How storing passwords let hackers bypass two factor authentication

  • Published 17 May 2024
  • Somehow my main channel got hacked again.
    Not sure how they got in, but I realized letting my browser store passwords was a big mistake that made it much easier for the hackers.
    Check if you are still subscribed to my main channel:
    / matthiaswandel

COMMENTS • 882

  • @dylan-weber
    @dylan-weber 2 months ago +269

    If a hacker got control of your machine remotely, the security key still cannot be used remotely. All security keys have a button and/or fingerprint sensor that must be pressed to authenticate/sign in. It would likely be the best two factor option, and you don't have to keep the key plugged in all the time either.

    • @matthiasrandomstuff2221
      @matthiasrandomstuff2221 2 months ago +97

      That button is a great idea. Maybe I'll buy one then.

    • @dylan-weber
      @dylan-weber 2 months ago +18

      And furthermore, a password manager on your phone that backs up to storage of your choice would be resilient to someone getting control of your PC.

    • @SmithyScotland
      @SmithyScotland 2 months ago +45

      Buy at least 2. One you use day to day, one you only use if the first one is lost. Maybe even add a 3rd from a different vendor

    • @PiotrKubiak
      @PiotrKubiak 2 months ago +26

      @@matthiasrandomstuff2221 From the security standpoint, you actually don't even need the button, you simply unplug the key when you're not trying to log in. An attacker can't plug it back in remotely.

    • @TuxraGamer
      @TuxraGamer 2 months ago +8

      If somebody got a hold of your whole PC remotely, you do have a bunch of worse things to look into, lol

  • @bluegizmo1983
    @bluegizmo1983 2 months ago +190

    One of the first things I've always done when setting up a new computer is turning on "show file extensions". That one simple step basically eliminates falling for these executables disguised as PDF files, or any other file disguised as something it's not.

    • @matthiasrandomstuff2221
      @matthiasrandomstuff2221 2 months ago +15

      I turned it on after the reinstall. Then turned it off again. I do a lot of renaming files, and having to cursor around the file extensions every time really got in the way.

    • @tuber0tuber
      @tuber0tuber 2 months ago

      @@matthiasrandomstuff2221 Total Commander cycles the file rename selection highlight between with and without the extension when you press the F2 key. TC also has a multi-rename tool with regular expressions and other neat features. Microsoft PowerToys has a similar tool called PowerRename.

    • @eduardog3000
      @eduardog3000 2 months ago +72

      @@matthiasrandomstuff2221 When you go to rename a file it highlights just the name by default. You can either type out the new name or use the arrow keys to move the pointer. Shift+arrow key to select a range of text.

    • @JV-pu8kx
      @JV-pu8kx 2 months ago +109

      Hiding the file extension is one of the most idiotic "features" ever!

    • @laboulesdebleu8335
      @laboulesdebleu8335 2 months ago +19

      Shouldn't be. If you slow-double-click a filename (or F2) then it should just highlight the name and not the extension -- start typing or paste in your preferred filename and hit , job done. If you're bulk renaming, you should be using BRU to do the job(s).
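
The hidden-extension trick this thread describes (an executable named to look like a PDF when Explorer hides known extensions) can be caught mechanically. The script below is an added example written for this page, not code from the video or from any commenter: it reconstructs what Explorer would display and flags names whose real extension is executable while the visible name ends in a document extension. The executable and document extension lists and the sample file names are constructed assumptions, and it goes slightly beyond the comment by also catching names padded with spaces to push the real extension out of view.

```python
# Added example for this page (not from the video or the comment thread):
# reconstruct what Windows Explorer shows with "hide extensions for known file
# types" on, and flag names that use that hiding to pose as documents.
import os

# Extensions Windows runs on double-click. Assumed, non-exhaustive list.
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".pif", ".vbs",
                   ".js", ".jse", ".wsf", ".hta", ".msi", ".lnk"}
# Extensions a user reads as harmless documents or media. Assumed list.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt",
                 ".jpg", ".jpeg", ".png", ".zip"}

# Constructed sample directory listing.
SAMPLE_NAMES = [
    "invoice.pdf.exe",                  # classic double extension
    "holiday_photo.JPG.scr",            # screensaver masquerading as an image
    "invoice.pdf                .exe",  # spaces push the real extension out of view
    "invoice.pdf",                      # genuine document
    "setup.exe",                        # honest executable
    "archive.tar.gz",                   # double extension that is not deceptive
]


def displayed_name(filename: str) -> str:
    """Name as shown with extensions hidden: the final extension is dropped."""
    stem, ext = os.path.splitext(filename)
    return stem if ext else filename


def is_deceptive(filename: str) -> bool:
    """True when the real extension is executable but the visible name ends in a document extension."""
    stem, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE_EXTS:
        return False
    # The stem is exactly what the user sees; strip padding so "pdf   " still reads as ".pdf".
    _, shown_ext = os.path.splitext(stem)
    return shown_ext.strip().lower() in DOCUMENT_EXTS


def triage(filenames) -> list:
    """Return the names a user should be warned about, in listing order."""
    return [name for name in filenames if is_deceptive(name)]


if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        flag = "SUSPICIOUS" if is_deceptive(name) else "ok"
        print(f"{flag:10} shown as {displayed_name(name)!r:40} real name {name!r}")
```

Turning on "show file extensions" makes the `displayed_name` column identical to the real name, which is exactly why the comment recommends it; the check here is what a mail gateway or download scanner can do on the user's behalf when that setting is off.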

  • @nathanlucas6465
    @nathanlucas6465 2 months ago +50

    A family member used to have a small notebook by their computer with the front cover clearly labelled "passwords" and I suggested that it might not be the most secure way of storing them. The book was then re-labelled "not passwords" 🤔

    • @xerr0n
      @xerr0n 2 months ago +7

      having a physical media for password storage is nice , but it should be out of sight as well, especially not under a webcamera.
      also "Not" Passwords soo screams "Passwords, come look!"

    • @EIRE55
      @EIRE55 1 month ago +1

      Your comment creased me up............and I'm still giggling at it.😄😆😂

    • @Must-yb3in
      @Must-yb3in 1 hour ago

      What a smart move 🤓

  • @pfsmith01
    @pfsmith01 2 months ago +33

    This is a serious lack of forethought on Google's part. The possibility of losing your phone is NOT a good reason to make disabling 2FA so easy. Losing your phone is a separate problem and should have its own ways of recovery regardless of your YouTube security. Removing 2FA should ALWAYS require 2FA confirmation if not MORE (e.g. security questions, 2FA phone, AND secondary e-mail).

  • @TheBookDoctor
    @TheBookDoctor 2 months ago +28

    Not to be "that guy" or anything, but this is exactly why I don't let browsers store passwords or credit cards or anything else like that for me. I don't blame people for using those convenience features, but I do blame the browser makers for not doing more to educate users about the security tradeoff they're making when using those features.

    • @matthiasrandomstuff2221
      @matthiasrandomstuff2221 2 months ago +14

      at the very least, it should have suggested I set a master password or something like that. I didn't even know there was a master password.

    • @corey_nz
      @corey_nz 2 months ago +2

      I have never used the inbuilt browser password store for the reason of if someone can get onto my computer, they can just log in to things. I had NEVER considered that the password store could be copied and then used remotely in the manner used here 😞

    • @9SMTM6
      @9SMTM6 2 months ago

      Chromium actually uses the system Keychain if available, these days.
      It's just that to my knowledge windows doesn't have one.
      But at least on Linux it does.
      The Keychain is encrypted on disk, -and AFAIK their decrypted memory is protected using all kinds of tricks that are available on the OS and by the CPU-

    • @BillAnt
      @BillAnt 2 months ago +2

      All the browsers would have to do is encrypt the password and auto-fill vault by requiring a master password which opens it for a specific length of time then locks it automatically.

    • @Jeff-xy7fv
      @Jeff-xy7fv 2 months ago +4

      In general, whether in the context of computers or not: The price of security is convenience, and the price of convenience is security.

  • @Dries007BE
    @Dries007BE 2 months ago +140

    IMO disabling 2FA should be a ~24h lockout operation, where it requires you either input the code or wait for the timeout to expire before it takes effect. That would be already a step in the right direction.

    • @cklamNL
      @cklamNL 2 months ago +5

      Doesn't really help when the owner doesn't know that he has been hacked. Hackers can just start hijacking after the timeout elapsed.

    • @Martin-pb7ts
      @Martin-pb7ts 2 months ago +25

      @@cklamNL Usually emails and other alerts are sent when someone tries to switch off 2FA.

    • @Dries007BE
      @Dries007BE 2 months ago +6

      @@cklamNL This should obviously trigger emails and notifications, I already get those if a new device logs in, let alone someone changes a password or 2FA...

    • @eDoc2020
      @eDoc2020 2 months ago +1

      @@Dries007BE That doesn't do much for the typical YT user whose email is under the same Google account. The attacker could just delete the security notification. It would work for entirely separate services.

    • @joshgordonclan
      @joshgordonclan 2 months ago

      I've said a similar thing about Twitter and Verified accounts. Changing the "name" or "display name" on a verified Twitter account should automatically flag it for review...
      Granted this was before Twitter let anyone pay for "verification".

  • @fusinfun
    @fusinfun 2 months ago +50

    many of the hardware encryption keys require physical interaction specifically to break the link of "left attached to a compromised computer"

    • @gi1rim
      @gi1rim 2 months ago

      Keepass or keepassxc is an offline / self hosted password manager that supports syncing on most platforms

  • @jeffreybernath6627
    @jeffreybernath6627 2 months ago +17

    Matthias, thank you for pointing out that people had unsubscribed to your main channel! I had done that while it was hacked, and didn't realize that it was YOUR channel I was unsubscribing from. I love your videos, and I've re-subscribed!

  • @NateVolker
    @NateVolker 2 months ago +107

    Most password managers require you to type in a master password any time you want to access something stored in it - and all the data inside of it is stored in an encrypted format. Essentially the same as storing your passwords in an encrypted file, but with a browser plug-in to make it more user friendly

    • @benbencom
      @benbencom 2 months ago

      Bitwarden has a nice feature that lets you mark particularly sensitive passwords (or credit cards) as requiring the master password every time. So you can have a more relaxed unlock rule for most things to avoid the hassle.

    • @NoCoolNamesRemain
      @NoCoolNamesRemain 2 months ago +10

      Firefox has this built in but it is oddly turned off by default.

    • @JimmyKip
      @JimmyKip 2 months ago +5

      That's mostly true; except typically you'll only need the master password to open it - essentially a key to decrypt. For many of the ones I've used once they're open, they're open until you close them.

    • @Guishan_Lingyou
      @Guishan_Lingyou 2 months ago +1

      @@NoCoolNamesRemain I had it turned on and then when I updated Firefox, it was turned off. Took me a while to notice.

    • @ArchiveAmerica
      @ArchiveAmerica 2 months ago

      If I wanted access to as many people's data as possible, I'd create a service exactly like that and bait people into actually PAYING ME to collect it all with the master passwords I make them type into my site. Governments have been intercepting, copying and routing information since before the days of wax seals. Now people actually pay them billions to do it.

  • @joe-edward
    @joe-edward 2 months ago +38

    QUESTION: Firefox has a feature called a Primary Password. If enabled, Firefox will not show usernames, passwords, or saved payment info unless and until that password is entered, and it will ask for it every time Firefox resets. My question is: a) did you have that set? b) can a session hijacking attack circumvent that?
    Glad you're back in business.

    • @eduardog3000
      @eduardog3000 2 months ago +4

      Primary Password encrypts your stored password on the disk, so they wouldn’t be able to get those.
      But session hijacking would still work as that session data is what authorizes you to use the account without typing your password for every request. Browsers could maybe do a better job of protecting that data, but at some point it needs to be unencrypted and someone with access to your computer would be able to see it.
      Someone gaining access to your computer is about the worst possible security failure. If that happens, any other measures can only go so far. Diligence is important.

    • @jpa3141
      @jpa3141 2 months ago +2

      When Firefox is running and master password has been entered, a malicious process can try to get the password from process memory.

    • @U20E0
      @U20E0 2 months ago

      @@jpa3141 Absolutely nothing is safe from that attack. Or nothing that current OSs support anyway.
      ( i believe macOS actually has the basic capabilities to mitigate this, but it doesn't )

    • @nikkopt
      @nikkopt 2 months ago

      @@jpa3141 yes but that affects every password manager or every program for that matter, unless it encrypts the contents in memory. If malware gains admin access to your machine, it can do pretty much anything. Even if you don't use a password manager, it can log the keys you press. Only way to prevent this is by using a good anti virus software and having basic common sense.

    • @nikkopt
      @nikkopt 2 months ago

      It's what I use. Firefox as my password manager. With a good master password to prevent brute force attack to the database, it's a decent password manager if you use the browser on all devices.

  • @joe-edward
    @joe-edward 2 months ago +14

    Both times your channel got hacked, I went on a "Matthias watching binge." I am literally so familiar with how you built your router table with built in dust collection, I could probably recite it. Almost the same with your 26" bandsaw wheel making video. Again, glad you're safe and back to secure.

  • @Tokaisho1
    @Tokaisho1 2 months ago +11

    I had unsubscribed the first time not realising who it was, but have resubscribed, glad you got things fixed up

  • @cdsmith
    @cdsmith 2 months ago +41

    A hardware device like the YubiKey requires that you touch the key to do a login. So even if you leave it plugged into a USB and the computer running, and hackers take over the PC remotely, they can't touch the key to activate it.

    • @matthiasrandomstuff2221
      @matthiasrandomstuff2221 2 months ago +24

      Just looking at buying one now for that very reason!

    • @christoffereide2403
      @christoffereide2403 2 months ago +13

      You need two (one for backup)

    • @hArDsTyLe2259
      @hArDsTyLe2259 2 months ago +14

      Yea make sure to buy 2 and set them both up together just in case you loose or break one of them

    • @rabbitez
      @rabbitez 2 months ago

      @@matthiasrandomstuff2221 I use keepass. Like lastpass etc but open source and locally hosted.

    • @neilhughes3823
      @neilhughes3823 2 months ago

      @@hArDsTyLe2259 if you loosen one you could always tie it back up again.

  • @Guishan_Lingyou
    @Guishan_Lingyou 2 months ago +7

    Thank you for taking the time to share your experience so that the rest of us have a better chance of avoiding your woes.

  • @PG-zq3jg
    @PG-zq3jg 2 months ago +1

    Reminds me of a conversation I had on Reddit where several people called me an idiot for keeping a password book and extolled the many virtues of password managers. "What if someone steals your book" blah blah. Clearly getting your session info hijacked is a much more meaningful threat.

  • @jshet
    @jshet 2 months ago

    I did unsubscribe initially but saw your video on here and resubscribed. Commenting just to increase visibility. Thank you for making great content all of these years. ❤

  • @WisconsinAdventures
    @WisconsinAdventures 2 months ago +4

    Matthias, thanks for the heads-up about being unsubbed to your main channel. I was one of those people, I have re subbed! :)

    • @matthiasrandomstuff2221
      @matthiasrandomstuff2221 2 months ago +2

      I'll be curious how many re-subs I'll get. Will have to check analytics in a day or two.

  • @johnford7847
    @johnford7847 2 months ago +2

    Very interesting discussion - both on the video and in the comments. Thanks for sharing, Matthias, and good luck avoiding the third time. :)

  • @AC-iz7eh
    @AC-iz7eh 2 months ago

    Happy to hear you got your channel back!

  • @P_RO_
    @P_RO_ 2 months ago

    Thank you for the explanation Matthias. As another Firefox user now I know what I need to do. I never realized how many "holes" there are for bad guys to get into.

  • @riakata
    @riakata 2 months ago +4

    You have to enable advanced protection to get those security features because for normal users it can be quite annoying if they travel and get tons of security questions. Yubikey is also very nice you have to enter a prompt. Also credit cards do have hardware security it is in the chip part. The pin you have for Canadian credit cards actually encrypts the card data.

  • @UnrivaledPiercer
    @UnrivaledPiercer 2 months ago +3

    "Most people don't watch videos to the end."
    I guess I am not most people! Hi Matthias!

  • @eduardog3000
    @eduardog3000 2 months ago +31

    On top of what others have said, you can also host your own instance of BitWarden. Turn a spare computer into a Linux server and run BitWarden on it then point the browser extension to your server’s IP. From there the extension will no longer use BitWarden servers.
    Of course you have to make sure your server is secure, but since it’s on a separate computer it’s safe from your computer being compromised. Unless you have an active ssh session to it, but that should be rare and can even be never if you just plug a monitor and kbm into the server.

    • @PaulG.x
      @PaulG.x 2 months ago

      Or use KeepassXC.
      I just sync the database across devices using Syncthing. There is no need to sync on-line for a password manager.

    • @guiorgy
      @guiorgy 2 months ago +1

      Was gonna say that, and honestly, using a Docker container template and Portainer (a web GUI manager for Docker containers) made it pretty easy to setup, even though it was my first time doing something like that

    • @nascheme
      @nascheme 2 months ago +4

      Running your own Bitwarden server doesn't help much in terms of security. Bitwarden encrypts everything on the client side so even if the server is exploited, no secrets can be revealed. You have to trust your local machine and the local Bitwarden app or extension. As Matthias says, if your local machine is compromised, it's kind of game over already. If you don't trust the Bitwarden software, you shouldn't use it at all. A hardware key like a Yubi-key or U2F key does help, as people mentioned. For the roughly $40 they cost, they are worth it, IMHO.

    • @FAB1150
      @FAB1150 2 months ago +1

      @@nascheme Bitwarden is open source and pretty big in the cyber security space, so I'd trust it more than a random password manager as everyone can audit the code for vulnerabilities, and fix them (and they do)
      The good thing about password manager programs is that they ask you for a master password (that you can secure how you like) before automatically entering the website's password, making it impossible to do stuff such as disabling 2fa like they did here. Session hijacking would still work of course, but it would "only" end there and they wouldn't have been able to change his password for example.

    • @JivanPal
      @JivanPal 2 months ago

      Self-hosting Bitwarden is overkill for anyone not competent enough to securely administer their own server. Just make an account on the main Bitwarden site, your data is still end-to-end encrypted.

  • @ZenWithKen
    @ZenWithKen 2 months ago +4

    Windows 11 has a feature called Windows Sandbox. It looks and feels like a standard windows box, but is completely dismantled when you end your session. I'd suggest doing your sensitive work through that. Even if the sandbox gets compromised, there is no other info for the bad actors to gather and your host does not need to be reloaded. Couple that with two factor on the host computer or your phone and it becomes very hard to compromise overall. The usb keys with the button are also solid solutions.

  • @GizmoBeetle
    @GizmoBeetle 2 months ago +1

    6:55 Spot on, thanks for suggesting that we check! I remember unsubscribing from a weird crypto thing, wondering how it got in my feed in the first place. Now I see it was your main channel and I just re-subscribed

  • @AquaCone
    @AquaCone 2 months ago

    You got me back as a subscriber by pointing out that I may have unsubscribed from the hacked channel....which is exactly what happened!

  • @myspacespam
    @myspacespam 2 months ago +17

    Some USB security keys require you to physically touch a button on the key each time to access the credential. That would prevent someone from remotely accessing your machine from accessing a USB security device.

    • @suisse0a0
      @suisse0a0 2 months ago

      Google started to go the next way with FIDO2 by allowing a cellphone to be a keypass which can be a middle ground.

    • @peli71
      @peli71 2 months ago +1

      Yes, a good practice is using multiple-factor authentication (instead of multiple-step authentication), using at least 2 factors as a combination from: 1. Something you know (password) 2. Something you have (some hardware with a key) 3. Something you are (retina/iris, fingerprint, gesture, heartbeat etc.) 4. Somewhere you are.
      BTW a password should not be ‘difficult’ with limited various characters but with high entropy (very long such as a password phrase)

    • @ulwur
      @ulwur 2 months ago

      Two-factor is cool and i love and use it. But it still wont stop session cookies from being stolen.
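
Several comments on this page (the first reply thread, @cdsmith's comment, and @myspacespam's thread just above) make the same point: a security key that requires a touch cannot be driven by someone controlling the PC remotely. On the server side that guarantee is enforced by the relying party checking the user-presence (UP) flag in the WebAuthn authenticator data. The code below is an added example, not the page's own material nor any vendor's or library's implementation: it parses the fixed 37-byte prefix of authenticatorData (rpIdHash, flags, signature counter) and applies the relying-party checks that depend on it. The signature verification over the assertion is omitted, and the relying-party id `example.com` and the sample authenticator data are constructed.

```python
# Added example for this page, not code from any authenticator vendor or
# relying-party library: parse the fixed prefix of WebAuthn authenticatorData
# and apply the relying-party checks that make a "touch to sign" key useful.
import hashlib
import struct

FLAG_USER_PRESENT = 0x01    # UP: the key's button/sensor was touched
FLAG_USER_VERIFIED = 0x04   # UV: PIN or biometric was also checked


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the 37-byte fixed prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte fixed prefix")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_USER_PRESENT),
        "user_verified": bool(flags & FLAG_USER_VERIFIED),
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def check_assertion(auth_data: bytes, rp_id: str, last_sign_count: int,
                    require_uv: bool = False) -> tuple:
    """Relying-party checks on an assertion's authenticatorData.

    Signature verification over authData || SHA-256(clientDataJSON) is deliberately
    omitted; this shows only the checks that depend on the flags and counter.
    Returns (accepted, reason).
    """
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if not parsed["user_present"]:
        # This is the check that defeats remote use of a plugged-in key:
        # without a physical touch the authenticator does not set UP.
        return False, "user presence (UP) flag not set"
    if require_uv and not parsed["user_verified"]:
        return False, "user verification (UV) required but not performed"
    # A counter of 0 means the authenticator does not implement one; otherwise it must increase.
    if parsed["sign_count"] != 0 and parsed["sign_count"] <= last_sign_count:
        return False, "signature counter did not increase (possible cloned authenticator)"
    return True, "ok"


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a constructed authenticatorData prefix for testing (not real authenticator output)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)


if __name__ == "__main__":
    rp = "example.com"  # constructed relying-party id
    touched = make_auth_data(rp, FLAG_USER_PRESENT, 5)
    untouched = make_auth_data(rp, 0x00, 6)
    print("touched key:", check_assertion(touched, rp, last_sign_count=4))
    print("no touch:   ", check_assertion(untouched, rp, last_sign_count=5))
```

The UP check is the server-side half of the argument made in the comments: the key only sets that bit after a physical touch, and a relying party that insists on it will reject any assertion a remote attacker could coax out of a key left plugged in.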

  • @JadarDev
    @JadarDev 2 months ago

    Good point on the password manager considerations.
    Also, initially I did unsubscribe before I realized what had happened, and I went back and resubbed so that I would be subscribed when you recovered it.

  • @Jgreb314
    @Jgreb314 2 months ago

    Thank you for sharing such a detailed breakdown of the situation! I'm sure it was immensely frustrating but I appreciate the transparency!

  • @techydiy
    @techydiy 2 months ago +6

    Google's advanced protection program might be worth considering.

  • @brody2642
    @brody2642 2 months ago

    Thanks Matthias, I’ve been needing to completely overhaul my security and this was a wake up call.
    I had an old coworker who was the victim of a SIM Swap attack and it was absolutely devastating. He purchased a new phone thinking it was okay, only for the hackers to regain access.

  • @matthewmarcoux
    @matthewmarcoux 2 months ago +1

    Some of the password managers allow you to self host. Plus you can salt the entries. Also keep IDs AND passwords unique for accounts.

  • @Snowsea-gs4wu
    @Snowsea-gs4wu 2 months ago

    So I was unsubscribed! Now resubscribed and I was actually missing your content, thanks for the video!

  • @Mountain-Man-3000
    @Mountain-Man-3000 2 months ago +1

    Thanks for keeping us updated and pointing out things like this. Constant vigilance is important.

  • @ro_yo_mi
    @ro_yo_mi 2 months ago

    These kinds of problems suck, but it's helpful to raise awareness. Thank you.

  • @cygnusx7
    @cygnusx7 2 months ago +4

    If you use a password manager with a browser plugin to automatically fill in the passwords, make sure to have it require a PIN to unlock the database each time you want to use it, or at least each time after restarting/unlocking the PC. If you run a high risk, like you apparently do, you should have it require the PIN (or even more secure, a security key) each time you use it (with a few minutes timeout).

    • @GuardiansFX
      @GuardiansFX 2 months ago

      Same here, keepassxc and works like a charm

  • @LifeBloom12
    @LifeBloom12 2 months ago +1

    I watch all your videos to the end and I'm glad you are back in your account👍

  • @Request_2_PANic
    @Request_2_PANic 2 months ago

    My brother told me to unsubscribe, but I was skeptical about it since I know I wouldn't have subscribed to begin with if the channel was supposed to be just crypto, so I resubscribed within minutes. Only after looking through my list of channels did I realize it was your channel; I looked it up, saw the channel and found your video on this channel.

  • @suisse0a0
    @suisse0a0 2 months ago +10

    "I should be able to turn it [2FA] off without my phone, but, well, what if I lost my phone I still need to get rid of it right? so I guess it does make some sense" Nope, it still makes no sense in a security manner. Either you need to contact the company (which "isn't secure" most of the time), or you have a backup 2FA: like unique recovery codes or a second emergency 2fa setup

    • @matthiasrandomstuff2221
      @matthiasrandomstuff2221 2 months ago +2

      A lot of time it just asks me to confirm the login on my iPad (that's logged in). That would have saved me. I suspect YouTube will eventually take a few simple measures to make these hacks much less likely to succeed

    • @SammysHP
      @SammysHP 2 months ago +6

      Absolutely true! All 2FA methods should have some secure way of renewing/changing it in case the current method is unavailable. Usually it's done with recovery codes that can be used to reset it.
      Allowing to disable 2FA without actually verifying a 2FA method is a major security issue.

    • @Beakerbite
      @Beakerbite 2 months ago +3

      @@SammysHP It doesn't need to be fully secure, but it should be clunky, annoying, and slow. Meanwhile you should be getting blasted with alerts that someone is trying to do that to your account. That way you can get back in, but alarm bells are sounding and allow you to block the process.

    • @paulkoopmans4620
      @paulkoopmans4620 2 months ago

      ​@@matthiasrandomstuff2221 they haven't done ANYTHING for the last 5 years while this is an ever growing problem. I have seen it in three people I am subscribed to. Google is a billion dollar company. They have the money and technical resources to do what you suggested. I am sorry to say it but their priorities are lying elsewhere. They don't care about the creators and viewers at all! They only care about their ads revenue.

  • @John_C_J
    @John_C_J 2 months ago +27

    Did not know there was even a main channel. I subscribed for the random stuff only...

    • @a33795
      @a33795 2 months ago +6

      oh my sweet summer child

    • @Koushakur
      @Koushakur 2 months ago +2

      How the heck would you even find this channel without going through the main one??

    • @aluced
      @aluced 2 months ago

      @@Koushakur Recommendations. I didn't know Matthias' main channel before the hack.

    • @Martin_IA
      @Martin_IA 2 months ago +5

      @@Koushakur It came to me in a fortune cookie

    • @John_C_J
      @John_C_J 2 months ago +7

      @@Koushakur The best fan placement video got recommended to me... It has a decent 6.5M views now.

  • @LeesChannel
    @LeesChannel 2 months ago

    I very nearly unsubscribed when I saw the scam video... but I paused and thought as I hovered over the video, and clicked "Not Interested" instead. After I saw someone else post a screenshot of the same vid on twitter, I knew what happened. I'm glad that I didn't unsubscribe, but I hope hitting "Not Interested" didn't affect your discoverability for future uploads.

  • @Konzertheld
    @Konzertheld 2 months ago +1

    I like that you mentioned the credit cards. When spying out data in real life was relevant (think putting cameras on ATMs), putting the three digits on the back was a great idea. A lot of credit card issuers now put the three digits on the front next to the 16 digit card number and I have absolutely no clue why.

    • @briandeschene8424
      @briandeschene8424 2 months ago

      Cheaper to print the parts that are unique to your card all on one side than have to do so on both sides.

    • @getl0st
      @getl0st 1 month ago

      They do it on purpose to create the problems to convince people to go into things like Central Bank Digital Currencies.
      Once you realize that they Money we currently use is FAKE, everything starts to make a lot more sense

  • @deephell6456
    @deephell6456 2 months ago

    Thaannkkkk you, for pointing it out: people need to finally stop storing passwords in their browsers. It was always a very bad idea and just because of laziness

  • @Jer_Schmidt
    @Jer_Schmidt 2 months ago

    Looks like I’m one of the people who unsubbed, so I’m glad I watched this one! Thanks for the education.

  • @harryragland7840
    @harryragland7840 2 months ago +1

    The Dell Monitor at 7:51 looks like a Dell P2210T or one like it. Those have a barrel jack to provide 12V to the optional sound bar. I have similar monitors that I use for Raspberry Pis. A 3D printed bracket clips into the monitor's sound bar tabs and holds the Pi and a buck converter which plugs into the barrel jack.

  • @_Steven_S
    @_Steven_S 2 months ago +8

    The fail on Google's part is allowing 2FA/2SV to be turned off without a second factor being presented. Defeats the whole objective.

    • @Jubijub
      @Jubijub 2 months ago

      It’s a trade-off. Yes, in this case it didn’t help. But consider the genuine loss / destruction of your phone: being able to remove the 2FA with an “active” session prevents people from being forever locked out of their account. No solution is perfect.

    • @eaty7dhu
      @eaty7dhu 2 months ago +1

      This and only this. No matter if you use a 'hw security key with a user action/touch requirement'. I store my passwords on an almost air-gapped raspberry that 'types' in the passwords, just like if I've been using the keyboard, using a serial port link. This only protects you if password is being asked to turn off 2FA (which is the case for google).
      TL;DR: Get your password off your computer. No matter if it's encrypted.

    • @eDoc2020
      @eDoc2020 2 months ago

      @@Jubijub Google pushes you to add a backup authentication method every time you log in.
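
Three threads on this page (@pfsmith01's, @Dries007BE's and @_Steven_S's just above) converge on the same design: turning off 2FA should demand a freshly presented second factor, and when none is available it should take effect only after a delay, with alerts so the owner can cancel it. The code below is an added example of that policy, written for this page and not taken from Google, YouTube or any commenter. The TOTP secret, the 5-minute step-up window and the 24-hour cooling-off value are constructed assumptions (the 24 h figure follows @Dries007BE's suggestion), and the alert list stands in for e-mail or push notifications sent to a separate address or device.

```python
# Added example, not from the comment thread nor any Google/YouTube code: a
# minimal account model in which disabling 2FA needs either a freshly presented
# second factor (step-up) or a cooling-off period, with an alert either way.
import hashlib
import hmac
import secrets
import struct

DISABLE_DELAY_SECONDS = 24 * 60 * 60  # cooling-off period; value assumed from the thread
FRESH_FACTOR_WINDOW = 5 * 60          # how recent a second-factor check must be; assumption


def totp(secret: bytes, now: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1, used here as the account's second factor."""
    counter = int(now) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class Account:
    def __init__(self, totp_secret: bytes):
        self.totp_secret = totp_secret
        self.mfa_enabled = True
        self.pending_disable_at = None  # epoch seconds when a delayed disable takes effect
        self.alerts = []                # would go to an out-of-band address or device
        self.sessions = {}              # token -> time the second factor was last presented

    def login_with_password(self, now: float) -> str:
        """Password-only login; a copy of this token is what session hijacking yields."""
        token = secrets.token_hex(16)
        self.sessions[token] = None
        return token

    def present_second_factor(self, token: str, code: str, now: float) -> bool:
        """Step-up: record the time a correct TOTP code was shown for this session."""
        if token not in self.sessions:
            return False
        if hmac.compare_digest(code, totp(self.totp_secret, now)):
            self.sessions[token] = now
            return True
        return False

    def request_disable_mfa(self, token: str, now: float) -> str:
        """Disable 2FA at once only after a fresh second factor; otherwise start the delay."""
        if token not in self.sessions:
            raise PermissionError("no such session")
        last = self.sessions[token]
        if last is not None and now - last <= FRESH_FACTOR_WINDOW:
            self.mfa_enabled = False
            self.alerts.append((now, "2FA disabled after step-up verification"))
            return "disabled"
        self.pending_disable_at = now + DISABLE_DELAY_SECONDS
        self.alerts.append((now, "2FA disable requested WITHOUT a second factor; "
                                 "takes effect after the cooling-off period unless cancelled"))
        return "pending"

    def cancel_pending_disable(self, now: float) -> None:
        """The owner, alerted out of band, stops a disable they did not ask for."""
        self.pending_disable_at = None
        self.alerts.append((now, "pending 2FA disable cancelled"))

    def apply_pending(self, now: float) -> bool:
        """Run periodically; returns True if a delayed disable took effect."""
        if self.pending_disable_at is not None and now >= self.pending_disable_at:
            self.mfa_enabled = False
            self.pending_disable_at = None
            self.alerts.append((now, "2FA disabled after cooling-off period"))
            return True
        return False

    def logout(self, token: str) -> None:
        """Explicit logout invalidates the server-side session, so a stolen token stops working."""
        self.sessions.pop(token, None)


if __name__ == "__main__":
    secret = b"12345678901234567890"  # constructed demo secret (the RFC 6238 test-vector key)
    acct = Account(secret)
    stolen = acct.login_with_password(1000.0)
    print(acct.request_disable_mfa(stolen, 1000.0), acct.alerts[-1][1])
    acct.cancel_pending_disable(1000.0 + 600)
    owner = acct.login_with_password(2000.0)
    acct.present_second_factor(owner, totp(secret, 2000.0), 2000.0)
    print(acct.request_disable_mfa(owner, 2100.0), acct.mfa_enabled)
```

With this policy a hijacked session alone can only start the clock and trigger an alert; the immediate path exists only for someone who can produce the second factor now, which addresses the "what if I lost my phone" case @Jubijub raises without removing the factor from the decision.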

  • @jeffireland2363
    @jeffireland2363 2 months ago

    Re-subscribed to main channel.
    Cheers for the heads up

  • @Dave--FkTheDeepstate
    @Dave--FkTheDeepstate 2 months ago +1

    Thanks for sharing, Matthias.
    1. Are you running Windows? Did it ask you if you want to run this executable?
    2. What kind of anti-virus program do you use? Might have prevented the exe file from running...?
    Not sure if this would have helped, but...
    3. Do you use the Brave web browser? It has auto java script (and ad) blocking, built in.
    FYI, you can add the ScriptSafe extension on Firefox & Chrome browsers to automatically block Javascripts from all websites until you whitelist them.
    PS - I'm still subscribed to your main channel.
    PPS - I use uBlock Origins add-on on Firefox & Chrome web browsers to block all ads, on all websites.

  • @PolarisHorizon
    @PolarisHorizon 2 months ago

    I was one of your subscribers who uses the subscription feed and immediately unsubscribed from the cryptoscam channel that suddenly showed up. I was puzzled by how it got there and then I saw your 2nd channel video, so I checked it out and resubscribed later when I saw that this was why.

  • @eh42
    @eh42 2 months ago +26

    Suggestion: Password manager for a random hard to remember password prefix, and then you type in a common, reasonably cryptic suffix that you have memorized. All passwords are different, hard bits are stored in cloud where you can use them anywhere, but are useless without knowing your suffix.

    • @peli71
      @peli71 2 months ago +2

      Never have faith in such mechanisms. As there are neat tools for key analysis

    • @skaruts
      @skaruts 2 months ago +1

      @@peli71 no system is without faults. But if you have keyloggers in your computer, then no system will protect your passwords.

    • @rabbit6872
      @rabbit6872 2 months ago +5

      A suffix might work, but if you know a target's email address it's usually not too hard to find a dump of passwords people have used at sites that have been compromised, and if I compared your list to one of those I'd find out the suffix.

  • @steveroberts1861
    @steveroberts1861 2 months ago +1

    Keepass appears to be a good password manager.

  • @bradleybateman
    @bradleybateman 2 months ago

    Glad I stuck around in the video. I was one of those people who un-subbed.

  • @What_I_Make
    @What_I_Make 2 months ago

    I usually watch interesting videos till the end :)

  • @JonnyDIY
    @JonnyDIY 2 months ago +1

    Thanks for sharing Matthias. 7:58 Whats the name of that PC? I need a new one. Thanks 👍

    • @matthiasrandomstuff2221
      @matthiasrandomstuff2221 2 months ago +2

      a refurbished Lenovo off Amazon. core i4 2017 generation. went for it cause not too old. can do 4K video

    • @JonnyDIY
      @JonnyDIY 2 months ago

      @matthiasrandomstuff2221 Awesome, thanks so much Matthias 🙌👍

  • @ecliptix1
    @ecliptix1 2 months ago

    I did unsubscribe from that channel and thought it was strange at the time; I didn't bother digging deeper to see that it was your main channel. Anyway, resubbed now, thanks for the heads up.

  • @johnfithian-franks8276
    @johnfithian-franks8276 2 months ago

    Just checked and still subscribed to both channels, and yes, I do watch to the end of a video.

  • @OverUnity7734
    @OverUnity7734 2 months ago +5

    7:45
    I was able to get my old computer to boot off USB by burning a program to CD called PLOP V 5.0.15. Once PLOP is running you tell it what USB port to boot from. Works great. For my computer I had to go into the PLOP settings and set "force USB mode 1.1" to make it work.

    • @eDoc2020
      @eDoc2020 2 months ago +2

      Plop is nice but doesn't always work reliably on old PCs. Matthias' PC is clearly new enough that it should flawlessly support USB boot, I wonder why he was having problems.

    • @xerr0n
      @xerr0n 2 months ago +1

      If it's not an ancient computer I just use Ventoy; it's a really easy setup.
      It sets itself up as a middleman for a list of ISOs you put into its "iso" folder.
      Boot it up and then run the selected ISO, rather nice and easy.
      It has a network version as well, so it could be used with another computer over PXE.

    • @JivanPal
      @JivanPal 2 months ago

      @xerr0n Ventoy is just a custom bootloader designed for some convenience features. If the machine can't boot from USB drives at all in the first place, Ventoy is useless.

  • @bwillan
    @bwillan 2 months ago

    It is good security practice to physically log out of websites when you are done. This will help with session key hijacking. Also, using a random password manager helps quite a bit.

  • @vallejokid1968
    @vallejokid1968 2 months ago

    Thanks for mentioning checking the main channel. I had indeed unsubscribed without realizing it was you. I figured I accidentally subscribed to something dumb. Sorry you had to deal with that mess.

  • @Watchyn_Yarwood
    @Watchyn_Yarwood 2 months ago

    Yep, I got unsubscribed from your main channel! And, I might add, I only buy refurbs now. For 20+ years I managed a company's IT and during that time I built from scratch every PC they had. Once upon a time, it was economically feasible. Not so much these days, hence my switch to refurbs. I built my last new one in 2021 and it will be my last build.

  • @cobralyoner
    @cobralyoner 2 months ago +5

    I think with all the things algorithms do in the background they should definitely be able to detect when an account gets hacked.

    • @YourFavouriteComment
      @YourFavouriteComment 2 months ago +2

      100%, if they wanted to. This is Google after all we are talking about, not some small website.

    • @m777howitzer4
      @m777howitzer4 2 months ago

      @YourFavouriteComment Exactly, which is why we have what we have.

  • @mrxmry3264
    @mrxmry3264 2 months ago +1

    Yeah, I unsubscribed both times, because I don't support criminals. But when you got your channel back, I re-subscribed.

  • @twosock3003
    @twosock3003 2 months ago

    Thanks for the update, I wasn't subscribed to the main channel.

  • @12345NoNamesLeft
    @12345NoNamesLeft 2 months ago

    Is there an advantage to uploading video on one dedicated machine and doing email and whatever else on another machine? Separation of functions?

  • @m777howitzer4
    @m777howitzer4 2 months ago

    Great analogy at 6:20. Thank you for your knowledge.

  • @mrx-in4xh
    @mrx-in4xh 2 months ago +1

    Matthias, I'm sure you've thought about this already, but as a long-time Windows user at work, now retired and using a Mac system, I've had zero issues since switching. It may only be pure luck but is that something you've considered? I also keep a copy of passwords (not evident to anyone who looks at them) on my iPhone which I can Airdrop directly to my Mac, using Bluetooth so the password does not go through a Cloud server.

    • @Rickmakes
      @Rickmakes 2 months ago

      Mac apps run in a sandbox, which should make them more secure. I figured Windows was doing something similar these days.

    • @JivanPal
      @JivanPal 2 months ago

      @Rickmakes This is false. iOS apps are sandboxed, but macOS apps are definitely not (unless you get them from the Mac App Store).

  • @wabbit234
    @wabbit234 2 months ago

    Haha, I thought this was your main channel and never actually knew about your main channel.

  • @BickDschoordsch
    @BickDschoordsch 2 months ago

    I wonder about your thoughts about the USB security key though. I have it on my keys and only insert it in the PC when needed. Additionally I need to physically touch it to work. So from my point of view, having control over my PC wouldn't be enough to use that method without my explicit permission.

  • @red58impala
    @red58impala 2 months ago +3

    Would using an OS like Linux for your uploads prevent things like this from happening? You could dual boot between Windows and Linux while also having a shared drive you can access your files from while in either OS. You would use Linux for uploading and any YouTube business-related activities. This would create an extra step, but if Linux is immune from these attacks this would provide an extra layer of protection.

    • @JivanPal
      @JivanPal 2 months ago

      Nothing is immune, but Windows is a massive target because of how prevalent it is, so the variety of attacks that have been developed for it is vast.
      The real question is how the computer became compromised in the first place. Depending on the cause, this may be just as likely to happen in other environments as it is on Windows.

  • @Ostap1974
    @Ostap1974 2 months ago

    Do I understand correctly that you did not change your password after the last attack? Or do you use a Firefox account to sync passwords that was used to get the new password? If yes, all your passwords are compromised.
    BTW, using a security key is safe in the sense that you need to physically touch it to activate it. The problem with the key is that you need two of them for backup and it is extremely inconvenient keeping them in sync.

  • @mdaymdaymday6
    @mdaymdaymday6 2 months ago +1

    I have done something similar with a password list. I write down well-formed-for-me hints and have the username or service the hint is for.
    For banks, they err on the side of decline, and have us confirm.

  • @earld1403
    @earld1403 2 months ago

    Regarding credit card fraud: they use different security protocols; the seller gets different levels of fees and different levels of fraud reimbursement after chargebacks depending on whether the card is used physically versus remotely (over the phone, etc.), since almost all cards now have a chip that provides rolling codes.
    For remote transactions they typically require the user's zip code, since that information is not stored on the card anywhere.
    And of course, they monitor remote transactions much more closely and will call if there are any large or multiple transactions occurring.

  • @gyorgybalassy
    @gyorgybalassy 2 months ago +1

    As the old saying goes, "If a bad guy can run code on your computer, it is not your computer any more".
    What do you think about using an offline file manager (e.g. KeePass) with a USB hardware key (e.g. YubiKey)?

  • @Llamarama100
    @Llamarama100 2 months ago

    You can get some fantastic deals on the used PC parts market; I haven't bought a new pre-built since 2006 when I got a Dell laptop.

  • @AccidentalScience
    @AccidentalScience 2 months ago

    Just a question Matthias: when you clicked on the fake PDF, didn't Windows ask you whether you agree to run that unknown program? That should be the typical behavior with downloaded files.

    • @JivanPal
      @JivanPal 2 months ago

      The PDF file format itself, and PDF readers, can contain vulnerabilities/bugs that can be exploited to execute arbitrary code without being actual executable files / programs themselves. Search "PDF arbitrary code execution" if you want to find some further reading on the subject.

  • @Tb64
    @Tb64 2 months ago

    I never trust any password storage, and if it's on the cloud that's even worse. Network attacks are much easier to do. I would say the best thing, as a programmer, is to make sure your auth system has real auditing.
    Just re-subbed to your main channel.

  • @muchmuchmore
    @muchmuchmore 2 months ago +3

    Safe manufacturers figured this out years ago with timed safes. Why not require a 48 hour delay before certain changes take place?

  • @terryboyle
    @terryboyle 2 months ago

    Thanks for this, just removed 325 passwords from Firefox.

  • @amisakie
    @amisakie 2 months ago +1

    I think having the password on paper like you have done is by far the most secure way. However, for me, I've been using a self-hosted Bitwarden server on a Pi-type device, which has worked very well for me.

    • @nicktecky55
      @nicktecky55 2 months ago +2

      I know it is different in the home environment, but that is one of the most common ways for security in office setups to be broken. People write their login details down on a label and stick it on the underside of their keyboard. Pizza delivery anyone? Sorry, wrong office.

  • @bobert6754
    @bobert6754 2 months ago

    "too much money for social media companies" is a hilarious sentence

  • @MMuraseofSandvich
    @MMuraseofSandvich 2 months ago +1

    "If somebody shows up with a different IP address and the same session"
    A legitimate user could be playing with his VPN settings, or they're using an anonymous service that keeps them from being tracked by malicious state actors.
    But they should be used to refreshing their session anyway, so yes, bad Google.

  • @Elnufo
    @Elnufo 2 months ago

    I checked and am still subscribed to your main. Cheers.

  • @KelikakuCoutin
    @KelikakuCoutin 2 months ago

    I never save passwords to any of my important accounts. I never let the sites I log onto "recognize" my computer either, so that I am always asked to use two-factor ID by the site I'm logging into. I don't use incognito or a VPN or proxy browser to log into most sites though, even though I do that with at least one site (use a proxy browser to log into a site).
    In any case. Thanks for the content.
    Keep up the good work.
    בס'ד

  • @gbeckowski
    @gbeckowski 2 months ago

    I think your idea about sites doing some form of session "deviation" check (watching for sudden changes in IP, location, etc.) has merit, similar to how credit card companies flag transactions when one is travelling (or not, if someone stole your card info). I suspect large sites, Google et al., would have no issue doing this since they already do similar deep scans on content and flag those.
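
An added example, not code from the video or from any of the commenters, showing the session-deviation check discussed in the two comments above (MMuraseofSandvich's point that a bare IP change may be a legitimate VPN switch, and gbeckowski's comparison with credit-card fraud flags). It runs over constructed log lines; the line format, the country field and the severity rules are assumptions for illustration, not any real provider's logic:

```python
"""Session-deviation detector over constructed request log lines.

Added illustration, not any real site's code: a session token that suddenly
appears from a new country or a different browser is a hijack candidate, while
a bare IP change may just be a VPN switch and only merits a notification.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed sample lines (not real traffic): time, session id, client IP,
# country code from a geo lookup, and a shortened user agent.
SAMPLE_LOG = """\
2024-05-17T10:00:01Z sess=A1 ip=203.0.113.10 cc=CA ua=Firefox/125
2024-05-17T10:05:12Z sess=A1 ip=203.0.113.10 cc=CA ua=Firefox/125
2024-05-17T10:07:40Z sess=A1 ip=198.51.100.7 cc=CA ua=Firefox/125
this line is deliberately malformed and must be skipped
2024-05-17T10:09:03Z sess=A1 ip=192.0.2.44 cc=RU ua=Chrome/124
2024-05-17T11:00:00Z sess=B2 ip=203.0.113.99 cc=CA ua=Safari/17
2024-05-17T11:02:00Z sess=B2 ip=203.0.113.99 cc=CA ua=Safari/17
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sess=(?P<sess>\S+) ip=(?P<ip>\S+) cc=(?P<cc>[A-Z]{2}) ua=(?P<ua>\S+)$"
)

# Changes that a VPN toggle cannot explain on its own; they force a re-login.
STRONG_SIGNALS = {"country_changed", "user_agent_changed"}


@dataclass
class Alert:
    time: str
    session: str
    reasons: Tuple[str, ...]
    action: str            # "notify" (soft signal) or "require_reauth" (hard signal)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one log line; returns None for lines that do not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(log_text: str) -> List[Alert]:
    """Compare every request with the previous one seen for the same session."""
    last_seen: Dict[str, Dict[str, str]] = {}
    alerts: List[Alert] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue                       # skip garbage instead of crashing
        prev = last_seen.get(ev["sess"])
        if prev is not None:
            reasons = [
                name for name, key in (("ip_changed", "ip"),
                                       ("country_changed", "cc"),
                                       ("user_agent_changed", "ua"))
                if ev[key] != prev[key]
            ]
            if reasons:
                action = "require_reauth" if STRONG_SIGNALS & set(reasons) else "notify"
                alerts.append(Alert(ev["ts"], ev["sess"], tuple(reasons), action))
        last_seen[ev["sess"]] = ev
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"{a.time} session {a.session}: {', '.join(a.reasons)} -> {a.action}")
```

On the sample, session A1 gets a "notify" when only its IP changes and a "require_reauth" when the same token shows up from another country in another browser, while B2 stays quiet. A real deployment would invalidate the session server-side at the hard signal, which is the "refresh their session" outcome the comment above accepts, and would compare against the client seen at login rather than only the previous request.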

  • @mully006
    @mully006 2 months ago

    I would recommend a password manager. I do not know about the vulnerability to hijacking via the session token, but all of your passwords are encrypted and stored securely. Even the online hosted ones will not compromise your passwords if their service gets hacked. There is a good Computerphile video on how they work.

    • @matthiasrandomstuff2221
      @matthiasrandomstuff2221  2 months ago

      The concern is that if my computer gets compromised, hackers may hijack that account.

  • @instanoodles
    @instanoodles 2 months ago

    For my important passwords I save fake ones and memorize the real passwords. Saving the passwords lets me know if I end up on a phishing page, because my saved credentials won't auto-fill, and I hope that if I ever get compromised it frustrates them.
    Use a Firefox master password. It's not bulletproof, because the encrypted password files can be brute-forced open since the encryption isn't that great, but at least it will slow them down.

  • @XDIY
    @XDIY 2 months ago

    Thank you for telling what happened and all the security risks 🤦‍♂️... good to have you back!

  • @sethjensen54
    @sethjensen54 2 months ago

    I was one who got unsubscribed. It’s all good, I’m resubscribed. Thanks for the warning.

  • @nater122
    @nater122 2 months ago +1

    Resubbed... thanks for the heads up. I am one of those that 1) watches their subscription feed and 2) watches videos to the end LOL

  • @cest7343
    @cest7343 2 months ago

    Thumbs up; before we know it he will have to become a security expert too. Matthias, did you consider switching entirely to GNU/Linux yet?

  • @liviuc1946
    @liviuc1946 2 months ago

    I use Google Password Manager thinking that those passwords would be encrypted; I haven't heard of a leak or scandal with that. How come Firefox doesn't use encryption for the password saving feature? Are we sure about that? In today's world, having a card with passwords you have to type in sounds unreasonable. I mean, I have about 120 passwords saved; do I put all of them on a card? Do I reuse some to keep the number lower?

  • @Paxmax
    @Paxmax 2 months ago

    The last two PCs (motherboard, memory, CPU) I've bought were used. The last two gaming graphics cards were also used. It's a gamble, but so far the stuff has been OK.
    To the contrary: the 4-generations-older graphics card I bought from a store, sold at a discount (but with full warranty) as "store demo or returned from customer", was not OK. Sadly I could not pinpoint/attribute the error to the graphics card in time. Sneaky error: of the (roughly) 50 games I ran, only 2 had issues like intermittent crashes. 4 years ago I figured out the issue in the GPU core by using OCCT. The damn card ran all 'visual' graphics stress programs.

  • @StingerBeeCo
    @StingerBeeCo 2 months ago

    I'm glad you said something, I somehow got unsubbed from your main channel. Cheers

  • @philo23
    @philo23 2 months ago

    A good password manager on Windows should be using a secure password input, which works similarly to the UAC prompts and runs in a separate Windows login session; that should basically be un-keyloggable. Excluding any physical hardware keyloggers, at which point you're kinda screwed already.
    I still reckon your plan of writing them down on a piece of paper is a better option though, just less convenient!

  • @advanceringnewholder
    @advanceringnewholder 2 months ago +22

    How tf did Google allow them to disable 2FA without reauthentication?

    • @matthiasrandomstuff2221
      @matthiasrandomstuff2221  2 months ago +12

      They just wanted the login session and the password. Yes, too easy.

    • @FFVoyager
      @FFVoyager 2 months ago

      @matthiasrandomstuff2221 Astonishingly easy. It really ought to require 2FA (or some sort of contact with Google support if you can't do that) to change it back!

    • @Musicdude14z
      @Musicdude14z 2 months ago +2

      I _think_ there's a notion of a "trusted device" that allows you to skip 2FA/MFA on auth.
      Consider checking if your main browser on your primary device is listed in the trusted device list and removing it. Then every login will require 2FA/MFA (IIRC).
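
An added example (not Google's code and not from the video or the commenters) of the step-up policy this thread and muchmuchmore's 48-hour-delay suggestion further up describe: a sensitive change is refused unless the session has passed a second factor within the last few minutes, the "trusted device" flag is deliberately not consulted, and disabling 2FA is scheduled rather than applied immediately, so the owner can cancel it during the cooling-off period. The action names, time windows and user names are constructed for illustration:

```python
"""Step-up authentication for sensitive account changes, with a cooling-off delay.

Hypothetical policy layer (not any real provider's code). A stolen session cookie
carries the login but cannot produce a fresh second-factor proof, so the sensitive
change stops at the policy even when the cookie is marked as a trusted device.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

SENSITIVE_ACTIONS = {"disable_2fa", "change_password", "change_recovery_email"}
REAUTH_WINDOW = timedelta(minutes=5)      # how fresh the second-factor proof must be
COOLING_OFF = timedelta(hours=48)         # delay before a 2FA disable takes effect


@dataclass
class Session:
    user: str
    trusted_device: bool = False           # deliberately ignored for sensitive actions
    last_second_factor_at: Optional[datetime] = None


@dataclass
class PendingChange:
    action: str
    requested_at: datetime
    effective_at: datetime
    cancelled: bool = False


class AccountPolicy:
    def __init__(self) -> None:
        self.pending: Dict[str, List[PendingChange]] = {}

    def authorize(self, session: Session, action: str, now: datetime) -> str:
        """Return 'allowed', 'scheduled' or 'step_up_required' for this request."""
        if action not in SENSITIVE_ACTIONS:
            return "allowed"
        proof = session.last_second_factor_at
        fresh = proof is not None and timedelta(0) <= now - proof <= REAUTH_WINDOW
        if not fresh:
            # No recent second factor on this session: ask for one, regardless of
            # whether the device is "trusted" or the password was just entered.
            return "step_up_required"
        if action == "disable_2fa":
            # Schedule instead of applying, so the owner gets a notification and a
            # window in which the still-active second factor lets them cancel it.
            self.pending.setdefault(session.user, []).append(
                PendingChange(action, now, now + COOLING_OFF))
            return "scheduled"
        return "allowed"

    def cancel_pending(self, user: str, action: str) -> int:
        """Cancel every pending change of this kind for the user; returns how many."""
        count = 0
        for change in self.pending.get(user, []):
            if change.action == action and not change.cancelled:
                change.cancelled = True
                count += 1
        return count

    def apply_due(self, user: str, now: datetime) -> List[str]:
        """Apply (and drop) changes whose cooling-off period has passed."""
        applied: List[str] = []
        remaining: List[PendingChange] = []
        for change in self.pending.get(user, []):
            if change.cancelled:
                continue
            if change.effective_at <= now:
                applied.append(change.action)
            else:
                remaining.append(change)
        self.pending[user] = remaining
        return applied


def demo() -> dict:
    """Walk through the flow on constructed sessions; returns each outcome."""
    policy = AccountPolicy()
    t0 = datetime(2024, 5, 17, 12, 0, 0)
    # Hijacked cookie: marked trusted, but it never passed a second factor.
    stolen = Session(user="alice", trusted_device=True)
    results = {"stolen_cookie": policy.authorize(stolen, "disable_2fa", t0)}
    # Real owner who just completed 2FA: the disable is scheduled, not applied.
    owner = Session(user="alice", last_second_factor_at=t0)
    results["owner_request"] = policy.authorize(owner, "disable_2fa", t0)
    results["after_1h"] = policy.apply_due("alice", t0 + timedelta(hours=1))
    results["after_49h"] = policy.apply_due("alice", t0 + timedelta(hours=49))
    # Cancellation path: the owner sees the notification and cancels in time.
    bob = Session(user="bob", last_second_factor_at=t0)
    policy.authorize(bob, "disable_2fa", t0)
    results["cancelled"] = policy.cancel_pending("bob", "disable_2fa")
    results["bob_after_49h"] = policy.apply_due("bob", t0 + timedelta(hours=49))
    # Proof older than the window: even the real owner must step up again.
    results["stale_proof"] = policy.authorize(
        bob, "change_password", t0 + timedelta(minutes=10))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The two controls are independent: the freshness check alone already blocks a session that was taken over without the second factor, and the cooling-off delay covers the case where the attacker did get past it somehow, because the notification and the cancel path give the owner a chance to act before the change lands.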

  • @vbertrand
    @vbertrand 2 months ago +1

    Ok, NOW I understand your answer to the comment I made on your main channel about being unsubscribed. Indeed, I did unsub from a weird-fake-money-scam channel. Never would've guessed how I was suddenly subbed to that. Now I know. Anyway, glad you were able to regain control, sir!

  • @MordecaiV
    @MordecaiV 2 months ago +5

    There's a neat bootable cd image that allows for booting from the USB on computers that don't support it.

    • @matthiasrandomstuff2221
      @matthiasrandomstuff2221  2 months ago +3

      Oh, knowing that would have helped!

    • @MordecaiV
      @MordecaiV 2 months ago

      @matthiasrandomstuff2221 The keywords to search for are "plop boot manager".

    • @MordecaiV
      @MordecaiV 2 months ago

      @matthiasrandomstuff2221 The name of it is plop bootloader.

    • @MordecaiV
      @MordecaiV 2 months ago

      @matthiasrandomstuff2221 For some reason, my further reply seems to not be here. The name of the boot manager that can do this is plop.

  • @darkwinter7395
    @darkwinter7395 2 months ago

    I use a password manager that keeps the passwords encrypted unless it's actually in the process of being used; and I have to unlock it every time I use it. I happen to have a Mac with TouchID, which makes this process more seamless, but 3rd party biometric hardware keys work also.

  • @AlexanderTES
    @AlexanderTES 2 months ago +1

    Indeed, if somebody manages to run malicious code on your computer, it's not your computer anymore; it's THEIR computer. I agree that even a pretty good password manager like KeePass may not be a solution in such a case.
    The only reasonable choice is to keep passwords in your head only, and to have a card with some hints which help you not to forget those passwords.

  • @scottb.2022
    @scottb.2022 2 months ago

    Nope, wasn't subscribed, but now I am again.