50 upvotes, 18 direct replies (showing 18)
View submission: How to keep your Reddit account safe
I'm a big fan of two factor authentication, generally. It's best to use some kind of token system or an app like Authy or Google's Authenticator rather than SMS as your second factor. I prefer Authy because it's easier to recover your account because it stores the data in the cloud.
It's an increasingly common attack vector for hackers to take over your phone number and use that to unlock your two factor accounts. A step you can take to prevent this is to contact your cellular carrier and ask them to establish a security PIN on any number porting requests.
If you change carriers and need to have the number ported, that PIN will be required. This makes it much more difficult for someone to social engineer a transfer of your number.
And I know this is the thousandth time you've been told, but you really should be using a password manager. I use LastPass and a typical password for me looks like this: 7GXc2f*hIVTV(MYO
The reason you want to be using a password manager is so you can have ridiculously complex and unique passwords for each account. If you're re-using the same passwords, a hacker doesn't need to break through Bank of America's security, they only need to hack the pizza place down the street that you use for online ordering. Once someone has a working username and password combination, they can jaunt around the internet and try to find other places those credentials work.
Comment by worstnerd at 06/05/2019 at 17:38 UTC
27 upvotes, 3 direct replies
This is great information and a solid way to improve the security of your account. Thanks for sharing!
Comment by obrienmustsuffer at 06/05/2019 at 18:06 UTC
6 upvotes, 2 direct replies
> I prefer Authy because it's easier to recover your account because it stores the data in the cloud.
Contrary to Google Authenticator it allows the keys to be backed up by iTunes, so as long as you do regular backups, you'll be fine.
Comment by itsmebutimatwork at 06/05/2019 at 18:36 UTC
4 upvotes, 2 direct replies
> And I know this is the thousandth time you've been told, but you really should be using a password manager. I use LastPass and a typical password for me looks like this: 7GXc2f*hIVTV(MYO
WTF?? How did he know my password?!
Comment by AtheistComic at 06/05/2019 at 18:08 UTC
2 upvotes, 2 direct replies
If you search Duckduckgo for "password 8", it will give you a nicely randomized password 8 characters long (yes you can change that to 12 or whatever to get longer passwords).
Comment by dietderpsy at 06/05/2019 at 18:22 UTC
2 upvotes, 1 direct replies
Isn't storing plaintext passwords in a db the same way as storing them in the cloud?
Comment by SanityInAnarchy at 07/05/2019 at 07:18 UTC
1 upvotes, 0 direct replies
I'm a fan of two-factor generally, but not a fan of TOTP (let alone SMS) now that U2F exists. Unfortunately, Reddit still doesn't support U2F.
And I feel that Authy's backup defeats the purpose of two-factor; if the data is stored in the cloud, what secures that cloud? Possible answers:
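The question of what an Authy-style cloud backup actually holds is easier to reason about once you see how a TOTP code is derived. The following is an added example, not code from the thread or from Authy, Google Authenticator or Reddit: it implements RFC 4226 (HOTP) and RFC 6238 (TOTP) on top of Python's standard library, parses a constructed `otpauth://` enrollment URI of the kind an authenticator app scans from a QR code, and verifies a code with the usual one-step clock tolerance. The seed value in the URI is made up for the example; the RFC 6238 test vector (ASCII secret `12345678901234567890`) is used to check the arithmetic. The point for the backup debate: the only long-lived secret is the Base32 seed, so whoever holds the backup can mint valid codes forever.

```python
import base64
import hashlib
import hmac
import struct
from urllib.parse import parse_qs, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the big-endian 8-byte counter, dynamic truncation, mod 10^digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter set to the number of time steps since the epoch."""
    return hotp(secret, unix_time // step, digits, algo)


def seed_from_otpauth_uri(uri: str) -> bytes:
    """Extract the shared seed from an otpauth://totp/... URI (what the QR code encodes).

    Authenticator apps store exactly this value; a backup of the app is a backup of it.
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP enrollment URI")
    params = parse_qs(parsed.query)
    b32 = params["secret"][0].upper().replace(" ", "")
    # Base32 payloads are often unpadded in these URIs; restore padding before decoding.
    b32 += "=" * (-len(b32) % 8)
    return base64.b32decode(b32)


def verify_totp(secret: bytes, submitted: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Accept a code from the current step or from `window` steps either side (clock skew).

    Uses constant-time comparison so the check itself does not leak digit matches.
    """
    current = unix_time // step
    for counter in range(current - window, current + window + 1):
        if hmac.compare_digest(hotp(secret, counter, digits), submitted):
            return True
    return False


# Constructed enrollment URI (seed and labels are example values, not anyone's real account).
EXAMPLE_URI = (
    "otpauth://totp/Reddit:example_user"
    "?secret=JBSWY3DPEHPK3PXP&issuer=Reddit&algorithm=SHA1&digits=6&period=30"
)


def demo(unix_time: int = 1_557_000_000) -> dict:
    """Show that the seed alone reproduces the code the phone would display at `unix_time`."""
    seed = seed_from_otpauth_uri(EXAMPLE_URI)
    code = totp(seed, unix_time)
    return {
        "seed_bytes": len(seed),
        "code": code,
        "accepted_now": verify_totp(seed, code, unix_time),
        "accepted_one_step_late": verify_totp(seed, code, unix_time + 30),
        "rejected_two_steps_late": not verify_totp(seed, code, unix_time + 60),
    }


if __name__ == "__main__":
    # RFC 6238 Appendix B vector: SHA1, 8 digits, T=59 -> 94287082
    print(totp(b"12345678901234567890", 59, digits=8))
    print(demo())
```

Run stand-alone it prints the RFC test vector and a dictionary showing the constructed seed being accepted in its own 30-second step and the adjacent one, but not two steps later. The `window` argument is the knob a verifier tunes between tolerating phone clock drift and shrinking the replay interval; the seed extraction function is the part worth keeping in mind when deciding how much to trust any backup of an authenticator app.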
Comment by taulover at 06/05/2019 at 20:52 UTC
1 upvotes, 0 direct replies
> I'm a big fan of two factor authentication, generally. It's best to use some kind of token system or an app like Authy or Google's Authenticator rather than SMS as your second factor. I prefer Authy because it's easier to recover your account because it stores the data in the cloud.
> It's an increasingly common attack vector for hackers to take over your phone number and use that to unlock your two factor accounts. A step you can take to prevent this is to contact your cellular carrier and ask them to establish a security PIN on any number porting requests.
If I'm not mistaken, reddit only allows authenticator apps, not SMS-based 2FA, for this very reason.
Comment by Fosnez at 07/05/2019 at 06:03 UTC
2 upvotes, 0 direct replies
2 factor is great, until you lose your phone. Then you're fucked.
Comment by Reelix at 06/05/2019 at 23:39 UTC
1 upvotes, 1 direct replies
> A step you can take to prevent this is to contact your cellular carrier and ask them to establish a security PIN on any number porting requests.
The people doing the port-jacking generally work for the carrier, making this step useless.
Comment by Zakkeh at 07/05/2019 at 03:37 UTC
1 upvotes, 1 direct replies
How do I log in to my account when I'm not at my PC? LastPass sounds great and secure, but I'm not always at home.
At a mate's place and I want to log in to a website, what do?
Comment by kyiami_ at 07/05/2019 at 03:41 UTC
1 upvotes, 0 direct replies
Ridiculously complex passwords are not as important as having a long, unrelated password.
Unique passwords are incredibly important, and something not enough people do.
Comment by [deleted] at 07/05/2019 at 03:18 UTC
1 upvotes, 0 direct replies
Out of curiosity, how is Authy kept safe if the info is stored in the cloud? I currently use Microsoft Authenticator, but it sucks setting up a new device.
Comment by FreydNot at 07/05/2019 at 01:14 UTC
1 upvotes, 0 direct replies
Another good idea is use a Google voice number for sites that only do sms 2fa. It's more complex to take over a GV account with social engineering.
Comment by Longshot365 at 06/05/2019 at 23:49 UTC
1 upvotes, 2 direct replies
But what happens when the password manager gets hacked? Or when you lose your password to the password manager.
Comment by Fantastic-Mister-Fox at 06/05/2019 at 17:35 UTC
1 upvotes, 1 direct replies
SMS is insecure anyway. You don't even need to contact a carrier, you can spoof the number and receive texts temporarily, long enough to either spy or to get a 2fa code.
Comment by StarBam at 06/05/2019 at 18:54 UTC*
1 upvotes, 2 direct replies
What's the most secure password manager to use?
Comment by Mlitz at 07/05/2019 at 03:35 UTC
1 upvotes, 0 direct replies
This needs more up votes!
Comment by [deleted] at 07/05/2019 at 02:50 UTC
0 upvotes, 0 direct replies
Use LastPass and give NSA all your passwords. Great suggestion OP