The new password craze...


Midwayman (Diamond Member, Jan 28, 2000)
How does that work with both apps installed on an Android device?

Say LastPass and Google Authenticator?

For example, I sign into Gmail on my phone, then GA sends me a text with a code, and I then copy/paste that code into GA. Soooo how does that keep somebody out of my Gmail or LastPass if my phone gets lost and they somehow get past my Droid login pattern?

Well, they need both your password and physical access to your authenticator device. That's a substantially higher bar than hacking/social engineering a PW. I only really use 2 factor in a couple places: 1) LastPass and 2) the email account all my PWs get reset to. If either of those got compromised I could really get screwed. However, it allows me to use really strong and, more importantly, unique passwords on every site. That way if one gets hacked, I only maybe lose that one site.

I don't really use the LP mobile app, but it looks like it works pretty much like the desktop. If you have 2 factor authentication on, the only way they can log in is with both the PW and the authentication code. Presumably if you have the phone, you have the code (and I would set it to trust the device for the authentication anyways). So someone steals your phone. They probably have access to your email if they get past your pattern lock. Fortunately 2 factor authentication allows you to revoke your Google-related PW unique to a device from any PC. Also you can revoke the LastPass authentication from the LastPass site, kill sessions even. So as long as you don't leave a thief with gobs of time to crack your hopefully somewhat secure PW, you can disable it once you notice your phone is gone.

So I figure you're pretty safe from an average theft at a bar, etc. It's unlikely you'll come up against someone who will have your passwords, and you can shut down anyone else. The biggest security risk is the email accounts you leave signed in and only a pattern lock away from access. They could use those to reset bank PWs. However, if your PW reset account is one that you don't use IMAP, etc., to sync, you'll probably avoid any real damage in a theft.

So yah, something like a password vault can be a vulnerability if you really expect a directed attack, even with 2 factor authentication. However, if you really expect that, I'm sure you have way more info on security than I do.
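The post above describes three things in prose: a login that needs both the password and a code from the authenticator, a "trust this device" shortcut, and revoking a device or killing sessions from another PC once the phone is gone. The following Python is an added example (not code from the post, LastPass or Google) that models exactly that flow. It assumes the app-generated code is a TOTP per RFC 6238 (the scheme authenticator apps use, which the quoted question conflates with the SMS code), a 30-second step with one step of clock drift tolerated, and a PBKDF2-hashed password; the account, device IDs and session tokens are constructed for the demonstration. The test vectors in the `__main__` block are the published RFC 4226/6238 ones for the ASCII secret `12345678901234567890`.

```python
import hashlib
import hmac
import secrets
import struct
import time


def hotp(secret, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


def totp(secret, at=None, step=30):
    """TOTP (RFC 6238): HOTP with the counter derived from the clock."""
    now = time.time() if at is None else at
    return hotp(secret, int(now // step))


def verify_totp(secret, code, at=None, step=30, window=1):
    """Accept the current code or one step either side to tolerate clock drift."""
    now = time.time() if at is None else at
    counter = int(now // step)
    for drift in range(-window, window + 1):
        if counter + drift < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter + drift), code):
            return True
    return False


class Account:
    """Password + second factor, with trusted devices and revocable sessions (constructed model)."""

    def __init__(self, password, totp_secret):
        self.salt = secrets.token_bytes(16)
        self.pw_hash = self._hash(password)
        self.totp_secret = totp_secret   # shared with the authenticator app at enrolment
        self.trusted_devices = set()     # device ids allowed to skip the code
        self.sessions = set()            # live session tokens

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, password, code=None, device_id=None, at=None):
        """Return a session token, or None. Needs the password AND (a trusted device OR a valid code)."""
        if not hmac.compare_digest(self._hash(password), self.pw_hash):
            return None
        second_factor_ok = device_id in self.trusted_devices or (
            code is not None and verify_totp(self.totp_secret, code, at))
        if not second_factor_ok:
            return None
        token = secrets.token_hex(16)
        self.sessions.add(token)
        return token

    def trust_device(self, device_id):
        self.trusted_devices.add(device_id)

    def revoke_device(self, device_id):
        """What the post calls revoking the device-specific access from any PC."""
        self.trusted_devices.discard(device_id)

    def kill_all_sessions(self):
        self.sessions.clear()

    def session_valid(self, token):
        return token in self.sessions


if __name__ == "__main__":
    SECRET = b"12345678901234567890"          # RFC 4226/6238 test secret
    print(hotp(SECRET, 0), hotp(SECRET, 1))   # 755224 287082 per the RFC tables
    acct = Account("correct horse battery", SECRET)
    print("password only:", acct.login("correct horse battery", at=59))
    tok = acct.login("correct horse battery", code=totp(SECRET, at=59), at=59)
    print("password + code:", tok is not None)
    acct.trust_device("phone-1")
    acct.revoke_device("phone-1")             # phone lost: revoke from another PC
    print("stolen trusted phone after revoke:",
          acct.login("correct horse battery", device_id="phone-1", at=59))
```

The point the post makes falls out of `login`: the thief who gets past the pattern lock holds the device (second factor) but not the password, and once the device is revoked and sessions are killed, even the device is no longer enough.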

Puppies04 (Diamond Member, Apr 25, 2011)
The worry isn't that someone will hack your bank's files and steal your login info. Banks are pretty secure.

The worry is that someone will hack some stupid lolzcatsbl0g.org site that uses simple md5 hashing or even just stores login information in plain text. They then notice that there's a "JamesV" user, with a "jamesv@gmail.com" email address and has used the password "ajskdlf;2013".

They then log in to gmail using "jamesv" and "ajskdlf;2013", then get all your other logins and passwords, including paypal and other such things.

You can't control whether a website uses plain text, md5, or bcrypt to hash their passwords, and you can't control which ones get hacked. You can control what passwords you use where. This is why using completely random 24-character passwords that are different for each site is the best way to go. These passwords are very resistant to brute force attacks, and even if the site stores it in plain text, they only have the password for that site.

Why would I use a 24 character unique password for lolzcatsbl0g.org? I would just use the word cat. Same for any other trivial site that has no banking details on it; as long as I don't replicate that password anywhere else, I don't see the point in going to the effort of making my www.funnypopcornpics.com password FGgthghssw732jd8329{{};@.
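The quoted explanation (a breached blog leaking "jamesv" / "ajskdlf;2013", then the same pair working on Gmail) and the reply ("cat" is fine on a trivial site as long as it is never reused) are two sides of the same property: what a leaked password from one site is worth depends only on whether it is reused elsewhere. This Python is an added example, not code from either poster, that makes both points concrete. It assumes the mail provider stores salted PBKDF2 hashes (a stand-in for the bcrypt the post mentions, chosen because it is in the standard library), and every account, password and breach dump in it is constructed. The `find_reused_passwords` audit is the check a password-vault user would actually run.

```python
import hashlib
import math
import secrets
import string
from collections import defaultdict

# Character set for generated passwords (assumption: letters, digits, punctuation).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=24):
    """Random, site-unique password drawn from a CSPRNG (the 24-char kind the post recommends)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Guessing entropy of a uniformly random password of this length, in bits."""
    return length * math.log2(alphabet_size)


def hash_password(password, salt=None, iterations=200_000):
    """Salted PBKDF2-HMAC-SHA256: the kind of storage you hope a site uses."""
    salt = secrets.token_bytes(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_password(password, record):
    salt, digest = record
    _, candidate = hash_password(password, salt)
    return secrets.compare_digest(candidate, digest)


def credential_stuffing_succeeds(leaked_password, store, username):
    """Would a password leaked from one site log in to the same username on another?"""
    record = store.get(username)
    return record is not None and verify_password(leaked_password, record)


def find_reused_passwords(vault):
    """Audit a vault {site: password}; return {password: [sites]} for every reused entry."""
    by_password = defaultdict(list)
    for site, pw in vault.items():
        by_password[pw].append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


# --- Constructed scenario -------------------------------------------------
SHARED = "ajskdlf;2013"          # the reused password from the post
UNIQUE = generate_password()     # a per-site random password

# Mail provider: one user reuses the blog password, one uses a unique random one.
MAIL_STORE = {
    "jamesv": hash_password(SHARED),
    "careful_user": hash_password(UNIQUE),
}

# The blog stored passwords in plain text and got breached (constructed dump).
BREACH_DUMP = {"jamesv": SHARED, "careful_user": "cat"}

if __name__ == "__main__":
    for user, leaked in BREACH_DUMP.items():
        print(user, "-> mail login with leaked password:",
              credential_stuffing_succeeds(leaked, MAIL_STORE, user))
    print(f"'cat': {entropy_bits(3, 26):.0f} bits; 24 random chars: {entropy_bits(24):.0f} bits")
    print(find_reused_passwords({"blog": SHARED, "mail": SHARED, "bank": UNIQUE}))
```

The output shows "jamesv" losing the mail account to a plain-text blog breach while "careful_user", who chose the three-letter "cat" for the blog, loses nothing beyond the blog itself. Whether a 14-bit password is acceptable on the trivial site is the disagreement the thread is having; what the code settles is that reuse, not length, is what turns a lolzcat breach into a Gmail breach.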

Train (Lifer, Jun 22, 2000)
It's all moot once mind scanners are out. Even an uber crack-proof password is only safe if you never think about it. Someone will be like "DON'T think of your password!" and you'll be like "oh shit, I can't not think of it, fuck, did you just scan me bro?"

Midwayman (Diamond Member, Jan 28, 2000)
Why would I use a 24 character unique password for lolzcatsbl0g.org? I would just use the word cat. Same for any other trivial site that has no banking details on it; as long as I don't replicate that password anywhere else, I don't see the point in going to the effort of making my www.funnypopcornpics.com password FGgthghssw732jd8329{{};@.

Sure, but part of it is just getting in the habit of good password practices. Once you have a system set up, it's not really any more work to have a unique secure password even on trivial sites. If you're not in the habit, it's really easy to get lazy and use duplicate/easy-to-crack passwords on sites that could burn you. Like sites with saved credit details, or enough info in the registration/shipping that they can social engineer your really important ones.