Make Your Email Hacker Proof

The only thing that bothers me about lastpass.com is that it is sort of the same problem as E-mail, except instead of all your accounts registered with one E-mail address, now you have all your passwords stored in one database (at lastpass). According to Jeff’s previous posts, if you’re using a very strong password at lastpass, then perhaps you don’t have much to worry about (since if their DB was stolen, it would supposedly take years to hack a strong password). Unless someone’s installed a keystroke sniffer on your PC. Or someone discovers a vulnerability in lastpass.com’s encryption.

The most common attack vectors are phishing and man-in-the-middle ones. Strong passwords will not help; this is why two-step auth is the only real protection. The only true protection from phishing is personal awareness and intelligence, but some phishing attacks are so good even professionals get hooked sometimes.

Thanks for raising the visibility on this, Jeff. If you’d like to protect the rest of your remote access points check out Duo Security. http://www.duosecurity.com

Disclaimer: I work for Duo.

We provide two-factor authentication as a service. It’s free for personal use. The user experience is substantially better than typing a six digit code: one tap to login using our smartphone app (iOS, Android, BlackBerry).

We have integrations for all sorts of VPNs, SSH/PAM, Windows RDP, etc. For everything else we have both a Web SDK and REST API. You can sign up and have it running in a few minutes.

Clearly Google cares about this stuff. Google Ventures backed Duo a few months ago by leading our Series A.

@qvasi Interesting. With a little research, I can find 15 CAD plans for cell phones. None of these plans include data, so it would be pay-per-SMS (not a big deal if we’re talking about using it as a land line).

So, yes, I could get a no-data phone for cheaper than my land line (though only barely … I pay 20 CAD for my land line). Comparing those low-end plans with my land line, I still prefer the land line.

I am under 40 by a decade. It’s true that most of my peers have dropped the land line in favor of their cell phones. There are still a good number of us, though, that have a land line. Usually we are also the ones who own a house instead of either renting or owning a condo. Perhaps we are a dying breed.

I’m the only one of my peers who does not own a cell phone, though. Even my land-line owning friends have a cell (if only one in some cases). I just … don’t find that I need a cell, so I don’t bother.

Android? There’s an app for that. Google Authenticator. No network access required, just tap on the icon and you get the password. Drawbacks? You need to decide: Authenticator or text messages.

Why doesn’t GMail do the 2-step authentication for password changes? That way you wouldn’t get locked out of your account (unless the “hacker” stole your phone). Then when you log in, you’d see the GMail warning that some weird IP address accessed your account and you could change your password. Of course, your private emails may have been compromised, but at least you haven’t lost control of your account.

Of course, a court order/subpoena/secret FBI request still trumps all of this.

"Two-factor authentication is not useless. It works for local login, and it works within some corporate networks. But it won’t work for remote authentication over the Internet."

http://www.schneier.com/blog/archives/2005/03/the_failure_of.html

The Failure of Two-Factor Authentication

Bruce Schneier

Just another attempt to link my telephone number with my gmail account.

Nope. Not gonna do it. I will use a good strong password instead.

I’ve done it straight after reading your article in the middle of the night.
Thanks for making me remember about the real world.

I use the same procedure as @churchskiz. I’m surprised this basic hygiene isn’t more widely practised. It certainly deserves including in any follow-up post, Jeff, given the interest this seems to have generated.

@churchskiz’s tip: use separate email addresses for (i) general account signups, (ii) banking & confidential app signups and (iii) correspondence with friends and family.

My additional tip: don’t make your (ii) and (iii) guessable from (i). In other words, don’t use fred.smith.spam@gmail.com for (i) if your (ii) and (iii) are fred.smith.confidential@gmail.com and fred.smith@gmail.com

This is a great 1st step but it’s pretty infuriating that you use “hacker proof” to describe it. This does nothing to prevent 2 of the major methods of getting compromised: man in the middle attacks and malware.

Man in the middle: I fall for a phishing scam and I enter my user+pw. Google SMSes me a code which I also give to the MitM. No protection.

Malware: instead of prompting me for action like MitM, it waits for me to get around to logging in and piggy-backs off of my legit session. No protection.

I’m not calling 2-factor authentication useless, but it is NOT “hacker proof.”

Don’t take my word for it. Security god Bruce Schneier wrote about this 7 years ago and has brought it up often ever since:

http://www.schneier.com/blog/archives/2005/03/the_failure_of.html

Fair warning: if you do this and have an Android phone, you’re going to be entering quite a few of those one off passwords. (And while yes, you can revoke access on each and yadda yadda yadda - it’s still a pain in the ass.)

For my Sensation I’ve had to enter a one off auth for the HTC email client (which I can’t uninstall, unfortunately - the native GMail is much better), Google Market, the native GMail application… and that’s just one device out of four I have to configure.

For those who are saying it’s not secure: nothing in the cloud is secure. Like all things you must balance convenience with security and having access to my email from anywhere is a convenience I enjoy.

Also, for those who are saying “why not just use a strong password”? Why not use a strong password and 2 factor authentication?

I didn’t know they had this feature or I’d have turned it on long ago - and I use randomly generated passwords for every individual site.

Anecdotal, certainly, but valid.

Thanks Jeff.

There’s one thing I don’t understand. As you mentioned, the main worry with having email compromised just once is that the person can see everything you’ve ever sent/received. The purpose of the application passwords is that they allow applications to access your Gmail with a revokable password in case those applications are compromised. However, correct me if I’m wrong, but if one of those passwords is compromised, it bypasses the 2-factor validation, right? So if one is compromised, the hacker has already accessed all your email, right? Doesn’t that defeat the purpose of revoking since they’re already in your email?

The upside is that once you enable this, your email becomes extremely secure, to the point that you can (and I regularly do) email yourself highly sensitive data like passwords and logins to other sites you visit so you can easily retrieve them later.

Jeff, emailing yourself sensitive data like this can eventually come back to bite you. I know someone who was using a purely in-house email arrangement, PGP and everything. His account info was still compromised because… someone looked over his shoulder and watched him type his password.

Bottom line, any electronic communication can be compromised without encryption.
And I second secretGeek’s recommendation to disable IMAP and POP since a bot can easily spend days on end trying to brute force a login.

BTW… You can remember passwords better by using a mnemonic instead of the password itself.

i.e. some obscure nursery rhyme (I use Sri Lankan ones unheard in the West) or some memorable phrase a family member said can be turned into a great password if you take the first letter of each word and tack on its position in the alphabet.

i.e.

A = 1
B = 2… and so on.

You can turn “This little piggy went to market” into:
tlpwtm201216232013

Add some punctuation here and there and you’re set.
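The mnemonic recipe above (first letter of each word, then each letter's 1-based position in the alphabet) is a small deterministic transform, so here it is written out as an added example; this is not the commenter's code, and the `separator` argument and the `regenerate_from_initials` helper are additions of mine. The helper makes one property of the scheme visible: the digit tail is computed from the letters, so the secret content of the password is the initials themselves, and the numbers add length rather than independent randomness.

```python
import string


def _initials(phrase: str) -> str:
    """Lower-cased first letter of each word, ignoring leading punctuation and non-words."""
    letters = []
    for word in phrase.split():
        word = word.strip(string.punctuation)
        if word and word[0].isalpha():
            letters.append(word[0].lower())
    return "".join(letters)


def mnemonic_password(phrase: str, separator: str = "") -> str:
    """Apply the comment's recipe: initials, then A=1 ... Z=26 for each initial."""
    initials = _initials(phrase)
    positions = [str(string.ascii_lowercase.index(c) + 1) for c in initials]
    return initials + separator.join(positions)


def regenerate_from_initials(initials: str) -> str:
    """Given only the letter prefix, rebuild the whole password.  This shows the digit tail
    carries no information that is not already in the letters."""
    initials = initials.lower()
    if not all(c in string.ascii_lowercase for c in initials):
        raise ValueError("initials must be a-z only")
    return initials + "".join(str(string.ascii_lowercase.index(c) + 1) for c in initials)


if __name__ == "__main__":
    pw = mnemonic_password("This little piggy went to market")
    print(pw)                                   # tlpwtm201216232013
    print(regenerate_from_initials("tlpwtm") == pw)  # True
    print(mnemonic_password("Hello, world!"))  # hw823
```

Measuring strength by the 18-character length therefore overstates it; what matters is how hard the six-word phrase (or its initials) is to guess, which is why the commenter's choice of an obscure rhyme is the part doing the work.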

Has anyone got this working with iCal on OSX? Even with a generated app password, authentication fails.

Dclegg on April 17, 2012 5:18 PM

Does anyone have a suggestion for this problem? I appear to be having the same problem. Not sure why. I generate different passwords and each one fails…

This worked with my iPhone.

Chrome seemed to ‘automatically’ transfer – as it’s not giving me any problems and I haven’t changed the password… Ditto for the native mac Mail client.

Yet another reason to switch from Hotmail to Gmail (as if there weren’t enough already)! Great post, Jeff!

Dclegg and others,

I found this: https://discussions.apple.com/thread/3620732?start=0&tstart=0

You have to delete your Gmail account from under the iCal Accounts tab and recreate it again using the application specific password.

Thank you for sharing this! I’ve known 3 people whose email or server got hacked this week alone, and sure scared the heck out of me! I’m now 2-step verified thanks to you. :)
Hope your twins are doing well. I’d love to see some updates on them!

Ironically, I tried installing the WP7 Authenticator from the address http://www.windowsphone.com/en-US/apps/82c12390-0176-43de-916e-5613d17f61a0, but have forgotten my Windows Live password. The Windows Live password reset page gives a 404. It will allow me to use a one-time password, but I haven’t added my WP7 phone number to my Windows Live account, so it won’t SMS/text me a one-time password. However, since I told my phone to remember the Windows Live password, I was able to go to the marketplace, search for, download, and install the Authenticator without any trouble. Now if only I can remember or reset my Windows Live password…

The problem with 2-factor authentication is that if I lose my phone or its battery is dead or I’m outside of the country, then I can’t get my email.

The only danger I see if I have a strong password is keyboard loggers if I use an untrusted computer to get my email.