Tom Crawford Posted January 26, 2016
From what I have read, I think that when I log on using ID and password I get a text with a passcode that I then enter to complete the login. But what I do not understand is if I get a new passcode every time I log on, or if that only occurs the first time and something is saved on that device so a texted passcode is no longer required. Can anyone here explain this to me?

boelkers Posted January 26, 2016
Tom, how it exactly functions differs a little from site to site. Generally speaking, you will enter your username and password into a site to log in, then it takes you to the next step, which is to enter a text passcode. The text passcode has been sent to your phone, or sometimes the email address, that you entered when you set up the two factor authentication. This code is randomly generated each time you log in to that site/service and you must enter this new code each time.

Beechwood Chip Posted January 26, 2016
I use two factor with several different sites. Some of them have a "trust this device" or "trust this browser" option so you only have to enter the code the first time. Google Apps has "trust this browser for 30 days", so every 30 days I have to re-enter my password and a new code. Some sites don't have a "trust" option and I have to enter a new code every time.

Cochese Posted January 26, 2016
You get a new code each time, either texted or emailed. There are some trusted certificates used occasionally, but IMO that's less secure. Google has an Authenticator app that works much the same way, just skips the texting step.

Beechwood Chip Posted January 26, 2016
I like the Google app. I have about 8 sites that use it, and a few more that text me a code. Not to get too far afield, but there's also "duo", which is like the Google app but you don't need to enter the code. You just press a button on the duo app that tells it to send the code. You still need the device with the app to log in, like Google, but you don't need to type anything. Duo is new and is only offered at a few places, but it's catching on.

Cliff Posted January 27, 2016
A lot of them, after the 2-factor authentication, save a cookie to your browser and will associate your IP address. So I have to enter the code for my bank/credit accounts on all three computers in my house, but once I do it I'm fine until I clean my cache and delete cookies. It's annoying but also necessary in our stupid society. The password rules that are considered safe and secure are laughably inept. These security measures pushed on us are a false sense of security. Not that it matters, the most popular password is 12345678, and password (#1 & #2 respectively).

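One way a site could implement the "trust this browser for 30 days" cookie described in the posts above, as an added example that is not any site's actual code: after a successful second factor the server hands the browser a value it has signed, and later logins skip the code only while that value verifies and has not expired. `SERVER_KEY`, the token layout and the function names are assumptions of this sketch.

```python
import base64
import hashlib
import hmac

SERVER_KEY = b"constructed-demo-key"   # assumption: secret held only by the server
TRUST_SECONDS = 30 * 24 * 3600         # "trust this browser for 30 days"

def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode()

def issue_trust_token(user: str, now: int) -> str:
    """Cookie value set after the code was accepted: payload plus HMAC tag."""
    payload = f"{user}|{now + TRUST_SECONDS}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(tag)

def token_is_valid(token: str, user: str, now: int) -> bool:
    """Reject malformed, forged, expired or wrong-user tokens."""
    try:
        p64, t64 = token.split(".")
        payload = base64.urlsafe_b64decode(p64)
        tag = base64.urlsafe_b64decode(t64)
        name, expires = payload.decode().rsplit("|", 1)
        expires = int(expires)
    except (ValueError, UnicodeDecodeError):
        return False
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    # Check the signature first, in constant time, then the claims.
    return hmac.compare_digest(tag, expected) and name == user and now < expires

def needs_second_factor(user: str, cookie, now: int) -> bool:
    """True when the login must ask for a one-time code."""
    return cookie is None or not token_is_valid(cookie, user, now)

if __name__ == "__main__":
    day = 24 * 3600
    cookie = issue_trust_token("tom", now=0)
    print("next day:", needs_second_factor("tom", cookie, 1 * day))
    print("cookies cleared:", needs_second_factor("tom", None, 1 * day))
    print("after 31 days:", needs_second_factor("tom", cookie, 31 * day))
```

A browser with cleared cookies presents no token, so the site asks for a code again, which is the behaviour described in the post above.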
Beechwood Chip Posted January 27, 2016
The reusable password's time has gone. If there's a virus on your computer that reads your password as you type it in, or a break-in on the server that steals your password when you log in or from the database, then it doesn't matter how long or complex your password is. I was recently asked what were the most important security topics for a general audience. I said:
- Have a different password for every site, and use a password manager to "remember" them
- Two factor
- Safe web surfing

Coop Posted January 27, 2016
I hate it when I don't understand stuff. 2 factor, Y2K, etc.!

Cliff Posted January 27, 2016
1 hour ago, Beechwood Chip said:
> The reusable password's time has gone. If there's a virus on your computer that reads your password as you type it in, or a break-in on the server that steals your password when you log in or from the database, then it doesn't matter how long or complex your password is. I was recently asked what were the most important security topics for a general audience. I said:
> - Have a different password for every site, and use a password manager to "remember" them
> - Two factor
> - Safe web surfing

Yeah, for the most part I agree. Unfortunately companies are storing passwords in outdated encryption like md5. It's been broken, gotta stop that. But if you increase the bits of entropy using four random words as your password and use pbkdf2/rsa/aes/sha-256 then your system will be pretty safe. Of course nothing to be done if someone has key loggers or Trojans jacking their system. But at least if you gain access to my password, and the database/server is secure, you probably won't gain admin rights. One hopes? It's a scary world and people focusing on biometric are nuts too.

socoj2 Posted January 27, 2016
It's twice as bad as you think out there. This sadly is what I get to do for a living =/

Cliff Posted January 27, 2016
1 hour ago, socoj2 said:
> It's twice as bad as you think out there. This sadly is what I get to do for a living =/

I have no doubt. I just pick up some things here and there really. It's relevant to me as a programmer, but it's also not, because where I work I can't move 5 feet without using 2-factor verification that I can't control. So security is completely out of our hands. As a result though... if some of these developers I work with went elsewhere where it was a concern, they'd be terrible.

Immortan D Posted January 27, 2016

Tom Crawford Posted January 28, 2016
Thanks all for your responses. I think I'll stick with 1Password and have a different 14 random character password for every site.

socoj2 Posted February 7, 2016
On 1/28/2016 at 9:41 PM, Tom Crawford said:
> Thanks all for your responses. I think I'll stick with 1Password and have a different 14 random character password for every site.

You should do this AND two factor.

JosephThomas Posted February 8, 2016
14 hours ago, socoj2 said:
> You should do this AND two factor.

2 factor should be done on every critical site, like a banking website, primary email, etc. I personally don't bother on things like, for example, a forum about woodworking, if that were even an option.

On 1/27/2016 at 7:22 PM, Cliff said:
> Unfortunately companies are storing passwords in outdated encryption like md5

Sadly, that's not the worst of it. Some places are still storing in clear text. I used a site once where the 'forgot password' link actually just emailed me back my password in clear text... I emailed them right away to complain and close my account. The sad part is I never would have known about the complete lack of security otherwise. Examples like this are why we must use different passwords for different sites/services, and use 2-factor auth for the most critical ones.

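The storage schemes compared in Cliff's and JosephThomas's posts, side by side, as an added example that is not from the thread or from any site mentioned in it: an unsalted MD5 record is identical for every user who picks the same password, while a salted PBKDF2-HMAC-SHA256 record differs per user and can only be checked, not turned back into the password. The iteration count and record layout are assumptions of this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 200_000  # assumption: work factor picked for this example

def md5_record(password: str) -> str:
    """Unsalted MD5: fast to compute, and equal passwords give equal records."""
    return hashlib.md5(password.encode()).hexdigest()

def pbkdf2_record(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; the server stores (salt, iterations, key)."""
    salt = salt or os.urandom(16)          # fresh random salt per user
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, ITERATIONS, key

def pbkdf2_verify(password: str, record: tuple) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    salt, iterations, key = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, key)

def shared_password_visible(records: list) -> bool:
    """True if a stolen table shows that two users chose the same password."""
    return len(set(records)) < len(records)

if __name__ == "__main__":
    # Constructed sample: two users who both chose the password "password".
    md5_rows = [md5_record("password"), md5_record("password")]
    kdf_rows = [pbkdf2_record("password"), pbkdf2_record("password")]
    print("MD5 rows reveal reuse:", shared_password_visible(md5_rows))
    print("PBKDF2 rows reveal reuse:", shared_password_visible(kdf_rows))
    print("login still works:", pbkdf2_verify("password", kdf_rows[0]))
```

A site that stores only such a record cannot email the original password back, so its "forgot password" link has to issue a reset instead.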
Beechwood Chip Posted February 8, 2016
I once bought tickets from a site and they asked if I wanted to create an account so that I wouldn't have to enter my credit card info for future purchases. I said "no", of course. I later received a letter from them with my account info, including my clear text password. I called them on the phone, eventually got someone who seemed to speak tech, and threatened to report them to the PCI (Payment Card Info, the folks who enforce credit card security). I waited while he manually deleted my records from the database. Looking back, I should have reported them, but I don't actually know how to contact PCI. Or even if they are actually called PCI.