Two-factor authentication?
Is there any way to enable two-factor authentication (preferably TOTP, or Time-based One-Time Password)?
- GarryRicketson
- Posts: 5644
- Joined: 2015-01-20 22:16
- Location: Durango, Mexico
Re: Two-factor authentication?
Yes there are ways to do that.
"What we expect you have already Done"
==========
Old Website
======================
For the Birds
==================
What Does a Parrot Know About PTSD?
Re: Two-factor authentication?
GarryRicketson wrote: Yes there are ways to do that.
Hmm, I tried going under Profile -> Edit account settings, but couldn't find anything there.
- GarryRicketson
- Posts: 5644
- Joined: 2015-01-20 22:16
- Location: Durango, Mexico
Re: Two-factor authentication?
Oh, you mean here on this forum, no we don't use that. I did do a search for you, well not just for you, for myself as well, from what I read in the search results, this so-called 2 factor authentication is done with apps, specially written for some devices, and you can set up a 2 factor authentication method for your device, PC, etc,... it is mostly used on mobile devices, such as phones. There was a lot of information in the search results, sufficient to answer your question:
Post by chaanakya » 2019-06-02 12:23: Is there any way to enable two-factor authentication ---snip--- ? (preferably TOTP, or Time-based One-Time Password)
Yes there are ways to do this.
I did not go into that part when I searched, since I really do not have much interest in this, but I am sure if you do some searches you can get more details and info,...
Any way, fortunately this forum does not use that and make things overly complicated, there is no need for it here.
Re: Two-factor authentication?
Quote: Any way, fortunately this forum does not use that and make things overly complicated, there is no need for it here.
I thoroughly and respectfully disagree. Given the frequency of hacks at this point in time, it seems prudent to enable 2FA for any web service which allows it. This includes things like email accounts and bank accounts (obviously), but imho, every service should offer 2FA. I've been going through all my accounts and turning on 2FA if it exists and requesting it if it doesn't, and this was part of that.
- Head_on_a_Stick
- Posts: 14114
- Joined: 2014-06-01 17:46
- Location: London, England
- Has thanked: 81 times
- Been thanked: 133 times
Re: Two-factor authentication?
We don't even provide https here, what makes you think 2FA is a possibility?
deadbang
Re: Two-factor authentication?
Yeah, that's fair. I guess I'm just tired of websites taking data security as a joke.
Generating HTTPS certificates is free with Let's Encrypt. I'm sure 2FA is a little more complicated (I've never set it up on my end, unlike HTTPS), but like...that's my next task on the sites I control.
I don't get this attitude of "Let's (basically) not worry at all about security" (and it's far from just this site...I've submitted so many emails over the last couple of hours it's kind of ridiculous).
- GarryRicketson
- Posts: 5644
- Joined: 2015-01-20 22:16
- Location: Durango, Mexico
Re: Two-factor authentication?
For example,...Like the recent things at GitHub? https did not do them any good, and then there is Facebook, they are https, and also even offer an app for 2-factor authentication, but can they be trusted?
A good attitude would be: Do what you want with your sites, ones that you control, and don't worry about the others, let them do what they want.
So what is the solution ?
Quote: ----but imho, every service should offer 2FA. I've been going through all my accounts and turning on 2FA if it exists and requesting it if it doesn't, and this was part of that.
Do you propose some law or rule, that requires all sites to do what you think is best, and if they don't obey, spam them with e-mails, and posts like this until they do ?
Quote: I don't get this attitude of "Let's (basically) not worry at all about security"
Nobody has this attitude here, ....that is one reason I avoid using sites with "Let's pretend to be secure," types of false security. However it is impossible to really avoid all the corrupted and non secure sites online nowadays, which is why I concentrated on keeping my system here at home as secure as I can, and am careful to not put anything online, anywhere, if I don't want the rest of the world to have access to it.
Good topic for trolls though, thanks for sharing. Bye
Re: Two-factor authentication?
GarryRicketson wrote: For example,...Like the recent things at GitHub? https did not do them any good, and then there is Facebook, they are https, and also even offer an app for 2-factor authentication, but can they be trusted?
I presume you're talking about this? That has nothing to do with Github's security practices, though.
Let me be clear: HTTPS and 2FA are not silver bullets. But they certainly make compromising accounts much harder.
GarryRicketson wrote: A good attitude would be: Do what you want with your sites, ones that you control, and don't worry about the others, let them do what they want. So what is the solution ?
Sure, except someone else's shitty data security has the potential to compromise my data. I could just stop using any service that doesn't provide 2FA, but I don't think that's productive. Instead, I think it's reasonable to ask services that don't have it yet to consider it, and that's why I opened this thread.
GarryRicketson wrote: Do you propose some law or rule, that requires all sites to do what you think is best, and if they don't obey, spam them with e-mails, and posts like this until they do ?
Who said anything about laws? And it's not what I think is best - 2FA has pretty much become the accepted practice, especially at this point, given how frequent data breaches are.
GarryRicketson wrote: Nobody has this attitude here, ....that is one reason I avoid using sites with "Let's pretend to be secure," types of false security. However it is impossible to really avoid all the corrupted and non secure sites online nowadays, which is why I concentrated on keeping my system here at home as secure as I can, and am careful to not put anything online, anywhere, if I don't want the rest of the world to have access to it. Good topic for trolls though, thanks for sharing. Bye
Please don't speak for other people. And HTTPS and 2FA aren't just security theatre. HTTPS makes MITM attacks harder and prevents packet-snooping. 2FA is actually useful in preventing large-scale password breaches from actually yielding anything (assuming it's implemented correctly - SMS-based 2FA is fairly insecure, since texts can "easily" be intercepted - TOTP and U2F/WebAuthn are fairly secure).
Also, it's not really that hard to avoid non-HTTPS sites. 99.9% of the sites I visit are HTTPS-enabled. It's at the point where I can enable HTTPS Everywhere's EASE (Encrypt All Sites Eligible) mode and not have to worry.
Also, no, I'm not a troll, just a concerned user. It scares me that people still have this kind of mentality, to be honest. HTTP sites are vulnerable to phishing attacks. All traffic is plain-text and thus susceptible to interception and packet-sniffing. To intentionally ignore that and call HTTPS false security is bullshit. It's not a silver bullet, but HTTPS does protect against a whole class of attacks, which is good.
In the same way, 2FA similarly protects against a whole class of attacks. A password is no longer sufficient to gain access to an account, and that has real, material security benefits. You can't just wave that away as "security theatre" or "false security".
Re: Two-factor authentication?
chaanakya, i like your approach about https
all major distro forums are https
but here, just forget it, many times it has been brought up by lot of concerned users to no avail
having said that what data of yours are you concerned about? all the posts are publicly available as it is. if u referring to your profile data then you can obfuscate it, i am sure no one is going to ring ur door bell to verify your location
i dont think its an issue if anyone intercepts what is posted here, it is already available publicly
Re: Two-factor authentication?
sickpig wrote: having said that what data of yours are you concerned about? all the posts are publicly available as it is. if u referring to your profile data then you can obfuscate it, i am sure no one is going to ring ur door bell to verify your location
Honestly, in my case I'm not too worried, since I've taken the proper precautions (unique password for each site, generating passwords using my password manager, etc). But I'm fairly sure many users here (as with most users anywhere) are reusing usernames and passwords (or emails and passwords as the case may be), which means that most of the users are in danger of having their credentials sniffed or MITM'd. I still can't get over the fact that a user here said that HTTPS gives a "false sense of security".
In the same way, 2FA protects their account should their password be hacked on another site which isn't using HTTPS or stores their passwords in plaintext or stores their passwords without hashing them (making them vulnerable to rainbow table attacks) or stores them with insecure hashing algorithms (MD5/SHA1) or any number of shitty things that are outside of the user's control.
It's absurd that the forum isn't doing all it can to prevent abuse of compromised credentials.
Re: Two-factor authentication?
ooh i hadn't thought at all about same username and passwords on multiple sites!! thanks, i might change my password here then
but 2fa would be overkill if it makes me fidget with my phone before logging in, just username and password is convenient i think, with https though, as u pointed out, but that ship has sailed i have added it to the list of things i cant have in life
Re: Two-factor authentication?
sickpig wrote: but 2fa would be overkill if it makes me fidget with my phone before logging in, just username and password is convenient i think, with https though, as u pointed out, but that ship has sailed i have added it to the list of things i cant have in life
But...there really isn't any other way to prevent abuse of compromised credentials as far as I can tell.
Unfortunately, from what I can tell, it's probably likely that any reasonably secure 2FA method would require the forum to move to HTTPS, and that ship, as you said, has sailed. I genuinely don't get it (just serve it both on HTTP and HTTPS and allow the HTTPS users to set up 2FA), but it's pretty clear that at least some of the admins here don't care about protecting users from shitty decisions.
But it's not even just about the users, right? Because compromised accounts = more spam. Cutting down on how compromised accounts can be used would also cut down on spam, which is always a good thing.
/shrug I don't know. To me, it seems to be a no-brainer, but it looks like at least some people on here have reservations about taking even the most basic steps towards better security.
- GarryRicketson
- Posts: 5644
- Joined: 2015-01-20 22:16
- Location: Durango, Mexico
Re: Two-factor authentication?
Well, the biggest problem, and this includes better methods of filtering and blocking spammers, no one here has the administrative permissions or access, to the server, so even if anyone wanted to change forum software, and using something that does have the 2 factor authentication, or add ssl certificates, etc. Well there is no active admin here that could do that.
The only active admin we have, 4D696B65 only has limited permission, and access. But 4D696B65 does the best he can, I certainly appreciate everything he does do.
You say you are not a troll, but first you ask a question, it was answered,
chaanakya wrote: Is there any way to enable two-factor authentication (preferably TOTP, or Time-based One-Time Password)?
======
GarryRicketson wrote: Yes there are ways to do that.
And then you come back, without even a thank you, and start bashing us, the team members here, we do the very best we can, with very limited tools, etc. And almost never a thank you or anything.
by chaanakya » But it's not even just about the users, right? Because compromised accounts = more spam. Cutting down on how compromised accounts can be used would also cut down on spam, which is always a good thing. /shrug I don't know. To me, it seems to be a no-brainer, but it looks like at least some people on here have reservations about taking even the most basic steps towards better security.
It is not because no one knows how to install an ssl certificate, or even modify the existing forum software, to use 2 factor authentication, it is not because anyone has reservations about doing these things. No one here has the authority or permissions to make any kind of changes on the server that hosts this forum, nor the forum software.
In any event, thank you for visiting, and telling us what is wrong with us and the forum,
Now, would you do us all a favour and go troll another forum.. please.
Re: Two-factor authentication?
I was asking that question about this forum. I very much know that 2FA is a thing in general (I just set it up for a bunch of my accounts). So no, that initial reply wasn't actually helpful.
I wasn't trying to bash you or the other team members. You responded with an assertion (that 2FA and HTTPS give a false sense of security) and I felt that that was an unfair representation of the measurable improvements in security both of those bring, so I responded. Sorry if it felt personal - I did not intend for it to come across that way.
I honestly wasn't aware that no one who visits the forum has the required permissions, thank you for making that clear. Why not just say that in the beginning rather than trying to make the argument that 2FA (and, indeed, HTTPS) give a false sense of security (a claim which is demonstrably false)?
Anyway, maybe it's worth putting that last statement somewhere in the FAQ or a pinned post or something, so that everyone's aware of that when posting what are essentially RFE (requests for enhancement).
Re: Two-factor authentication?
GarryRicketson wrote: we do the very best we can, with very limited tools, etc. And almost never a thank you or anything.
thank you GarryRicketson
your other post about apt-netselect helped me find the closest mirror near to my location. I did not comment there because if u reply to an old post u get heckled for necromancy.
- GarryRicketson
- Posts: 5644
- Joined: 2015-01-20 22:16
- Location: Durango, Mexico
Re: Two-factor authentication?
Head_on_a_Stick wrote: We don't even provide https here, what makes you think 2FA is a possibility?
There is an extension for phpBB, but it still is in development, it is not recommended for any production sites, yet.
https://www.phpbb.com/community/viewtop ... 6&start=45
Anyway, I appreciate the fact that the server owner at least keeps the server running, and allows us to have the forum. It might not be the best "soup kitchen" in town, but anyway, at least it is available. And easy to access. There is nothing more frustrating than trying to get on-line, and access some so-called support forum, but you can't, because your system is very crippled, the clock / and date is not set and you don't know how to set it,...., or some other problem, that triggers the ssl malware to block you, ...so anyway, I appreciate what we have here, and am comfortable with the way it is, makes me sad when I see that others simply do not appreciate it, of course they can always go somewhere else to beg for a free meal, or pay for more secure services, that offer good technical support.
Re: Two-factor authentication?
GarryRicketson wrote: There is an extension for phpBB, but it still is in development, it is not recommended for any production sites, yet.
Yeah, I saw that. And as you said, it's not recommended for production sites yet.
I honestly don't know what the options are in terms of phpBB, I just thought it was worth looking into.
And I very much appreciate that the forum is still running and it's useful and everything. As I said initially, I'm frustrated when websites don't take security seriously and end up jeopardizing their users in the process, which is what drove me to make this post in the first place.
As for the clock setting preventing you from accessing the site, that could easily be fixed by providing both an HTTP and an HTTPS version of the site (no automatic redirect). This way, people could go to the secure version if they are able to and could fall back to the insecure version if everything's screwed up. And no, ssl isn't "malware". Transport security is very much necessary, especially in the case of login.
I genuinely don't get why you are being so derisive towards me when I am simply trying to make suggestions to make the site more secure. I have tried to be as polite as possible when responding, and it's very frustrating to be told to essentially f*ck off.
I appreciate the forum as it is, but that doesn't mean it's perfect or that there aren't improvements that can be made. It's very disconcerting to be told that I either must like the forum exactly as it is or I should leave. If so, what's the point of this entire category/subforum/forum/whatever it's called? Why not just relabel it "self-congratulation"?
Look, I understand y'all work hard, and it's often a thankless role. You probably have tons of people yelling at you and you probably need to answer the same damn questions all the time. I get it. But I've been nothing but polite in responding to you and have tried to respond to your points rather than attack you personally, and it feels like you're not extending the same courtesy to me, which is disheartening.
- GarryRicketson
- Posts: 5644
- Joined: 2015-01-20 22:16
- Location: Durango, Mexico
Re: Two-factor authentication?
Oh, well, sorry about that, so anyway, thank you for your suggestions, and ideas, and taking the time to share here. You are right, and I apologize for my bad attitude, I will try to do better in the future.
Re: Two-factor authentication?
As long as a 2FA is unavailable, you could look into requiring new people who register to answer one question like "In what city are the United Nations located?" with the correct answer "New York".
That is good enough for robots to fail and people worldwide to answer correctly, at least if they speak English. A lot of spammers who register seem to have no grasp of the English language...