The number of companies caught up in the Twilio hack keeps growing

Hmmm..... This is why I don't use internet connected password managers.

Tips for a password manager that isn't that, and works everywhere?

I migrated from LastPass to Bitwarden a while back, I assume it's only a matter of time before they are hit with something similar...

EDIT: Just had a thought and it turns out I didn't remove the stuff from LastPass. Oops. :(
 
Upvote
155 (155 / 0)

LostFate

Ars Scholae Palatinae
984
A product of hyper-centralizing services across the internet. Call me old, but I pine for the days when software was available and you could reasonably run services yourself in house. Sure, people didn't patch the way they should... Sure, people didn't run the best edge security or necessarily follow best security practice... But containerization largely eases the maintenance burden, and they have to find you before they can break in. Centralization via cloud services allows us to dedicate less time and resources to security as a whole, but the single-target nature of it means that someone will definitely get in eventually, and it's going to be absolute carnage when it happens.

Not advocating bad security practice, I just miss how the internet was in the early 2000s... Back when I ran a phpBB board for my friends and me, and the world wasn't slipping into an authoritarian hellscape with regular security breaches mixed in.
 
Upvote
217 (227 / -10)

Svip

Ars Praetorian
583
Subscriptor++
I recently had the opportunity to set up a Twilio integration, for sending out text messages. While the API was very developer friendly, I was immediately discouraged by the fact that it asked for my phone number. It seemed insistent, and eventually my co-worker (since this was for work) acquiesced his phone number, so I could proceed.

After passing this barrier, I could switch the 2FA procedure to an Authenticator app. (While I do not have a smartphone, I do have a Yubikey, which provides a desktop application that functions as an Authenticator app.) I figured, now that I was using a much saner 2FA method, I could delete the phone number, and Twilio's profile form happily allowed me to remove it.

But upon removal, I could no longer log in again, until I gave up my phone number. Fortunately, by this point, the integration was set up and working, so I did not bother. But it did not sit well with me, how much it insisted on a phone number, when it has other options. I guess because Twilio sends out text messages, suggesting they are unsafe might be bad for business.
 
Upvote
187 (189 / -2)

Siosphere

Ars Praetorian
599
Subscriptor++
How can physical yubikeys not be phished? If they use the yubikey on a fraudulent site that just passes that through to the real site, is that not the same as getting a token from an app or sms?

The token just generates from the yubikey, but I still feel like a well done phishing site could definitely get you to generate a token it passes through.
 
Upvote
38 (72 / -34)

metavirus

Ars Scholae Palatinae
715
Subscriptor++
I definitely agree that any hack is potentially troubling, but I think the LastPass aspect to this could use a bit more nuance in the explanation. I saw a notice from LastPass yesterday about the hack but I’m not concerned, given what was hacked and how client-side data is stored. I’m not sure it’s accurate to just make a blanket statement that any hack is “serious”, irrespective of the details. At this point, we should all basically assume that any business we work with is going to get hacked- so we just need to be smart about mitigation. The details of the LastPass hack aren’t very troubling, to me at least.
Edit: typo x 2
 
Upvote
109 (121 / -12)

Mechjaz

Ars Praefectus
3,416
Subscriptor++
General question/possible article request:

How do these services stack up against built in browser tools? I know they're portable, which is a nice advantage over browser tools, and as standalone products they're both easier to administer and move an org on to and off of. Am I at the same or similar risks using Firefox or Chrome to remember passwords? A security shootout would be enlightening to me for sure.

In the meantime, I guess I'll dig out that Ars yubikey after all, sigh.
 
Upvote
62 (62 / 0)
How can physical yubikeys not be phished? If they use the yubikey on a fraudulent site that just passes that through to the real site, is that not the same as getting a token from an app or sms?

The token just generates from the yubikey, but I still feel like a well done phishing site could definitely get you to generate a token it passes through.

I think it is part of the protocol YubiKey uses. The domain of the site requesting authentication is validated as part of the process. So even if you exactly mimic auth.mydomain.com on auth.myd0main.com, the browser's implementation of the web auth protocol should see the difference and refuse to authenticate with the yubikey. The web browser's implementation of the auth protocol should include a signed copy of the authenticating domain with the authentication request. If the signature does not match the correct domain, then the server should reject the request.*

*This is only if the site uses U2F or FIDO2 authentication schemes.

-Edited to be more specific that the protocol needs to be implemented in the browser.
-Edited again to clarify that the server checks the domain.
 
Upvote
109 (109 / 0)

NoNeeeed

Wise, Aged Ars Veteran
144
Subscriptor++
So I'm an Authy user. I've always had to enter a password that I had assumed was for encrypting/decrypting my vault, in the same way as my 1Password vault, such that Authy don't have the unencrypted seeds.

But if it's possible for a new device to be added to an Authy account and then get access to accounts through it then clearly their security model does not work how I assumed it worked, which is rather disturbing.


Code-based 2FA has never been a protection against phishing; I remember seeing 2FA-harvesting phishing sites over a decade ago when I used to work on the detection/takedown side of things. It's only ever been a protection against less sophisticated phishing or password leaks/reuse. Any phisher who has the infrastructure to do a man-in-the-middle attack can easily deal with it; it only deals with the simpler phishing attacks.

In some ways this attack is a good thing, as it's brought to light the fact that too many people have been relying on 2FA to provide a kind of security that it can't provide.
 
Upvote
67 (70 / -3)
The thing is, if my password manager is only available from one device I might as well not have one at all.

If you use a password manager like KeePass or MacPass, you can share the encrypted file across your devices and unlock with a single strong master password.

YMMV based on how good your master password is.
 
Upvote
123 (125 / -2)

Siosphere

Ars Praetorian
599
Subscriptor++
How can physical yubikeys not be phished? If they use the yubikey on a fraudulent site that just passes that through to the real site, is that not the same as getting a token from an app or sms?

The token just generates from the yubikey, but I still feel like a well done phishing site could definitely get you to generate a token it passes through.

I think part of the protocol YubiKey uses is that the domain of the authenticating site is part of the process. So even if you exactly mimic auth.mydomain.com on auth.myd0main.com, a YubiKey would see the difference and refuse to authenticate.


At least for the yubikey I had, it seemed to generate a token into any text field anywhere, non browsers, notepad, etc, it never read any info afaik.
 
Upvote
29 (33 / -4)

DarthSlack

Ars Legatus Legionis
23,551
Subscriptor++
The thing is, if my password manager is only available from one device I might as well not have one at all.

If you use a password manager like KeePass or MacPass, you can share the encrypted file across your devices and unlock with a single strong master password.

YMMV based on how good your master password is.

Been there, done that. Yeah, it's doable, but it's also a royal pain to make sure the file is synced across all your devices. I've been caught more than once with a device that didn't have the right KeePass file.
 
Upvote
43 (56 / -13)

Fatesrider

Ars Legatus Legionis
25,489
Subscriptor
I definitely agree that any hack is potentially troubling, but I think the LastPass aspect to this could use a bit more nuance in the explanation. I saw a notice from LastPass yesterday about the hack but I’m not concerned, given what was hacked and how client-side data is stored. I’m not sure it’s accurate to just make a blanket statement that any hack is “serious”, irrespective of the details. At this point, we should all basically assume that any business we work with is going to get hacked, so we just need to be smart about mitigation. The details of the LastPass hack aren’t very troubling, to me at least.
Edit: typo

I think you missed the point.

It's not "how serious the breach", it's how the breach was done in the first place. It was very successful.

Moreover, how serious the breach ACTUALLY was has yet to be determined, because this is still an ongoing, and apparently spreading, issue. The damage assessments haven't been completed. Some haven't even been started.

By those standards, this is quite "serious" ALREADY, and only getting worse.
 
Upvote
57 (69 / -12)

OrvGull

Ars Legatus Legionis
11,933
The thing is, if my password manager is only available from one device I might as well not have one at all.

If you use a password manager like KeePass or MacPass, you can share the encrypted file across your devices and unlock with a single strong master password.

YMMV based on how good your master password is.

Been there, done that. Yeah, it's doable, but it's also a royal pain to make sure the file is synced across all your devices. I've been caught more than once with a device that didn't have the right KeePass file.

I feel like that just moves the problem from trusting LastPass to trusting whatever cloud storage service I use to sync the file, too.
 
Upvote
65 (81 / -16)

LostFate

Ars Scholae Palatinae
984
The thing is, if my password manager is only available from one device I might as well not have one at all.

If you use a password manager like KeePass or MacPass, you can share the encrypted file across your devices and unlock with a single strong master password.

YMMV based on how good your master password is.

Been there, done that. Yeah, it's doable, but it's also a royal pain to make sure the file is synced across all your devices. I've been caught more than once with a device that didn't have the right KeePass file.

Use Syncthing, it'll keep it synced across devices.
 
Upvote
10 (18 / -8)
How can physical yubikeys not be phished? If they use the yubikey on a fraudulent site that just passes that through to the real site, is that not the same as getting a token from an app or sms?

The token just generates from the yubikey, but I still feel like a well done phishing site could definitely get you to generate a token it passes through.

I think part of the protocol YubiKey uses is that the domain of the authenticating site is part of the process. So even if you exactly mimic auth.mydomain.com on auth.myd0main.com, a YubiKey would see the difference and refuse to authenticate.


At least for the yubikey I had, it seemed to generate a token into any text field anywhere, non browsers, notepad, etc, it never read any info afaik.

It would generate a token, but would it generate the same token for different domains?
 
Upvote
1 (3 / -2)

NoNeeeed

Wise, Aged Ars Veteran
144
Subscriptor++
Back when I ran a phpBB board for my friends and me, and the world wasn't slipping into an authoritarian hellscape with regular security breaches mixed in.

phpBB boards are one of the reasons password managers and code-based 2FA became popular in the first place. There were (and continue to be) so many hacks of poorly configured or out-of-date BB systems that would leak easily brute-forced password hashes, resulting in people getting compromised due to password reuse.

While I agree that centralisation is an issue, so is having accounts on hundreds of poorly configured small-time systems that can be easily compromised by automatic scripts.
 
Upvote
55 (57 / -2)

Siosphere

Ars Praetorian
599
Subscriptor++
How can physical yubikeys not be phished? If they use the yubikey on a fraudulent site that just passes that through to the real site, is that not the same as getting a token from an app or sms?

The token just generates from the yubikey, but I still feel like a well done phishing site could definitely get you to generate a token it passes through.

I think part of the protocol YubiKey uses is that the domain of the authenticating site is part of the process. So even if you exactly mimic auth.mydomain.com on auth.myd0main.com, a YubiKey would see the difference and refuse to authenticate.


At least for the yubikey I had, it seemed to generate a token into any text field anywhere, non browsers, notepad, etc, it never read any info afaik.

It would generate a token, but would it generate the same token for different domains?

Yeah, there is no app you install, so no info is sent to the key. It appears as a keyboard on Windows/Mac, and then on mobile it just uses NFC to paste the token; nothing is sent to the YubiKey.
 
Upvote
15 (15 / 0)

Exnor

Ars Scholae Palatinae
1,322
Hmmm..... This is why I don't use internet connected password managers.

The thing is, if my password manager is only available from one device I might as well not have one at all.

It's more work not to use one, for sure, but if you use one then you are trading security for convenience.... And then you lose both when things like this happen.
 
Upvote
1 (15 / -14)
The thing is, if my password manager is only available from one device I might as well not have one at all.

If you use a password manager like KeePass or MacPass, you can share the encrypted file across your devices and unlock with a single strong master password.

YMMV based on how good your master password is.

Been there, done that. Yeah, it's doable, but it's also a royal pain to make sure the file is synced across all your devices. I've been caught more than once with a device that didn't have the right KeePass file.

I feel like that just moves the problem from trusting LastPass to trusting whatever cloud storage service I use to sync the file, too.

The entire point is that KeePass passes around an encrypted file protected by you. Accessing the passwords once you have the file is its own layer of defense. Getting into your account would require a bad actor to get access to the file AND be able to open it. It is moving your trust from LastPass not getting hacked to KeePass having sound encryption that can't be brute-forced without your password.
 
Upvote
61 (70 / -9)

OrvGull

Ars Legatus Legionis
11,933
Hmmm..... This is why I don't use internet connected password managers.

The thing is, if my password manager is only available from one device I might as well not have one at all.

It's more work not to use one, for sure, but if you use one then you are trading security for convenience.... And then you lose both when things like this happen.

The alternative is picking much simpler passwords and reusing passwords, which seems like a bigger risk. I've got hundreds of sites in LastPass; I'm not going to remember a unique 16-character password for each of them.
 
Upvote
48 (53 / -5)

OrvGull

Ars Legatus Legionis
11,933
The thing is, if my password manager is only available from one device I might as well not have one at all.

If you use a password manager like KeePass or MacPass, you can share the encrypted file across your devices and unlock with a single strong master password.

YMMV based on how good your master password is.

Been there, done that. Yeah, it's doable, but it's also a royal pain to make sure the file is synced across all your devices. I've been caught more than once with a device that didn't have the right KeePass file.

I feel like that just moves the problem from trusting LastPass to trusting whatever cloud storage service I use to sync the file, too.

The entire point is that KeePass passes around an encrypted file protected by you. Accessing the passwords once you have the file is its own layer of defense. Getting into your account would require a bad actor to get access to the file AND be able to open it. It is moving your trust from LastPass not getting hacked to KeePass having sound encryption that can't be brute-forced without your password.

LastPass also requires a master password to decrypt the file, so that part is the same.
 
Upvote
65 (67 / -2)

LostFate

Ars Scholae Palatinae
984
Back when I ran a phpBB board for my friends and me, and the world wasn't slipping into an authoritarian hellscape with regular security breaches mixed in.

phpBB boards are one of the reasons password managers and code-based 2FA became popular in the first place. There were (and continue to be) so many hacks of poorly configured or out-of-date BB systems that would leak easily brute-forced password hashes, resulting in people getting compromised due to password reuse.

While I agree that centralisation is an issue, so is having accounts on hundreds of poorly configured small-time systems that can be easily compromised by automatic scripts.

Sure, but the breach goes from impacting 75 million users down to about 2 dozen. I'm not at all advocating for bad security practice; unique passwords (and preferably 2FA) ought to be used everywhere. I just think the hyper-centralization of the internet has effectively been a cancer on society thus far.
 
Upvote
36 (38 / -2)

OrvGull

Ars Legatus Legionis
11,933
Hmmm..... This is why I don't use internet connected password managers.

The thing is, if my password manager is only available from one device I might as well not have one at all.

It's more work not to use one, for sure, but if you use one then you are trading security for convenience.... And then you lose both when things like this happen.

The alternative is picking much simpler passwords and reusing passwords, which seems like a bigger risk. I've got hundreds of sites in LastPass; I'm not going to remember a unique 16-character password for each of them.


I disagree. I also have to use more than 100 login+pwd combos and I do not use this type of pwd manager. And yes, I use very long and complex pwds.

Well, respect, then. Your memory must be better than mine. I can manage to remember the six or seven I use most often but it gets pretty hazy after that. Especially for stuff I only log into every once in a while.
 
Upvote
112 (114 / -2)

adamsc

Ars Praefectus
4,295
Subscriptor++
How can physical yubikeys not be phished? If they use the yubikey on a fraudulent site that just passes that through to the real site, is that not the same as getting a token from an app or sms?

The token just generates from the yubikey, but I still feel like a well done phishing site could definitely get you to generate a token it passes through.

I think part of the protocol YubiKey uses is that the domain of the authenticating site is part of the process. So even if you exactly mimic auth.mydomain.com on auth.myd0main.com, a YubiKey would see the difference and refuse to authenticate.


At least for the yubikey I had, it seemed to generate a token into any text field anywhere, non browsers, notepad, etc, it never read any info afaik.

Most Yubikeys support multiple protocols. The old ones like TOTP where you enter text into a field are all insecure and can trivially be phished just like SMS or email codes. If you are typing or copying it, it can be phished.

U2F, FIDO2, and WebAuthn are the secure ones - I listed them in order from date because they’ve been adding more capabilities but all of them have the core feature that the browser and server do a secure handshake where the token uses a private key to sign a challenge which includes the browser-verified hostname. That means that I can’t get a token which works on GitHub.com unless I can compromise your DNS and get a valid HTTPS certificate which your browser trusts, at which point the entire internet is failing.
 
Upvote
89 (89 / 0)
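An added example (not code from any poster in this thread) of the origin binding described in the two posts above: the browser records the origin it actually observed in the client data, the key signs a hash of it together with the server's challenge, and the relying party rejects any assertion whose origin is not its own or whose signature no longer matches. The type, function and origin names are constructed for illustration and simplify real WebAuthn (no authenticator data, RP ID hash or counter).

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// clientData is a simplified stand-in for WebAuthn's clientDataJSON: the server's
// challenge plus the origin the browser itself observed for the page asking to sign.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// assertion is what the server receives back: the client data and a signature over its hash.
type assertion struct {
	ClientDataJSON []byte
	Signature      []byte
}

// authenticator models the security key: it only holds the private key and signs what the
// browser hands it. It never decides the origin; the browser fills that in from the page URL.
type authenticator struct{ priv *ecdsa.PrivateKey }

func newAuthenticator() (*authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &authenticator{priv: priv}, nil
}

// browserSign models the browser side. A look-alike site can relay the real challenge, but the
// browser writes the origin it is really on, so that origin ends up under the signature.
func browserSign(a *authenticator, observedOrigin, challenge string) (assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: observedOrigin})
	if err != nil {
		return assertion{}, err
	}
	h := sha256.Sum256(cd)
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, h[:])
	return assertion{ClientDataJSON: cd, Signature: sig}, err
}

// verifyAssertion is the relying party's check: the challenge it issued, its own origin,
// and a valid signature under the public key registered for this user.
func verifyAssertion(pub *ecdsa.PublicKey, expectedOrigin, issuedChallenge string, as assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return fmt.Errorf("malformed client data: %w", err)
	}
	if cd.Type != "webauthn.get" || cd.Challenge != issuedChallenge {
		return fmt.Errorf("challenge mismatch: possible replay")
	}
	if cd.Origin != expectedOrigin {
		return fmt.Errorf("origin %q is not %q: rejecting", cd.Origin, expectedOrigin)
	}
	h := sha256.Sum256(as.ClientDataJSON)
	if !ecdsa.VerifyASN1(pub, h[:], as.Signature) {
		return fmt.Errorf("signature does not cover this client data")
	}
	return nil
}

func main() {
	auth, _ := newAuthenticator()
	const rp = "https://auth.mydomain.com"
	chal := "constructed-challenge-123" // constructed; a real server uses random bytes per login
	good, _ := browserSign(auth, rp, chal)
	fmt.Println("legit site:      ", verifyAssertion(&auth.priv.PublicKey, rp, chal, good))
	phish, _ := browserSign(auth, "https://auth.myd0main.com", chal)
	fmt.Println("relayed by proxy:", verifyAssertion(&auth.priv.PublicKey, rp, chal, phish))
	// Rewriting the origin after signing just breaks the signature instead.
	phish.ClientDataJSON = bytes.ReplaceAll(phish.ClientDataJSON, []byte("myd0main"), []byte("mydomain"))
	fmt.Println("origin rewritten:", verifyAssertion(&auth.priv.PublicKey, rp, chal, phish))
}
```

Contrast this with a TOTP code, which carries no origin at all and therefore verifies equally well whichever site relays it.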
I’ve just completed a project to upgrade my family’s auth credentials (maybe 1500 sites in total) using the features in iCloud Keychain (password generator, TOTP, and the notes field) and iCloud+ (Hide My Email).

Took a long time for so many people, but it was pretty straightforward, and given this news maybe just in time.

Now, as we learn what sites we use were affected, we can update e/m, p/w and TOTP token for that one site, instead of doing nothing for the first and only addressing the two latter.

Since 2010, I’ve used a secondary email for low-security sites, and that address has drawn spam. Now I can retire that e/m. Now I only use my personal named e/m for folks that I know, because it’s easy for them to remember; all important things also use the HME-generated iCloud e/m addresses.

Note: What I found is that any site offering TOTP and suggesting Google Authenticator or Authy will also work with the built-in iCK TOTP feature.

PS: I’m keenly looking forward to seeing where FIDO2 goes.
 
Upvote
21 (24 / -3)

crepuscularbrolly

Ars Tribunus Militum
1,876
Subscriptor++
Hmmm..... This is why I don't use internet connected password managers.

Tips for a password manager that isn't that, and works everywhere?

I migrated from LastPass to Bitwarden a while back, I assume it's only a matter of time before they are hit with something similar...

EDIT: Just had a thought and it turns out I didn't remove the stuff from Lastpass. Oops. :(

No such thing. To be able to work everywhere it needs to be on multiple devices. To be on multiple devices, there has to be a mechanism to share the password database.

Unless you want to store it on a phone and set up an ad hoc Bluetooth connection, which has its own issues.
 
Upvote
-11 (11 / -22)

crepuscularbrolly

Ars Tribunus Militum
1,876
Subscriptor++
Hmmm..... This is why I don't use internet connected password managers.

The thing is, if my password manager is only available from one device I might as well not have one at all.

It's more work not to use one, for sure, but if you use one then you are trading security for convenience.... And then you lose both when things like this happen.

The alternative is picking much simpler passwords and reusing passwords, which seems like a bigger risk. I've got hundreds of sites in LastPass; I'm not going to remember a unique 16-character password for each of them.


I disagree. I also have to use more than 100 login+pwd combos and I do not use this type of pwd manager. And yes, I use very long and complex pwds.

Yeah, I don't believe that you have memorized > 100 login credentials with long and complex passwords.

Or even if you have, hardly anyone else in the world would be able to.
 
Upvote
124 (126 / -2)