Two Factor Authentication

Captain

Captain

Final Approach
Joined
Mar 12, 2012
Messages
8,006
Location
NOYB
Display Name
Display name:
First Officer
We all know passwords are worthless, right? Today's cheap computing power can crack the longest strings of letters and numbers and symbols in seconds. And that assumes we use a real password and not just the word 'password', which we all do to some varying degree.

So I've been using Google Authenticator wherever I can. One such place is Mt. Gox where I manage my Bit Coins. To set it up I scan a QR code the site generates with my Google Authenticator app on my phone. Now the app generates a 6 digit time based code every minute. When I log into Mt Gox I enter the 6 digit code. So in order to log into my account you need to know my password AND have physical access to my phone. Secure right?

Found a problem. I dropped my phone and broke the screen and now can't get the code. So now I can't log on. Mt Gox's fix is to unlink the authenticar and suspend the whole account for a week.

Anyone see a problem with this? They do send emails to me when the process begins and another the day before the account is reinstated. Just seems like there should be a better / quicker way for me to confirm I am who I am. Ideas?
 
Captain said:
We all know passwords are worthless, right? Today's cheap computing power can crack the longest strings of letters and numbers and symbols in seconds. And that assumes we use a real password and not just the word 'password', which we all do to some varying degree.
Click to expand...
Eh? Most sites who care, will severely limit the rate or number of times a password can be tried to authenticate or throw up other blocks such as Capthcha (though the hackers are getting good at faking the latter). You don't even need "cheap computing power" to beat on a site that's too stupid to provide these blocks. Your 10 year MSDOS box will suffice.
So I've been using Google Authenticator wherever I can. One such place is Mt. Gox where I manage my Bit Coins. To set it up I scan a QR code the site generates with my Google Authenticator app on my phone. Now the app generates a 6 digit time based code every minute. When I log into Mt Gox I enter the 6 digit code. So in order to log into my account you need to know my password AND have physical access to my phone. Secure right?
Click to expand...
Only as secure as GOOGLE itself is.
 
Captain said:
We all know passwords are worthless, right? Today's cheap computing power can crack the longest strings of letters and numbers and symbols in seconds. And that assumes we use a real password and not just the word 'password', which we all do to some varying degree.
Click to expand...


A good password will include a couple of symbols thrown in also like... #$%&*-+()<>=:;,.!?/@"_. And the password is changed every 1-3 months.

Hackers will move onto to the accounts where people use "password" as their password. ;)

Like Ron said, if you have 5 attempts to log in that are wrong most accounts are locked.
 
Last edited:
Captain said:
Found a problem. I dropped my phone and broke the screen and now can't get the code. So now I can't log on. Mt Gox's fix is to unlink the authenticar and suspend the whole account for a week.
Click to expand...

Sounds like it is working as designed. The purpose of any security systems/method/process is not to give the authorized person access to their data; the purpose is to keep the unauthorized person from getting your data. Frustrating, I know.
 
I only use Google Authenticator for my google account itself, but I know that, at least in that circumstance, Google will let you create "offline" OTPs that you can print on a little wallet card for use in case of an emergency. I have no idea how to do it when you're using GA for a 3rd party site, but it's something it look into.
 
Geico266 said:
A good password will include a couple of symbols thrown in also like... #$%&*-+()<>=:;,.!?/@"_. And the password is changed every 1-3 months.

Hackers will move onto to the accounts where people use "password" as their password. ;)
Click to expand...

Yes, a favorite scheme I see some computer security folks use is a character substitution, like p@55w0rd. Get it? Then they make everyone change the post-it-note on the side of their monitor every month, so you wind up with something like p@55w0rd10 (it's October). One of my favorites from someone with a CISSP certification was 53cur1ty. Clever. Only everyone knows about this and you've only increased the search space for your dictionary attack. Re the lockouts, if you have acquired a database of encrypted data and have at least one good account with known cleartext, then you are well on your way to solving the remainder. With credit card numbers there are properties of those number sets that decrease the search space. You neither need nor want to log into your target. Now add the cavalier attitude most people and corporations have toward security. Good on the OP for being proactive.
 
JMichael said:
Yes, a favorite scheme I see some computer security folks use is a character substitution, like p@55w0rd. Get it? Then they make everyone change the post-it-note on the side of their monitor every month, so you wind up with something like p@55w0rd10 (it's October).
Click to expand...
Passwords have become very vulnerable, to the point where the amount of characters and rule needed to achieve even moderate security are impossible to remember.
Increasing password "security" rules essentially guarantee that passwords are written down, saved in phones, and other places where the network security is easily bypassed.

I am a strong proponent of PIV-type solutions, with card/pin or card/biometric authentication. Future security will require validation based on something you have (card, token) and something you are (fingerprint, iris, etc), rather than on two item you know (username, password).
 
Captain said:
We all know passwords are worthless, right? Today's cheap computing power can crack the longest strings of letters and numbers and symbols in seconds. And that assumes we use a real password and not just the word 'password', which we all do to some varying degree.

So I've been using Google Authenticator wherever I can. One such place is Mt. Gox where I manage my Bit Coins. To set it up I scan a QR code the site generates with my Google Authenticator app on my phone. Now the app generates a 6 digit time based code every minute. When I log into Mt Gox I enter the 6 digit code. So in order to log into my account you need to know my password AND have physical access to my phone. Secure right?

Found a problem. I dropped my phone and broke the screen and now can't get the code. So now I can't log on. Mt Gox's fix is to unlink the authenticar and suspend the whole account for a week.

Anyone see a problem with this? They do send emails to me when the process begins and another the day before the account is reinstated. Just seems like there should be a better / quicker way for me to confirm I am who I am. Ideas?
Click to expand...

You can't just use your new phone? I've implemented Duo Security on a high security payments applications I'm responsible for and there is an app on your phone that generates the mfa key. In the event of your phone being destroyed you can just reinstall the app on your new phone and reassociate it. You can also just have duo call the number and a computer voice tells you the code.
 
jesse said:
You can't just use your new phone? I've implemented Duo Security on a high security payments applications I'm responsible for and there is an app on your phone that generates the mfa key. In the event of your phone being destroyed you can just reinstall the app on your new phone and reassociate it. You can also just have duo call the number and a computer voice tells you the code.
Click to expand...

Yes I can. But to reassociate my new phone with the site requires me to scan a new QR code. They won't generate one of those until I unlink the current OTP and wait the week.

BTW, to others about biometrics...I'm not a fan as I see a big problem. If my password or GA is somehow cracked its bad, but I can then change it and lock the account back down. If my finger prints or iris is hacked now what? I can't get new fingers or eyeballs.
 
Captain said:
BTW, to others about biometrics...I'm not a fan as I see a big problem. If my password or GA is somehow cracked its bad, but I can then change it and lock the account back down. If my finger prints or iris is hacked now what? I can't get new fingers or eyeballs.
Click to expand...

The fingerprint and iris systems probably have the same problem that speech biometrics has, where on the false accept/reject curve do you place the passing criteria? Do you make the user keep running a finger over the sensor or do you settle for close enough? In an effort to make the interface user-friendly you may open it up for fingerprints dusted off a coffee mug. Not to mention the detached finger strategy.
 
When you registered didn't you get backup codes? You can usually use them to recreate your authenticator setup.
 
ChrisK said:
When you registered didn't you get backup codes? You can usually use them to recreate your authenticator setup.
Click to expand...

Ummmm, I don't remember seeing that option. There weren't any 'codes'. Just a QR code to scan with the app. I suppose I could have done a screen capture of the QR code. But then that would defeat the added security to some extent. Where do I store the screen shot? Guess I could have found a secure spot if I had looked.
 
Captain said:
Ummmm, I don't remember seeing that option. There weren't any 'codes'. Just a QR code to scan with the app. I suppose I could have done a screen capture of the QR code. But then that would defeat the added security to some extent. Where do I store the screen shot? Guess I could have found a secure spot if I had looked.
Click to expand...

I guess I've never used the authenticator except with Google itself. When I registered my device I got backup codes I could use (which I saved to my laptop) and a link when I log in that says use backup code. I once used a backup code to log in and set up authenticator again. The qr code was consumed so you wouldn't have been able to use that again.
 
Captain said:
Yes I can. But to reassociate my new phone with the site requires me to scan a new QR code. They won't generate one of those until I unlink the current OTP and wait the week.
Click to expand...

That's just dumb. They should allow 2 tokens for such case, which you should've pre-seeded in case one stops working.

BTW, it's absolutely not true that modern systems crack any password in seconds. The question is how it's hashed.
 
I cannot see how a brute force attack on any account that disables after X (most are 3 - 5) number of tries would work. Even if you KNEW COLD the 8 letters, numbers, and characters they used, you would run out of chances before you would run out of combinations. Plus, you have to start off with a userid, account number, or email address.
 
You don't have to have the best password, just don't have one of the worst... Understood?

It is like outrunning the bear, just trip a friend and you will be fine...
 
silver-eagle said:
I cannot see how a brute force attack on any account that disables after X (most are 3 - 5) number of tries would work. Even if you KNEW COLD the 8 letters, numbers, and characters they used, you would run out of chances before you would run out of combinations. Plus, you have to start off with a userid, account number, or email address.
Click to expand...

Well then I guess brute force attacks don't exist.
 
Captain said:
Well then I guess brute force attacks don't exist.
Click to expand...


Yeah, it isn't like anyone uses the normal login procedure for Brute force... That would take forever.
 
zaitcev said:
That's just dumb. They should allow 2 tokens for such case, which you should've pre-seeded in case one stops working.

BTW, it's absolutely not true that modern systems crack any password in seconds. The question is how it's hashed.
Click to expand...

The possible back-dooring of most popular SSL encryption algorithms by non-peer-reviewed seeds, which were supposed to have been random but instead relied on what may not have been random seeds and may have been planted by NSA, notwithstanding.

Most researchers agreed at least last week, that all the modern, popular, fast SSL algorithms were likely pre-cracked by NSA. Why waste CPU cycles and brainpower when you can just sneak fixed known numbers into the entropy pool. A whole lot of people who thought the seed data they received was peer-reviewed for randomness were pretty surprised to realize that no one else in their peer groups had actually done it.

Modern civilian systems definitely don't crack that fast. Custom built machines with piles of video professors acting as cheap alternatives to sourcing ASICs designed for tons of multiplication instructions , all running in parallel, make the base machine for an awesome cracking cluster farm orders of magnitude cheaper than custom built cracking hardware.

How much floor space in that multi mile long new data center in Utah do you suppose is allocated to the crypto cracking farms and how much to data storage? Sure would be interesting to know.
 
Take a screenshot of the QR code when you get it and encrypt in a secure location (or print it out). Then if when your phone breaks, just re-scan it.
 
Captain said:
Well then I guess brute force attacks don't exist.
Click to expand...

Not since the 1980s.

What does exist are brute-force attacks against the 'encrypted' login credentials either while they are transmitted across the internet or stored on the computers at both ends. For those attacks, it doesn't matter whether you used 8 or 12 letters, whether there was at least one uppercase and one special character included etc. Those rules are just stuff sadistic systems administrators think up to make your life as miserable as possible. In a system that locks out after 5 tries, anything beyond a 4 digit PIN will provide the same level of security.

Passwords get compromised because
- users tend to use the same one for multiple systems and one system has been compromised.
- users write down passwords
- users send passwords in regular emails that can be parsed by every computer along the way.
- the encryption between your device and the host has been breached and someone who filters all packages going to and from a particular host is able to piece together login credentials
- malware on the end users computer that sniffs for any user/password keystroke combinations (the best opportunity for that attack are the multiple occasions when a user has to change expired passwords)
 
Last edited:
The main reason behind two factor is to require more data to authenticate. If someone gets a keylogger on your system and steals your password they're still hosed unless they steal your phone too.
 
Captain said:
We all know passwords are worthless, right? Today's cheap computing power can crack the longest strings of letters and numbers and symbols in seconds. And that assumes we use a real password and not just the word 'password', which we all do to some varying degree.
Click to expand...

Um, no. Today's cheap computing power can't crack "the longest strings of letters and numbers in seconds".

First, nobody cracks passwords at the login screen of a service or webpage. Passwords get "cracked" one of two ways:

1) Social engineering. A clever conman calls up and weasels the password out of an unsuspecting user or sysadmin. (Yes, this happens.) Get a password with sufficient privileges and you can subsequently get other passwords.

2) Exploit system vulnerabilities that allow the downloading of files full of passwords, usually encrypted. Then, apply tools that use known encryption algorithms to compare the downloaded, encrypted passwords against huge lists of "common" passwords encrypted with the same algorithm, and look for matches.

As others have said, it's the "escape the bear" strategy. If someone downloads all the usernames and encrypted passwords for Bank of America remote banking users, and runs the cracking tools against the list, they're going to find hundreds or thousands of easy hits. Everyone who used the password "Yankees87" or "fido123" is screwed.

But the guy whose password is "X8&wd7#rYpd_!93%g78E" is going to be fine, because it takes a lot longer than "seconds" to crack passwords like that.

Can't remember X8&wd7#rYpd_!93%g78E? Don't want to type it in?

Then you need a password vault that helps automate the process. But pick one that's reasonably secure (i.e., use something like LastPass, and not the "remember my password" feature built-in to popular browsers), and use a master password that's not "Yankees87" or "fido123".

There are always vulnerabilities. If someone like the NSA or Mossad wants to get your data, they will, just like someone who wants your car bad enough will steal it.
 
Last edited:
Jim_R said:
There are always vulnerabilities. If someone like the NSA or Mossad wants to get your data, they will, just like someone who wants your car bad enough will steal it.
Click to expand...

They will but if you go through reasonable effort you'll have to be really damn high profile for them to do so as it's incredibly difficult even for them.
 
Lol. Any service that is still susceptible to brute force should be shut down because their developers are useless.

It's 2013. Two factor is only needed for the most secure of services.
 
I fully expect the "security" industry to recommend three-factor. (Password/Phrase, Fob/Card, Biometrics) soon. Whenever they decide they need more money.

I've been logging into my work laptop with a fingerprint reader for a couple if years now. They're fairly easy to trick but combined with the others, not bad.
 
You must log in or register to reply here.
Back
Top