Mat Honan made me do it, but now I don't know whether to curse him, the hacker who ruined Honan's digital life, or Google, which is making me rue the moment I clicked to enable two-factor authentication to better safeguard my accounts.
You will recall that Wired writer Honan was plunged into a digital hell when control of some of his accounts -- Amazon, iCloud, and more -- was seized by a clever hacker (who, incidentally, did most of his mischief with old-fashioned social engineering, meaning he charmed his way into retrieving passwords that Apple and Amazon handed out).
Understand: Everything I do revolves around Google -- I use Gmail and Google Voice, I have an Android phone, I even use a ChromeBook for much of my computing. And that is why, when I heard about Honan's misfortune, I liked the idea of beefing up the security wall around my Google accounts.
The core idea of Google's two-factor authentication borrows from banking sites by requiring the user to input something he knows (username and password) and something he has (in Google's case, a phone number that can receive either an SMS or a voice call with a numeric code). The result is a sharp jump in security.
To sign in, you type username, password, and that onetime numeric code, and theoretically, that will keep hackers distant.
Except it does not work that easily -- trust me. Hours into this I still don't have my calendar syncing on a Kindle Fire, for instance, and that may be just one of many apps that worked fine yesterday but this morning are mired in thick cyber frustration.
The apparent problem: iOS apps do not support the two-factor authentication invoked by Google, and neither, apparently, do at least some apps on the Android-powered HTC One S (running Ice Cream Sandwich) and a Kindle Fire (running an Amazon-tweaked version of Android).
Google knows this is frustrating. It's even put up a video about it on YouTube.
Google's workaround is "application-specific passwords" -- onetime codes that Google advises users not to bother memorizing or writing down -- even though for email on an iPad to sync up, it needs that unique password entered (and remembered by the device). Frankly, it's maddening. So far I have set up six of these, and it's not getting easier.
Getting the code is a multi-step process and the first step is clicking on an app that used to work and now does not. Step two: Find the password that's associated with the app. Fairly straightforward with iOS, not always so on Android, where sometimes passwords appear to be hidden.
Google, helpfully, offers a list of apps it knows require application-specific passwords:
● POP and IMAP email clients such as Outlook, Mail and Thunderbird
As you work through this list, know it may not be complete. There is a provocative blog by software engineer Stephen Rees-Carter, who argues that not only are the application-specific passwords a pain, they actually resulted in lowering his security. That is because Rees-Carter, left to his own devices, loves complicated passwords. He explained: “My Google password is 16 characters long with lower case letters, upper case letters, a couple of numbers, and a couple of random characters.”
The machine-generated application-specific passwords, by contrast, are 16 characters long, mixing only numbers and lowercase letters. No uppercase, no special symbols.
Wrote Rees-Carter, who like me has found it necessary to create six such specific passwords: “if you compare this with my original password, this is a lot simpler to crack or guess. Also note, there are now 7 possible passwords that get into my account. By anyones [sic] logic, I have just reduced my security significantly.”
In my case -- where my core Google password is shorter than 16 characters -- maybe mathematically my security has strengthened.
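The keyspace arithmetic behind the two claims above, as an added example that is not part of the original post: it assumes a 94-symbol printable-ASCII alphabet for a human-chosen mixed password and the 36-symbol (a-z, 0-9) alphabet the post describes for Google's generated passwords, and it treats all passwords as uniformly random, which flatters the human-chosen one.

```python
import math

# Assumed character-class sizes for printable ASCII (not from the post).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32
APP_PASSWORD_LEN = 16  # Google's generated passwords, per the post


def keyspace_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password: log2(alphabet ** length)."""
    return length * math.log2(alphabet_size)


def effective_bits_with_n_secrets(bits: float, n_secrets: int) -> float:
    """If n equally strong secrets each unlock the account, an attacker searching
    that space hits *some* valid one about n times sooner: subtract log2(n)."""
    return bits - math.log2(n_secrets)


def compare(core_len: int, n_app_passwords: int = 6) -> dict:
    """Report for a mixed-alphabet core password of core_len characters plus
    n_app_passwords generated lowercase+digit passwords of 16 characters.
    These are offline-guessing numbers (attacker holds a stolen hash); online
    guessing against the live service is a different, rate-limited problem."""
    core = keyspace_bits(LOWER + UPPER + DIGITS + SYMBOLS, core_len)
    app = keyspace_bits(LOWER + DIGITS, APP_PASSWORD_LEN)
    if app <= core:
        # Weakest link is the generated passwords; all n sit in the same 36^16
        # space, so an exhaustive search of that space finds any one of them.
        effective = effective_bits_with_n_secrets(app, n_app_passwords)
    else:
        # The shorter core password is the weakest link, so target that instead.
        effective = core
    return {
        "core_bits": round(core, 2),
        "app_bits": round(app, 2),
        "weakest_bits": round(min(core, app), 2),
        "effective_bits": round(effective, 2),
    }


if __name__ == "__main__":
    # Rees-Carter: 16-char mixed password + six generated ones -> generated ones are the weak link.
    print(compare(16, 6))
    # A core password shorter than 16 chars (assume 10 here) -> the core password is the weak link.
    print(compare(10, 6))
```

The first call shows the 16-character mixed password at about 105 bits against 83 bits for each generated password, reduced to about 80 bits once six of them are in play; the second shows a 10-character core password at about 66 bits, which is below the generated passwords, so adding them does not lower the floor.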
But I am still fiddling with my Fire apps. I know I will find more that don't work on my HTC phone. And now I have Rees-Carter complaining that Google's beefed-up security is a shell game that has left him more exposed.
Just to clarify, these types of brute force attacks typically take place against an exfiltrated password list, not against the ultimate target. If someone steals the unsalted password database for myfavoriteonlinesite.com, and I have an account there, a brute force attack will be easy to run on the stolen database, and if my password is the same on other sites, it will be effective at finding that password.
Similarly, and more relevant in this case, if the attack successfully uses a side channel attack (a technical attack on the cryptosystem) or social engineering to trick the owner or company into revealing the password, the password will be revealed. This isn't a brute force attack, but does reveal the password. Each of these methods is used routinely in some context or another - and the exploit discussed in the article was a clever combination of several techniques.
In any case, multi-factor authentication adds a new, presumably unconnected layer of security - and thereby multiplies the difficulty of cracking the password. Of course, rubber-hose cryptanalysis will always be a threat.
That's effective for online attacks, mhhfive. Successful brute force attacks take place offline, which requires, of course, access to the encrypted material.
I am on the road...keep finding more apps that need a special password, will wind up with more than 12, I believe. I have a Playbook, 2 iPads, and a Kindle Fire (maybe not a typical user)...but, man, this is aggravating. Do hope it is worth the aggro
Two-factor authentication is a HUGE pain.. the thing that I don't quite understand is: how do hackers brute-force attack password systems? Shouldn't it be somewhat obvious when another computer is "guessing" a lot of wrong passwords that maybe the host system should stop accepting password guesses?
Maybe two factor authentication should only kick in AFTER someone has tried to unsuccessfully login three times in a row?
It's ease of use over security for me, hands down. I just don't have that much out there...lots of stuff on line but for most of it I have several local copies too. As far as somebody trying to use my credit or other financial stuff...good luck with that! I'm lucky if I have $50 in all my bank accounts put together. (Note, this is a big improvement, over the last 10 years or so I was lucky to have 50 cents in all my bank accounts put together...)
I sometimes try the two factor stuff when I'm dealing with client stuff--their data isn't mine so I have to protect it better. ;)
The 2-step authentication is good for banking systems which we logon once in a while and can take the pain of 2-step authentication. If the same thing is to be followed every hour or two then it will be really painful...
"And now I have Rees-Carter complaining that Google's beefed-up security is a shell game that has left him more exposed...".
Looks like making the passwords strong is the better method. And, further, if we have more apps handling our accounts then making the application-specific password strong is good enough (though we still need Google to fix 2-step authentication on those apps)
Google is serious about the security and in October Google plans to have a $2 million competition for hackers to hack their Chrome browser (Chrome blog)...
That story gave me a headache, Robert, and it's certainly not your fault.
Argh, I have a history with these two-step systems, going back to the early days of SecurID tokens, which never seemed to work, and always necessitated calls to a call center in Atlanta (I was in London at the time).
More recently, Craigslist has been using a similar process to Google's, although of course there's no question of needing to sync a bunch of accounts. In short, Craigslist often (but not always) asks you to verify your account when you sign in by inputting a numeric code received on your phone.
Oh, it's all great, unless you don't have the right phone with you, or you switch phones, because you do realize there's only one number associated with that account... or to put it in a nutshell, aargh!
I, like all of you, have tried several times now since Google started Two-Factor and it gets a bit better each revision. But Chrome syncing between my Android phone and Chrome browser does not work.