Securing your Email is IMPORTANT!!

[+Warwagon MVC]

When it comes to securing your online accounts with a strong password and two-factor authentication, one of the most IMPORTANT online accounts to secure is your email.

 

When a password is forgotten on a website, the password reset link is usually sent to your email (or a code is sent to your phone if you have two-factor authentication turned on). If someone got a hold of your email password, they could go to sites around the internet, resetting your website passwords (by having reset links sent to your email account which they now have access to) giving them complete access.

 

In the case of Gmail (which is a google account), it may be used to sync your chrome browser. If someone gets access to it, they also get access to any saved passwords saved inside chrome for other websites.

 

Your email is 1 password you DO NOT want to reuse! When creating a password, NEVER use a word found in the dictionary all by itself. Pad it with something, add some punctuation. For instance, take the word microscope. That word used by itself is a HORRIBLE password, but padding it with more characters makes it dramatically more secure. Let’s put a date and some punctuation on the end of it. Now we have microscope1954*!# This is a MUCH stronger password.

 

Strong, secure password are hard to remember, I get that. So don’t feel bad about writing your passwords down, in fact I highly encourage it! I’m much less concerned about someone breaking into your house steeling your book of passwords, than I am about someone hacking your email account because you reused / used a weak password.

 

Online services such as Gmail, Outlook and Yahoo typically won’t let you use a horrible password without adding a capital letter and some numbers (but they will obviously let you reuse one). 

 

Most email providers also support two-factor authentication. When enabled, you must provide a second factor of authentication when logging into your online account after providing the correct password.

 

The two types of Two-factor for your email are typically

 

SMS : A SMS message (Text message) is texted to your phone with a one time use code - This is the least secure two-factor method, but it is still more secure with it than without it.

 

Authenticator: Once enable you scan a provided QR code into an authenticator phone/tablet app of your choosing (Example, Google Authenticator or the Microsoft Authenticator) with your camera and the app will then generate a 1 time code every 30 seconds. 

 

If you use the Authenticator method I recommend saving the QR code that you initially scan into the authenticator, so you can scan that same QR again into the same phone (should you have to reset it) or in to a new phone (should something happen to your current one).

 

Two-factor codes are typically required when the email site detects a new login from a browser or computer it has not seen before.

 

So just remember, if your email password is not unique, change it! If your email password contains a just a single dictionary word, change it! If your email provider supports two-factor authentication but it's not enabled, turn it on! Your email is the single greatest point of failure of your online identity.

[Steven P. Administrators]

Or use two-factor authentication, then you can have a weak ass password all you like, but you aren't getting in without the second step auth.

[+Warwagon MVC]

3 minutes ago, Steven P. said:

Or use two-factor authentication, then you can have a weak ass password all you like, but you aren't getting in without the second step auth.

Indeed.

[Circaflex]

12 hours ago, Steven P. said:

Or use two-factor authentication, then you can have a weak ass password all you like, but you aren't getting in without the second step auth.

That isn't true at all. 2FA isn't the end all and isn't a guarantee you are safe. 

[Steven P. Administrators]

Thread cleaned, please stay on topic.

[+Warwagon MVC]

2 hours ago, Steven P. said:

Thread cleaned, please stay on topic.

It's ok Steve, I don't mind if my threads go off topic, Off topic is still comments, comments still bump me to the front page, front page gives me views

[goretsky Supervisor]

Hello,

 

A properly-engineered, properly-implemented and properly-used multi-factor authentication system can greatly increase the security of account logins by providing resistance against brute-forcing, password-reset attacks and so forth.  Of course, if the second factor is vulnerable to phone (SIM or account) resets, token theft, biometric spoofing, and so forth, then a large amount of additional security layer is mitigated.

 

Regards,

 

Aryeh Goretsky

[sc302 Veteran]

On 7/24/2019 at 1:53 AM, Circaflex said:

That isn't true at all. 2FA isn't the end all and isn't a guarantee you are safe. 

Many security experts are saying that if you use 2fa you never have to change your password again. 

 

Right now, there is no known way to bypass 2fa or get the code/onetime auth key without having your device.  It is better to use a token that is registered to your device via an authenticator app vs a password.  If you know of a way to bypass/circumvent 2fa, I am sure all of us would like to know.

[+BudMan MVC]

2 hours ago, sc302 said:

Right now, there is no known way to bypass 2fa

Depends what the 2fa method is.

SMS can for sure be circumvented - there are many know hacks to this. Pretty sure nist has or is dropping it as valid/recommended method even.

This is why the 3 points of @goretsky "A properly-engineered, properly-implemented and properly-used" are so critical - and can tell you for pretty much fact the weakest link in that chain is going to properly used point "user"... 

 

And there are multiple ways to get around other 2fa.. mitm sort of attacks, mitendpoint, compromised software, etc. etc..

here

https://www.rsaconference.com/writable/presentations/file_upload/idy-f02-12-ways-to-hack-2fa.pdf

So saying there is no known way is just not true..

 

[Steven P. Administrators]

3 minutes ago, BudMan said:

Depends what the 2fa method is.

SMS can for sure be circumvented - there are many know hacks to this. Pretty sure nist has or is dropping it as valid/recommended method even.

This is why the 3 points of @goretsky "A properly-engineered, properly-implemented and properly-used" are so critical - and can tell you for pretty much fact the weakest link in that chain is going to properly used point "user"... 

 

You are right a PAYG phone and a weak password written on a post it note stuck on the computer screen just isn't enough!

[fusi0n]

Also, malware on the device that would forward the 2FA. This would be more of a whaling type scenario though. Also, if you have a device that was compromised or you wrote your secret that is used to generate the 2FA token and it was stolen, by passing 2FA would be fairly easy. 

 

Always have the application/software alert you of any new logins. This would help incase it was compromised. 

[The Dark Knight]

On 7/23/2019 at 10:55 PM, warwagon said:

When it comes to securing your online accounts with a strong password and two-factor authentication, one of the most IMPORTANT online accounts to secure is your email.

Very true! I secure my personal and professional email accounts with crazy long passwords generated by LastPass, and behind TOTP 2FA. And my LastPass password is even longer, again behind 2FA. Finally, I change these 3 passwords and a few other critical ones once a month.

[sc302 Veteran]

2 hours ago, BudMan said:

Depends what the 2fa method is.

SMS can for sure be circumvented - there are many know hacks to this. Pretty sure nist has or is dropping it as valid/recommended method even.

This is why the 3 points of @goretsky "A properly-engineered, properly-implemented and properly-used" are so critical - and can tell you for pretty much fact the weakest link in that chain is going to properly used point "user"... 

 

And there are multiple ways to get around other 2fa.. mitm sort of attacks, mitendpoint, compromised software, etc. etc..

here

https://www.rsaconference.com/writable/presentations/file_upload/idy-f02-12-ways-to-hack-2fa.pdf

So saying there is no known way is just not true..

 

sorry, going back several years to when rsa key was the standard.  I should know to stay up on knowBe4

[+Warwagon MVC]

2 hours ago, The Dark Knight said:

Very true! I secure my personal and professional email accounts with crazy long passwords generated by LastPass, and behind TOTP 2FA. And my LastPass password is even longer, again behind 2FA. Finally, I change these 3 passwords and a few other critical ones once a month. 

Ya, I don't change mine once a month. That just sounds like a pain, give I have 8 gmail address

[bikeman25]

Change my important passwords usually every 6 months, which is coming due again,  I used to do it around Windows new releases, but I got a little behind this year,  but will get it done in a day or two, and make accounts more secure again.    Then I should be set,   might setup Microsoft Authenicator as well,  I do have Google setup with clicking yes or no on login if it's me from my Galaxy S10e.

 

Too much trouble trying to change every account password, but I know I should again, just know it's gonna take a while

 

[+BudMan MVC]

11 hours ago, bikeman25 said:

Change my important passwords usually every 6 months

You guys need to keep up, and I have always said this - changing passwords for the sake of changing passwords is BS.. And the guy  that wrote the standard has come out and said as much.

 

NIST now clearly states

"“SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).”"

 

Unless something has happened, someone left the company.  There has been some breach or something... Changing your password because its been 90 days has always just been utter ######.. And you know what it does do - it forces people to write ###### down

[dipsylalapo Supervisor]

9 minutes ago, BudMan said:

You guys need to keep up, and I have always said this - changing passwords for the sake of changing passwords is BS.. And the guy  that wrote the standard has come out and said as much.

 

NIST now clearly states

"“SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).”"

 

Unless something has happened, someone left the company.  There has been some breach or something... Changing your password because its been 90 days has always just been utter ######.. And you know what it does do - it forces people to write ###### down

When I first started working, I needed to remember three fairly complex passwords all of which needed to be changed every 90 days. And like you said, in the end I wrote my passwords down. 

[+Warwagon MVC]

2 hours ago, BudMan said:

You guys need to keep up, and I have always said this - changing passwords for the sake of changing passwords is BS.. And the guy  that wrote the standard has come out and said as much.

 

NIST now clearly states

"“SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).”"

 

Unless something has happened, someone left the company.  There has been some breach or something... Changing your password because its been 90 days has always just been utter ######.. And you know what it does do - it forces people to write ###### down

Forcing users to change their password every 90 days also forces them to rotate ###### passwords

[Steven P. Administrators]

1 minute ago, warwagon said:

Or rotate ###### passwords

###### isn't a great password  

[+Warwagon MVC]

2 minutes ago, Steven P. said:

## # ### isn't a great password  

Why does the 4 letter swear word that starts with S ends with T show up as ###### <------6 characters long ... now they don't know what swear word I was going for, so then I have to edit it so it has the correct amount of ####

[Steven P. Administrators]

2 minutes ago, warwagon said:

Why does the 4 letter swear word that starts with S ends with T show up as ###### <------6 characters long ... now they don't know what swear word I was going for, so then I have to edit it so it has the correct amount of ####

Because at the time moderators didn't want swear words to have the same amount of characters so that people could instantly fill in the word by themselves, it was requested to use a generic term, which is what I did. (and another fine example of how I don't decide everything on my own).

[cork1958]

2 hours ago, BudMan said:

You guys need to keep up, and I have always said this - changing passwords for the sake of changing passwords is BS.. And the guy  that wrote the standard has come out and said as much.

 

NIST now clearly states

"“SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).”"

 

Unless something has happened, someone left the company.  There has been some breach or something... Changing your password because its been 90 days has always just been utter ######.. And you know what it does do - it forces people to write ###### down

Ya, I always thought changing passwords just for the sake of it or due to number of days was dumb as dirt. Can't even begin to remember last time I changed my passwords! Don't know a single person that's changed their passwords. Don't know of a single person that's ever had their e-mail hacked or anything either.

[Jim K Global Moderator]

Still required to change passwords every 90 days for various work related sites/government sites.  Some of them have to be around 15 characters ... can't use x number of characters previously used (so you can't just go up a digit or whatever) ... 

 

Though the work related sites are slowly but surely transitioning away from username/password to CAC card/pin number.  Praise baby Jesus.

[+Biscuits Brown MVC]

3 hours ago, BudMan said:

You guys need to keep up, and I have always said this - changing passwords for the sake of changing passwords is BS.. And the guy  that wrote the standard has come out and said as much.

 

NIST now clearly states

"“SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).”"

 

Unless something has happened, someone left the company.  There has been some breach or something... Changing your password because its been 90 days has always just been utter ######.. And you know what it does do - it forces people to write ###### down

100% 

 

I used to change my entire list every 90 days. What a fool I was. I was using LastPass at the time and have since migrated to BitWarden and have always used strong, tool generated passwords, often at the length limit of the site. I was changing these for no reason.  Today I continue to use strong passwords (as should everyone) and 2FA when available with a preference to time based values over SMS codes. Changing a 23 character password that I never knew to start with every 90 days was foolish and a monumental waste of time.  

 

I just wish my employer would stop making us change them every 90 days AND allowed us to use a password manager.

[binaryzero]

Password managers, SSO, MFA, and if you wanna go hardcore, hardware tokens. 

 

Rotating passwords is stupid, and actually causes users to just increment their existing password, Monkey1.