Feature Friday: Password Reminder Popup

I use the Authy mobile app to serve up my 2-factor tokens when I need them. I’ve blogged about Authy before here at AVC so regular readers will be familiar with it.

Authy does something that I really like. Even though my password is stored on my mobile phone and I don’t need to type it in every time I log in, Authy regularly prompts me for my password so that I don’t forget it. The popup box has an “ignore” link on it that I can click if I don’t want to be bothered. But I type my password in every time I’m prompted to do this because I realize that regularly typing in my password is the best way to insure I don’t forget it.
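The reminder mechanism described above, as an added example that is not Authy's code and not from the original post. It keeps the feature honest from a security standpoint: the app stores only a salted slow hash (never the password itself), compares in constant time, and records the "ignore" clicks. The interval, snooze length and the cap on consecutive ignores are this example's own assumptions, not documented Authy behaviour.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Policy values constructed for this example (not Authy's settings).
REMIND_AFTER = 7 * 24 * 3600   # seconds between password reminders
SNOOZE = 24 * 3600             # how long one "ignore" click postpones the prompt
MAX_IGNORES = 3                # consecutive ignores allowed before the prompt becomes mandatory


def derive(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so the device never holds the password in the clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


@dataclass
class PasswordReminder:
    salt: bytes
    digest: bytes
    last_verified: float      # time of the last successful password entry
    snoozed_until: float = 0.0
    ignores: int = 0

    @classmethod
    def enrol(cls, password: str, now: float) -> "PasswordReminder":
        salt = os.urandom(16)
        return cls(salt, derive(password, salt), now)

    def should_prompt(self, now: float) -> bool:
        """Prompt once the interval has passed and any snooze has expired."""
        due = now - self.last_verified >= REMIND_AFTER
        return due and now >= self.snoozed_until

    def can_ignore(self) -> bool:
        return self.ignores < MAX_IGNORES

    def ignore(self, now: float) -> bool:
        """The 'ignore' link: postpone the prompt. Returns False once the
        cap is reached, i.e. the user must re-enter the password."""
        if not (self.should_prompt(now) and self.can_ignore()):
            return False
        self.ignores += 1
        self.snoozed_until = now + SNOOZE
        return True

    def verify(self, attempt: str, now: float) -> bool:
        """Constant-time check of the typed password; a success resets the clock."""
        if not hmac.compare_digest(derive(attempt, self.salt), self.digest):
            return False
        self.last_verified = now
        self.snoozed_until = 0.0
        self.ignores = 0
        return True


if __name__ == "__main__":
    # Constructed walk-through with a fixed clock instead of time.time().
    r = PasswordReminder.enrol("correct horse battery staple", now=0.0)
    t = REMIND_AFTER
    print("prompt due:", r.should_prompt(t))          # True
    for _ in range(MAX_IGNORES + 1):
        print("ignore accepted:", r.ignore(t))         # True x3, then False
        t += SNOOZE
    print("wrong password:", r.verify("nope", t))      # False
    print("right password:", r.verify("correct horse battery staple", t))  # True
```

Passing `now` explicitly keeps the logic testable; a real app would feed it the wall clock and run `should_prompt` on launch or on a timer.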

It’s one of those things that makes so much sense and makes you wonder why more apps don’t do this.

Well done Authy.


#mobile

Comments (Archived):

  1. William Mougayar

    I use it too, and like the Secure Backups feature, so you can easily restore your passwords at once if you lose the phone.

    But another related thing that is not consistent across apps is the “password recovery” processes. They vary from the annoyingly complicated, to the super easy which makes you wonder. I wished there was more consistency and standardization around that.

  2. LIAD

    Flawed design pattern. For those not interested in the feature having to click ignore each time is a pain in the ass. Make it required or allow opt-out.

    Thinking about it. There must be a deeper reason. Maybe a soft nag/security feature. Makes no sense otherwise. Perhaps if you ignore more than X times it won’t allow you to bypass.

  3. Richard

    And twilio had the foresight to acquire them. Good job everyone.

  4. kenberger

    (Deleting most of my original comment, realising that I didn’t understand the post correctly.) Still, waiting for biometric and other methods to at last take hold and become widespread, as password-based authentication is so archaic and flawed.

    1. Noah Rosenblatt

      Have you heard of “digits” from Twitter? My company may use it for a mobile app we are building for urbandigs.com. It’s a mobile text-based authentication for logins… curious if anyone here has used it before??

  5. Jess Bachman

    Two factor doesn’t work well for me because my phone isn’t usually attached at my hip. But I used a different PW for every site/app and never have a problem remembering them…. once I got.. a ‘system’.

    1. creative group

      Jesus: if your passwords for each site are based upon authentication, difficulty, etc., how can you remember them all without writing them down, storing them, or using a password-storing platform? The ten to fifteen method makes it a chore to have different passwords. How do you remember them all?

      1. Jess Bachman

        Simple. Start with a strong base PW, then create a system based on the site’s name, for example… take the first three letters of the site’s name, reverse them and capitalize the first. So the PW for Disqus would be base PW + Sid. Facebook would be basePW+Caf. Then just remember your base PW and your system.

        1. JimHirshfield

          And once your base password is compromised, access to all your accounts is compromised.

          1. Jess Bachman

            Only if your system was also compromised.

          2. JimHirshfield

            Which you did by documenting it above, no?

          3. LE

            Exactly. Only reason to talk about anything security wise is to provide disinformation.

          4. JimHirshfield

            Right. Uh, wrong. No I mean right.

          5. Jess Bachman

            Ha, no. That was just an example as stated. The system can be as complex or simple as you like, as long as it reasonably obfuscates the site’s name. A Facebook PW of basePW+Face is going to expose both the basePW and system.

          6. JimHirshfield

            basePWOK basePWI basePWget basePWit basePWthanks.

          7. creative group

            Exactly…. The reason we wanted clarification before replying with the obvious.

    2. Dale Allyn

      I also don’t like 2FA, although I think it’s great for many. I spend a fair bit of time in Asia (traveling from the U.S.), using a different phone number, and most 2FA systems require texting to only one number (at least that’s what I’ve encountered). Carrying a backup key on a slip of paper for every service is impractical and defeats the purpose of 2FA.

      Like you, I memorize all of my pass phrases, and they’re different for every site or service. They’re also typically 16-25 characters. I try not to access anything “important” via mobile anyway because I feel it’s inherently less secure; and I never allow my device system to memorize my authentication credentials on any portable device: laptop, phone or tablet.

      Life would be so much easier with reliable biometric scans for authenticating on all services – say fingerprint plus retina scan. 😉

      1. Cam MacRae

        2FA is terrible for highly mobile people, particularly with apps that de-authorize your device when you change sim. Ugh.

        1. Dale Allyn

          I completely agree, Cam.

    3. Cam MacRae

      I used to have such a system, but 1Password eliminated the need. I don’t recycle passwords, and I haven’t got a clue what any of them might be. Probably something like this recently generated horror: vpEfp3Aa6JWY{HR+rGGyVw

  6. Jess Bachman

    Ok .. hmm… I guess I don’t get your process. If you are not required to put your PW in… then it’s not 2-factor. It’s 1-factor; just you having your phone will do. Unless I’m missing something.

  7. sigmaalgebra

    Password management on a mobile device? I’ve thought that that sounded like a bad subject, and now I’m more convinced it is.

    Someone gave me a mobile phone, but I’ve never used it. Otherwise I don’t have a mobile device at all, and so far I don’t need one. Instead, my head is down working on my project at my desktop computer.

    At my desktop computer my passwords are something like

        desktop0562093284984

    from just stabbing fingers at the number keys, and no way do I want to try to remember something like that.

    So, on my desktop computer, for password management I have a database I built using my favorite software, my favorite text editor, KEdit.

    So, to find my latest password to, say, Facebook I type

        key faceb pw

    And there key is a dirt simple editor macro. Works great. No, I didn’t use SQL!

    I try to use Facebook as little as possible, and I’m pretty successful at that!

    That little database for password management works great but, yes, does have all my passwords which would be a disaster if my desktop computer were a mobile device and got lost, stolen, confiscated, destroyed, etc.

    So, for passwords on a mobile device, I’d need backups at home, right, on a desktop computer, and then I’d be back to where I am now.

    On my desktop computer, backup and restore of the operating system data was a pain to set up, but I’ve long since done that and it works great.

    For backup/restore of the rest of the data, I have just some little command line scripts based on the old program XCOPY — terrific.

    If I have to get a mobile device, then I won’t know what the heck I will do about passwords.

    That database is general purpose for essentially any little things I want to remember. I just checked; currently it has 3282 entries including, yes, passwords but also phone numbers, mailing addresses, URLs, just anything that is small and not better kept elsewhere. Those 3282 entries cover right at 10 years!

    It’s amazing how useful a collection of just 3282 entries can be. Not even my brilliant wife with her fantastic memory could have easily remembered that many little detailed items.

    The whole file has just 1,843,078 bytes on 60,133 lines. So, anything I do with it is faster than I can get my finger off the Enter key. Amazing.

    With some indexing, it’d be much faster, still. With solid state disk (SSD), still much faster. Now Samsung has 10 trillion bytes (TB) on an SSD in the 2.5″ size. Wonder what could be done? Hmm ….

    Gee, the 10 TB is also amazing: My back of the envelope estimate for my project has been that I could serve the world for 150 TB; so that’d be just 15 of those Samsung puppies! Amazing.

    1. LE

      I am assuming that both your laptop and your desktop are encrypted as well as the file containing the actual passwords is encrypted as well (regardless of whether it’s someone’s text file or a database of sorts..)

      1. sigmaalgebra

        I have just a desktop computer, only one, and nothing else now. So, no laptop either. Generally I just don’t believe that I would have even a decent chance at computer security for a mobile computing device.

        No. No encryption. In principle I’m vulnerable to some cases of malware. Apparently in principle everyone is — really big bummer for the industry.

        I know that in principle I’m vulnerable and don’t like it, but for now that’s a problem in the queue but lower priority than some other problems in the queue. There are a lot of problems in the queue! I pay attention to the ones at or near the top of the queue!

        So, I handle floor vacuum cleaning, floor mopping, much of laundry, much of grass mowing, all of car washing, installing a new tub boot seal in my Maytag washer, and more in the classic way of entrepreneurship!

        It appears that my efforts to protect against malware are being successful.

        My view is that my current approaches to computing would be much more vulnerable to security leaks if they were on mobile devices.

        Sure, I very much wish that the guys who write operating systems would make much more clear and explicit just how things work relevant to security. E.g., what software I really don’t want and don’t know about is listening on what IP ports and is vulnerable to buffer overflows — programming 101 errors? What the heck is this stuff about auto start in the Windows Registry? “Auto start”? Outrageous. There should never be any such thing without really clear documentation and my very explicit permission. And I should be able easily to set, save, and restore any such things. And this stuff about reading what’s on removable media as soon as the media is inserted? What a wide open security hole. I’ve clicked and clicked, and, still, some Sony movie DVD still with its own movie playing software gets loaded and run by Windows without my permission. I never, never, never, under any circumstances, ever, just never want any Microsoft software ever, not even once, not under any conditions, ever to read anything on any removable media, ever, without my very explicit permission and a lot of documentation. Ever.

        Nadella, is that clear enough? Due to the iron clad, feet locked in reinforced concrete, OCD determination of Microsoft to create security holes, likely not even 1% clear enough.

        I’ve been known to scream loudly enough to get a sore throat.

        By far, the biggest problems in my startup have been (1) security holes in Microsoft’s software and (2) the need for me to work through 8000+ Web pages of Microsoft’s documentation. The rest — everything unique to my project and much more — has been fast, fun, easy, as expected, no serious problems at all — routine, piece of cake, fun, relaxing, especially fun to see it work.

        Supposedly Microsoft is interested in “developers, developers, developers”: Well, my view is that while Microsoft does have some excellent work, in total, developers on Windows are going through daily “barbed wire enemas” with self-inflicted, unanesthetized, upper molar root canal procedures.

        I have a friend that tried to have a business based on selling some essentially shrink wrapped software, and the main problem he encountered, which nearly sank his business, was just the software installation process. He was good enough to get PBK, a Ph.D. at Courant, and be a Member of the Institute for Advanced Study at Princeton, but the Microsoft software installation process was too much.

        Microsoft, from your documentation, I can’t in reasonable time figure out just what the heck you have in mind for Windows Presentation Foundation (WPF), Windows Communications Foundation (WCF), or Model, View, Controller (MVC — and, no, I didn’t learn it from its version on Java), would have absolutely no idea how to write a Windows graphical user interface (GUI) application or handle the installation process. None. It would be easier to learn Plancherel’s theorem in Fourier theory — indeed, it was. Microsoft — you and your hacker culture don’t know how to write and, thus, struggle horribly in describing your work.

        So, what I want: I insert a DVD and Windows ignores it. Just flatly ignores it. Never but never reads even a single bit from that DVD. Ever. Just don’t do it. The same for all removable media. Then if I want that media read, I will select and run the relevant software. Microsoft, stay the heck out of that picture, totally out, unless explicitly, each time, definitely, clearly asked.

        Instead, Microsoft is just OCD about looking at the media, seeing what is on it, if there are any programs, then reading, loading, and running them. On and on. Just OCD about just will not just leave the DVD alone, just alone. Do, in one word, nothing. Just what the heck is it about nothing that is too difficult for Microsoft?

        Each time Microsoft and its bug ridden software, still until recently vulnerable to the Programming 101 error of buffer overflows, tries to read a bit from removable media is a LOL security hole seen clearly everywhere between the Black Sea and the Baltic Sea.

        When GM gets the Microsoft OCD disease, then whenever I come within 10 feet of my car, GM, to do me big favors, will automatically open the door, start the engine, and put the transmission into Drive. Crash, tinkle, tinkle, catch fire, burn, burn down the garage, the house, and the two houses in the neighborhood down wind. All to do me a favor.

        Microsoft, in two words — stop it.

        Your new features? No thanks. I no more want your new features than I want to let in a dog with fleas, the Black Death, ticks, and Lyme disease.

        Microsoft, with your outrageously horrible history of computer security, no way can I trust your software to read data on removable media.

        Why? First rule of computer security: Never permit data from an untrusted source to be treated as software. Second rule: Never permit questionable software, e.g., anything from Microsoft, that might have absurd software errors, e.g., outrageously incompetent, irresponsible, and dangerous buffer overflows, to read data from an untrusted source. So, right away, with removable media, Microsoft insists that I violate these first two rules. I’m torqued.

        There have been e-mail security problems: Got to be working really hard to get security problems from e-mail. Why? All of e-mail, i.e., based on SMTP, POP3, etc. is just simple text. For multimedia, pictures, sounds, etc., it’s all just simple a-z, A-Z, and 0-9 text in just old ASCII.

        Can receive such e-mail with just the old program Telnet that outputs what looks like just simple typing.

        Got to work really hard to get security problems from that situation, but apparently Microsoft long did.

        Similarly for HTTP and HTML — we’re talking just a simple way of sending data that is just simple text with just a simple text formatting markup language, but, still, Microsoft found ways to create massive computer security problems with it. IIRC one of the worst problems was Microsoft’s ActiveX where any HTML file could contain an executable program with full applications capabilities on Windows that Microsoft’s Web browser leaped to run automatically. Outrageously bad security hole. Unbelievable.

        I’m totally torqued, outraged, at the security vulnerabilities in, say, Windows.

        Really, net, we should be able to run any applications software at all, any list of bytes, at all, with complete safety. AFAIK we’ve been at or close to that on various operating systems in the past. That more recently far too much of the industry has ignored that level of security is a total bummer.

        With virtual machines, containers, more use of the classics of capabilities and access control lists, etc., maybe we will get caught up.

        So, for now, Windows 10 looks to me like a sprawling new barn with a lot of unlocked doors. Maybe a barn with 100 all new walls and 10 unlocked doors per wall. Bummer.

        Sorry, Nadella, with the emphasis on nifty, new, anticipate what I want features, the outrageous phone home data leaks, the unbelievable appropriation of users’ computers in essentially a Tor network as a means of distributing Windows 10, the horrible record of Microsoft on computer security, the horrible record of Microsoft on being clear on how to set, save, and restore system options, maybe as in your ads you can get children on Windows 10, but you have a really big rock to push up a really big hill for me to touch a Windows 10 system. And Windows 10 on a mobile device? LOL.

        Set, save, restore options? My e-mail is from Outlook 2003. Just this month I finally learned that I could and how to click and click and set, save, and restore the list of blocked e-mail addresses and domain names. It’s nice. And I have the list saved. Sure, to get the list I had to read it into Notepad and copy it to the clipboard and pull it into my favorite editor just to be able to read the list, but it’s nice. Documented? Got to be kidding.

    2. Jess Bachman

      What’s to stop anyone from just typing in “key whatever” and retrieving the pw?

      1. sigmaalgebra

        They’d need either physical access to my computer, which, thus, is not mobile, or have managed to get some serious malware onto my computer.

  8. JimHirshfield

    Well, speaking of passwords… i.e. security… We’re living in the age of Feature Fail Friday, what with the Uber and Ashley Madison leaks… the US Gov’t hacks… Sony a while back. It’s all for the taking, no matter what your password policy is.

      1. JimHirshfield

        Yes. Protect people, not the data, right?

        1. William Mougayar

          Yes

    1. Jess Bachman

      When sunglasses become illegal.

      1. Twain Twain

        You didn’t mention eye transplants! Did you see the ‘EyeScan spiders’ scene?

        1. Jess Bachman

          Forgot about that! Can’t wait for this future…. “Hello .. Mr Bachman, your eyes look red today, might be you interested in an extra large bag of Funyuns?”

          1. Twain Twain

            You forgot the words… “FREE Funyuns, no strings.” Not even strings of “string theory of Blockchain” type!!!

  9. JTio

    I love Authy. I use it over Google Authenticator. However I for one hope that something like SQRL becomes the standard for authentication soon.

  10. Twain Twain

    Splashdata’s analysis of over 3.3 million leaked passwords from users in North America and Western Europe.

    1. LE

      To me the list is suspect that splashdata compiles. For example “football” being new and “mustang” being new. “Football” because it’s a well known common password and contrarily no particular reason why “mustang” or “michael” would appear out of the blue (as opposed to the others some of which make sense).

  11. LE

    One potential issue with using authy (and thinking you are all warm and fuzzy and well protected) is that it needs to contact api.authy.com in order to be able to do its thing. However when setting it up (at least in the video I just watched about ssh and using authy) they give you the option of being able to not use 2 factor if api.authy.com can’t be contacted. I will assume the setup for other options is similar although I didn’t check.

    https://www.authy.com/integ…

    As such you are confronted with two choices:

    1) Always require the authy api to be able to be contacted and therefore potentially not be able to login if that is not available.

    2) Choose the option to be able to login if the api is not available which means opening up the possibility of removing the two factor by something as simple (and there are other ways) as changing DNS (for a particular user or for authy) in order to force that option.

    Note: This is off the top, I haven’t tested this and haven’t run through all the scenarios….
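The two set-up choices in the comment above, as an added example that is not Authy's code and not part of the original thread: a login gate that calls a second-factor verification service and either refuses the login (fail-closed) or lets it through (fail-open) when the service cannot be reached. The point for a defender is that a fail-open login is a one-factor login, so it has to be recorded and alerted on rather than treated as a success. All function and field names, and the stand-in services, are this example's own constructions.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, List


@dataclass
class Decision:
    allowed: bool
    reason: str
    bypassed: bool   # True when login proceeded without a verified second factor


def second_factor_gate(check_otp: Callable[[str], bool], otp: str, fail_open: bool) -> Decision:
    """Decide one login attempt.

    check_otp is whatever talks to the verification service (for Authy that
    would be api.authy.com); it raises ConnectionError when unreachable.
    """
    try:
        ok = check_otp(otp)
    except ConnectionError as exc:
        if fail_open:
            # Choice 2 in the comment: the account is now guarded by the
            # password alone, so the event is flagged for the audit log.
            return Decision(True, f"verification service unreachable ({exc}); fail-open", bypassed=True)
        # Choice 1: no reachable service, no login.
        return Decision(False, f"verification service unreachable ({exc}); fail-closed", bypassed=False)
    if ok:
        return Decision(True, "second factor verified", bypassed=False)
    return Decision(False, "second factor rejected", bypassed=False)


def bypass_alert(decisions: List[Decision], threshold: int = 1) -> bool:
    """Detection rule for a fail-open deployment: alert once `threshold`
    logins have gone through with the second factor bypassed. Bypasses that
    appear while the service is otherwise healthy are the signal to chase."""
    return sum(1 for d in decisions if d.bypassed) >= threshold


# --- constructed stand-ins for the verification service (not Authy's API) ---

def unreachable_service(_otp: str) -> bool:
    raise ConnectionError("api.authy.com: name resolution failed")


def make_stub_service(valid_code: str) -> Callable[[str], bool]:
    def check(otp: str) -> bool:
        return hmac.compare_digest(otp, valid_code)
    return check


if __name__ == "__main__":
    good = make_stub_service("123456")
    for fail_open in (False, True):
        d = second_factor_gate(unreachable_service, "123456", fail_open)
        print(f"fail_open={fail_open}: allowed={d.allowed} bypassed={d.bypassed} ({d.reason})")
    log = [second_factor_gate(unreachable_service, "123456", True)]
    print("alert:", bypass_alert(log))
```

With fail-closed the only cost of an outage is availability; with fail-open the cost is silent loss of the second factor unless the `bypassed` flag reaches a log and an alert.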

  12. pointsnfigures

    Security is huuggggje as Trump would say. There were people on the Ashley Madison list that never signed up for it! I think I get 5-7 phishing emails per day.

  13. Mike O'Horo

    We’re fans of 1password. There’s nothing to remember except your master password, which is a sentence that is meaningful enough to you that you won’t forget.

  14. Pete Griffiths

    ‘ensure’ not ‘insure’

  15. sigmaalgebra

    I’ve seen a lot of pain, “barbed wire enemas”, in computing, but that little way of handling passwords is as nice as one of the pretty girls at my local ice cream stand handing me a banana split!

    Sure, my Web browser stores and inserts a lot of passwords, but sometimes I need to enter one. So, I type something like

        key faceb pw

    Then the password is right there. Then a little editor macro puts the password on the system clipboard, and then I paste it into the specified single line text box. Works fine. No pain.

    The editor macro is GPS for global put to the clipboard with leading and trailing blanks stripped off.

    Ah, for the macro:

        /* GPS.KEX: put the current line, blanks stripped, on the clipboard */
        Parse Arg all
        macroName = 'GPS.KEX'
        line = curline.3()                 /* text of the current line */
        line = Strip(line)                 /* drop leading and trailing blanks */
        'clipboard put' line
        'msg' macroName': Put ===>>>'line'<<<=== on clipboard'
        Return

    Dirt simple. I have 187 more such macros I wrote for my text editor!

  16. sigmaalgebra

    Yup, in love with KEdit. It and Firefox compete for the most time with my eyeballs.

    By far my most important work is with just KEdit.

    Why? I stay with simple characters, 8 bit bytes, mostly the first 127 of those which are just the old ASCII characters.

    And I put a lot of emphasis on just simple text files.

    Why? Solve a big Tower of Babel problem.

    Also, POP3 e-mail and HTML are essentially just such text.

    My technical writing goes into Knuth’s TeX, and it is just simple text, sure, from KEdit. Most of my posts to AVC, Hacker News, etc. are just from KEdit.

    My most important work is writing software, and it, of course, is just simple text, right, from KEdit.

    And the software log files? Yup, simple text, analyzed with KEdit.

    On and on.

    Works great.

    My guess at why Notepad was so bad is that Gates clearly saw that a good text editor would greatly reduce the need for a lot of software that otherwise he could sell for big bucks.

  17. sigmaalgebra

    KEdit is my Swiss army knife in the woods. Or it’s my French chef’s knife and cutting board in the kitchen. With that analogy, to me Microsoft Word is some contraption for slicing tomatoes, chopping onions, shredding cabbage, peeling carrots, etc. that takes 10 minutes to set up, often doesn’t work, costs a lot of money, needs a lot of maintenance, and is next to impossible to clean. An old theme is that a good worker needs good tools and is careful about the tools they use.

    For Excel, sure, I use it. I have the 2003 version, and it’s plenty fancy for me. I won’t use it for computations — way too slow and clumsy. But I do use it for drawing graphs. I don’t like it, but I do use it. In time I will get a good subroutine library I can call from some procedural programming language and use that to develop graphs.

    But, now, for a graph, I use whatever software and KEdit to prepare the input data as just blank separated values in a simple flat ASCII file and then have Excel import the file and draw the graph. That’s all I want from Excel, and in time I won’t want even that.

  18. sigmaalgebra

    Thanks. I’ve added your suggestion to my main place to keep such things!

    There I also see old entries on some graphing packages that run on R, Python, etc.

    To do just one graph a month, okay, just use and curse at Excel. When I want 100 graphs a week, after I have it all set up, just from typing just one command line, then, sure Matlab, R, Python, etc.

    Yes, there’s a VBA or some such to automate Excel, but it seems that Microsoft no longer wants to encourage people to use that.

    Microsoft has a compiled Python they call Iron Python, and it likely also has access to .NET, etc.

    And I guess there’s a chance I’d try to use SVG via HTML.

    Ah, before seeing how to do 100 graphs a week from just one command, need to get the data for 100 graphs a week — back to it!

    Thanks.