• Sign in to Neowin Faster!

    Create an account on Neowin to contribute and support the site.

Securing your Email is IMPORTANT!!

Recommended Posts

+warwagon    13,028

When it comes to securing your online accounts with a strong password and two-factor authentication, one of the most IMPORTANT online accounts to secure is your email.

 

When a password is forgotten on a website, the password reset link is usually sent to your email (or a code is sent to your phone if you have two-factor authentication turned on). If someone got a hold of your email password, they could go to sites around the internet, resetting your website passwords (by having reset links sent to your email account which they now have access to) giving them complete access.

 

In the case of Gmail (which is a google account), it may be used to sync your chrome browser. If someone gets access to it, they also get access to any saved passwords saved inside chrome for other websites.

 

Your email is 1 password you DO NOT want to reuse! When creating a password, NEVER use a word found in the dictionary all by itself. Pad it with something, add some punctuation. For instance, take the word microscope. That word used by itself is a HORRIBLE password, but padding it with more characters makes it dramatically more secure. Let’s put a date and some punctuation on the end of it. Now we have microscope1954*!# This is a MUCH stronger password.

 

Strong, secure password are hard to remember, I get that. So don’t feel bad about writing your passwords down, in fact I highly encourage it! I’m much less concerned about someone breaking into your house steeling your book of passwords, than I am about someone hacking your email account because you reused / used a weak password.

 

Online services such as Gmail, Outlook and Yahoo typically won’t let you use a horrible password without adding a capital letter and some numbers (but they will obviously let you reuse one). 

 

Most email providers also support two-factor authentication. When enabled, you must provide a second factor of authentication when logging into your online account after providing the correct password.

 

The two types of Two-factor for your email are typically

 

SMS : A SMS message (Text message) is texted to your phone with a one time use code - This is the least secure two-factor method, but it is still more secure with it than without it.

 

Authenticator: Once enable you scan a provided QR code into an authenticator phone/tablet app of your choosing (Example, Google Authenticator or the Microsoft Authenticator) with your camera and the app will then generate a 1 time code every 30 seconds. 

 

If you use the Authenticator method I recommend saving the QR code that you initially scan into the authenticator, so you can scan that same QR again into the same phone (should you have to reset it) or in to a new phone (should something happen to your current one).

 

Two-factor codes are typically required when the email site detects a new login from a browser or computer it has not seen before.

 

So just remember, if your email password is not unique, change it! If your email password contains a just a single dictionary word, change it! If your email provider supports two-factor authentication but it's not enabled, turn it on! Your email is the single greatest point of failure of your online identity.

  • Like 1
  • Thanks 2

Share this post


Link to post
Share on other sites
Steven P.    13,596

Or use two-factor authentication, then you can have a weak ass password all you like, but you aren't getting in without the second step auth.

  • Like 1
  • Facepalm 1

Share this post


Link to post
Share on other sites
+warwagon    13,028
3 minutes ago, Steven P. said:

Or use two-factor authentication, then you can have a weak ass password all you like, but you aren't getting in without the second step auth.

Indeed.

Share this post


Link to post
Share on other sites
Circaflex    3,553
12 hours ago, Steven P. said:

Or use two-factor authentication, then you can have a weak ass password all you like, but you aren't getting in without the second step auth.

That isn't true at all. 2FA isn't the end all and isn't a guarantee you are safe. 

  • Facepalm 1

Share this post


Link to post
Share on other sites
Steven P.    13,596

Thread cleaned, please stay on topic.

  • Facepalm 1

Share this post


Link to post
Share on other sites
+warwagon    13,028
2 hours ago, Steven P. said:

Thread cleaned, please stay on topic.

It's ok Steve, I don't mind if my threads go off topic, Off topic is still comments, comments still bump me to the front page, front page gives me views :)

  • Thanks 1

Share this post


Link to post
Share on other sites
goretsky    1,045

Hello,

 

A properly-engineered, properly-implemented and properly-used multi-factor authentication system can greatly increase the security of account logins by providing resistance against brute-forcing, password-reset attacks and so forth.  Of course, if the second factor is vulnerable to phone (SIM or account) resets, token theft, biometric spoofing, and so forth, then a large amount of additional security layer is mitigated.

 

Regards,

 

Aryeh Goretsky

  • Like 2
  • Thanks 2

Share this post


Link to post
Share on other sites
sc302    1,725
On 7/24/2019 at 1:53 AM, Circaflex said:

That isn't true at all. 2FA isn't the end all and isn't a guarantee you are safe. 

Many security experts are saying that if you use 2fa you never have to change your password again. 

 

Right now, there is no known way to bypass 2fa or get the code/onetime auth key without having your device.  It is better to use a token that is registered to your device via an authenticator app vs a password.  If you know of a way to bypass/circumvent 2fa, I am sure all of us would like to know.

Share this post


Link to post
Share on other sites
+BudMan    3,517
2 hours ago, sc302 said:

Right now, there is no known way to bypass 2fa

Depends what the 2fa method is.

SMS can for sure be circumvented - there are many know hacks to this. Pretty sure nist has or is dropping it as valid/recommended method even.

This is why the 3 points of @goretsky "A properly-engineered, properly-implemented and properly-used" are so critical - and can tell you for pretty much fact the weakest link in that chain is going to properly used point "user"... 

 

And there are multiple ways to get around other 2fa.. mitm sort of attacks, mitendpoint, compromised software, etc. etc..

here

https://www.rsaconference.com/writable/presentations/file_upload/idy-f02-12-ways-to-hack-2fa.pdf

So saying there is no known way is just not true..

 

  • Like 1

Share this post


Link to post
Share on other sites
Steven P.    13,596
3 minutes ago, BudMan said:

Depends what the 2fa method is.

SMS can for sure be circumvented - there are many know hacks to this. Pretty sure nist has or is dropping it as valid/recommended method even.

This is why the 3 points of @goretsky "A properly-engineered, properly-implemented and properly-used" are so critical - and can tell you for pretty much fact the weakest link in that chain is going to properly used point "user"... 

 

You are right a PAYG phone and a weak password written on a post it note stuck on the computer screen just isn't enough!

  • Like 1

Share this post


Link to post
Share on other sites
+fusi0n    2,036

Also, malware on the device that would forward the 2FA. This would be more of a whaling type scenario though. Also, if you have a device that was compromised or you wrote your secret that is used to generate the 2FA token and it was stolen, by passing 2FA would be fairly easy. 

 

Always have the application/software alert you of any new logins. This would help incase it was compromised. 

Share this post


Link to post
Share on other sites
The Dark Knight    267
On 7/23/2019 at 10:55 PM, warwagon said:

When it comes to securing your online accounts with a strong password and two-factor authentication, one of the most IMPORTANT online accounts to secure is your email.

Very true! I secure my personal and professional email accounts with crazy long passwords generated by LastPass, and behind TOTP 2FA. And my LastPass password is even longer, again behind 2FA. Finally, I change these 3 passwords and a few other critical ones once a month. :)

  • Thanks 1

Share this post


Link to post
Share on other sites
sc302    1,725
2 hours ago, BudMan said:

Depends what the 2fa method is.

SMS can for sure be circumvented - there are many know hacks to this. Pretty sure nist has or is dropping it as valid/recommended method even.

This is why the 3 points of @goretsky "A properly-engineered, properly-implemented and properly-used" are so critical - and can tell you for pretty much fact the weakest link in that chain is going to properly used point "user"... 

 

And there are multiple ways to get around other 2fa.. mitm sort of attacks, mitendpoint, compromised software, etc. etc..

here

https://www.rsaconference.com/writable/presentations/file_upload/idy-f02-12-ways-to-hack-2fa.pdf

So saying there is no known way is just not true..

 

sorry, going back several years to when rsa key was the standard.  I should know to stay up on knowBe4

Share this post


Link to post
Share on other sites
+warwagon    13,028
2 hours ago, The Dark Knight said:

Very true! I secure my personal and professional email accounts with crazy long passwords generated by LastPass, and behind TOTP 2FA. And my LastPass password is even longer, again behind 2FA. Finally, I change these 3 passwords and a few other critical ones once a month. :)

Ya, I don't change mine once a month. That just sounds like a pain, give I have 8 gmail address :D

Share this post


Link to post
Share on other sites
bikeman25    63

Change my important passwords usually every 6 months, which is coming due again,  I used to do it around Windows new releases, but I got a little behind this year,  but will get it done in a day or two, and make accounts more secure again.    Then I should be set,   might setup Microsoft Authenicator as well,  I do have Google setup with clicking yes or no on login if it's me from my Galaxy S10e.

 

Too much trouble trying to change every account password, but I know I should again, just know it's gonna take a while

 

Share this post


Link to post
Share on other sites
+BudMan    3,517
11 hours ago, bikeman25 said:

Change my important passwords usually every 6 months

You guys need to keep up, and I have always said this - changing passwords for the sake of changing passwords is BS.. And the guy  that wrote the standard has come out and said as much.

 

NIST now clearly states

"“SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).”"

 

Unless something has happened, someone left the company.  There has been some breach or something... Changing your password because its been 90 days has always just been utter ######.. And you know what it does do - it forces people to write ###### down ;)

  • Like 5

Share this post


Link to post
Share on other sites
dipsylalapo    1,764
9 minutes ago, BudMan said:

You guys need to keep up, and I have always said this - changing passwords for the sake of changing passwords is BS.. And the guy  that wrote the standard has come out and said as much.

 

NIST now clearly states

"“SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).”"

 

Unless something has happened, someone left the company.  There has been some breach or something... Changing your password because its been 90 days has always just been utter ######.. And you know what it does do - it forces people to write ###### down ;)

When I first started working, I needed to remember three fairly complex passwords all of which needed to be changed every 90 days. And like you said, in the end I wrote my passwords down. 

Share this post


Link to post
Share on other sites
+warwagon    13,028
2 hours ago, BudMan said:

You guys need to keep up, and I have always said this - changing passwords for the sake of changing passwords is BS.. And the guy  that wrote the standard has come out and said as much.

 

NIST now clearly states

"“SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).”"

 

Unless something has happened, someone left the company.  There has been some breach or something... Changing your password because its been 90 days has always just been utter ######.. And you know what it does do - it forces people to write ###### down ;)

Forcing users to change their password every 90 days also forces them to rotate ###### passwords

Share this post


Link to post
Share on other sites
Steven P.    13,596
1 minute ago, warwagon said:

Or rotate ###### passwords

###### isn't a great password :s 

Share this post


Link to post
Share on other sites
+warwagon    13,028
2 minutes ago, Steven P. said:

## # ### isn't a great password :s 

Why does the 4 letter swear word that starts with S ends with T show up as ###### <------6 characters long ... now they don't know what swear word I was going for, so then I have to edit it so it has the correct amount of ####

Share this post


Link to post
Share on other sites
Steven P.    13,596
2 minutes ago, warwagon said:

Why does the 4 letter swear word that starts with S ends with T show up as ###### <------6 characters long ... now they don't know what swear word I was going for, so then I have to edit it so it has the correct amount of ####

Because at the time moderators didn't want swear words to have the same amount of characters so that people could instantly fill in the word by themselves, it was requested to use a generic term, which is what I did. (and another fine example of how I don't decide everything on my own).

Share this post


Link to post
Share on other sites
cork1958    1,668
Posted (edited)
2 hours ago, BudMan said:

You guys need to keep up, and I have always said this - changing passwords for the sake of changing passwords is BS.. And the guy  that wrote the standard has come out and said as much.

 

NIST now clearly states

"“SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).”"

 

Unless something has happened, someone left the company.  There has been some breach or something... Changing your password because its been 90 days has always just been utter ######.. And you know what it does do - it forces people to write ###### down ;)

Ya, I always thought changing passwords just for the sake of it or due to number of days was dumb as dirt. Can't even begin to remember last time I changed my passwords! Don't know a single person that's changed their passwords. Don't know of a single person that's ever had their e-mail hacked or anything either.

Share this post


Link to post
Share on other sites
Jim K    13,225

Still required to change passwords every 90 days for various work related sites/government sites.  Some of them have to be around 15 characters ... can't use x number of characters previously used (so you can't just go up a digit or whatever) ... 

 

Though the work related sites are slowly but surely transitioning away from username/password to CAC card/pin number.  Praise baby Jesus.

Share this post


Link to post
Share on other sites
+Zag L.    695
3 hours ago, BudMan said:

You guys need to keep up, and I have always said this - changing passwords for the sake of changing passwords is BS.. And the guy  that wrote the standard has come out and said as much.

 

NIST now clearly states

"“SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically).”"

 

Unless something has happened, someone left the company.  There has been some breach or something... Changing your password because its been 90 days has always just been utter ######.. And you know what it does do - it forces people to write ###### down ;)

100% 

 

I used to change my entire list every 90 days. What a fool I was. I was using LastPass at the time and have since migrated to BitWarden and have always used strong, tool generated passwords, often at the length limit of the site. I was changing these for no reason.  Today I continue to use strong passwords (as should everyone) and 2FA when available with a preference to time based values over SMS codes. Changing a 23 character password that I never knew to start with every 90 days was foolish and a monumental waste of time.  

 

I just wish my employer would stop making us change them every 90 days AND allowed us to use a password manager.

Share this post


Link to post
Share on other sites
Jared-    577

Password managers, SSO, MFA, and if you wanna go hardcore, hardware tokens. 

 

Rotating passwords is stupid, and actually causes users to just increment their existing password, Monkey1. 

  • Like 1

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

  • Recently Browsing   0 members

    No registered users viewing this page.