I got hacked

Strange, I got my Gmail account hijacked by someone from Alberta, CA, as well.

It was an old Gmail account I wasn’t using anymore. The password was randomly generated by KeePass. It was not brute forced.

First, they accessed my Google account and changed the password. I received a notification and was quick to go and change it to a new password. Note how Google let me do it.

Second attempt was a few days later. They changed the password and all the recovery info this time. Google says “blah blah we can’t allow you to recover from this device”.

Learned two things: Strong passwords mean jack squat these days apparently and Google doesn’t care about you.

I really wish everyone had an option to disable recovery procedure and optionally lockout IPs for x hours/days after incorrect attempts. I never make a mistake entering passwords and they’re strong enough.

Recovery is just another attack vector. Plus you need to remember/store all that information.


This is where I advocate storing that in KeePass.

I would have my username and randomly generated password stored in KeePass, but for the recovery questions I would also use randomly generated strings from KeePass for my answers.

To store that information, I use the notes section of KeePass or store that information in a text file as an attachment to the specific KeePass entry.

An example would be like this:


Which is what I do. Answers are random unrelated stuff. But yeah, randomly generated stuff is even better.

My attacker either brute forced them (seems rather unlikely imo) or they have a way of making Google think they’re on a trusted Android device, which is what I believe happened.

I have a weird thing with all my stuff lately. I have an old Yahoo account from 2000 that I have all my password stuff sent to. I rarely use it ’cept once a month when I change all my passwords. I finally have started using LastPass, because I can’t afford anything else, but my main password is a very long sentence. And I change it every 2 weeks. (I have done this since I had an unrelated Google account get hacked somehow without my main Yahoo account getting compromised. This was 4 weeks ago.)

I also have all of my passwords stored on a USB stick that sits inside the leg of my big vintage school teachers desk from the 80’s. Those passwords are scrambled twice. So even if they get the usb stick, they’re not gonna know what those passwords are.

I thought of all of this like 4 weeks ago because I decided to go back and reconnect with all the email accounts I’ve had since the early 90’s and either delete them after getting all the info off them, or if I can’t get them deleted, I have deleted everything off them and have the passwords set to some weird gibberish that I don’t even know anymore.

I will not have anything of mine hacked again. I’m taking all of this way too seriously. But I’m happy with it.


Where do you store the KeePass files? Are they all kept on USB sticks or are they also stored in cloud storage?

Banking and Yahoo email… should have switched that a long time ago. Something to be said for more modern email accounts. Might use it for a spam dump… about all it is good for these days.

If you have the time, listen to Reply All’s “The Snapchat Thief”; it’s very illuminating. This happens to regular people all the time.

After listening to an episode of Reply All about SIM-swapping, I found a service that allows me to port my phone number away from a SIM card, then I got a new phone number from my original service provider just so I can have mobile data. I don’t use this phone number anywhere (at least not anywhere associated w/ my identity, and I don’t share it with anyone (to prevent them from saving it to their Contacts in the context of my identity)). I’ve been using this service for over a year now, and have been pretty happy with it. Idk if I’m allowed to link to the service w/o solicitation (new to the forum), so feel free to ask me about it. The developer of the service is very responsive and has an XMPP/Jabber chatroom anyone can join.

I also do this, though I use the “Additional attributes” section to store security answers because I can toggle “Protect” to keep them hidden. And instead of a random alphanumeric string, I generate a passphrase and pick words that make sense for the question. That way, I could potentially remember them off the top of my head, but they’re still incorrect. I also don’t say which answer belongs to which question (hence Sec Q1, Q2, Q3 in my example); I give myself the work of figuring it out/remembering in the moment.
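The practice described in the two posts above (random or passphrase-style answers to recovery questions, kept as protected KeePass attributes labelled only “Sec Q1”, “Sec Q2”, … with the question text stored elsewhere) as an added example, not code from any poster; the wordlist and question set are constructed stand-ins, and the output is a plain dict rather than a real .kdbx write:

```python
import math
import secrets
import string

# Constructed mini wordlist (assumption). A real passphrase list has
# thousands of words; this one is deliberately tiny to make the entropy
# comparison below visible.
WORDLIST = ["anchor", "basil", "copper", "dune", "ember", "falcon",
            "garnet", "harbor", "iris", "juniper", "kelp", "lantern",
            "meadow", "nickel", "orchid", "pepper"]

# Constructed question set; the question text is kept OUT of the
# generated attributes, as the second post describes.
QUESTIONS = ["Mother's maiden name?", "First pet's name?", "City of birth?"]


def random_answer(length=20):
    """Random alphanumeric answer (the 'random string' style)."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase_answer(words=4):
    """Plausible-looking but incorrect answer built from random words."""
    return " ".join(secrets.choice(WORDLIST) for _ in range(words))


def entropy_bits(alphabet_size, length):
    """Bits of entropy for 'length' uniform picks from 'alphabet_size'."""
    return length * math.log2(alphabet_size)


def build_attributes(questions, style="random"):
    """Return KeePass-style custom attributes: key 'Sec Qn', value the
    answer, protect=True so the value is hidden in the UI. Deliberately
    no mapping from key to question text."""
    if style == "random":
        answers = [random_answer() for _ in questions]
    else:
        answers = [passphrase_answer() for _ in questions]
    return {f"Sec Q{i + 1}": {"value": a, "protect": True}
            for i, a in enumerate(answers)}


if __name__ == "__main__":
    for key, attr in build_attributes(QUESTIONS, style="phrase").items():
        print(key, "(protected)" if attr["protect"] else "", attr["value"])
    print("20 alnum chars:", round(entropy_bits(62, 20), 1), "bits")
    print("4 words from 16:", round(entropy_bits(len(WORDLIST), 4), 1), "bits")
    print("4 words from 7776:", round(entropy_bits(7776, 4), 1), "bits")
```

The entropy lines show why the wordlist size matters: four words from this toy list give only 16 bits, while the same scheme over a 7776-word list gives about 51.7 bits, and a 20-character alphanumeric string about 119 bits.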

Nothing especially tragic. The usual inconvenience of having to spend $ on another device.
I have adequate backup copies of the entire OTP database as well as one-time backup codes stored in several encrypted copies for this situation. Losing this laptop is not a problem at all. I am able to quickly restore 2FA’s normal function.

But since you mention it so, the next step to proper security is to have 2FA prepared in such a way that if necessary you can recover everything and not lose any access. There were situations in this forum where people had 2FA on the phone which was damaged and had no copy and had a problem …


A strong password is better than a weak one. In your case, the penetration vector was probably somewhere else than breaking the account password.

Go for it! :smiley: It’s ok in this instance as it’s on topic.

All my codes are encrypted with something I can remember, about or more than 36 characters, including symbols, upper/lower case and numbers. My authenticator is on my Android phone with a 4> PIN which is on Android 10 (Pixel 4), and I can remote in to do what I please with it.

Just in case, my home server is also encrypted to the balls, with all my backup codes just in case.

@TimHolus This is my current setup, and it has worked well. Will look into FIDO, would be an interesting read.

I wouldn’t trust Android if it has network connectivity. :wink:
As for encryption, this is a good way, although I often see people making some mistakes in the philosophy of encryption and data manipulation.

There are cases where the user has a NAS and encrypted drives and keeps data there. In the user’s logic there is a thesis that the data is secure because the disks are encrypted. The problem is that it is not entirely true. In the event of a physical takeover of the server and its restarting, the data may be secure but it does not protect it from online leakage. If the data was not encrypted on the server, that’s it. :wink: This is a typical error that I observe.

Personally, I like to offer people a solution based on encrypted containers shared on the LAN. Then the data always remains in encrypted form and only the decryption takes place on the target user’s machine and for a specified period of time. If a data leak occurs, it is only in encrypted form. :wink:

The way my server is set up is this:

  1. Sensitive files/folders, compressed and encrypted (gnupg)
  2. RAIDZ array encrypted when powered down (FreeNAS, planning a new server upgrade/unRAID)
  3. Shares are local only
  4. All attacks are blocked at the router/using a tier 3 system on banning IPs
  5. Server access can only be done locally, remote applications don’t exist

My server is set up in a way to only accommodate local services, not designed to go beyond my router besides the FreeNAS/BSD repo and plugin access to the web that I heavily configured, some forced into VPNs.

In regards to Android, I really don’t care if Google themselves have my 2FA codes… But if the fact that Google wants them bothers you, then you’re far more paranoid than I.


:sweat_smile: My response is a few months late because I didn’t get a notification, but the service is JMP.chat. I’m still using it, and am quite satisfied with how it’s performed.