Magnetic North posted:
> I have not heard of fido keys before now, but I had been thinking about some form of backup to get into accounts if there were an issue. Anyone have a trusted resource on these? Sure, I can look at Google and Youtube but I have no idea who actually knows anything.

https://learn.microsoft.com/en-us/events/ignite-nov-2021/security-compliance-and-identity/breakouts/brk244/ if you want a quick explainer on how fido2 works. If you purchase fido keys, always purchase in couples: one with you and one in a safe place.

Posted: Jan 26, 2023 00:02
Blurb3947 posted:
> I was going to say a simple explanation was that the thief was trailing them and saw the pin then swiped it later. It is crazy how lazy people are with their sec ops until they're actually affected.

Someone getting their phone stolen and SIM swapped (without a passcode) isn't really end-user laziness at this point. It's a flaw with the current defaults for something like "having a phone" and "having a Gmail account."

Posted: Jan 26, 2023 01:04
Oh, I'll agree for sure on that. I was more just mentioning how easy it can be to get device access through simple means. 2FA over SMS is useless then, but so could an authenticator app be if it's not itself locked down through an additional means.

Posted: Jan 26, 2023 02:18
We're in the process of rewriting our storage engine (log management software) and are adding data silos. I've been tasked with the architecture for this, including RBAC. What are everyone's requirements for this in a SIEM? Do you handle it by host access, or on a more granular level?

Posted: Jan 26, 2023 16:58
I saw this CVE mentioned on a tech news website; it said the following:

quote:

I use KeePassXC myself; I'm not sure how that is affected and if this is something to worry about. Is it indeed a case of, if they already have access to your PC it doesn't matter anymore?

Posted: Jan 27, 2023 01:42
It's on the level of "if you type in your password on a compromised machine, the attacker can sniff your keyboard to get the password to decrypt the vault".

Posted: Jan 27, 2023 01:48
Zadda posted:
> Is it indeed a case of, if they already have access to your pc it doesn't matter anymore?

Pretty much. Imagine if KeePass adds a Y/N confirmation before auto-export like that guy wants. I get access to your PC and overwrite your KeePass executable with a new version that disables that confirmation. Is that a new CVE? Why isn't KeePass guarding against that? That's the level of dumbassery here.

Posted: Jan 27, 2023 02:30
Thanks for the answers.

Posted: Jan 27, 2023 03:34
I am really starting to become a fan of 1Password being my virtual MFA as well in a lot of situations, both for shared/service accounts and private/personal ones. When you can't consolidate things under SSO, it's a really neat tool for that. I am getting a bit overloaded on the Microsoft Authenticator and Google Authenticator front.

Posted: Jan 27, 2023 04:30
Lucid Nonsense posted:
> We're in the process of rewriting our storage engine (log management software) and are adding data silos. I've been tasked with the architecture for this, including rbac. What is everyone's requirements for this in a SIEM? Do you handle it by host access, or on a more granular level?

Sentinel doesn't let you filter much for item access. If you have budget, you could have multiple instances: one overseeing everything and one for each app silo.

Posted: Jan 27, 2023 11:37
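For the "host access vs. more granular" question above, here is an added example (not code from the thread or from any SIEM product) of how a siloed log store can enforce RBAC at three granularities in one pass: silo, then host, then field-level redaction. The roles, silo names, hosts and events are all constructed sample data.

```python
from dataclasses import dataclass
from typing import Iterable

# Constructed sample events: one dict per log line, tagged with the silo
# (tenant/app) it was ingested into and the host that produced it.
EVENTS = [
    {"silo": "payments", "host": "pay-db-01", "user": "alice", "msg": "login ok"},
    {"silo": "payments", "host": "pay-web-02", "user": "bob", "msg": "login failed"},
    {"silo": "hr", "host": "hr-app-01", "user": "carol", "msg": "record viewed"},
    {"silo": "hr", "host": "hr-app-01", "user": "dave", "msg": "export started"},
]

@dataclass(frozen=True)
class Role:
    """A role grants access at three granularities, checked in order:
    silo (coarse), host (the 'host access' model), and field (redaction)."""
    name: str
    silos: frozenset[str]                   # "*" means every silo
    hosts: frozenset[str] = frozenset({"*"})  # "*" means every host in the silo
    hidden_fields: frozenset[str] = frozenset()

# Hypothetical roles for the example.
ROLES = {
    # SOC sees every silo and host, but user identities are redacted.
    "soc_analyst": Role("soc_analyst", frozenset({"*"}), hidden_fields=frozenset({"user"})),
    # Payments app owner: own silo only, and only the web tier host.
    "payments_owner": Role("payments_owner", frozenset({"payments"}), frozenset({"pay-web-02"})),
    # HR auditor: own silo, all hosts, full fields.
    "hr_auditor": Role("hr_auditor", frozenset({"hr"})),
}

def _allowed(scope: frozenset[str], value: str) -> bool:
    return "*" in scope or value in scope

def query(role_name: str, events: Iterable[dict]) -> list[dict]:
    """Return the events the role may see, with hidden fields redacted.
    Unknown roles get nothing: deny by default."""
    role = ROLES.get(role_name)
    if role is None:
        return []
    visible = []
    for ev in events:
        if not _allowed(role.silos, ev["silo"]) or not _allowed(role.hosts, ev["host"]):
            continue
        visible.append({k: ("<redacted>" if k in role.hidden_fields else v)
                        for k, v in ev.items()})
    return visible
```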
Klyith posted:
> Pretty much.

Honestly, to me silently exporting passwords to plaintext seems to be a bigger issue for incompetence than malice. It should always be accompanied by a big warning so users with fat fingers don't accidentally make plaintext copies that hang around to be found later.

Posted: Jan 27, 2023 12:57
Sickening posted:
> I am really starting to become a fan of 1password being my virtual mfa as well in a lot of situations. Both for shared/service accounts and private/person ones. When you can't consolidate things under SSO, its a really neat tool for that.

It's technically not a second factor at that point, because if a malicious actor has the password to your vault, they also have your second factor. But it's just so drat convenient, I use it too. And the banking sites that do SMS 2FA piss me off every time because I just want 1Pass to deal with it.

Posted: Jan 27, 2023 17:39
Yeah, but how many MFA challenges on your phone are supplied by your phone? There are certainly some significant cons, but the pros vastly outweigh them for me. Password to vault isn't enough in 1Pass: Secret Key, and you can add MFA to protect it. Still an issue of one thing getting owned and the bad peeps getting both your passwords and MFAs. To lower risk there, I don't put my Google account in 1Pass and MFA is handled outside. So any service that sends an email to confirm a login from a new device is still covered.

Internet Explorer fucked around with this message at 17:54 on Jan 27, 2023

Posted: Jan 27, 2023 17:52
My boss keeps forwarding me Dreamhost phishing attempts, saying "can you take care of this?" The same boss had me do his cyber security training module for him. He was born in 1992.

Posted: Jan 27, 2023 17:59
I don't use the Google or Microsoft MFA; I consolidated all my MFA to Authy. It has some risks, like someone doing a SIM clone and knowing the password for the backup could clone the MFA, but it's so much easier than having them spread all over different apps, and being able to recover them on a new phone without having to use backup codes.

Posted: Jan 27, 2023 18:06
Happiness Commando posted:
> It's technically not a second factor at that point, because if a malicious actor has the password to your vault, they also have your second factor.

It's MFA under another layer of MFA.

Posted: Jan 27, 2023 18:20
Sickening posted:
> It's MFA under another layer of MFA.

MFA all the way down.

Posted: Jan 27, 2023 18:40
I love 1Password MFA for shared accounts but I would never use it for personal ones for those reasons. Yubikey all the way, and Yubikey Auth for whatever rear end in a top hat service doesn't take hardware authentication.

Posted: Jan 27, 2023 18:52
Cup Runneth Over posted:
> I love 1Password MFA for shared accounts but I would never use it for personal ones for those reasons. Yubikey all the way, and Yubikey Auth for whatever rear end in a top hat service doesn't take hardware authentication.

I feel like all of these are options, and all are things I do. Personal accounts aren't all created equal, and debating the security of my 1Password vault vs my phone is going to be a wash for anything that isn't super serious.

Posted: Jan 27, 2023 19:18
I wish a pair of Yubikeys wasn't so expensive.

Posted: Jan 27, 2023 21:13
I honestly can't understand why Yubico isn't making newer Yubikeys with more TOTP slots. I have, give or take, thirty of them, so I'm forced to use multiple platforms (Authy + Yubi) to cover all of them.

Posted: Jan 27, 2023 21:20
SlowBloke posted:
> I honestly can't understand why yubico isn't making newer yubikeys with more TOTP slots, i have give or take thirty of them so i'm forced to use multiple platforms(authy+yubi) to cover all of them.

Hmm, I think I can understand why, OP.

Posted: Jan 27, 2023 22:03
Any recommendation on a 2FA app? I've scanned this thread and seen Authy mentioned a few times, but I also heard Aegis is nice since you can have an encrypted backup.

Busy Bee fucked around with this message at 08:52 on Jan 28, 2023

Posted: Jan 28, 2023 07:53
Busy Bee posted:
> Any recommendation on a 2FA app? I've scanned this thread and seen Authy mentioned a few times but I also heard Aegis is nice since you can have an encrypted backup.

Lol, so yeah, you got it. Aegis.

Posted: Jan 28, 2023 09:01
There is a new method for hijacking WhatsApp accounts through voicemail. The hacker tries to log in while you are sleeping. WA sends a PIN code over SMS. Hacker honestly tells WA they didn't receive the SMS and asks for a call. WA robocalls, it goes to voicemail. Hacker checks your voicemail using the last 4 digits of your phone number as the PIN code. https://twitter.com/ihackbanme/status/1616192784960217088

Posted: Jan 29, 2023 13:17
As per the thread title, I'm finally getting off LastPass and looking at alternatives, trying to sort the jargon from the marketing and figure out what's relevant. 1Password comes up a lot and the price on Bitwarden is great; are there pros/cons to either of those? Using on Android and PC (currently Chrome) if that's relevant.

Posted: Jan 31, 2023 00:47
IMO both Bitwarden and 1Password are fine choices.

Posted: Jan 31, 2023 00:55
Agreed, the biggest differentiator is that you can optionally self-host Bitwarden.

Posted: Jan 31, 2023 00:58
Bruceski posted:
> As per the thread title I'm finally getting off Lastpass and looking at alternatives, trying to sort the jargon from the marketing and figure out what's relevant. 1Password comes up a lot and the price on Bitwarden is great, are there pros/cons to either of those?

My understanding is that if you're looking for more (paid) bells and whistles and more extensive support options, 1Password is the way to go. For (free) individual use of a more stripped down "just a password manager", Bitwarden is fine. I'm using Bitwarden and haven't had any issues so far, and it has a browser extension for everything I use. It doesn't look like there's an official 1Password extension for Opera, but the one from the Chrome store seems to work without issue.

Posted: Jan 31, 2023 00:59
If neither turns up an immediate red flag I'll go with the free one and see if there are any bells and whistles I miss. Just wanted to make sure I wasn't walking from one security issue into another. Thanks. And then it's time to change everything. *sigh* No shortcut for that but to just do it. Ah well, I'd been meaning to clean everything up anyway; there's stuff from small accounts ten years ago that has no reason to still be in that library.

Posted: Jan 31, 2023 01:06
Bruceski posted:
> If neither turns up an immediate red flag I'll go with the free one and see if there's any bells and whistles I miss. Just wanted to make sure I wasn't walking from one security issue into another. Thanks.

I believe 1Password can import a plaintext LastPass export.

Posted: Jan 31, 2023 02:48
Ynglaur posted:
> I believe 1Password can import a plaintext Last Pass export.

My dad was just trying to do this a few days ago and saw something weird. I didn't watch exactly what he was doing, but he said when he tried to import the actual file that LP spit out it only showed about 30 entries in 1P, whereas if he viewed the file in a browser tab and copy/pasted it into 1P it seemed to pick up everything. I guess just keep an eye on the total number of LP entries you have and make sure it still matches after import.

Posted: Jan 31, 2023 02:50
Ynglaur posted:
> I believe 1Password can import a plaintext Last Pass export.

They both can import; I mean actually changing the passwords on the sites, and not saving stuff that's out of date and taking up space. A lot of these are due: old weak passwords I never got around to strengthening, so this is a good excuse.

Posted: Jan 31, 2023 03:08
I switched to Bitwarden and I'm happy with it so far in terms of functionality compared to LastPass. I'm additionally glad to finally be able to use it on mobile as well.

Posted: Jan 31, 2023 07:39
I've been using Psono for quite some while now. It's open source, has browser integrations and a mobile app, and so far I've had no complaints.

Posted: Jan 31, 2023 08:00
quote:
> The Verge says that the statement leaves a great many questions unanswered, beginning with the key one:

Posted: Jan 31, 2023 16:22
I feel like I keep asking questions around the same thing because my brain just can't really wrap itself around how FIDO2 and WebAuthn work (and I naturally haven't gotten around to watching the videos that explain it), but hopefully this will be the last (for now): if I just want to auth to Windows/macOS/iOS/Bitwarden/AWS/Azure/GitHub/etc., then will the Yubico Security Key that just does FIDO2 suffice? I already use MS Authenticator for TOTP codes and I don't expect I'll have need for a virtual smart card like what you get on the 5C, and I already have a Yubikey 4 which does support that if the need arises later.

Posted: Feb 1, 2023 07:24
beuges posted:
> I feel like I keep asking questions around the same thing because my brain just can't really wrap itself around how fido2 and webauthn work (and I naturally haven't gotten around to watching the videos that explain it) but hopefully this will be the last (for now):

FIDO2 logon for Windows is available only for Azure AD joined or Hybrid AD joined machines; personal accounts are not natively supported. macOS and iOS will call FIDO2 keys only on OOBE if you enable the new advanced security option, but just for enrollment, not day-to-day usage. You can tinker with PAM to use a FIDO key to log on with Linux. Web site access for FIDO2 keys is native to every Chromium or WebKit based browser. The Yubikey 4 series only supports U2F/FIDO1, not FIDO2.

Posted: Feb 1, 2023 11:53
Microsoft hasn't gotten their FIDO2 implementation notified as "authentication level high" according to the EU eIDAS regulation, so anyone in the EU who wants to use FIDO2 and needs level high will need to have another FIDO2 implementation anyway. We use a level-high notified implementation (with Yubikey 5-series) for PAM and are in the process of rolling it out to some other user groups this spring.

Posted: Feb 1, 2023 14:49
Caconym posted:
> Microsoft hasn't gotten their FIDO2-implementation notified as "authentication level high" according to EU eIDAS regulation, so anyone in the EU who wants to use FIDO2 and needs level high will need to have another FIDO2-implementation anyway.

eIDAS relies on known trust anchors based on conventional certs; FIDO will never get accepted in any LoA scheme since it would cut current CA providers out. I'm expecting eID FICEP nodes to become an auth-high anchor well before whitelabel FIDO keys become the norm. EU Login does support FIDO already, albeit hidden very deeply, so it's not like they don't know it exists.

Posted: Feb 1, 2023 15:15