
Thread: 2024 - General Account Security - Passwords & 2FA

  1. #1

    Hi all. Will update and clean up as things progress. Probably.

    Would like to reference this thread.

    https://www.techjamaica.com/forums/s...-been-stronger

    I'm loving the fact that discussions were going on from 2012. With how things have been in more recent times, it becomes more important and far more necessary to take added precautions with your accounts.

    When the internet was young, having a single password for all your accounts was very convenient. Yahoo. Hotmail. Gmail. Your hosting provider. Your bank account. Everything. Then came the breaches.

    Many companies have suffered data leaks and breaches over the years, some of which have even been password manager companies. Suggestions are made - but what would be the best course of action to take? Well. Here are a few suggestions.

    With the increase in breaches, many companies have added 2FA to their sites. Even if you use an "easy" password, having 2FA enabled will ensure that your account cannot be breached unless the hacker has your hard or soft token. Impossible to breach? Not really - but the amount of work required for YOUR specific account is too much of a hassle. They'll give up or move on. But this brings us to the other option. Your password.

    An issue that most persons will have is remembering ALL the passwords for all the different sites. Personally, I have accounts with over 200 websites. That's a lot to have 200 different passwords - so how can that be managed? A password manager.

    The beauty of any good password manager is the single password. Think of that as your key to get access to all the other passwords. It's best to use some really long password to get in - and it doesn't need to be overly complicated - just mildly so.

    I Love TechJamaica
    1 L0v3 T3c4J@m@1c@

    Some simple phrase about something that you know or like can be used. Adding in numbers and special symbols or substituting some for others will help in the complexity. Avoid using your name, family member names and date of birth and all that - but ensure it's something you won't forget.

    RoboForm is probably one of (if not THE) oldest password manager out there. I had a license with them and moved to the subscription model, but then changed to other options thereafter. If you're a real stickler for security, then you can get your own VPS, VM or dedicated machine to run something like BitWarden. You would then have full control and can set up sync between the devices you use.

    Wary of something like that? You can use another option like KeePass with a key file. Simply set up your database and run your app. Purchase a license for Resilio Sync to ensure it syncs across your personal devices, or set up SyncThing to ensure things stay in sync. You could also use Google Drive, DropBox or other services, but the sync capabilities of Resilio and SyncThing are superior IMO.

    Using a key file helps with the overall security. This could be a simple text file with a line from something you remember... "Do not go gentle into that good night" for example. A simple file that can be created and stored separately on your mobile device, and then created as needed on your desktop/laptop. This plus your password will keep your database secure.

    As for which 2FA to use - that's entirely up to you.

    "Authenticator Plus" on Android was my favorite - since it would allow you the option to export your encrypted database into WinAuth for use outside of the phone. The development has stopped, but it's still the only one that I've seen with that kind of feature. Since then - I push "Authy" for usage. They had a desktop app, but that's being discontinued. "Authy" runs on all platforms and has the ability to backup/sync across all devices. I love the way it works overall, but wish I could export for use on a desktop app. Sad to see the desktop app go as well.

    As things progress I may put in links and such, but for now it's just information. Hopefully this helps others and gives some insight on what to do and how to secure your account. We can discuss more - and you can post your suggestions on what you've used or like.

    Keep safe.
    Knowing the solution doesn't mean knowing the method. Yet answering correctly and regurgitation are considered "learning" and "knowledge".

  2. #2

    Quote Originally Posted by khat17 View Post
    As for which 2FA to use - that's entirely up to you.

    "Authenticator Plus" on Android was my favorite - since it would allow you the option to export your encrypted database into WinAuth for use outside of the phone. The development has stopped, but it's still the only one that I've seen with that kind of feature. Since then - I push "Authy" for usage. They had a desktop app, but that's being discontinued. "Authy" runs on all platforms and has the ability to backup/sync across all devices. I love the way it works overall, but wish I could export for use on a desktop app. Sad to see the desktop app go as well.

    As things progress I may put in links and such, but for now it's just information. Hopefully this helps others and gives some insight on what to do and how to secure your account. We can discuss more - and you can post your suggestions on what you've used or like.

    Keep safe.
    Take a look at Aegis Authenticator:

    Allows you to export your tokens and automatically backup your vault when changes are made. A nifty feature it has is the ability to "show" the secret so you can add it to another device or share it with someone else.

    I would also recommend looking into hardware keys such as those from Yubico [https://www.yubico.com/]. They go on sale 2-3 times a year in a BOGO sale, so keep an eye out.

    If you go this route [hardware keys] get at least two keys. One key will be your main and the other will be your backup, add both to your accounts. You can also configure YubiKeys as smart-cards for use with software such as BitLocker. Blog: https://nathanaelfrey.com/2021/01/09...as-smart-card/

    A newer and excellent option is Passkeys: https://arstechnica.com/information-...-finally-here/
    Last edited by Arch_Angel; Mar 3, 2024 at 08:47 AM. Reason: fixed Yubico url

  3. #3

    Quote Originally Posted by King_Jay16 View Post
    Take a look at Aegis Authenticator:
    Thanks for this - will check it out. Didn't know about it.

    Quote Originally Posted by King_Jay16 View Post
    I would also recommend looking into hardware keys such as those from Yubico
    Already own two and have the same keys on both. One is a backup kept at home in a drawer - the other is always in my wallet.

    I've always tried to keep the security tight. Been using password managers and such from long before (from around 2007 if I recall).

    Quote Originally Posted by King_Jay16 View Post
    A newer and excellent option is Passkeys: https://arstechnica.com/information-...-finally-here/
    I set this up today actually. I've been talking about Authy for some time because it can be integrated into businesses, but people seem to want to spend money on OTHER things before spending on the better options.
    Last edited by khat17; Mar 3, 2024 at 11:38 AM.
    Knowing the solution doesn't mean knowing the method. Yet answering correctly and regurgitation are considered "learning" and "knowledge".

  4. #4

    Double posting to hopefully BUMP and alert @King_Jay16.

    Quote Originally Posted by King_Jay16 View Post
    Take a look at Aegis Authenticator:
    This looks very promising. One feature I like is the cloud sync ability. Most apps really only use DropBox and Google Drive. I was able to point it to a different service that's on my mobile device, and it has successfully added and synced the file to that service. So plus there. Will now start the painful task of migrating from the other platforms.

    Kudos to @King_Jay16 - hopefully development on Aegis will continue. Only issue is it's Android only at this time.

    https://getaegis.app/

    If you use iOS, I would still suggest using Authy. Not able to do exports, but their platform has been solid.

    https://authy.com/


    *EDIT*
    So I made the move. "Painful" as I said due to an issue with Authenticator Plus. Had to get it done on BlueStacks due to lack of support for newer Android platforms, but the import/export features in Aegis are really good. So now I've officially moved over. Thanks again to @King_Jay16 for the suggestion.

    I never did get around to checking in more recent times, but you can see Aegis as the first alternative suggested on this site.

    https://alternativeto.net/software/authy/

    Authy has 200+ likes while Aegis has 100+. I should have checked it out, but I was too hung up on what I was using - hopeful that they'd pick up back development.

    Well - moving on. Let's see how this project goes. If it ever gets on iOS then it'll make Authy #2. Only reason for Authy still holding a great spot is the website/domain integrations and the fact that it works on ALL platforms. Only issue is the Windows desktop app is going to be discontinued.

    Adding photos for context.

    Let's add some pictures for context.

    It's got a LOT of options for import. Only issue is it requires root access for some.

    Exporting has only these 3 options above, but that's more than enough. Bear in mind that any format other than JSON cannot be encrypted.

    There's a lot of ways the information can be displayed.

    I do love the "tiles" option which gives a more compact display. There are LOTS of options to customize, which allows for a robust app. The best one IMO is the ability to use **ANY** cloud service to do your backup. Tested and worked - as long as the cloud service shows up on your phone as an available save location.

    Take a look at it when you have time. Good stuff. Only drawback? Not supported on iOS (yet?) so Apple users will have to get Authy. Great alternative, but less (or no) control over backup and export options.

    One of the nicest features as well is the ability to export single entries. This lets you show the barcode to be scanned by another device for sharing. If you have someone else that needs account access, you can grant that.

    Overall - very robust - very nice. My new go to app for 2FA.
    Last edited by khat17; Mar 15, 2024 at 07:51 AM.
    Knowing the solution doesn't mean knowing the method. Yet answering correctly and regurgitation are considered "learning" and "knowledge".

  5. #5

    @Khat17 no prob. Glad that my suggestion was useful.

    I noticed that they are also now listed here: https://www.privacytools.io/secure-password-manager

    The regeneration of the secret to a QR and the external backups are by far my favorite features. Makes it easy to share them with the wife for shared accounts etc.

    I'm watching their repo on GitHub for new updates and features: https://github.com/beemdevelopment/Aegis. V3 was released a couple weeks ago.
