4 additional slots for Authenticator

[Deleted]

So I was expecting too much from ppl again (it's one of my weaknesses). Using the exact same password for different websites and services is lazy and irresponsible. For me, it's obvious to use different passwords everywhere.

But for most people it's not. They re-use passwords, because managing multiple logins and passwords is difficult and very inconvenient. People like to be convenient.

[Deleted]

Such harmful bullshit. The fact that a device is not 100% secure does not mean that using two-factor generator on it wouldn't increase your overall security posture.
The "ultimate security or nothing at all" is not good actionable advice.
Writing passwords down on paper is great - if that works for you. For most people it doesn't - they need to access their accounts on the move. Password manager is a better option - and yes, they're not 100% secure either. Neither is your piece of paper.

Don't tell me that a piece of paper is not safer than a smarthone, that automatically uploads everything to the cloud "for your own safety". That's the big BS that you, and so many actually believe.

- - - Updated - - -

But for most people it's not. They re-use passwords, because managing multiple logins and passwords is difficult and very inconvenient. People like to be convenient.

Being convenient =/= lazy, but you tell me that being convenient is actually = lazy.

[Deleted]

Don't tell me that a piece of paper is not safer than a smarthone, that automatically uploads everything to the cloud "for your own safety". That's the big BS that you, and so many actually believe.

Ok - do this simple test:
1) Take your piece of paper and set it on fire.
2) Now login to your sites.
How's that going for you?

Information Security is about confidentiality, integrity and availability. You're mixing Privacy into this - which is a factor in confidentiality but it's definately not 100% of the equation - it's just one thing in one branch. Learn a bit about security, ok? Google those three terms.

OK - so let's leave the privacy talk for later... now point out the real security flaws that mobiles + two-factor generators have?

[Deleted]

Ok - do this simple test:
1) Take your piece of paper and set it on fire.
2) Now login to your sites.
How's that going for you?

Information Security is about confidentiality, integrity and availability. You're mixing Privacy into this - which is a factor, but it's completely different thing. Learn a bit about security, ok? Google those three terms.

Why would I or anyone burn a piece of paper here and there? Get back to the reality, it's not a spy movie... omg... Also a house burn is not an everyday activity where I live. Don't be so infantile.

[Deleted]

Why would I or anyone burn a piece of paper here and there? Get back to the reality, it's not a spy movie... omg... Also a house burn is not an everyday activity where I live. Don't be so infantile.

So ok you don't want to talk about Availability. Ok then, I get to pick one bit I don't want to care about. So I don't want to talk about Privacy.
Now that we both have removed one part out of the dicsussion, let's get back to it, then:

Point out the real security flaws that mobiles + two-factor generators have?
Also - please include some attacks that are currently in the wild (include the CVE's if you can)

[Deleted]

Availability

I personally don't need such thing relating to my passwords. I'm not mobile, neither at my job or private life, and I don't mix up the two things either. I also just have the WoW game only on my PC, I don't need/want anything related to it e.g. on my smartphone, because I don't play when I work. I can separate these things. I live simple.

Point out the real security flaws that mobiles + two-factor generators have?

You can access them remotely on the Internet or other kind of network. While you can't do the same thing with a piece of paper.

[Deleted]

You can access them remotely on the Internet or other kind of network. While you can't do the same thing with a piece of paper.

This is just about as absurd as my claim of your house burning down. You need to be more specific.
Please point out how having an app that genetates 2-facor authentication numbers on my mobile is insecure (or a password management app)? I'm afraid you're going to have to point to specific attacks. Otherwise I'll keep claiming your house is going to burn down - because both of these are equally stupid arguments.

[Deleted]

This is just about as absurd as my claim of your house burning down. You need to be more specific.
Please point out how having an app that genetates 2-facor authentication numbers on my mobile is insecure? I'm afraid you're going to have to point to specific attacks. Otherwise I'll keep claiming your house is going to burn down - because both of these are equally stupid arguments.

Then I can also make up some other imaginary scenario, where I don't keep these important pieces of papers at my house, or at a place that can burn down.

You ppl have so strong belief in thechnology, you don't even sense real life anymore. What do you do with all of your technology when a blackout happens for a few days and you are cut off from civilization (yes, ppl live at places where a landslide or a tornado can happen). You just watch the black screen while I read my books.

And ofc I can't mention specific examples, because that's not my job, and I'm not interested at that high level either (I know you want to boil it down to this point, so you can bash me at this spot too). However you can't really say that your data has the same safety on a network connected computer/device, as on a piece of paper which is well hidden at the bottom of my drawer. No Korean hacker has access to it.

To steal the information that is written on the piece of paper, you actually have to break into my home and steal it, while on a network, you can do it from 5000km away. But that's also quite obvious. So which data has more security?

[Deleted]

And ofc I can't mention specific examples, because that's not my job, and I'm not interested at that high level either (I know you want to boil it down to this point, so you can bash me at this spot too).

I don't want to bash you about anything. Security is my job and has been for the past 15-20 years. And this trend of "absolute purism or nothing at all" is very harmful.

Yes, disconnecting everything from networks and keeping everything offline is very secure. You can even add fire-proof safe to your house and you'll get rid of the "house burning down" problem. It can't be argued.

But the world doesn't work that way anymore. It hasn't worked that way in the past 30 years and it's going the other way increasingly fast. Props to you for keeping your stoic pose and your simple habits, but surely you see you're not "average joe" in this? For the average joe having a 2-factor app or a password manager on their phone will instantly increase their security posture - by a huge amount.

No technology or science field can thrive if it's governed by absolute purism - same applies to security. Having common sense and relevant threat model is important. Mobile phones are secure enough for this purpose. The iPhone secure enclave is quite excellent place to keep your secrets in a modern world.

Can you at least see that?

[Gaidax]

Such harmful bullshit. The fact that a device is not 100% secure does not mean that using two-factor generator on it wouldn't increase your overall security posture.

This basically, I literally facepalm when I read that drivel.

Guess what, using two-factor authentication on potentially insecure device to protect logins is frikkin' shitton better than not using anything at all.

At my workplace two-factor authentication is mandatory for logins and of course remote access. Don't have smartphone? Tough luck, buddy, should not work in high tech. There are no exceptions.

[Deleted]

I don't want to bash you about anything. Security is my job and has been for the past 15-20 years. And this trend of "absolute purism or nothing at all" is very harmful.

Yes, disconnecting everything from networks and keeping everything offline is very secure. You can even add fire-proof safe to your house and you'll get rid of the "house burning down" problem. It can't be argued.

But the world doesn't work that way anymore. It hasn't worked that way in the past 30 years and it's going the other way increasingly fast. Props to you for keeping your stoic pose and your simple habits, but surely you see you're not "average joe" in this? For the average joe having a 2-factor app or a password manager on their phone will instantly increase their security posture - by a huge amount.

No technology or science field can thrive if it's governed by absolute purism - same applies to security. Having common sense and relevant threat model is important. Mobile phones are secure enough for this purpose. The iPhone secure enclave is quite excellent place to keep your secrets in a modern world.

Can you at least see that?

I can see and understand what you are talking about. However as I say consequently again and again, ppl beleive too strong in technology and put up all their asses to the public just to let a cock fly into it as easy as possible (to say it vulgar). They are irresponsible and lazy. Meanwhile they rely more and more on technology, they forget that living simple, yet still having access to information is possible, and can also be a layer of security, without any kind of extra technological protection needed.

Companies should teach ppl to be responsible, instead of selling/advertising an other security product/software (that can also have flaws and weak spots) to install on their devices. But where would be the business in it? It's all about money and propaganda to make even more profit. While living simple and being a bit more responsible can result the same level of security, without feeding an other company.

[Deleted]

I can see and understand what you are talking about. However as I say consequently again and again, ppl beleive too strong in technology and put up all their asses to the public just to let a cock fly into it as easy as possible (to say it vulgar). They are irresponsible and lazy. Meanwhile they rely more and more on technology, they forget that living simple, yet still having access to information is possible, and can also be a layer of security, without any kind of extra technological protection needed.

Companies should teach ppl to be responsible, instead of selling/advertising an other security product/software (that can also have flaws and weak spots) to install on their devices. But where would be the business in it? It's all about money and propaganda to make even more profit. While living simple and being a bit more responsible can result the same level of security, without feeding an other company.

I think we just have to agree to disagree on this.
2-factor auth on your phone is a great thing. It increases security. Too bad you can't see the wood for the trees. Software will always have flaws. That doesn't mean we shouldn't use software.

[Deleted]

This basically, I literally facepalm when I read that drivel.

Guess what, using two-factor authentication on potentially insecure device to protect logins is frikkin' shitton better than not using anything at all.

At my workplace two-factor authentication is mandatory for logins and of course remote access. Don't have smartphone? Tough luck, buddy, should not work in high tech. There are no exceptions.

I'm talking about simple WoW players that sit down to their computers and play the friggin game after a hard day, not about workplaces. It's not about high-tech security companies that work with sensitive data. It's just simple civilians at their homes... They really don't need such BS, just be a bit more responsible. Life is not necessarily a spy movie.

- - - Updated - - -

I think we just have to agree to disagree on this.
2-factor auth on your phone is a great thing. It increases security. Too bad you can't see the wood for the trees. Software will always have flaws. That doesn't mean we shouldn't use software.

I say (and live like) that I don't use/need such softwares that can compromise my sensitive data. I know that software will always have flaws, but I try to keep them as low as possile. Believe it or not, I have a smartphone, yet I don't have mobile internet, because I live a life where I don't need it at the slightest. Wifi is enough for me, thus I don't even communicate on mobile facebook app (or other chat software), so I don't even have that app installed. I also don't listen to music via an internet radio. 2 less software that can have flaws (and are unnecessary for me). Still I have a job, friends, a life.

On my smartphone:
- I call ppl
- I listen to music as mp3
- I use the camera to take pictures
- I use the GPS and an offline map for navigation (that I update via the wifi)
- I rerely browse the news (also on wifi), and check out the weather forecast
- I recieve/send SMS sometimes

I simply don't have time/need for more, because I have other ways of entertainment.

I don't believe that ppl with a full time job, a family, some real friends need more from their smartphones. These different chat softwares, social media services are all just distractions and you only have time/need for them if you don't have a real job - because let's admit what changes in my life if I follow a celebrity on Twitter? nothing, it has absolutely no impact on my wage. Also the games just drain your battery needlessly. These things are used mosly by young ppl that need something to twiddle, to play with and in reality, they have absolutely no positive impact on their lives.

[3DTyrant]

I've had an authenticator on my account for years now, but the +4 bag slots is nice, nothing hugely amazing, but still a nice addition.

[Deleted]

I say (and live like) that I don't use

It's ok - you obviously have built your threat model and you live accordingly.
I'm not going to comment on that - you do what you need to do to keep a security level that is acceptable to you. You defend against threats you see relevant to you. That's fine. But I don't want to talk about you specifically, because you are a special case.

I'm saying the 10'000 foot view looks quite different. In that context most of the threats that are relevant to you, are not relevant to most. People use Facebook and Twitter. They upload things to Dropbox. They play games. They pay bills from their mobile phone and do banking online. And they want convenient, easy access. They share same, bad password between all of the above sites. That's how the world looks at 10'000 feet.

And in that world, it's very harmful to push a purist view, because it actually hinders development and adaptation of security or helpful technology.

So - keep your 40 pages of written passwords, it's OK - you're safe and secure, you don't need anything else.
For the rest - who actually need security - please install authenticator on your mobile. It's secure enough.

[Wyrt]

I already have an authenticator so I'll get it, but I feel 4 really isn't enough. 20 slot bag is like WotLK level, we're way past that now.

[gutnbrg]

lol so many people in here worried about the boogie man watching them and invading their "privacy".....wtf are u people doing that ur so scared of anyone finding out?

[Mifuyne]

lol so many people in here worried about the boogie man watching them and invading their "privacy".....wtf are u people doing that ur so scared of anyone finding out?

Basically this.

[LanToaster]

I do not have one and I've never had my account hacked (playing about a decade). I've known people with them who've been hacked (at least one of them multiple times).

Security is not an incentive for me in this case.

Well, without added Security, one can basically "Luck" themselves in your Account, get via Fishing in your Account, or maybe even BruteForce it if you dont pay attention for a time.

With an Authenticator, you need to be Targeted Specifically, or be REALLY stupid.

I still stand with my Point I made in another Thread about this during Blizzcon:
If your Account isnt Secured with an Authenticator, and you get Hacked, they should charge you for the work they do in Restoring your Account.#

Because if a person is to Lazy to input ONE time a code, or push a button on their Smartphone, then why should Blizzard bother fixing your Security for free.

Yeah same. I have an email account that I only use for my battle.net account, so gfl tracking down my info, hackers.

You do actually know, that, while its a bit safer than using a single Email, its still possible to get that?

Blizz used a pet to try to bait people into getting it and it didn't work. You'd be shocked how much time and money they waste on account recovery for technically inept idiots.

Agreed.

Unpopular/triggering opinion here:

I don't want authenticator at all (at least not like this).

As I said in an other thread in the same matter before: It's risky to install anything to your smartphone, related to your WoW account. Smartphones are a security risk themselves - simply, because they can be easily stolen, lost, or hacked, so installing WoW stuff to them can compromise your WoW account security, not add an extra layer to it.

Also, these 4 extra bag slots are plain propaganda, just to install that thing to your phone, nothing more. And you ppl just swallow it with ease, you can't see behind the scenes - you don't even know that these apps have exploits or not. It's so easy to sell your souls to the devil. Next time they will ask money for 10 more bagslots and you'll pay for it, instead they could give it just in-game for some gold.


Now you cant start to bash me for conspiracy theory.

Reason why this is Dumb:
Without any form of Authenticator, people need just your Password for your EmailAccount, and can steal your Account. Which in itself is only as Secure as the Provider where your Email is held. (Or they Randomly Fish for information, which happens also)

With an Authenticator, while its true, that your smartphone my be stolen or Hacked, you still need to:
A: Have the Intend or Knowledge to actually steal a WoW Account from a stolen Handy.
B: Target Specifically a Specific Person to steal/Hack their Smartphone.

The Odds of that are really really really low.

[Deleted]

who actually need security

The other part of my special "issue" in this matter, above smartphones and relying on them is the marketing of this thing (I also mentioned it multiple times before).

Most ppl here actually don't need the security in the first place. They need the bagslots.