EVE Search - General Warning: Two way authentication is useless

All Channels

EVE General Discussion

General Warning: Two way authentication is useless

» Click here to find additional results for this topic using Google

Monitor this thread via RSS [?]

Author	Thread Statistics \| Show CCP posts - 0 post(s)
Axhind Eternity INC. Goonswarm Federation 368	Posted - 2017.06.15 21:35:08 - [1] - Quote My guess would be reuse of login credentials combined with CCP implementing fallback in case you lose your authenticator data.
Axhind Eternity INC. Goonswarm Federation 371	Posted - 2017.06.16 16:43:17 - [2] - Quote Marek Kanenald wrote: I use a password manager for every online site I do not care about. And memorized unique passwords for he actually important things. This is a terrible idea. Use an offline password manager (keepass), add rounds to its encryption so it takes several seconds to decrypt on your computer (makes brute force attack infeasible) and make a single high quality password for it. You can even write it down and hide it at home. A password that is easy to remember is not a strong password!!!
Axhind Eternity INC. Goonswarm Federation 371	Posted - 2017.06.16 17:31:09 - [3] - Quote Nalia White wrote: ISD Max Trix wrote: 2FA on the EVE account is a good first step. Having it on your Email is even better. It makes it a lot hardered to compromise the accounts. I did exactly that. And I asked my E-Mail provider for country blocking but they won't do that sadly. I asked the EvE support about that feature but sadly it isn't available either... Alas, as I still have not found a keylogger on any on my 2 machines with which i log in to my webmail, I really wonder how they got that password which is completely unique to all my other passwords and it is only 3 months old... makes me absolutely paranoid. Tried F-Secure (the only tool which prevented ransomware attacks on our company!), Eset online Scanner, malwarebytes and panda antivirus and sophos virus removal tool... Nada. if you have any tips i would be realy glad. Just not possible to reinstall completely at least on my workstation in the company... Well with sms authentication on my e-mail I realy should be safe now... the only possible option to breach now would be to steal the login session token or some **** like that and there is nothing on my end i can do to prevent that. I still have an itch all the time and an urge to check my e-mails if there is someone else requesting some account information, god damn that made me absolutely paranoid... probably scarred for life Thanks again to ccp to restore my stuff! Edit: @Aedaxus You speak the absolute truth and i should have set up two factor authentication for my e-mail a looong time. I swear to you that i never clicked on any bad link :) I work in IT and while i am not an expert in security I know how to move in the internet... i also use noscript addon for my firefox and the days where i watched some series on some dubious streaming sites are definitely over... still it happened. Granted the unique password was not to complex so it may have been brute forced but which service doesn't have a protection against these types of attacks nowadays? It's always more important not to share the same usernames/passwords for different services... and as said i never log in to my private mail from my mobile phone. well lessons learned the hard way i guess. Please, please DO NOT ever use SMS as a second auth. It is trivial to defeat and should never be even offered by the companies. Always use time based auth (OATP with google authenticator). That is the only remotely secure 2FA other than actual dedicated U2F devices. If your mail provider doesn't offer proper auth then change the provider!
Axhind Eternity INC. Goonswarm Federation 371	Posted - 2017.06.17 10:32:35 - [4] - Quote Aedaxus wrote: Linus Gorp wrote: Nalia White wrote: I rarely even use my private e-mail in the company and now that i have such a complex password that i had to write it down https://www.keepassx.org/ That is the security equivalent of posting it on Facebook. While it is true that android is a security disaster it is far more difficult to breach his exact android phone than it is to brute force bad passwords that humans can remember. In this case it is better to use keepass on the phone (better would be on a PC which is far easier to secure than android) than the alternative.
Axhind Eternity INC. Goonswarm Federation 371	Posted - 2017.06.17 20:16:14 - [5] - Quote Linus Gorp wrote: Axhind wrote: While it is true that android is a security disaster it is far more difficult to breach his exact android phone than it is to brute force bad passwords that humans can remember. In this case it is better to use keepass on the phone (better would be on a PC which is far easier to secure than android) than the alternative. KeepassX doesn't run on Android. My bad. I mixed it up with the android version. Anyway keepass is excellent software that I also use and I have no idea why anyone would not use it. Offline password manager is far safer than online ones like lastpass.
Axhind Eternity INC. Goonswarm Federation 371	Posted - 2017.06.17 23:54:29 - [6] - Quote Aedaxus wrote: Linus Gorp wrote: Aedaxus wrote: Linus Gorp wrote: https://www.keepassx.org/ That is the security equivalent of posting it on Facebook. I'm sorry, what? Does the clueless person have anything meaningful to say, or is spreading idiotic misinformation all you're good for? One small vulnerability will make your heart bleed. Open source is something I like, but make sure it's funded enough to put secrets behind. But yes, "clueless person" is a good technical explanation why it is secure. Good job... Are you on drugs or something? You are not making any sense whatsoever. Where is this fancy security issue you are talking about? Heart bleed was in OpenSSL not in keepass.
Axhind Eternity INC. Goonswarm Federation 374	Posted - 2017.06.19 17:03:02 - [7] - Quote Gogela wrote: Axhind wrote: Linus Gorp wrote: Axhind wrote: While it is true that android is a security disaster it is far more difficult to breach his exact android phone than it is to brute force bad passwords that humans can remember. In this case it is better to use keepass on the phone (better would be on a PC which is far easier to secure than android) than the alternative. KeepassX doesn't run on Android. My bad. I mixed it up with the android version. Anyway keepass is excellent software that I also use and I have no idea why anyone would not use it. Offline password manager is far safer than online ones like lastpass. I'm 100% on the KeePass train too. When you have it, there is absolutely no reason not to have long, strong passwords that are unique to everything you might log into. No recycled passwords. 2 stage authentication anywhere it's available. I do a lot of web work and can't take any chances... but knowing what I know now I would say some kind of password vault it crucial these days. Most of the time when I research a site hack or something it wasn't the site that got hacked... it was a stupid client that used the same 8 character password for everything for the last 10 years. One thing to remember is that none of this helps against a spoofed site. If they mess with your DNS you are screwed unless you are lucky enough that your browser has correct cert pinned or you pay a lot of attention. There really needs to be a lot more work done on authenticating the server to the user too. This is why threema is the only really secure IM. They make the key exchange easy so that even non technical people understand it and that is the only way to have proper security.

Copyright © 2006-2025, Chribba - OMG Labs. All Rights Reserved. - perf 0,03s, ref 20251218/1541
EVE-Online™ and Eve imagery © CCP.

COPYRIGHT NOTICE
EVE Online, the EVE logo, EVE and all associated logos and designs are the intellectual property of CCP hf. All artwork, screenshots, characters, vehicles, storylines, world facts or other recognizable features of the intellectual property relating to these trademarks are likewise the intellectual property of CCP hf. EVE Online and the EVE logo are the registered trademarks of CCP hf. All rights are reserved worldwide. All other trademarks are the property of their respective owners. CCP hf. has granted permission to EVE-Search.com to use EVE Online and all associated logos and designs for promotional and information purposes on its website but does not endorse, and is not in any way affiliated with, EVE-Search.com. CCP is in no way responsible for the content on or functioning of this website, nor can it be liable for any damage arising from the use of this website.