isn't required if you have a good password. It really only protects against someone bruteforcing your password remotely which is not a problem for anyone on this site (cause they should know what a good password is).

    "If there is local malware on your computer it doesn't really matter whether you are using 2 separate devices to log in with two-factor authentication."

    "What this basically means is that there's no point for the malware to steal your credentials or two-factor token when it can simply steal your authenticated sessions."

    http://blog.authy.com/authy-for-pc

  • LastPass + 2 Factor (On LastPass) + Generated Password (35 Length)

  • Use a unique long password, made of multiple words. If needed, you could store that password in a software which supports 2FA - @nexmark's solution.

    Also, related: http://xkcd.com/936/

  • WebProject Host Rep, Veteran
    edited March 2015

    Blanoz said: Use a unique long password

    Use the following service: https://identitysafe.norton.com/password-generator
    I normally use passwords at least 15 characters long, a better example:

    JabeduCRAse6ram7wrEsTuwAF

    bremEThuVaSTaSawr8rufatHe

    tAp433reQEpheZURaXefajese

    will be impossible to guess

    Blanoz said: made of multiple words

    much better is not to use words, as it can be guessed.

  • @WebProject said:
    much better is not to use words, as it can be guessed.

    @7LhF@e1T;:uaMDbP!eM

  • Try feeding this to some crappy software like SolusVM, see what happens ;-)

  • @rds100 said:

    That's why you change your passwords via command line.

  • WebProject Host Rep, Veteran

    rds100 said: Try feeding this to some crappy software like SolusVM, see what happens ;-)

    SolusVM generates very small passwords - maximum 8 characters

  • NeoXiD Member
    edited March 2015

    I'm just using the IP lock/restriction feature for my SYS account, that's more than enough. As my home connection and one of my servers both have a static IP, I just whitelisted those two and I'm all set. And of course, I also use a looooong password. (KeePass ftw!)

  • @rds100 said:

    Virtualizor takes it like a boss

  • perennate Member, Host Rep
    edited March 2015

    WebProject said: Use the following service: https://identitysafe.norton.com/password-generator I normally use passwords at least 15 characters long, a better example:

    You should never use an online service to generate passwords, especially when there are equally (or more) secure, open source desktop applications that do the same thing.

  • Neoon Community Contributor, Veteran

    apg -a1 -m 18 FTW

  • @Blanoz said:
    Use a unique long password, made of multiple words. If needed, you could store that password in a software which supports 2FA - nexmark's solution.

    Also, related: http://xkcd.com/936/

    A bit related: http://xkcd.com/792/

    And I do not trust SolusVM nor any other software with my passwords.

  • @rds100

    Always a relevant XKCD (re: Solus passwords) https://xkcd.com/327/

  • Delimiter implemented Authy for customer 2FA. That seems to have been a good decision given that Twilio just bought them.

  • @MarkTurner said:
    Delimiter implemented Authy for customer 2FA. That seems to have been a good decision given that Twilio just bought them.

    I had to reread that sentence a few times, then Google Twilio, then reread the sentence again in order to figure out that Twilio did not buy Delimiter.

  • William Member
    edited March 2015

    TheCTS said: I had to reread that sentence a few times, then Google Twilio, then reread the sentence again in order to figure out that Twilio did not buy Delimiter.

  • vpslegend Member
    edited March 2015

    @NeoXiD said:
    I'm just using the IP lock/restriction feature for my SYS account, that's more than enough. As my home connection and one of my servers both have a static IP, I just whitelisted those two and I'm all set. And of course, I also use a looooong password. (KeePass ftw!)

    @pbgben said:
    I have a stupidly long password, and I get an email sent to a distribution list when a user logs in, receivers know what to do if an unrecognized IP connects... You are right though, we need two factor logins

    @nexmark said:
    LastPass + 2 Factor (On LastPass) + Generated Password (35 Length)

    @Blanoz said:
    Use a unique long password, made of multiple words. If needed, you could store that password in a software which supports 2FA - nexmark's solution.

    Also, related: http://xkcd.com/936/

    @WebProject said:
    much better is not to use words, as it can be guessed.

    Well even OVH's password recovery mechanism is highly exploitable. If someone knows your account email or OVH ID they can initiate password recovery using the "forgot password" button, which will then generate a new 8 letter password for your account & send it to your email. And I think I do not have to tell you folks how easy it is to brute such smaller length passwords. Those who are concerned about security of their dedicated servers, VPS, domains etc with OVH should raise these issues with Oles & the new CEO if possible through twitter, email, forum etc, as security is a big concern of today & considering OVH have a fairly competent in-house development team, implementing these security features should not be difficult at all. If your account has never been hacked, that does not mean it cannot happen at all. Raise your voice with the concerned as you pay them for the services they provide to you & it is their responsibility to provide you mechanisms to secure your accounts. I think OVH should implement the following things to improve security of their customers' accounts:

    1) 2 factor authentication

    2) When someone clicks on the "forgot password" button, the system should send an email with the link to reset your password rather than generating an 8 letter password & sending it to you via email.

    3) Security questions

    What I am asking is the need of the hour & not difficult for them at all to implement.
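
Point 2 of the post above, sketched as an added example (not part of the thread and not OVH's code): a reset request mails a link carrying a random single-use token and leaves the current password untouched until that token is redeemed. `ResetStore`, the 15-minute lifetime, the five-attempt limit and the account id are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time

TOKEN_TTL = 15 * 60   # seconds a reset link stays valid (assumed policy)
MAX_ATTEMPTS = 5      # wrong tokens tolerated before the link is revoked (assumed)


def _digest(token: str) -> bytes:
    return hashlib.sha256(token.encode()).digest()


class ResetStore:
    """Pending password resets; hypothetical helper for illustration."""

    def __init__(self, now=time.time):
        self.now = now
        self.pending = {}   # account id -> [token digest, expiry, failed attempts]

    def issue(self, account_id: str) -> str:
        """Create a reset token. The account's current password is NOT changed."""
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        # Store only the hash, so a leaked table does not yield usable links.
        self.pending[account_id] = [_digest(token), self.now() + TOKEN_TTL, 0]
        return token                               # embedded in the emailed link

    def redeem(self, account_id: str, token: str) -> bool:
        """True exactly once for the right token, before expiry."""
        entry = self.pending.get(account_id)
        if entry is None:
            return False
        digest, expires, _ = entry
        if self.now() > expires:
            del self.pending[account_id]
            return False
        if hmac.compare_digest(digest, _digest(token)):   # constant-time compare
            del self.pending[account_id]                  # single use
            return True
        entry[2] += 1
        if entry[2] >= MAX_ATTEMPTS:                      # stop online guessing
            del self.pending[account_id]
        return False


if __name__ == "__main__":
    store = ResetStore()
    link_token = store.issue("customer-0001")   # constructed account id
    print(store.redeem("customer-0001", "guess"), store.redeem("customer-0001", link_token))
```

Because `issue` never touches the stored password, someone who only knows the account email or ID cannot replace a long password with a short generated one by clicking "forgot password".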

  • @vpslegend said:

    They already have Two Factor Auth for their staff, I guess it shouldn't be hard for them to add it.
