SolarWinds hackers have a clever way to bypass multi factor authentication

I dabbled in such techniques for a while (after reading Hannibal :)), and my impressions were mixed. They seemed to help memorizing complex long sequences in a way that I could recall them hours or days later, which was neat. But when applying this in the long term to a multitude of infrequently used sequences (passwords and phone numbers), I found that for me even the most bizarre mnemonic image encodings would soon blur into a useless chaos. So the credit card number involved Einstein throwing a pizza at Princess Leia on a tricycle, but did Leia crash the tricycle into a shark, or an elephant - or was the elephant crash something from my dentist's phone number?

Eventually I gave up on this. Memorizing the original sequences themselves seemed to work just as well/poorly in the long term, but without the need to spend time translating them into elaborate short stories. Might be just me, though. Do you use such methods for many passwords?

Edit: typo

I have 6 memorized passwords. Password manager handles the 600 or so others. The way my memory works connects music to events, so I connect music to passwords. Then it's just a matter of calling up the right song, and that triggers the memory of the password. It could be related to the song - lyrics, but usually not. It's usually something I heard or did when listening to the song. Sometimes it's almost nonsense - a combination of things I saw on that trip when that song was being played. Always 20+ alphanumeric. Now, I do sometimes have to search for the song, but that usually only takes a moment. Changing the password is a matter of changing the song.

So I have 6 songs in me.

4 of the 6 are either the password manager or ways to recover the password manager in an emergency (part of our evacuation plan is the ability to recreate everything from a new system using only my memory). The other 2 are logins that I use with such frequency that running to the password manager becomes inconvenient.

Everything else is a unique random 30 character alphanumeric + symbols by default, dialing back when a system tells me it's too long. Also makes it easy to find those less secure systems. I've replaced services a few times when it said nothing longer than 12 characters. No, sorry, that doesn't fly. Having your passwords in a database is critical. Find bad passwords, duplicates, notices when sites get compromised. I change at least one password a month, usually around one a week.
Edit about 20 min after the original post:
Now that I think about it, dedicated hardware on both ends might work for 2FA as there is no way to remotely extract secrets out of the hardware. This might also work for some types of encryption. But if your entire system is compromised it's hard to defend anything even with dedicated hardware backing.

This is how ApplePay works. The private keys are in your device, not exposed to the OS. And the transaction times out after a reasonably short period of time. Assuming there are no flaws in the encryption algorithm, you either need to physically secure the originating device, or you need to brute force it faster than the transaction times out. Good luck with that.

This is why Apple operates the way they do. Your iPhone (iPad, Watch, etc) is a unique hardware key with local biometrics, and you can build out a lot when you have over a billion such devices in circulation. One of the best aspects of it is that it's pretty impervious to phishing. Not only do I not know the private key, I couldn't give it to you if I wanted to. At best I could hand you my device, but I can't leak my credentials remotely.
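The post above describes two properties of a hardware-bound key: the private key never leaves the device, and each transaction is only valid for a short window. The added example below (not code from the poster or from Apple) models that with an ed25519 key standing in for a secure element, a server-issued challenge that is bound to the site origin and expires after a TTL, and a verifier that rejects an assertion relayed through a look-alike origin or replayed after the window. All names, origins and timings are constructed for illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// Device stands in for the hardware token: the private key lives only here
// and is never serialised or returned (constructed model of a secure element).
type Device struct{ priv ed25519.PrivateKey }

// NewDevice generates the device key pair and hands back only the public half.
func NewDevice() (*Device, ed25519.PublicKey) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Device{priv: priv}, pub
}

// Challenge is what the relying party hands out; it is only valid briefly.
type Challenge struct {
	Nonce  []byte
	Origin string // the origin the relying party expects the device to see
	Issued time.Time
}

// NewChallenge mints a fresh random nonce tied to an origin and issue time.
func NewChallenge(origin string, issued time.Time) Challenge {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return Challenge{Nonce: nonce, Origin: origin, Issued: issued}
}

// message builds the signed bytes with a separator so nonce and origin
// cannot be confused (a fresh slice, so the caller's nonce is not mutated).
func message(nonce []byte, origin string) []byte {
	msg := make([]byte, 0, len(nonce)+1+len(origin))
	msg = append(msg, nonce...)
	msg = append(msg, 0)
	return append(msg, origin...)
}

// Sign binds the assertion to the origin the device actually observed, which
// is what makes a relay through a look-alike site fail verification.
func (d *Device) Sign(c Challenge, seenOrigin string) []byte {
	return ed25519.Sign(d.priv, message(c.Nonce, seenOrigin))
}

// Verify enforces the short validity window and the origin binding.
func Verify(pub ed25519.PublicKey, c Challenge, sig []byte, now time.Time, ttl time.Duration) error {
	if now.Sub(c.Issued) > ttl {
		return errors.New("challenge expired")
	}
	if !ed25519.Verify(pub, message(c.Nonce, c.Origin), sig) {
		return errors.New("bad signature or origin mismatch")
	}
	return nil
}

func main() {
	dev, pub := NewDevice()
	c := NewChallenge("https://bank.example", time.Now())
	ttl := 30 * time.Second
	fmt.Println("legitimate:", Verify(pub, c, dev.Sign(c, "https://bank.example"), time.Now(), ttl))
	fmt.Println("relayed:   ", Verify(pub, c, dev.Sign(c, "https://bank-login.example"), time.Now(), ttl))
}
```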