|
There are isolated problems with current patches, but they are well-known and documented on this site. |
May 5th was World password day. A day that Microsoft wanted us to ditch our passwords completely and move to authentication apps, fido keys and other
[See the full post at: Today is “What drives me insane about passwords” day]
Susan Bradley Patch Lady
During my career, people’s lack of security with passwords drives me insane. They happily share their password with others. Happy until someone misuses it and they get to chat with investigators. The punishment is usually identical. I’ve never heard of anyone pointing out the culprit. “He’s a friend. You don’t dob on a mate and I get the sack either way”.
In my retirement job I supported a fleet of laptops for schools. There I learnt where bad password habits started. Password sharing was common, including teachers giving their logon access to students.
At home, Google’s 2FA to access causes the occasional blue word. I use Brave and have it set to clear everything when closed. I have an iNaturalist account and use log in with Google for access. The time that suits me to identify species is early morning before my wife rises. I charge my phone in the morning. I suspect you can guess the rest but the main result is I am not using my iNaturalist account as frequently as I would like due to 2FA.
The temptation exists to buy a Yubikey. I am concerned what may be the result if it is lost.
Group A (but Telemetry disabled Tasks and Registry)
Win 7 64 Pro desktop
Win 10 64 Home portable
I have no cell phone. Are all “Authenticator apps” dependent on cell phones? I will never voluntarily own a cell phone. Passwords are best. I’m not keen on handing over biometric data to big tech. They know too much already, and I sure as hell never want a Microsoft account.
I have no cell phone. Are all “Authenticator apps” dependent on cell phones? I will never voluntarily own a cell phone. Passwords are best.
The short answer is no, because there are desktop apps that serve the same purpose.
But first, let’s be clear that authenticator apps and passwords are two different things. Authenticator apps provide a second-step for Two-Factor Authentication (2FA). Passwords are traditionally the first step. (If anyone is not sure how this works, perhaps my tutorial will help bring this into focus.)
The most popular authenticator apps are smartphone based, such as Google Authenticator, Microsoft Authenticator, Facebook Authenticator, etc. They are not tied to a phone number, they merely use a random, super-long secret string and encrypt it with the current time to calculate a time-based one-time passcode. This is used as a way to prove you and your account on the web service have the same secret string.
But there are desktop apps that can do the same calculation, so you don’t need to use a smartphone if you don’t want.
And BTW, in case this isn’t clear to everyone, this means that authenticator apps do not need to know anything about you or communicate with any cloud server anywhere, so they do not need to collect any personally identifiable information. (Whether they surreptitiously do is another matter, but they don’t need to. It’s not a requirement for them to function.)
That sounds like a challenge. Guessing is not the problem. Hackers don’t try to guess the owners password. They use computers to crack the password (or work around it if the system has a vulnerability or a keystroke recorder can be used).
Take one of your passwords and test it here
Substitute a hash or other character but reduce by one letter so your amended password is the same length (the longer the password, the less susceptible it is to cracking).
I tested it with ‘banana’. That can be cracked instantly.
‘#anana’ – can be crack in 100 milliseconds
Some people use passphrases (e.g. ‘My first dog was named bowser’). Testing that
‘this_is_my_password’ – can be cracked in three trillion years.
‘this_is_my_passwor#’ – can be cracked in three trillion years.
Protection depends more on the length of the password (or passphrase) than the use of special characters but they can help increase complexity a little.
Group A (but Telemetry disabled Tasks and Registry)
Win 7 64 Pro desktop
Win 10 64 Home portable
They can also crack a database of stored hash values from one database and then use it to see if you’ve reused a password in another site.
Susan Bradley Patch Lady
For authentication I use *Itsme*. That means that Itsme, through my smart phone, requires scanning and checking my fingerprint (*) to log me in to my bank account, or government and social security websites, or my medical database. No complex passwords or hilarious phrases needed.
Up to now no worries. I’m sure Itsme has extremely high security (I hope), considering it was developed and introduced by the belgian banks federation and the government.
(*) No, I’m not telling which finger. Though I’d love to divulge which toeprint, but alas, I’m too old and stiff to manage that.
Using a non-changeable “password”? Bad idea. Especially DNA, it’s spread everywhere! Every hair or dead skin cell you lose can compromise your access!
Martin
To me, this shows a big blind spot in the computer industry. “Everybody” has a smart phone so everybody assumes that everybody else has a smart phone, and they use their smart phones in the same way. That leads to the presumption that “you are your phone”, and where you use that for everything, whether phone calls (remember those?), text, apps for all sorts of things, but also for payments and as an authentication token. Unfortunately, if you lose your phone, then you’re in a world of hurt, partially from not from having all those functions in hand, but also what happens if somebody else might have access to all of that.
For Susan’s comments specifically, the problem is that there’s an expectation of 1:1 relationship between both users and user IDs as well as users and phones. And obviously, there are a lot of places where that simply doesn’t work. In particular, there are places that are both appropriate and necessary for more than one person to have access. Sometimes, it’s a matter of managing access, sometimes it’s that multiple people need the same access.
There are also differences between how things behave in a commercial environment and how things behave in a home environment. Although the idea of everybody in a family having their own smart phone is widespread, there are plenty of places where that’s impractical or undesirable, and where shared access is needed. Even for something as simple as a telephone, in a family environment, it’s appropriate to have a shared phone, where incoming calls can be interacted with by anybody in the house, rather than forcing the call to somebody specifically.
One other thing that I can think of — I’ve done some work with a “digital will”, of what would happen if, for some reason, I’m not available, either temporarily or permanently. In a case like that, it’s appropriate and necessary to be able to get to most of my accounts, and where the necessary information is not locked away in a form that only I know it.
How do you do this? I’d like to check mine. I am not comfortable putting my passwords into those password checking websites
You are not putting the passwords into haveibeenpwned, your browser hashes the password and sends the hash to the site. If a bad guy intercepted the hash it would be useless.
https://www.troyhunt.com/ive-just-launched-pwned-passwords-version-2/#cloudflareprivacyandkanonymity
cheers, Paul
Donations from Plus members keep this site going. You can identify the people who support AskWoody by the Plus badge on their avatars.
AskWoody Plus members not only get access to all of the contents of this site -- including Susan Bradley's frequently updated Patch Watch listing -- they also receive weekly AskWoody Plus Newsletters (formerly Windows Secrets Newsletter) and AskWoody Plus Alerts, emails when there are important breaking developments.
