
So I was watching one of LTT's videos with LastPass as a sponsor.  It was late at night and I couldn't sleep, so I decided to finally make the move to using a password manager and get all my accounts' security up to par.  As I was going through my many accounts I noticed something kind of scary...  I first started with my email accounts (all Google).  Very secure: multiple 2FA options including SMS, authenticator apps or even a process that requires me to authorize the login through a notification on my Android phone.  I then moved to my crypto trading accounts.  Coinbase, Kraken, Binance and Bitfinex all either require 2FA (using an authenticator app) or email authorizations.  Again, a very high level of security!  Next I moved to my social media accounts...  Again, while not required, they at least offered the same secure options to protect your account as all the other accounts listed above.  I was satisfied with what I saw.  THEN I moved on to my banks and brokerage accounts.  All huge national companies.  After changing my password I wanted to activate 2FA.  NOT A SINGLE ACCOUNT OFFERED 2FA, login notifications or any kind of enhanced security for that matter!  And then I went to change my security questions on one of my accounts and there wasn't a single question you could choose that couldn't be looked up about me in public records.  I was flabbergasted!!

 

Conclusions:

  • My experience with LastPass has been good so far.  It's pretty safe as long as you're not dumb with your master pass (don't log into LastPass from an unsecured system). 
  • Even during the crypto bear market, my cash money is still better off sitting in my Coinbase account than my bank accounts (Coinbase is also FDIC insured just like banks are). 
  • People are more concerned with their social media accounts than their bank accounts, which is why this has not been addressed yet.
  • Also, I encourage those of you using SMS 2FA to move to authenticator 2FA apps (like Google Authenticator) as it's more secure! 

I was thinking this could be a decent little topic for the WAN Show that LastPass might be willing to sponsor also.  I really think the attention would be great to get some pressure on banks to increase their online security!


Edit: Obviously use fake security question answers.  I was just making a point that the average person doesn't know much about internet security and it's irresponsible for companies to encourage those kinds of answers!

https://linustechtips.com/topic/1032130-online-password-security/
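
The OP's last bullet recommends authenticator apps over SMS. The code an authenticator app displays is HOTP/TOTP (RFC 4226 / RFC 6238): an HMAC over a shared secret and a counter derived from the clock, so the server can recompute it without any message ever leaving the device. The implementation below is an added editor's example, not code from the thread or from LastPass; the demo secret is the RFC test key, a constructed value rather than anyone's credential, and the drift window and replay tracking are assumptions about how a verifying server would use it.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter,
    dynamically truncated to a decimal code of `digits` digits."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time=None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP whose counter is the Unix time divided by `step`.
    This is what the phone app computes; nothing is sent to the phone."""
    t = int(time.time() if at_time is None else at_time)
    return hotp(secret, t // step, digits)


def verify_totp(secret: bytes, submitted: str, at_time=None, step: int = 30,
                digits: int = 6, window: int = 1, last_counter: int = -1):
    """Server-side check (assumed policy): accept the current step plus
    `window` steps of clock drift either way, compare in constant time,
    and refuse any counter at or below `last_counter` so an intercepted
    code cannot be replayed. Returns the accepted counter, or None."""
    t = int(time.time() if at_time is None else at_time)
    current = t // step
    for counter in range(current - window, current + window + 1):
        if counter <= last_counter:
            continue  # already consumed (or older): replay protection
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return counter
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Apps are provisioned with the shared secret in base32 (usually via
    a QR code); most issuers omit the '=' padding, so restore it."""
    encoded = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(encoded + "=" * (-len(encoded) % 8))


if __name__ == "__main__":
    # Constructed demo secret (the RFC 4226 test key), not a real credential.
    demo_secret = b"12345678901234567890"
    print("current 6-digit code:", totp(demo_secret))
```

Two things the code makes visible: the secret itself never travels, which is why the SMS interception problems do not apply, and everything rests on the device holding the secret, which is the point LoGiCalDrm raises further down about what happens when someone has your phone.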

I always select the question that asks you what was the name of the street you lived on during your childhood, and ooof, that's my secret, captain: the street where I lived didn't even have a name, so I just put random stuff as the answer so nobody will ever guess it using social engineering or searches.

ASUS X470-PRO • R7 1700 4GHz • Corsair H110i GT P/P • 2x MSI RX 480 8G • Corsair DP 2x8 @3466 • EVGA 750 G2 • Corsair 730T • Crucial MX500 250GB • WD 4TB


8 minutes ago, aezakmi said:

I always select the question that asks you what was the name of the street you lived on during your childhood, and ooof, that's my secret, captain: the street where I lived didn't even have a name, so I just put random stuff as the answer so nobody will ever guess it using social engineering or searches.

The proper way to use those questions is as a trigger for any word or phrase of your choosing, not for the actual answer.

i5 8600 - RX 6600 - Fractal Nano S - 1080p 144Hz


I just don't trust security questions in general.  I feel that companies that still use them and don't offer 2FA are the same companies that don't practice good account security training for phone reps, who are easily fooled by skilled hackers.  I'm sure I'm a little paranoid, but I was recently betrayed by a friend of like 12 years, and while doing all this account stuff I realized just how easy it would be for either of us to hack each other's accounts.  We know everything about each other.  For example, he was creating an Experian account and they have a set of personal questions that "only the real person should be able to answer" to prove that they are actually the person opening the account.  I could answer all his questions except one that he couldn't even remember, like an old phone number or something.  (For the record, we were friends at the time and were curious to see if I could do it, I was not hacking him!)


Here, banks have used varying passwords ever since online banking became a thing. It differs per bank how it's done. One uses a password + 12 changing codes (the system asks for one at random); another had a list of 90 codes, each single-use only. That one, my bank, moved to a PIN code in an app or a physical authentication device just recently. Besides, of course, having a number string which you can't choose.

 

The way my bank does it is imo better than the way Google Auth or SMS auth works, as those latter ones don't have any extra protection if someone gets access to my phone.

^^^^ That's my post ^^^^
<-- This is me --- That's your scrollbar -->
vvvv Who's there? vvvv

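
The single-use code list LoGiCalDrm describes (a printed sheet of codes, the bank asking for one position at random, each position retired after it is used) can be modelled on the server side as follows. This is an added editor's example, not the bank's system or code from the thread; the sheet size, digit count, lockout threshold and the decision to keep only salted hashes are assumptions about a sensible implementation.

```python
import hashlib
import hmac
import secrets


class OneTimeCodeList:
    """Server-side record of one customer's printed single-use code sheet.

    The customer gets the plain codes exactly once (issue_sheet); the server
    keeps only salted, position-bound hashes, chooses which position must be
    answered at random, and retires a position after a correct answer."""

    def __init__(self, count: int = 90, digits: int = 6, max_failures: int = 3):
        self._salt = secrets.token_bytes(16)
        plain = [f"{secrets.randbelow(10 ** digits):0{digits}d}" for _ in range(count)]
        self._hashes = [self._hash(i, code) for i, code in enumerate(plain)]
        self._used = [False] * count
        self._pending = None            # 0-based position currently challenged
        self._unissued_sheet = plain    # handed over once, then forgotten
        self.failures = 0
        self.max_failures = max_failures

    def _hash(self, index: int, code: str) -> bytes:
        # Bind each code to its position: a code leaked from one slot is
        # useless in any other slot. Short codes are not brute-force proof
        # at rest, so the salt (and ideally the list) stays server-side only.
        return hashlib.sha256(self._salt + index.to_bytes(2, "big") + code.encode()).digest()

    def issue_sheet(self):
        """Return the plain codes for printing; only possible once."""
        sheet, self._unissued_sheet = self._unissued_sheet, None
        if sheet is None:
            raise RuntimeError("sheet already issued; generate a new list instead")
        return sheet

    def remaining(self) -> int:
        return self._used.count(False)

    def challenge(self) -> int:
        """Pick an unused position at random; returns the 1-based number
        printed on the customer's sheet."""
        unused = [i for i, used in enumerate(self._used) if not used]
        if not unused:
            raise RuntimeError("code list exhausted; issue a new sheet")
        self._pending = secrets.choice(unused)
        return self._pending + 1

    def redeem(self, position: int, code: str) -> bool:
        """Answer the outstanding challenge. A challenge is answerable once,
        right or wrong; a wrong code or an unchallenged position is a failure."""
        if self.failures >= self.max_failures:
            return False   # locked: the customer must re-identify out of band
        index = position - 1
        pending, self._pending = self._pending, None
        if pending is None or index != pending:
            self.failures += 1
            return False
        if not hmac.compare_digest(self._hash(index, code), self._hashes[index]):
            self.failures += 1
            return False
        self._used[index] = True
        self.failures = 0
        return True


if __name__ == "__main__":
    # Constructed walk-through: issue a sheet, answer one challenge.
    codes = OneTimeCodeList(count=10)
    sheet = codes.issue_sheet()
    position = codes.challenge()
    print("bank asks for code number", position,
          "-> accepted:", codes.redeem(position, sheet[position - 1]),
          "| codes left:", codes.remaining())
```

The property that makes this better than SMS against a compromised phone is visible in `redeem`: nothing on the phone can produce a valid answer, and a captured answer is dead after one use. The cost is also visible: when `remaining()` hits zero the bank has to post a new sheet, which is the operational reason many banks moved on to app PINs or hardware devices.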

3 minutes ago, LoGiCalDrm said:

Here, banks have used varying passwords ever since online banking became a thing. It differs per bank how it's done. One uses a password + 12 changing codes (the system asks for one at random); another had a list of 90 codes, each single-use only. That one, my bank, moved to a PIN code in an app or a physical authentication device just recently. Besides, of course, having a number string which you can't choose.

 

The way my bank does it is imo better than the way Google Auth or SMS auth works, as those latter ones don't have any extra protection if someone gets access to my phone.

Yes, those physical non phone 2FA devices are best if offered.  Even World of Warcraft offers those physical 2FA devices for protection LOL!  Yet banks in the US don't offer anything! It's crazy.  This is why I'm ultimately optimistic about crypto.  You don't have to rely on anybody but yourself for the security of your assets.


Never answer security questions with the actual answer.  Make up something abstract (What high school did you attend? Octopus.  What is your favorite holiday?  Jumping Spider.  What was the name of your first pet?  Tide with Bleach.)  Basically, it's several other passwords to know.  It's utterly shithouse, and banks really should stop using them, but you can at least partially patch that hole.

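
aezakmi, the reply to them, and captain_aggravated all arrive at the same practice: treat a security question as another password, unrelated to the question. The added example below, not code from the thread, shows both halves of that. On the user's side, an answer is generated randomly and kept in the password manager; on the site's side, an answer is stored and checked with a password hash (scrypt with a random salt, constant-time comparison) instead of plaintext or a case-folded string match. The `store_answer` and `verify_answer` names and the scrypt parameters are this example's choices, not any site's real implementation.

```python
import hashlib
import secrets

# scrypt work factor: 2**14 blocks of r=8 costs about 16 MiB per check
# (assumed parameters; tune to the server's memory and latency budget).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1
SCRYPT_MAXMEM = 64 * 1024 * 1024


def generate_answer(nbytes: int = 16) -> str:
    """User side: a random answer (about 8*nbytes bits of entropy) that has
    nothing to do with the question. It goes into the password manager's
    notes for the site, exactly like a second password."""
    return secrets.token_urlsafe(nbytes)


def store_answer(answer: str) -> dict:
    """Site side: never keep the answer itself. Hash it as a password, with
    a fresh per-record salt so identical answers do not hash alike."""
    salt = secrets.token_bytes(16)
    digest = hashlib.scrypt(answer.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, maxmem=SCRYPT_MAXMEM)
    return {"salt": salt, "hash": digest}


def verify_answer(record: dict, submitted: str) -> bool:
    """Site side: recompute with the stored salt and compare in constant
    time. No trimming or case-folding: a random answer needs none, and
    normalising real-world trivia only shrinks the space an attacker
    has to guess over."""
    digest = hashlib.scrypt(submitted.encode("utf-8"), salt=record["salt"],
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, maxmem=SCRYPT_MAXMEM)
    return secrets.compare_digest(digest, record["hash"])


if __name__ == "__main__":
    # Constructed walk-through: enrol one question, then check two answers.
    answer = generate_answer()
    record = store_answer(answer)
    print("stored in password manager:", answer)
    print("correct answer accepted:", verify_answer(record, answer))
    print("'Octopus' accepted:", verify_answer(record, "Octopus"))
```

What the second half buys the defender is limited, and that is the point of the thread: hashing stops a database leak from exposing the answers, but it does nothing about an answer that a friend, a phone rep, or a public-records search already knows. Only the first half, a random answer, fixes that.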

2 hours ago, captain_aggravated said:

Never answer security questions with the actual answer.  Make up something abstract (What high school did you attend? Octopus.  What is your favorite holiday?  Jumping Spider.  What was the name of your first pet?  Tide with Bleach.)  Basically, it's several other passwords to know.  It's utterly shithouse, and banks really should stop using them, but you can at least partially patch that hole.

The solution to forgetting your password shouldn't be more passwords?


Just now, Beerbuddy said:

The solution to forgetting your password shouldn't be more passwords?

I agree, but the fact that they use personal trivia that is either widely known by your peers (What high school did you go to?) or can be discovered/deduced with some light googling represents an unacceptable security hole.
