O/T: internet security question (leaked details)

I see what you mean but what are the chances of someone else logging on using your password then setting up two factor authorisation?

Could there be any checking with the mobile network, eg to ensure the subscriber's surname matches?

Also, I tend to feel that if you accept extra security measures and something does go wrong, you are in a better position to argue your corner. You can say you took all steps rather than opting out of measures on offer.

Reply to
Scott

About the same as someone logging in as me in the absence of 2FA, day by day.

Only if (a) you have given the mobile network your name (unnecessary for PAYG) and (b) the mobile operators are willing to divulge it (breaching data protection I would hope).

So 2FA would weaken my position if I don't implement it.

Reply to
Max Demian

It's worth noting that some hacks have managed to bypass 2FA by getting mobile operators to swap phone numbers to a SIM the criminals have.

In theory it shouldn't be possible, but it has happened.

Reply to
Jethro_uk

But that can be revoked, or still subject to re-authentication in certain circumstances.

Reply to
Jethro_uk

Potentially so. If you consider house insurance as an example, just suppose you decided not to lock the downstairs windows because in your opinion there was no security benefit, the insurers could turn round and say you were negligent by not locking the downstairs windows.

Reply to
Scott

Alas, the days when passwords of adequate complexity were memorable are long since gone for most users. Yes you can probably deal with a few that are ok, but for hundreds of unique passwords for all the things that need a password?

For certain values of "written" - yes they could be on paper, but equally in a password manager or some other form of encrypted storage.

(actually we are quite good at keeping safe small amounts of paper - like stuff in your wallet)

However it does get past a few of the issues, since you probably can remember one really good password that gets you into the manager[1].

If you link that to 2FA then you have less chance of it being compromised as well as a recovery mechanism.

(and good password managers don't store plaintext passwords online - any encryption / decryption being done only at point of use)

[1] and if you can't, then you write that down in an obfuscated/hidden form on paper and put that in your wallet.
Reply to
John Rumm

Unless you have a memorable *algorithm* to generate a password for a given site? Even if it's just "ROT13 the URL"

See above ...

Reply to
Jethro_uk

Still not very secure IMHO, someone steals your laptop or smartphone and, until you notice and do something about it, they have access to whatever is automatically allowed because your laptop/smartphone is 'secure'.

Any sort of system that makes it 'easier' for you to use complex security will make it less secure. It's swings and roundabouts, a simple system may not be so secure but one is much less likely to bypass it routinely.

Reply to
Chris Green

You (anyway I) don't need hundreds of secure, unique, passwords. I need lots of insecure passwords but only half a dozen or so really secure ones. All those web forums and shops (as long as you don't give them your credit card details) don't need secure passwords, what do you lose if someone breaks one of them?

Er, but the password manager needs a password/key.

... and when you're out and about and need access to your bank account, or your money transfer system, or whatever and you don't have the password manager with you?

To my mind good password managers don't store your passwords anywhere that isn't 'yours'! :-) The one thing I have considered for this sort of thing is a memory stick with the program and password storage on it. You could even have a stick with Linux and Windows and Mac software to decrypt the password so you can stick it in a friend's computer if necessary.

Reply to
Chris Green

That's what I do for relatively insecure/unimportant passwords (not ROT13, but an 'algorithm' that allows me to derive the password from the web site name).

Reply to
Chris Green

Plenty of those around - KeePass gets a lot of mentions.

Personally I am willing to take the marginal extra risk and use a cloudy manager that doesn't transmit anything in plaintext. It offsets the need to worry about backing up *and* keeping track of an extra memory stick.

As with most things YMMV.

Reply to
Jethro_uk

A working set of credentials that may work on other sites. Lots of bits of "low grade" information that when taken as a whole may add up to enough to be used for social engineering attacks on other more valuable sites.

Basically it's not worth trying to second guess the capabilities of the bad guys, just make everything decently secure (randomly generated 16+ character alphanumeric passwords with symbols) and you have far less to worry about. If you are going to find a mechanism that works for the "important" sites, then why not use it for all?

See below...

Look at the paper version in your wallet, or look in the contacts on your phone...

The person stealing your phone does not know that among the hundreds of contacts you have, the one for Aunt Maud in Hove actually conceals the master password for your manager comprised of the first 4 digits of her phone number, her post code, and the middle 5 characters of the street name, and the name of the dog you casually mention by name in a note to yourself.

(and if anal, use a real post code, and matching street address, with a phone number in the right dialling code area!)

Well in an ideal world that may be true, but the implications of that are that you are either now responsible for providing secure hosting of "your" database, or secure remote access to your computer and all that entails.

Second best is allowing someone with a vested interest in not getting hacked to look after the encrypted version. (which if done right will be computationally secure for an adequate period)

How do you remember the login password for the account on that installation of Windows/Linux etc? You are always going to come back to the same basic problems...

Reply to
John Rumm

Might be worth testing your generated passwords against known breaches, just in case you are not the only one to have thought about it...

Also, how confident are you that, given access to enough real credentials generated with your algorithm, it can't be deduced?

(i.e. the usual warnings about the fact that most engineers can devise a crypto algorithm that they themselves could not break, but that does not mean it's actually any good)

Reply to
John Rumm
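The two suggestions above (generate long random passwords rather than derived ones, and test candidates against known breaches) can be put together in one script. This is an added example, not code from any poster in the thread. It assumes the real Pwned Passwords range endpoint (`https://api.pwnedpasswords.com/range/<5-hex-prefix>`), which returns `<35-hex-suffix>:<count>` lines for every leaked SHA-1 sharing that prefix, so only five hex characters of the hash ever leave your machine; the offline fixture, its counts and the two dummy suffixes are constructed for the example (the first suffix is the genuine SHA-1 tail of the word "password").

```python
import hashlib
import math
import secrets
import string
import urllib.request

# Constructed, offline stand-in for a Pwned Passwords "range" response.
# Each line is "<35-hex-suffix>:<count>". The counts and the two dummy
# suffixes are made up; the first suffix is the real SHA-1 tail of "password".
OFFLINE_RANGES = {
    "5BAA6": "\n".join([
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
        "00000000000000000000000000000000001:2",
        "ABCDEFABCDEFABCDEFABCDEFABCDEFABCDE:17",
    ]),
}


def offline_lookup(prefix: str) -> str:
    """Range lookup against the constructed fixture (no network)."""
    return OFFLINE_RANGES.get(prefix.upper(), "")


def hibp_lookup(prefix: str) -> str:
    """Range lookup against the real Pwned Passwords endpoint (needs network)."""
    url = f"https://api.pwnedpasswords.com/range/{prefix.upper()}"
    req = urllib.request.Request(url, headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is sent
    to the service and the 35-char suffix that never leaves this machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def pwned_count(password: str, range_lookup=offline_lookup) -> int:
    """How many times the password appears in the breach corpus (0 if unseen).
    Only the hash prefix is sent; the suffix match is done locally, so the
    service cannot learn which password was checked (k-anonymity)."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in range_lookup(prefix).splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 16) -> str:
    """Uniformly random password over the 94 printable symbols, re-drawn until it
    holds at least one letter, one digit and one symbol."""
    if length < 4:
        raise ValueError("length too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.isalpha() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    weak = "password"
    strong = generate_password(16)
    print(f"{weak!r}: seen {pwned_count(weak)} times in the constructed corpus")
    print(f"{strong!r}: seen {pwned_count(strong)} times; "
          f"~{entropy_bits(len(strong)):.0f} bits of entropy")
```

Pass `range_lookup=hibp_lookup` to `pwned_count` to query the live service. The character-class re-draw shaves a negligible fraction off the ~105 bits that `entropy_bits(16)` reports for a 16-character uniform pick; a site-derived password, by contrast, has no more entropy than the rule used to derive it, whatever its length.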

There is no subscription as such unless you wish to purchase API level access.

Which just demonstrates that you should not rely on your intuition in these matters :-)

(go do some research on Troy Hunt)

If that were all that was available, then there would be a massive problem... however in reality it is *much* worse!

Have a look through some of the names in here:

[link]

e.g.

Experian

In September 2015, the US based credit bureau and consumer data broker Experian suffered a data breach that impacted 15 million customers who

[snip]

Breach date: 16 September 2015
Date added to HIBP: 6 September 2016
Compromised accounts: 7,196,890
Compromised data: Credit status information, Dates of birth, Email addresses, Ethnicities, Family structure, Genders, Home ownership statuses, Income levels, IP addresses, Names, Phone numbers, Physical addresses, Purchasing habits

Vodafone

In November 2013, Vodafone in Iceland suffered an attack attributed to the Turkish hacker collective "Maxn3y". The data was consequently publicly exposed and included user names, email addresses, social security numbers, SMS message, server logs and passwords from a variety of different internal sources.

Breach date: 30 November 2013
Date added to HIBP: 30 November 2013
Compromised accounts: 56,021
Compromised data: Credit cards, Email addresses, Government issued IDs, IP addresses, Names, Passwords, Phone numbers, Physical addresses, Purchases, SMS messages, Usernames

Reply to
John Rumm

Perhaps you had better check how ad networks serve content...

Reply to
John Rumm

Which is where having a "formula" to generate passwords scores. You don't have to remember any passwords, you can work them out where ever you are for use on any device.

And yes I have had to do this. Probably the most important was when a CC got skimmed in Rio.

Reply to
Dave Liquorice

All good points. But once again, we're back to the two campers and the lion.

As long as my security is better than 80% of the population, I'm fairly relaxed.

When the long line of people (still) being scammed by Nigerian Princes dries up you'd think it would be time to worry, but there's always a new scam to take its place.

Reply to
Jethro_uk

When I wrote "signing in", I meant entering the authenticator app's generated number.

Reply to
Pamela

I don't really see any need. As soon as I see the word 'subscribe' or anyone asks for money I'm out.

Reply to
Scott

Would each of these sites not require to make customers aware at the time? I'm sure Experian did.

Reply to
Scott
