Some Advice on 2 Factor Authentication

Today more than ever before we are storing valuable assets online. Those assets could include access to our bank vaults, our galleries of pictures, our writings, our work, and our communications. That is a lot of stuff. It is important that we maintain access to those things and that they do not get hijacked.
The first line of defense against such hijackings is having strong authentication systems in place. A system that will not permit entry until it is convinced beyond a shadow of a doubt (within reason) that you, and not someone else, are the one trying to access your accounts is a better system.
There are a lot of problems around online authentication.
https://www.theverge.com/2017/7/10/15946642/two-factor-authentication-online-security-mess

This is a topic I’ve spent a decent amount of time looking into.
I can say that there are a couple of things I have learned that have made a big impact on me.

  1. When possible, use 2FA. If you can, use an app for authentication instead of SMS messaging.
  2. If you are going to use an app, then use Authy, https://authy.com/. If your phone breaks or gets destroyed and you have backups enabled with Authy, it is much easier to get up and running again than with Google Authenticator (if your phone breaks, you are screwed with Google Authenticator).

Making Better Passwords, The Entropy Argument

I am going to take a side in a debate. The debate is a long and heated one. It centers around the question of what makes the best password.
My argument is that the best passwords are those made up of the greatest number of characters and thus have the most entropy. I will argue that building entropy via many characters is superior to having a shorter password that uses extra special characters. Whether or not I have special characters in my passwords is beside the point, because everyone knows I used a computer to make the password and so I COULD have used a special character. Even if an attacker KNEW I was only using lowercase English letters, if it meant my password was, say, 10 characters longer, that would more than make up for the fact that I am missing numbers or special characters. There are many people who agree with me as well, prominent among them the writers of XKCD. In this comic: https://xkcd.com/936/

The idea is elegantly demonstrated.

The idea is also very popular among the developers of cryptocurrency wallet software. Cryptocurrency wallet seed generators nearly all generate ~20 human-readable words that make up their seeds, which are then hashed and salted to produce the wallet secret keys. https://bitcoin.stackexchange.com/questions/45978/what-is-the-wallet-word-seed-that-is-commonly-used-in-popular-wallets-clients
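To put numbers on the entropy argument above (and on the word-based seeds just mentioned), here is a small added example; it is my own illustration, not code from XKCD or any wallet project, and it assumes a uniformly random choice of each character or word, a 95-symbol printable-ASCII alphabet, and a 2048-word list (the size used by the comic's 11-bits-per-word estimate).

```python
import math

# Assumed alphabet sizes (US keyboard, printable ASCII).
LOWER = 26
UPPER = 26
DIGITS = 10
SYMBOLS = 33                      # punctuation and space
ALL_PRINTABLE = LOWER + UPPER + DIGITS + SYMBOLS   # 95


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a string of `length` symbols, each picked uniformly
    at random from `alphabet_size` symbols: length * log2(alphabet_size).
    This only holds for random choices; human-chosen strings have less."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("need length >= 1 and alphabet_size >= 2")
    return length * math.log2(alphabet_size)


def extra_chars_to_match(short_len: int, big_alphabet: int, small_alphabet: int) -> int:
    """How many MORE symbols from the smaller alphabet are needed to reach at
    least the entropy of `short_len` symbols from the bigger alphabet.
    This is the author's claim made concrete: lowercase-only is fine if it
    is a few characters longer than the mixed-character password."""
    target = entropy_bits(short_len, big_alphabet)
    needed = math.ceil(target / math.log2(small_alphabet))
    return needed - short_len


def passphrase_bits(words: int, wordlist_size: int) -> float:
    """Entropy of a passphrase of `words` words chosen uniformly from a list
    of `wordlist_size` words (XKCD-style passphrases and wallet seed words
    are both built this way). The attacker is assumed to know the list."""
    return entropy_bits(words, wordlist_size)


if __name__ == "__main__":
    mixed = entropy_bits(10, ALL_PRINTABLE)          # 10 chars, all 95 symbols
    lower = entropy_bits(20, LOWER)                  # 20 chars, lowercase only
    print(f"10 mixed chars: {mixed:.1f} bits, 20 lowercase chars: {lower:.1f} bits")
    print("extra lowercase chars needed to match 10 mixed chars:",
          extra_chars_to_match(10, ALL_PRINTABLE, LOWER))
    print(f"4 words from a 2048-word list: {passphrase_bits(4, 2048):.0f} bits")
    print(f"12 seed words from a 2048-word list: {passphrase_bits(12, 2048):.0f} bits")
```

The catch is that the bit count assumes every character or word was chosen at random; a dictionary word with a digit bolted on gets credit for none of this, which is why the comic's passphrase and a wallet seed use a generator rather than memory.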


Martin Fowler on Web Security Basics

This article, written last year, is an evergreen primer on a bunch of different issues in web security: https://martinfowler.com/articles/web-security-basics.html

The big bullets:

  • Trust
  • Reject Unexpected Form Input
  • Encode HTML Output
  • Bind Parameters for Database Queries
  • Protect Data in Transit
  • Hash and Salt Your Users’ Passwords
  • Authenticate Users Safely
  • Protect User Sessions
  • Authorize Actions

Detail is given to ideas such as

  • User/client input cannot be trusted and so must be validated.
  • HTML output needs to be encoded.
  • Database query input also needs to be validated before it is run, similar to the first point.
  • It is worth it to protect data going over the wire with technologies like SSL and WPS.
  • That it is valuable to add extra layers of protection, like hashing and salting, whenever passwords are stored or sent anywhere.
  • That sessions, and the users who hold them, are worth protecting.
  • That requiring specific authorization to perform certain actions is another good way to add an extra layer of security.

It is for sure worth the read by pretty much everyone. Since web applications are so tied to our lives these days, we as users (and ESPECIALLY as developers) owe it to ourselves and any software we write to adhere to practices like the ones Martin outlines.

Origins of Meltdown + Spectre

The story I read today,
https://www.wired.com/story/meltdown-spectre-bug-collision-intel-chip-flaw-discovery/

Lately all over the news people are talking about the new vulnerabilities identified by 3 researchers at Graz University in Austria.
I was interested in this article not because it went in depth on the implications of the vulnerabilities themselves, but because it talked about the researchers' process in discovering them. Vulnerability testing can be very tedious work. In the realm of hardware-level security testing that these researchers were doing (and discovering a vulnerability that has been present for the last 20 years), what they did is a huge deal. They were not expecting to uncover what they did.