How to enable Apple's secure two-step verification for your iCloud & iTunes accounts

Comments

  • Reply 21 of 68
    apple ][ Posts: 9,233 member
    Quote:
    Originally Posted by John.B
    Which can be lost or compromised.

    I only have one passport and one passcard. Both of which have never been lost.

    I only have one set of keys to my apartment. I haven't ever lost those either.

    At the end of the day, people just need to be responsible for their own shit. If you have something that is important, then take good care of it.

  • Reply 22 of 68
    One important thing to keep in mind that's not mentioned within the article -- according to Apple's FAQ (http://support.apple.com/kb/HT5570):

    Do I still need to remember any security questions?
    With two-step verification, you don't need to create or remember any security questions. Your identity is verified exclusively using your password, verification codes sent to your trusted devices, and your Recovery Key.

    In other words, once you enable two-step verification, security questions no longer come into play, and they're no longer listed under your Apple ID account information. I think most would agree that's a good thing.

  • Reply 23 of 68
    Useless security, irregardless of platform, when it requires a smartphone [sms enabled] phone to activate.
  • Reply 24 of 68

    What I don't understand is can't a thief simply bypass all these security features by going into recovery mode? When a friend of mine forgot his password, I just logged in via recovery mode to reset the iPad.

  • Reply 25 of 68
    apple ][ Posts: 9,233 member
    Quote:
    Originally Posted by mdriftmeyer
    Useless security, irregardless of platform, when it requires a smartphone [sms enabled] phone to activate.

    What do you suggest that is a better method?

  • Reply 26 of 68
    Quote:
    Originally Posted by mdriftmeyer
    Useless security, irregardless of platform, when it requires a smartphone [sms enabled] phone to activate.

    While Apple's current implementation requires a mobile network connection, what if Apple were to add support for time-based one-time passwords like those supplied by Google Authenticator? Then the system would work just like those industry-standard 2-factor setups that use RSA keyfobs.

  • Reply 27 of 68
    aaronj Posts: 1,595 member
    Quote:
    Originally Posted by Bluestone
    Roughly an infinite number of ways to avoid loss or compromise.

    But what I do is have a piece of paper with all my passwords and answers written down, and I tape that paper to a shelf above the computer. No issues of trying to remember anything. Security? I have not had a stranger in my condo for years. If somebody breaks in and steals my paper? We haven't had a burglary in the neighborhood since I moved in 20 years ago.

    I believe I'm far more secure than a Hollywood starlet with a cloud account.

    And the fact of the matter is that if someone has PHYSICAL ACCESS to your machine or device, you're already compromised.

  • Reply 28 of 68
    nasserae Posts: 3,167 member
    Quote:
    Originally Posted by John.B
    The problem with "security questions" is that someone who knows even a little bit about you probably knows your pet's name or birthdate or favorite sports team from your Facebook profile. Not to mention, you probably answered the same questions with the same answers for other accounts. It really doesn't matter how many bits of entropy your password has if someone can reset it by looking up your Mom's maiden name or Dad's middle name on Ancestry.com...

    Write the answers backward (spelling and sentences).. be creative :D

  • Reply 29 of 68
    onhka wrote: »
    Easiest thing to do is enter ALL of the security questions on ALL the sites with the SAME answer. Something that you would know; something simple, like the first person you kissed, shagged or dumped.

    Ohh, that was a hell-of-a weekend! I'm not sure she ever told me her name...
  • Reply 30 of 68
    Quote:
    Originally Posted by John.B
    Ah, but you wind up with the Liar's Conundrum: Can you remember which lie you told to whom?
    Which can be lost or compromised.

    Simple way to deal with this. Just attach a word (that only you would know) to every "correct" answer.

    Q. mother's name
    A. SmithGozira
    Q. First car
    A. HondaGozira
    Q. High School name
    A. John FranklinGozira

    That way, you would still have a unique answer to each question.

  • Reply 31 of 68
    dysamoria Posts: 3,430 member
    Irregardless isn't a word. Why does autocorrect even help people type it? It's even in the iOS dictionary. But autocorrect fights every form of the word "abuse", which IS a word.

    Security features are worthless if you can still access your own data. If you can do it, someone else can. The best thing we can do is take steps to make it harder for the unauthorized access of your stuff, which makes it harder for us to access it too. Got a two-step login with a 30-character password? Lovely. Makes it hard for social engineering and hacks to break your security... And you have to constantly type that 30-character password, and get SMS messages every time the cookie expires on the so-called trusted browser (or every time your trusted device uses a different browser mode to access the page, like from an app like Gmail, etc... to the point that you run out of trusted device slots and kill the oldest(?) one by adding a new one, because it's not the actual device, it's the browser cookie).

    Security is a hassle to the user or it's not secure. The more of a hassle it is, the less people want to deal with it. Having a hundred accounts to protect, all with different ID and password... It's just too much. It requires keeping lists. Those lists have to also be secured, or they become massive security breaches themselves. There must be a better system. Trusting a one-password product is not my idea of a better system. Fingerprint scanning is a convenience that can be cheated by clever people with access to your fingerprint on something they can transfer to an artificial medium for scanning (it was demonstrated already on iPhones). What's next? Retina or iris scanning? How will that be compromised? When will we end up with implants with RFID? When will people bypass that?

    With all this security, the most annoying part is... You can lose your legitimate access credentials, just because you're human, and no one will be able to help you. Lose your emergency key? You're locked out. You'd have to be a security cracker to get in. Most people aren't, and it's illegal to crack some third party's security for access to your own stuff.

    I've never lost my house or car key. This is true. But people don't need keys if they're willing to break windows or bust down doors. Yes, we could use safes... But who really considers buying expensive and heavy secure safes for a password list? They can also be compromised with heavy cutting hardware like blowtorches.

    At the end of the day, with Internet accounts, we have way too much stuff to protect. The more protected we are, the harder it is to access our own junk. What level of discomfort are you happy with? How important are each of those accounts? How many access credentials can you remember without a list? Where do you store that list? How often do you have to change those credentials until you cannot remember any of them any more?

    I don't have a solution, but I feel like we are only getting worse by continuing to use this challenge and response system, with different credentials for every account. But I'm not willing to have an implant, and certainly not be tracked by one. My data isn't important enough to mutilate me for access, but if biometrics can be bypassed with artificial copies, then what's the point in using them?

    It's a question of whether you're willing to be more inconvenienced than your potential thief.

    I wish I could live another 200 years to see how humanity deals with this long term.
  • Reply 32 of 68
    Quote:
    Originally Posted by Bluestone
    Roughly an infinite number of ways to avoid loss or compromise.

    But what I do is have a piece of paper with all my passwords and answers written down, and I tape that paper to a shelf above the computer. No issues of trying to remember anything. Security? I have not had a stranger in my condo for years. If somebody breaks in and steals my paper? We haven't had a burglary in the neighborhood since I moved in 20 years ago.

    I believe I'm far more secure than a Hollywood starlet with a cloud account.

    What if you're away from home?

  • Reply 33 of 68
    nagromme wrote: »
    Furthermore, what has Apple done to protect all those celebrities whose photos were stolen from Google/Android? The theft wasn't specific to iOS. Apple once again leaves Android users out in the cold when it comes to security!

    Torches and pitchforks for everyone! We march on One Infinite Loop at first light!
  • Reply 34 of 68
    Quote:
    Originally Posted by d4NjvRzf
    While Apple's current implementation requires a mobile network connection, what if Apple were to add support for time-based one-time passwords like those supplied by Google Authenticator? Then the system would work just like those industry-standard 2-factor setups that use RSA keyfobs.

    Yeah, they should really support the TOTP algorithm (RFC 6238). It's an industry standard, and would allow 2-factor authentication to work regardless of country or signal in a device-agnostic way (even all the way back to decrepit things like Blackberry OS 7). It would be a great way for Apple to show how important security is to them.

  • Reply 35 of 68
    Quote:
    Originally Posted by john12345
    What if you're away from home?

    Yeah, that's a bit of an issue but really not so often. Things like bank accounts and buying tickets and all that which require account data and passwords and all I tend not to do away from home, over public WiFi networks. Go home and do it. So not a major problem.

  • Reply 36 of 68
    dysamoria wrote: »
    Irregardless isn't a word. Why does autocorrect even help people type it? It's even in the iOS dictionary. But autocorrect fights every form of the word "abuse", which IS a word.

    Security features are worthless if you can still access your own data. If you can do it, someone else can. The best thing we can do is take steps to make it harder for the unauthorized access of your stuff, which makes it harder for us to access it too. Got a two-step login with a 30-character password? Lovely. Makes it hard for social engineering and hacks to break your security... And you have to constantly type that 30-character password, and get SMS messages every time the cookie expires on the so-called trusted browser (or every time your trusted device uses a different browser mode to access the page, like from an app like Gmail, etc... to the point that you run out of trusted device slots and kill the oldest(?) one by adding a new one, because it's not the actual device, it's the browser cookie).

    Security is a hassle to the user or it's not secure. The more of a hassle it is, the less people want to deal with it. Having a hundred accounts to protect, all with different ID and password... It's just too much. It requires keeping lists. Those lists have to also be secured, or they become massive security breaches themselves. There must be a better system. Trusting a one-password product is not my idea of a better system. Fingerprint scanning is a convenience that can be cheated by clever people with access to your fingerprint on something they can transfer to an artificial medium for scanning (it was demonstrated already on iPhones). What's next? Retina or iris scanning? How will that be compromised? When will we end up with implants with RFID? When will people bypass that?

    With all this security, the most annoying part is... You can lose your legitimate access credentials, just because you're human, and no one will be able to help you. Lose your emergency key? You're locked out. You'd have to be a security cracker to get in. Most people aren't, and it's illegal to crack some third party's security for access to your own stuff.

    I've never lost my house or car key. This is true. But people don't need keys if they're willing to break windows or bust down doors. Yes, we could use safes... But who really considers buying expensive and heavy secure safes for a password list? They can also be compromised with heavy cutting hardware like blowtorches.

    At the end of the day, with Internet accounts, we have way too much stuff to protect. The more protected we are, the harder it is to access our own junk. What level of discomfort are you happy with? How important are each of those accounts? How many access credentials can you remember without a list? Where do you store that list? How often do you have to change those credentials until you cannot remember any of them any more?

    I don't have a solution, but I feel like we are only getting worse by continuing to use this challenge and response system, with different credentials for every account. But I'm not willing to have an implant, and certainly not be tracked by one. My data isn't important enough to mutilate me for access, but if biometrics can be bypassed with artificial copies, then what's the point in using them?

    It's a question of whether you're willing to be more inconvenienced than your potential thief.

    I wish I could live another 200 years to see how humanity deals with this long term.

    Requiring everyone to obey the Ten Commandments would solve the problem of security in one fell swoop.
  • Reply 37 of 68
    Two-step verification is a nightmare. Keep away from it like the plague. Apple forums are full of complaints, doubts, troubles, lost information, untrusted devices, and whatever sad stories you can imagine. I myself disabled two-step verification because I couldn't buy ANYTHING from the App Store.
  • Reply 38 of 68
    john.b Posts: 2,742 member
    Quote:
    Originally Posted by Benjamin Frost
    Requiring everyone to obey the Ten Commandments would solve the problem of security in one fell swoop.

    If theocracies weren't able to make that happen, I doubt the modern world ever could. It's called the "human condition" for a reason, otherwise you wouldn't need the rules in the first place.

  • Reply 39 of 68
    aaronj Posts: 1,595 member
    Quote:
    Originally Posted by John.B
    If theocracies weren't able to make that happen, I doubt the modern world ever could. It's called the "human condition" for a reason, otherwise you wouldn't need the rules in the first place.

    Not to mention that only 2 of them even apply to me.

  • Reply 40 of 68
    john.b wrote: »
    Requiring everyone to obey the Ten Commandments would solve the problem of security in one fell swoop.

    If theocracies weren't able to make that happen, I doubt the modern world ever could.  It's called the "human condition" for a reason, otherwise you wouldn't need the rules in the first place.

    I was posting more in hope than reality.

    Wouldn't it be amazing if no-one needed any passwords? No need for security of any kind?

    There was a time in England when people didn't need to lock their front doors.

    Be good. Don't steal.