Insights For Success

Strategy, Innovation, Leadership and Security

2 factor

What do you do if your password was hacked?

General | Edward Kiledjian

This is not a sponsored post and the links are not affiliate links. The links are provided to simplify your journey.

I wrote this post to help the average consumer user.

Many believe bad things only happen to other people, but the quantity and severity of breaches are growing quickly. Once you have accepted that you may be part of the unlucky, how do you know if your information was leaked in a breach?

Was my information leaked in a breach?

First, check Have I Been Pwned (HIBP)

Security researcher Troy Hunt created this free resource to check whether your email address appeared in any publicly known breach.

You simply enter the email address you used to register for most sites, and it shows a green result (your address is not in any catalogued breach) or a red result (your address was found in one or more breaches):


HIBP does not retain the addresses you search for unless you sign up for its notification service. Because it lists the breaches that exposed your credentials, you can work out which other sites are now at risk (most people reuse passwords, so a password leaked from one site unlocks the others).

Second, you may want to check out a similar service run by Mozilla called Firefox Monitor.


This works the same way as HIBP: you enter your email address and press Check. If your address was in a known leak, it lists the breaches. Note that Firefox Monitor draws on HIBP's breach data, so it is largely a second interface to the same catalogue rather than an independent source.


The third source you can check is the personal data leak checker run by CyberNews.


Like HIBP and Firefox Monitor, you enter your email address and the site tells you whether it appears in the leaks it has collected:


Unlike the others, it does not list which breaches (or how many) your information was found in, but because its collection is maintained separately it can be a useful third check.

I recommend checking these sites monthly or using their auto-alert feature, which will email you if your information is found in a future breach.

BIG IMPORTANT WARNING:

If these sites do not find your information in a known breach, it does not mean you are safe. Hundreds or thousands of breaches each year are never announced, so these services cannot catalogue them. Stay careful; there is more on this later in the article.

Be aware of weird account activity

As mentioned above, not being listed does not mean you are safe, so always be vigilant with your online accounts. Sites with good security controls detect anomalous activity on your account and email you about it. For example, you may receive a password reset link that you did not request, or a message asking whether you really logged in from a location you have never been to (you log in from the USA, but the email says someone in Prague attempted to log into your account). Gmail does this for unusual browsers, IP addresses and geographic locations.

Sometimes when an account is taken over, the attacker changes the registered email address. If you try to log into a service you know you registered for and it no longer recognises your email address, that is a strong indication your account was taken over.

Another indicator is an unexpected configuration change in your email account. Attackers want access to your mailbox because that is where password resets for your other services arrive, and where the alerts that would tip you off land. Two common tricks: they create mail filters (to forward messages of interest to themselves, or to mark security alerts as read and delete them immediately so you never see them), or they enable forwarding of all your mail to an address they control. Review your filters and forwarding settings whenever you suspect something is wrong, and periodically even when you do not.

The main issue is password reuse

The main issue is password reuse. Most users have a handful of passwords they reuse across every site they register on. Once an attacker obtains one of those passwords from a breach, they simply try it against other major services (Facebook, Twitter, Instagram, Gmail, Hotmail, etc.) and get immediate access. This automated replay of leaked credentials against other sites is called credential stuffing.

This is why I recommend using long unique passwords for each site and storing those passwords in a reputable password manager.

  • My favourite password managers (free and paid)

  • five sites to help you generate long, complicated and unique passwords

What do I do if my information was leaked in a breach?

With the quantity and size of breaches, it is likely that your information was leaked in a breach, what do you do now?

  • If you reuse passwords, then the first thing you should do is visit all the sites you use and immediately change the passwords.

  • If you are locked out of your account (which could mean the attackers have taken it over), use the password reset functionality to change your password.

  • If you are sure you had a registered account but the system can not find your email address (when you use the above reset feature), it could mean the attackers have changed the registered email address for your account. You will have to contact the support team for the site in question and explain the situation.

  • Another recommendation you do not see often is to use multiple email addresses. If you are using a password manager (and you should be by now), create a separate free email address for each group of services: one for online shopping, one for social media, and so on. A breach of one address then exposes fewer of your accounts.

Good internet password hygiene

  • Use long, complicated and random passwords for each site. Something like f%[_8s9f579o+*38zjURqjK}GQZ

  • You can also use long passphrases (if you are stubborn and do not want to use a password manager), but make each one unique per service: 1l0v3*K1nG!*Appl3?P3acH%Umrellas-P1nk!

Most sites store user passwords using a technique called hashing. They do not store your password itself but a mathematically derived value that cannot be turned back into the password. To "crack" a leaked hash, an attacker has to guess candidate passwords, hash each guess and compare the result with the leaked value. That trial and error is cheap for short or common passwords (dictionary words, names, a word plus a year) and impractical for long, random ones. So even if a site's database is leaked, a long and complex password may never be recovered and your account on that site may remain "safe". Two caveats: this only helps if the site actually hashed the passwords (some have leaked them in plaintext, in which case no password strength helps), and you should change the password on a breached site anyway.
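To make the difference concrete, here is an added example (not code from the original post) that plays the attacker's side against a constructed "leaked" table of unsalted SHA-1 hashes, the worst case for users and sadly common in real dumps. The weak password falls to a tiny wordlist with common mangling rules; the random 27-character password from this article does not, and the search-space estimate shows why brute force will not find it either. The wordlist, users and the 1e11 guesses-per-second rate are assumptions for illustration.

```python
import hashlib
import math
import string


def sha1_hex(password):
    """Unsalted SHA-1, as found in many historical breach dumps."""
    return hashlib.sha1(password.encode()).hexdigest()


# Constructed "leaked" records: username -> hash. Alice used a weak password,
# Bob used the random password from this article.
LEAKED = {
    "alice": sha1_hex("Summer2020"),
    "bob": sha1_hex("f%[_8s9f579o+*38zjURqjK}GQZ"),
}

# A tiny constructed wordlist; real crackers use hundreds of millions of words.
WORDLIST = ["password", "welcome", "summer", "winter", "qwerty"]


def candidates(words):
    """Yield guesses from a wordlist with the mangling rules crackers apply first:
    capitalisation variants plus common suffixes (digits, '!', years)."""
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            yield base
            for suffix in ("1", "123", "!", "2019", "2020", "2021"):
                yield base + suffix


def crack(target_hex, words):
    """Dictionary attack on one unsalted hash.
    Returns (password or None, number of guesses hashed)."""
    tried = 0
    for guess in candidates(words):
        tried += 1
        if sha1_hex(guess) == target_hex:
            return guess, tried
    return None, tried


def keyspace_bits(password):
    """Brute-force search space in bits, assuming the attacker knows which
    character classes were used (a conservative, widely used estimate)."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return len(password) * math.log2(alphabet)


def years_to_exhaust(bits, guesses_per_second=1e11):
    """Time to try every candidate at the given rate (assumed: 1e11 SHA-1/s,
    a ballpark figure for a GPU cracking rig)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for user, h in LEAKED.items():
        found, tried = crack(h, WORDLIST)
        status = f"cracked -> {found}" if found else "not in wordlist"
        print(f"{user}: {status} after {tried} guesses")
    for pw in ("Summer2020", "f%[_8s9f579o+*38zjURqjK}GQZ"):
        bits = keyspace_bits(pw)
        print(f"{pw!r}: ~{bits:.0f} bits, ~{years_to_exhaust(bits):.1e} years to exhaust")
```

Alice's hash is recovered after 55 guesses because "summer" plus a capital letter and a year is exactly the pattern cracking rules try first. Bob's password has roughly 177 bits of search space, which at 1e11 guesses per second would take far longer than the age of the universe to exhaust; the only practical way to obtain it is from a site that stored it unhashed.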

  • Never reuse a password across multiple sites.

  • Whenever possible, use two-factor authentication to add a second layer of security to your account.

There is a great free site called twofactorauth.org (now 2fa.directory) that maintains an exhaustive list of sites that let users enable two-factor authentication, and for many of them links to the page explaining how to turn it on.


The most secure option is a hardware token (my favourites are the YubiKey models) and the least secure is SMS. Hardware keys that speak FIDO2/WebAuthn are bound to the site's origin, so a phishing page cannot relay the login; an app-generated code can be phished and replayed within its validity window, and SMS can additionally be intercepted through SIM swapping or the carrier network itself. If you are curious why SMS is not secure, I wrote an older article about the SS7 attack.

If you choose a software token, the one I recommend is Authy by Twilio. Authy is free, cross-platform and incorporates good security protection features.

Authy vs Google Authenticator for 2 factor authentication

Technology | Edward Kiledjian

Picture by Harald Groven under Creative Commons license

It seems password theft is in the news every week, and even average computer users are starting to learn about the benefits of 2-factor authentication. 2-factor authentication increases your account security because it adds to your password (something you know) a second factor (something you have).

The "something you have" is usually either a one-time authentication code sent by SMS to the phone number on file, or an app that generates the same kind of code locally. The SMS option seems convenient, but it is less attractive when you consider that the site has to send your login code as a plain text message across a third-party carrier's network, where it can be intercepted or redirected (which is never a good idea in my opinion). Using a software one-time code generator is a much more attractive proposition in my book.

Which major sites use 2 factor authentication?

Almost every major site supports 2-factor authentication. A few examples (far from a complete list):

  • Facebook
  • Google+
  • LinkedIn
  • Twitter
  • Tumblr
  • WordPress.com

What is Authy?

Since most people have heard of Google Authenticator, let me take a minute to introduce Authy before jumping into the comparison. Like the Google app, Authy implements the Time-based One-Time Password (TOTP) algorithm standardised by the Internet Engineering Task Force in RFC 6238: the app and the site share a secret, and each 30-second time step is hashed with that secret to produce the code you type in.

In addition to being a slick well designed app, Authy allows you to manage all of your TOTP 2 factor authentication tokens with it (including Google Authenticator tokens).

And with the Bluetooth agent on Apple computers, you don't even need to touch your phone when logging into websites. The entire process is slick and beautiful.

Authy also strives for 99.9995% uptime and has built its infrastructure accordingly. You can read a good technical article about this on Leanstack.io.

Authy versus Google Authenticator

There are 2 types of Authy implementations:

  1. A site can use Authy as their 2-factor authentication system (front and back end)
  2. A site can use the Google Authenticator back end and the customer can choose to use Authy as the token generation client app

Let's take scenario number 1 first.

Let's say you are using Google Authenticator and you lose your phone. The only course of action you have is to find your backup 2-factor codes (which you hopefully printed when you set everything up) and deactivate your tokens app by app (or site by site).

If a site uses Authy as its back end and front end, you can revoke an app's token very easily from the Authy site.

The other major issue with Google Authenticator affects world travellers. In some countries you will have no connectivity on your mobile device for extended periods, which can lead to drift between your phone's clock and the time on the site's servers. If the drift becomes too wide, you will not be able to log in any more, because the entire TOTP process uses the current time in the calculation; a typical server only accepts the code for the current 30-second step and one step either side. The Authy team has accounted for this possibility and built in more refined time-drift correction to reduce the likelihood of this occurring.

Google Authenticator is built to run on only one device, but more tech-savvy users know that you can load the same authenticator seed onto multiple devices. The problem is that all your devices then share the same seed, which means that if any one device is compromised or stolen, you have to cancel and regenerate all of your tokens. Even in multi-device mode, Authy creates a unique seed for each device (when used with sites that have implemented the Authy back end rather than a plain Google Authenticator back end), which means you can revoke one device without having to reset everything.

Let's take scenario 2 now

One thing I hate with Google Authenticator is that I have to redo the entire token creation process for every 2-factor-enabled site every time I change my phone. I could save a screenshot of my seed and use that in the future (instead of going through the entire process again), but that is a HUUUUUUUGGGEEE security risk. You really don't want to store your seed unencrypted.

Authy has an account synchronisation feature that allows you to move your entire token vault to a new phone or to a second device. Security analysts know that the goal is to minimise the attack surface, so you may choose to allow 2-factor code generation on only one device. Authy's default configuration works on one device only, so that multi-device support is a conscious decision by the user.

To enable multi-device synchronisation of your tokens, they have created a model of inherited trust, which means a new device can only be authorised from an already trusted device.

This means that if you buy a new device (to replace your existing one, or a tablet), you can easily transfer your authentication tokens over.

The other benefit is that every time you start the app you get a fresh authentication code valid for 20 seconds, which means you are not waiting for the standard 30-second step to roll over before the app shows a new code.

Overall the app is much nicer than Google's. It is a clean touch friendly interface that is a joy to use. I have now migrated all my Google tokens to Authy and it is the only 2-factor authentication app on my devices: smartphones and tablets.

You can download Authy for free

Enable 2-factor authentication for Google services

InfoSec | Edward Kiledjian

Related Article:  

How to enable 2-factor authentication for Google

  1. Sign into your Google account
  2. Click the arrow next to your name
  3. Choose Account
  4. Select Security
  5. Click Settings listed under 2-step verification

You then have to start the setup process. You are asked to supply a telephone number to which an authentication code will be sent when you log in from an "untrusted computer or device". A code then arrives that you have to enter whenever Google's login detects something unusual.

You are then asked to log in and test the code. When you log in, you will be asked whether you trust the device you are logging in from.

The other option on the 2-factor authentication page is the iOS or Android Google Authenticator application, which generates a new unique login code every 30 seconds. You download the app from your app store, choose the Google Authenticator option on the 2-factor settings page, scan the QR code generated on the setup web page and then test the generated code.

Personally I use the Google Authenticator option and have the app on my phone (iPhone) and my tablet (Nexus 7). If you intend to use Google Authenticator on multiple devices, download the app on all of your devices at the same time and scan the generated QR code on each device during the same setup. The same unique codes will then be generated on all of them.