Password Resets in an Age of MFA


A padlock engraved into a circuit board.

Recently, WordPress got in contact with me to say they suspect that my password was exposed in some sort of data breach. Well, it's a day ending with a "y" - so of course some scumbag has pilfered my digital identity. WordPress mandated that I change my password. But was that really necessary? Firstly, the password was uniquely generated by my password manager. It isn't re-used anywhere else. So there is no chance of hackers breaking into my email, bank, or OnlyFans account. Secondly, and…


What's the optimal length for a 2FA code?


Screenshot of a text message. It says "Your one time passcode is 1031."

The other day, a company sent me a 2FA code which was only four digits long. I'll admit, this weirded me out. Surely 4 is just far too short. Right? I think almost every 2FA code I've seen has been 6 digits long. Even back in the days of carrying one of those physical RSA fobs, 6 has been the magic number. But why? A 2FA code is meant to prevent a specific class of problem. If an attacker has got hold of your username (an identifier, not a factor) and something you know (your password), you are…


I've locked myself out of my digital life


Photo of a house engulfed in flames. Photo taken by Wikimedia user LukeBam06.

Imagine… Last night, lightning struck our house and burned it down. I escaped wearing only my nightclothes. In an instant, everything was vaporised. Laptop? Cinders. Phone? Ashes. Home server? A smouldering wreck. Yubikey? A charred chunk of gristle. This presents something of a problem. In order to recover my digital life, I need to be able to log in to things. This means I need to know my usernames (easy) and my passwords (hard). All my passwords are stored in a Password Manager. I can r…


Emoji Passwords and BitWarden


Screenshot of the Bitwarden Android interface. Emoji are showing as question marks.

Let me start by saying that Emoji Passwords are probably a really daft idea. I want to use emoji in my passwords. They're easy to type on a mobile keyboard, easy to remember, and a lot more fun than boring ASCII characters. Let's go with ✅🐎🔋📎 (As close as possible to Correct Horse Battery Staple). I use BitWarden as my password manager. It saves emoji passwords into its database, but has trouble displaying them in the Android app, the browser plugin, and the Linux app. Bug report: I've raised this (minor) …

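The display bug above is cosmetic, but emoji passwords have a less visible failure mode on the server side: each emoji is one "character" to the user yet three or four bytes of UTF-8, and visually identical Unicode strings can have different byte encodings. The following is an added example, not code from the post or from Bitwarden. It measures the post's own ✅🐎🔋📎 password, checks it against bcrypt's 72-byte input limit (a property of the bcrypt algorithm, not of any particular product), and shows why a password should be NFC-normalised before it is hashed. The `caf\u00e9` / `cafe\u0301` pair and the `bcrypt_max_bytes` constant are constructed for the illustration.

```python
"""Added example: what an emoji password looks like to the server.

Not from the original post. Assumes nothing beyond the Python standard library.
"""
import hashlib
import unicodedata

PASSWORD = "✅🐎🔋📎"          # the password chosen in the post
BCRYPT_MAX_BYTES = 72          # bcrypt silently ignores input past this point


def password_facts(pw: str) -> dict:
    """Count the password three ways: code points, UTF-8 bytes, UTF-16 code units.

    Length limits enforced in bytes (bcrypt) or UTF-16 units (many JS/Java
    front ends) disagree with what the user sees as 'characters'.
    """
    return {
        "code_points": len(pw),
        "utf8_bytes": len(pw.encode("utf-8")),
        "utf16_units": len(pw.encode("utf-16-le")) // 2,
    }


def bcrypt_truncation_risk(pw: str) -> bool:
    """True when the UTF-8 form exceeds bcrypt's 72-byte limit.

    Eighteen 4-byte emoji already fill the limit; anything after that
    contributes nothing to the hash.
    """
    return len(pw.encode("utf-8")) > BCRYPT_MAX_BYTES


def normalise_for_hash(pw: str) -> bytes:
    """Canonical bytes to feed a password hash.

    NFC collapses composed/decomposed forms (e.g. U+00E9 vs e + U+0301) so
    the same password typed on two keyboards verifies on both.
    """
    return unicodedata.normalize("NFC", pw).encode("utf-8")


def digest(data: bytes) -> str:
    # SHA-256 stands in for the real password hash (bcrypt/argon2) so the
    # example runs offline; the normalisation point is identical.
    return hashlib.sha256(data).hexdigest()


def normalisation_matters(a: str, b: str) -> dict:
    """Show raw hashes differing while normalised hashes agree."""
    return {
        "raw_equal": digest(a.encode("utf-8")) == digest(b.encode("utf-8")),
        "nfc_equal": digest(normalise_for_hash(a)) == digest(normalise_for_hash(b)),
    }


if __name__ == "__main__":
    print(password_facts(PASSWORD))                    # 4 code points, 15 bytes
    print(bcrypt_truncation_risk("🐎" * 19))           # True: 76 bytes
    # constructed pair: precomposed vs decomposed 'é'
    print(normalisation_matters("caf\u00e9", "cafe\u0301"))
```

Store the output of `normalise_for_hash` and nothing else; if one client normalises and another does not, the user will be told their correct password is wrong, which is exactly the kind of bug the password-change post below runs into.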

I have 4% 2FA coverage


A long list of 2FA tokens.

Last year, when doing some digital spring-cleaning, I realised that I had 800 different passwords. I tried going through them, removing long-dead websites, closing old accounts, and deleting anything incriminating. I now have 891 accounts. Arse. I also went through my 31 different 2FA accounts. Getting rid of old employers' email tokens, failed crypto wallet providers, Club Penguin etc. I now have 40 different TOTP tokens. So, about 4% of my accounts have 2FA security. I don't know if…


I have Thirty-One 2FA codes


A long list of 2FA tokens.

Last week I wrote about how I had 800 passwords in my password manager. It was intended to highlight the ridiculous proliferation of online services, and how redecentralising identity comes with a manageability problem. I now want to talk about 2FA - Two-Factor Authentication - the random codes you have to type in every time you log in somewhere secure. This week, I've moved all my 2FA tokens from Authy, to the open source andOTP app. It was mostly painless exporting the Authy keys - but…

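Two of the posts above touch the same mechanism: "What's the optimal length for a 2FA code?" asks why six digits, and this one moves TOTP seeds between apps, which in practice means handling `otpauth://` URIs. The following is an added example, not code from either post nor from Authy or andOTP. It implements RFC 4226 HOTP and RFC 6238 TOTP from the standard library, parses the `otpauth://totp/` URI format that authenticator apps export, and works out the online guessing probability that makes a 4-digit code weaker than a 6-digit one. The sample URI, the `Example:alice@example.com` label and the attempt limits are constructed; the seed `12345678901234567890` is the test-vector seed from the RFCs.

```python
"""Added example: TOTP generation, otpauth:// parsing, and code-length arithmetic.

Not from the original posts. Standard library only.
"""
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, unquote, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), getattr(hashlib, algo)).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = 6, period: int = 30, algo: str = "sha1") -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second window."""
    return hotp(secret, at // period, digits, algo)


def parse_otpauth(uri: str) -> dict:
    """Parse an otpauth://totp/<label>?secret=<base32>&... URI as exported by authenticator apps.

    Only the TOTP type is handled; HOTP counters are out of scope here.
    """
    u = urlparse(uri)
    if u.scheme != "otpauth" or u.netloc != "totp":
        raise ValueError("only otpauth://totp/ URIs are handled here")
    q = {k: v[0] for k, v in parse_qs(u.query).items()}
    secret = q["secret"].upper().replace(" ", "")
    secret += "=" * (-len(secret) % 8)          # apps often omit base32 padding
    return {
        "label": unquote(u.path.lstrip("/")),
        "secret": base64.b32decode(secret),
        "digits": int(q.get("digits", 6)),
        "period": int(q.get("period", 30)),
        "algorithm": q.get("algorithm", "SHA1").lower(),
    }


def code_from_uri(uri: str, at: int) -> str:
    """Generate the code an app would show for this URI at Unix time `at`."""
    t = parse_otpauth(uri)
    return totp(t["secret"], at, t["digits"], t["period"], t["algorithm"])


def guess_probability(digits: int, attempts: int) -> float:
    """Chance an online attacker hits a uniformly random d-digit code in `attempts` tries
    within one validity window. Without a per-account attempt limit this is the
    only thing standing between a leaked password and the account.
    """
    space = 10 ** digits
    return min(attempts, space) / space


def windows_to_half_chance(digits: int, attempts_per_window: int) -> int:
    """How many 30-second windows an attacker needs before a 50% cumulative hit rate,
    assuming a fresh random code each window and `attempts_per_window` tries per window.
    """
    p = guess_probability(digits, attempts_per_window)
    miss, n = 1.0, 0
    while miss > 0.5:
        miss *= 1.0 - p
        n += 1
    return n


if __name__ == "__main__":
    # Constructed sample URI; the seed is the RFC 6238 test-vector seed.
    SAMPLE_URI = ("otpauth://totp/Example:alice@example.com"
                  "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=8")
    print(code_from_uri(SAMPLE_URI, 59))           # 94287082 (RFC 6238 Appendix B)
    for d in (4, 6, 8):
        print(d, guess_probability(d, 5), windows_to_half_chance(d, 5))
```

With five guesses per window, a 4-digit code gives an attacker a 1-in-2000 chance per window and a coin-flip within about 1,400 windows (under twelve hours of continuous trying); six digits pushes that to roughly 138,000 windows. The digit count only matters if the server also rate-limits, which is the caveat the four-digit post is circling.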

I have 800 passwords


Bitwarden vault showing 795 login details.

I've started using BitWarden - the open source password manager. As I've been binge-watching Marie Kondo, I thought it was about time that I deleted all the accounts that I no longer use. I got rid of dozens related to previous employers. I hope the passwords wouldn't work after I left but 🤷‍♂️. I scanned through the list and deleted old bank details, failed social networks, and obvious duplicates. I'm left with seven-hundred and ninety-five different login details! How has it got this b…


Review: BitWarden - the better password manager


Bitwarden vault showing 795 login details.

I've been a long time user of LastPass - but over the last year, they've abandoned their Linux customers and insisted that users pay to access enhanced security. Forget that noise! I started looking for a new password manager and, on the recommendation of several friends, started using BitWarden. Pros: Open Source! Works in the browser (tried in Firefox and Chrome). Fast, and easy to use. Linux app: handy, but a little clunky to use. Bonus CLI tool available. Android app: great at…


Training Customers To Be Stupid


Companies face a complicated choice. Make things easy for the customers, or make things secure for them. Convenience seems to take priority most of the time. This forces companies to get their customers to risk their own security. In this example, we see Verizon Wireless asking their customers to type their passwords into Twitter for everyone to see! This is dangerous. It is likely that many of their customers recycle their passwords. Does the average customer know that their "billing"…


How *not* to do a password change page


We've all been faced with this screen, right? You haven't logged in to a website for a while, so it prompts you to change your password. sigh Annoying but probably necessary. The problem was, every time I tried to change my password, it told me that my old password was invalid. The one that I'd just used to log in. I use the incredible LastPass Password Manager - so I knew I wasn't typing it incorrectly. It took a few tries, but I finally figured out what was going wrong. When I'd set…


How *NOT* To Do A Password Field


We're all changing our passwords in the light of Heartbleed, right? Good! If you are a developer or designer, I want to explain to you exactly how not to create a password dialogue box for your users. We're all used to seeing this: [Input password] [Change Password]. This is incorrect! Why? Because it leads to this: [Input password] [Change Password] ERROR! Your password must be longer than 7 characters! Ok! Ok! I'll enter in a longer password. [Input password] [Change Password] ERROR! …


The Perfect Twitter Spam Attack?


This morning, when I logged on to Twitter, I saw a user who I didn't recognise tweeting away in my timeline. I wracked my brains thinking about how they could have gotten in there before I realised it was a long-dormant friend who had changed their name and avatar. But, in thinking about how a spammer could infiltrate one's timeline, I think I came up with a fairly bullet-proof method to spam Twitter users. I present this as an exercise in devious thinking - and also to show how our…
