WHAT EVEN IS TWO FACTOR AUTHENTICATION?

In past instalments we’ve talked about creating a safe password for your smartphone and how to use a password manager for all other accounts, but something was left behind that needs addressing.

As we mentioned before, data leaks can happen, and even though the passwords that give access to an account on any internet platform tend to be stored hashed, those hashes can be cracked by people with the right tools.

So there is no point having a great password that then gets leaked and cracked, right? We can do something about this too.

Multifactor authentication is a way of ensuring whoever is sending the credentials to an account is actually the person who owns that account. It normally uses two of these three:

  • Something you know (usually, your password!)
  • Something you have (your smartphone, or a hardware key, or some other object)
  • Something you are (fingerprints, biometrics and so on)

We have talked about the dangers of biometrics already and we would highly advise you to not use them. That said, you still can use two factor authentication (2FA) by giving something you know (your password) and something you have (either a hardware key, or an application on your smartphone).

This is how it works: when you log in on Facebook, you are asked for your email and password. You have done your job right and know that the password is complicated and stored in your Bitwarden account. So you select it, then add that little bit of password that only you remember, and hit enter. A second screen appears that asks you for a code. You check your smartphone, enter your code, and you’re in!

Ideally, that code will be a one time use code and change every time, making things a lot safer.

That means that if someone was to get your password, they still wouldn’t be able to access your account without also having that code, which should be in your pocket!

You have already done this before, normally over a telephone number. Amazon asks you for a mobile number, sends you a code by text, and you then enter it on the login screen to get in. But texts are sent and stored in plain text, and SIM swapping (an attack where someone manages to take over your telephone number without you realising) is a very common attack vector.

Instead of using your telephone number, you can choose to use a hardware token if you feel you need to go the extra mile with your security (like YubiKey, go read about it!) or you can use a software based 2FA authenticator.

Our recommendation for a software-based 2FA authenticator would be the open-source Aegis Authenticator if you’re using Android, as it offers a few extra features like password access and backup options, or TofuAuth if you’re using iOS, also open source and designed for iPhones.

The process is simple: you go to your account settings, find 2FA and enable it. You then grab your phone and scan the QR code that the website offers, and the app will automatically add an entry for that account. Now the app and the website are in sync and will nod in agreement when you give them the right code!
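To make that “nod in agreement” concrete, here is an added example (not code from the original post, nor from Aegis or TofuAuth) of the TOTP algorithm that authenticator apps and websites both run: the QR code carries a shared secret in an otpauth:// URI, and each side independently derives the same six-digit code from that secret and the current 30-second time step. The enrolment URI and account name below are constructed; the secret is the RFC 4226/6238 reference value.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, urlparse


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) for one counter value."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                  # dynamic truncation
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32: str, at=None, step: int = 30, digits: int = 6) -> str:
    """Time-based code: the counter is the number of `step`-second intervals since the epoch."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    secret = base64.b32decode(padded)
    at = int(time.time()) if at is None else at
    return hotp(secret, at // step, digits)


def verify_totp(secret_b32: str, submitted: str, at: int, window: int = 1, step: int = 30) -> bool:
    """Website-side check: accept the current step and `window` steps either side
    (clock skew between phone and server), comparing in constant time."""
    return any(
        hmac.compare_digest(totp(secret_b32, at + drift * step, step), submitted)
        for drift in range(-window, window + 1)
    )


def secret_from_otpauth(uri: str) -> str:
    """Pull the shared secret out of the otpauth:// URI that the enrolment QR code encodes."""
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not a TOTP enrolment URI")
    return parse_qs(parsed.query)["secret"][0]


# RFC 4226/6238 reference secret (ASCII "12345678901234567890"), base32-encoded as apps expect it
RFC_SECRET_B32 = base64.b32encode(b"12345678901234567890").decode()
# Constructed enrolment URI of the kind a website's QR code carries (account name is made up)
EXAMPLE_URI = f"otpauth://totp/Example:thegreensheep?secret={RFC_SECRET_B32}&issuer=Example"

if __name__ == "__main__":
    shared = secret_from_otpauth(EXAMPLE_URI)
    print("code at t=59 :", totp(shared, at=59))   # RFC 6238 vector 94287082 -> 287082
    print("accepted now :", verify_totp(shared, totp(shared), int(time.time())))
```

The `window` argument is why a code still works for a few seconds after the app has rolled over to the next one, and why a badly drifted phone clock is the usual cause of “invalid code” errors.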

This is an incredibly easy, yet very effective way of keeping your accounts safe. Please head to your accounts and enable 2FA, connect it to your phone software and stick your middle finger to whoever might try to gain access to your accounts!

UA Tech and Sec department.

If you like what we do, consider donating a few coins, we have very little funds left
Paypal: unoffensive_animal(at)tutanota.com
Patreon: www.patreon.com/animalliberation

PASSWORD MANAGEMENT

We have talked in the past about how important it is to unlock your smartphone with a passphrase instead of a numerical code, and, if you’re still not up to date with how law enforcement abuses its powers, why you especially should not use biometrics like your fingerprints or FaceID.

If you have not read about smartphone passphrase, you should start here: 
https://unoffensiveanimal.is/2021/03/16/creating-a-safe-passphrase-for-your-smartphone/

Now that you have read that, we MUST talk about all the other passwords you use to log in to every other account you own.

Passwords are normally stored on the servers of those accounts (let’s say Facebook, for example) as hashes. That means that people cannot simply read your password as plain text. But many tools are able to crack those hashes and recover your passwords.

So how do we protect ourselves from a major data leak that would release onto the internet the key to every account you own?

Firstly, we need to go over a few rules:

  • You should NEVER reuse your password. It doesn’t matter if it is for an account you don’t care about. Just DO NOT reuse your password. If it leaks for one account, it will leak for all accounts!
  • Your passwords should be complicated and should be lengthy. There are many ways of “creating” passwords, but we will explain a very simple one later on in this article.

So once we have learnt those two rules, how can we create, manage and memorise very long, complicated passwords that are unique, so you do not repeat them across every single account?

The answer is to use a password manager.

A password manager is a vault that keeps all those passwords safe and away from prying eyes. For most of our readers, whose threat level is probably low, we will recommend a cloud-based password manager due to its ease of use, but if you believe you should go a step further, once you’ve read about password managers check KeePass, a completely off-cloud alternative.

Our recommendation for a cloud-based password manager is Bitwarden. Bitwarden is an open-source password manager capable of storing all the information you need, but also able to generate new passwords on demand and synchronise across all your devices if you so wish.

Storing all your passwords in a single drawer sounds like a huge, scary thing doesn’t it? This is why you should think before you even create a new account with Bitwarden.

1- Create a new, never-used-before email address. Only use it to create that password manager account, so it doesn’t leak. That makes it more difficult to brute-force the password manager credentials if the attacker doesn’t even know what email address you could’ve used.

2- Create a MASTER PASSPHRASE. Remember how we talked about a passphrase for your smartphone? Follow those rules, but double it, or even triple it in size. Write it down for a few weeks until you are 100% sure you will not forget it, and practise using it. Make it the longest, most complicated password you can create whilst still being able to remember it, because it is the password that will rule all the passwords.

Now you can log in to Bitwarden and start storing all your accounts’ passwords. And because we know what you’re like, this is the moment we prompt you to CHANGE THE 6-YEAR-OLD PASSWORD YOU’VE NEVER IN YOUR LIFE CHANGED. Seriously, go on Facebook, change your password. Go on your Proton Mail, and change your password. Go on your Amazon account and CHANGE-YOUR-PASSWORD.

You will find a very good little tool within Bitwarden for this. When you’re changing a password in whatever account, you can click on “generate password”, choose the length and how complicated you need it to be, and the software will create the password for you. You copy it, change the password in the account, then save the new credentials in your Bitwarden and voilà! You are done!

But I can imagine more than one person complaining about putting all the vegan eggs in a single steel basket and hoping that that does not fuck things up.

And you people are right. That master passphrase could be broken. All your accounts, compromised. And we also have remedies for those problems.

In a future instalment we will talk about 2FA and how to use it (not the one where Google sends you a text with a code, mind you!), but for now, this is a cool little trick you can use to secure your accounts a step beyond the password manager.

Let’s imagine that the FBI has decided to check out all the nudes you send over Instagram DMs. They try to get into your IG, but they are unsuccessful. Sadly, they find a plaintext copy of your password manager master passphrase, and they learn that your Instagram login credentials are:

User: @thegreensheepinthehill
Password: z3JtBqGT$ZRjWY!cf&[email protected] *(a very nice password created by the PW generator within Bitwarden!)

When they try to log in, the screen prompts “username and/or password are invalid”!

Why? Because you did not put all the vegan eggs in one steel basket. You kept half an egg to yourself.

That metaphorical egg is “something you remember”: an add-on to your password, something extra that you don’t forget.

For example, let’s say that you really like plants, and your favourite plant is a pothos. Maybe that something you remember can be {p0th0%s}, and when you are creating new passwords for all your accounts, you keep adding “{p0th0%s}” at the end of the randomly generated password that Bitwarden gives you.

When you save your passwords, you are not saving {p0th0%s} alongside them; you simply remember it, so when you need to log in to IG, for example, Bitwarden gives you this:

User: @thegreensheepinthehill
Password: z3JtBqGT$ZRjWY!cf&[email protected]

But you remember that the actual password is:

Password: z3JtBqGT$ZRjWY!cf&[email protected]+{p0th0%s}

And tada! You made your life a little safer by spending a couple of days learning a new tool that will really, really help you in the long run.

Enjoy, and for the love of bunnies, stop using “password123” as your password, please.

UA Tech and Sec department.

CREATING A SAFE PASSPHRASE FOR YOUR SMARTPHONE

Most of us have one, most of us benefit from them, and we put our whole lives on them, but in reality we should fear them. Smartphones are a tool of the modern world, able to share data with anybody instantly: a mind-blowing concept.

Each year, new devices are released with new and possibly beneficial features: authenticating yourself just by looking at the screen, storing photos in the cloud, managing banking transactions with minimal effort. Smartphones are convenient. Yes. They can also be VERY damaging for activists.

A device that knows where you are, where you’re going, when you’re there, the journey you took, and whether you drove, walked or cycled. It knows who’s with you, and it holds the messages you’ve sent to each other and the pictures and videos you took while you were there.

One small mistake and the device you hold so dearly can get you into some serious ‘legal’ issues. The biggest mistake that you may already be making? Unlocking your phone.

Various reports show that most devices are secured with a 4-number passcode. Are you currently doing this? If you are, this should be the first step you take to securing your device. Longer passwords are harder to enter, yes, but they are also harder for law enforcement to break.

Knowing the difference between an insecure and a ‘secure’ smartphone can be difficult. With the next few posts, we’ll try to recommend easy-to-implement changes and tips that ANYBODY can follow, regardless of your knowledge of technology.

There’s a constant battle in the tech world between security and convenience, and with smartphones, convenience typically wins. As mentioned above, face, fingerprint and iris unlocking for your device are very ‘cool’ and convenient methods of authentication, but take it from us, there’s nothing stopping law enforcement from forcing your eyes open, holding your phone to your face, or pressing each finger onto your fingerprint scanner. The only thing they currently cannot do is force you to provide a password to a device. 1*

Most phone operating systems tie the device’s encryption to the screen lock; it’s good to assume that if you’re using a 4-number password or similar, the data on your device is easily recoverable by anybody with very little effort.

Bringing us to the first change for a more secure device.

Your device password.
If you’re currently using a ‘PIN code’ or numerical password, change it.
If you’re using a pattern lock, change it.
If you’re using biometrics, fingerprint, FaceID, iris… Stop… Seriously. Stop it. Stop reading, go disable it now…
If your password is the name of your ‘pet’, child, spouse, town, date of birth, Spring2016, AnimalLiberation, or FuckTheCops, change it.

Change it to what? Good question!
How do we as human beings generate a secure, complex password that’s difficult for a highly intelligent computer to guess? It’s not difficult, but there’s a general rule in the password-cracking industry: a longer password is not automatically a more secure one.

As the person writing this post, I can suggest the following formula for ‘Secure’ Passwords.

Multiple DIFFERENT symbols; multiple words, in different languages if you’re lucky enough to know them; and numbers, but no phone numbers, bank PINs or dates, and 1312, 161, etc. are also not secure :). It may be easier for you to remember a complex password if it flows easily when you recall it in your head, maybe something that rhymes.

For example, looking around me right now, I will try to make a ‘secure’ password: 1 x aloe vera plant… 1 x bottle of water… 2 x skylights… 8 steps to some stairs…

My Password could be:
!128/[email protected]

Easier to remember, but less Secure:
!1128AloeVera_bottleOf_Skylight1128!

Now… I understand that you might be thinking “There’s no way I’m going to remember something like that…” This is why it’s important to personalise your password with rules and patterns that make sense to you. Assuming you use your smartphone every day, that’s a repetitive task for your brain and you will very quickly learn to type the password easily, without thought. It’s just adjusting to it that may take a few days. Sadly, security is not convenient and will take effort to introduce.

If you’re worried about forgetting the password, I suggest keeping a written copy or reminder of the password until you don’t need it anymore, and then destroying it with fire :). It’s better to use a slightly insecure method of security temporarily than to use only insecure methods permanently.

This change is possibly the most mentally demanding. It will take time and effort to introduce properly, but once you’ve laid the groundwork here, the effectiveness of the other changes will be greatly increased; banks aren’t made from cardboard for a reason ;).

==================

Change your Password!
Unoffensive Animal.

Comments:

1* – Depending on where you are in the world, the police can press legal charges against individuals who do not provide access to personal devices. What we mean is that they can’t force their way into your brain.

We now accept Bitcoin and Monero as donation methods! Please visit "Support Us" page to find out how.