Originally published at: https://boingboing.net/2019/05/20/screw-security-nihilism.html
…
The big downer is getting service providers to support decent authentication methods.
In my case I think that the rough rank of security is 1. My Gmail account, 2. My personal SSH server, 3. My Steam account, 4. My bank account, 5. My doctor’s ‘patient portal’, and finally 6. My brokerage account.
Obviously, this isn’t desireable.
What is an “automated bot” in this context?
If it’s a script that’s just guessing login/password combinations, wouldn’t strong passwords be better (and simpler) protection?
I was wondering if you could provide more details or research on the following from the article:
like Google’s Authenticator, which has a by-design weakness that could potentially allow Google or someone with access to its systems to hack you; or stronger apps like Authy
I’ve tried to search for other research that shows Google Authenticator app allows for Google’s systems to access the contents of any given Authenticator app but have come up empty.
In my usage of the app, I’ve never been able to back up or transfer the data of the Google Authenticator app between devices which, to me, suggests that the secrets are stored on the device itself and the device alone. While Authy does offer a cloud backup solution which leads me to believe there must be some type of “shared” key that Authy does store on its servers.
Thanks for the article!
For Authy (which I personally use and recommend), you encrypt your seeds with a password on-device. That encrypted blob then gets sent to Authy. They can’t decrypt it (nor can you, if you forget your password).
It’s roughly equivalent to gpg encrypting a text file full of passwords, then putting that encrypted file in cloud storage. Like a password manager, it’s as secure as your master password is.
Ah thanks for clearing that up, makes sense.
This topic was automatically closed after 5 days. New replies are no longer allowed.