Support NeoGAF

[Kayant]

I think for now alerting users to check their password's strengths and activate 2FA is the way to go.

Then they can add alternative app based implementations.

Did last pass have a big data breach this year though?

I'll look into it though for sure, thanks.

It wasn't a data breach more a method in which user's data could be comprised by visiting a URL which allowed attackers to get access to your account but that would have been stopped if 2FA was on.

There are many good ones out there including Lastpass which is now free for mobile syncing. Keepass although not the most user friendly or easy to setup for non "techy" people. Enpass is also good and has the most platform support and apps.

Paid -
- 1Password
- Dashlane

People are still getting hacked with 2fa. I said it a month or two ago that it was a patchwork fix and the Sony zealots came defending. Still we are here... do not put your cc info up there.

Whlist you can indeed still be hacked with 2FA see big youtubers like h3h3productions,boogie2988 then hasn't been a case of such a targeted attack or what claim iirc as it's been mentioned.

 

[Transistor]

People are still getting hacked with 2fa. I said it a month or two ago that it was a patchwork fix and the Sony zealots came defending. Still we are here... do not put your cc info up there.

You ddi this in the last PSN account security thread and you posted the same misinformation there too

 

[pottuvoi]

Check if user uses same password on E-mail tied to an PSN account.
Do not accept otherwise a bad password.

 

[FunkyPajamas]

Please do. Cuz it's exactly the same as 90% of the 2FA that I use. The only services I use that have an app are Google, Discord, Snapchat, and Twitter.

Amazon and Steam as well. While I do prefer services that use an app for 2FA, I wouldn't call the ones that use SMS messages "lazy" or "half-assed". Basic perhaps?

 

[RexNovis]

Check if user uses same password on E-mail tied to an PSN account.
Do not accept otherwise a bad password.

I dont think there is any way to do this. It wild require not only checking passwords from a completely different service but also passwords for platforms that are not owned/operated by the company in question. If it was possible to cross reference passwords like that I could see it being abused to phish email passwords.

 

[pottuvoi]

I dont think there is any way to do this. It wild require not only checking passwords from a completely different service but also passwords for platforms that are not owned/operated by the company in question. If it was possible to cross reference passwords like that I could see it being abused to phish email passwords.

Sadly, this is true. (At least legally.)

In general forcing decent password would help a lot.
Checking most used passwords or jut really bad otherwise.
https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/

 

[Fortinbras]

People are still getting hacked with 2fa. I said it a month or two ago that it was a patchwork fix and the Sony zealots came defending. Still we are here... do not put your cc info up there.

That happened to me actually. Except it was my Microsoft account.
http://www.neogaf.com/forum/showthread.php?t=1317483

People still post about this on the Skype forums so I guess the backdoor still hasn't been closed. 2FA is only good if it works. Maybe Microsoft should work on that.

Great post OP. It includes useful suggestions that would make any account safer.

 

[JP]

Additional layers of security are always a major plus for me, irrelevant of the online service those additional layer of security are for.

Above that, what people must learn is that the primary ownership of personal online security lies with the individuals who own that information and it's also where the shortfall lies in the vast majority of account breaches.

Never rely on a service to be the sole protecter your information because they could go over and above the law in how they protect your information but they still won't ever come close to having the power or security that that the individual who owns that information has.

Of course, those organisations also have obligations in relation to the security of your information but people should always treat their information as if that organisation is the weakest link in the protection that you're taking, even they do far more than is asked of them. Always assume that any organisation you're entrusting with your information to is going to fall victim to the worst scenario in relation to your data at some point, always assume them to be breached at some point and deal with your information as if you know that is going to happen.

I believe that this stuff really should be a part standard schooling because the levels of understanding of online security are absolutely horrific in all but a tiny minority of people. People simply don't think enough about this stuff. For me, online security really should be seen as a basic life skill rather than something that is for other people.

I really wish that GAF security was improved, partly because I'm pretty confident that many people share their GAF login details with other sites and shared security details are only as strong as the weakest link in that security chain.

 

[RexNovis]

Sadly, this is true. (At least legally.)

In general forcing decent password would help a lot.
Checking most used passwords or jut really bad otherwise.
https://nakedsecurity.sophos.com/2016/08/18/nists-new-password-rules-what-you-need-to-know/

Hmm yea maybe it would be reasonable to check to make sure the passwords didnt match any sequence from the top 50 most common passwords list. That could work.

 

[ddikxela]

If we had a portal(which uses a diff username/password to the PSN account it ties up to) where we could actually see what devices we have logged into and manage restrictions/block devices that would be something wouldnt it?

 

[antibolo]

People are still getting hacked with 2fa. I said it a month or two ago that it was a patchwork fix and the Sony zealots came defending. Still we are here... do not put your cc info up there.

Sony clearly needs to construct additional pylons.

 

[ChaoticBlue]

been using psn for 10 years now. never had someone hack my accounts.

and I have 2 ps4s and 5 ps3s with multiple accounts.

 

[Hesh]

There's nothing more for them to do, at this point it's PEBKAC. It's on the user to enable 2FA and to not use the same e-mail and password combo that they've used on other services that have been hacked in the past. Those that have taken these steps have not been hacked and will not be hacked, simple as that.

 

[The Dear Leader]

Require two factor authorization opt in on everyone's account. Make it so they can't log in until it's set up.

 

[LOLCats]

For people without cell phones, a key fob like blizzard would be an option.

 

[antibolo]

SMS-based 2FA has been proven to be weak and nobody should defend it.

 

[VetrexKnight]

How about first we get them to just add the option for e-mail or call to landline phones for 2FA then go foward from there, focus on the small doable things first.

 

[Joni]

Require two factor authorization opt in on everyone's account. Make it so they can't log in until it's set up.

There are simply people that don't want it, even here on GAF.

 

[Jacksinthe]

Aside from 2FA I prefer unique IDs over email, tbh.

So I made my own for all of my services using aliases in Gmail: email+whateverthefuckaliasyouwant@gmail

I can give you my legit email and my password. Good luck getting in with an alias and 2FA enabled.

People need to stop reusing emails and passwords everywhere. That's the NUMERO UNO reason breaches occur.

 

[UpDownLeftRight]

There are simply people that don't want it, even here on GAF.

That's their own problem. If people don't want it it should be turned on by default and have an 'opt out because I totally don't care about security' button.

 

[ANDS]

Or people could just have setup 2FA when it first came out a while back.

Maybe read the OP?

The suggestions made, you wonder why they aren't in the actual system. And a forced 2FA would actually not be a bad idea. Everyone has an email account, and while it might be compromised as well at least it would stem some of the tide.

They also need to add a level of security on some of their actions for people without 2FA. You shouldn't be able to change your email on file for the PSN without confirming through the current email for example.

 

[DriftingSpirit]

I have a question - does auto-login make 2FA less effective? Is it better to log out every time and sign in?

.

 

[deletethis123]

How would this work for people who don't got cellphones?

They should improve it and either user the code generation apps or send you an email.

 

[Upinsmoke]

Just use Google authenticator, ubisoft do and it takes like two seconds, plus you always have your backup codes....

 

[The Dear Leader]

There are simply people that don't want it, even here on GAF.

Yeah I know, but that seems like the only way to really stamp out most of the account hacking problems.

 

[Kayant]

SMS-based 2FA has been proven to be weak and nobody should defend it.

Yh but it's better than nothing and only really when you're targeted like some big youtubers does it fail if am not wrong.

 

[antibolo]

Yh but it's better than nothing and only really when you're targeted like some big youtubers does it fail if am not wrong.

Well yeah it's "better than nothing" but the point of this thread is what they can improve and this is definitely a thing.

 

[Sky87]

The truth is most people are too lazy to enter a generated code every time they log on.

Just to reiterate here, you put in the code once on your console, then never again (unless perhaps your IP changes).

Of course, logging in through the website requires a 2FA code every time, but i doubt many people do that often. Blizzard does this well with their app. You get a popup on your phone asking you if you want to permit/deny a login attempt. No codes needed.

 

[RexNovis]

How about first we get them to just add the option for e-mail or call to landline phones for 2FA then go foward from there, focus on the small doable things first.

Before they make 2FA mandatory they absolutely need to expand their service to include other options like the ones you've mentioned here as many have no interest in using SMS. There are plenty of other options available for 2FA as well so it's not as if they'd need to reinvent the wheel to do so.

 

[Joni]

Yeah I know, but that seems like the only way to really stamp out most of the account hacking problems.

At the cost of a significant amount of users.

 

[bitbydeath]

Force daily password resets on those without 2FA.

 

[Halabane]

Its time that credit card companies and vendors of on-line just go to something like this: http://www.cac.mil/common-access-card/...or the FOBS: http://security.stackexchange.com/questions/9584/can-the-numbers-on-rsa-securid-tokens-be-predicted

You have to have the card with the chip and the pin to log in or use the random number. Frankly for those of you in apartments using wpa 2 with just a pin and not a certificate are just asking to get hacked. You need some physical thing to make sure it's you. Guessing to roll this out would cost too much but I have never had a problem with most of the MMOs that use the FOBS or my timecard at work which also uses that.

 

[pottuvoi]

Hmm yea maybe it would be reasonable to check to make sure the passwords didnt match any sequence from the top 50 most common passwords list. That could work.

Top 1000 or preferably more would be decent start.

 

[Justinh]

Man...
Siftd's stream of Shane Satterfield vs. Bloodborne because he lost this year's video game fantasy draft just started, but it's like 2 or 3 hours late because his account was compromised just like the threads I've seen so many times here. I would think he knows 2FA is an option now since all he does is go through game articles all day. I hope he has it activated now if he didn't before.

Send users an email anytime someone logs into their account from a new device with links to immediately reset their password and set up 2FA


Notify users by email when a new system is activated on their account and provide two links one to deactivate said system and change their password if they did not add said system and another to set up 2FA on the account.

I just think that they should at least email everyone who hasn't activated 2FA kinda inviting them to activate it for increased security. The fact that there are so many people on GAF even that didn't know it was an option makes me think it's not being pushed enough.

Force daily password resets on those without 2FA.

Seems kinda excessive, you think?

Top 1000 or preferably more would be decent start.

I've never known such a thing existed. That's pretty cool. Do sites already block passwords on that list? I always use a generator so I guess I'd never notice.