Brian Lovin
/
Hacker News

TedDoesntTalk

> use oAuth login. This looks like "Sign in with Google", "Sign in with Apple", "Sign in with GitHub", etc. I'm pretty happy using Google's oAuth everywhere

No, don’t ever do this.

1. Google or Facebook or Apple now know everywhere you have an account

2. If they choose to disable your access to their service (as happens regularly and without due process), you can’t login to any website.

sundarurfriend

The originally submitted link was the LessWrong version of this post, and there too the top comment was about this: https://www.lesswrong.com/posts/ESp3SsuqWrht7SApu/not-gettin...

knaik94

I trust Google login and oAuth to be protected with better security practices than the general login. AdSense and other cookies means they probably know where you have an account regardless of if you login. I like that "Sign in with Google" allows me to not make another login and password. For certain sites, after using "Sign in with Google", they have made me make a local account anyway as backup. I don't think a generalization like "don't ever do this" is helpful.

I am curious why you say blocked accounts happens regularly. I have heard of it happening to people, but not often.

TedDoesntTalk

What will you do if Google decides you’ve broken some terms of service and you lose access to gmail and all other Google resources? You are giving them the power to disable access to non-Google websites. And you’re ok with that?

HN is littered with people who’ve experienced Google bans. An article hits the front page about it seemingly monthly (and those are only the ones that get publicized). It happens again and again. You have no recourse. There is no one to call. There is never an explanation.

I’m not here to convince you. To each his own. If you don't care about the privacy leaks, then surely you can overlook the risk of losing access to your non-Google accounts whenever Google decides.

hardware2win

>You are giving them the power to disable access to non-Google websites. And you’re ok with that?

I don't care.

The only services important for me are: bank, email and hosting. Losing my gh would suck but it is not serious

The rest of services I treat as "nice to have"

My accounts on them are irrelevant for me. Losing an account on a random forum, random game, or some streaming platform wouldn't change my life. I would just create a new one.

It would suck, but that's not important.

Arainach

Then I create an account with my new email.

Sure, for the few sites I care deeply about a long history with, a unique account might be worth it. Those sites are few and far between.

My password manager has more than 500 entries. A huge majority are sites I used once and never again. I don't want an account there but was probably required to create one to check out. If Google deleted them they'd be doing me a favor. Google knows I went to those sites anyway since I probably found them through search results.


[deleted]

kodah

> I trust Google login and oAuth to be protected with better security practices than the general login.

It's not about security. It's about that the oAuth protocol relies on good faith providers. Google is demonstrably not a good faith provider in terms of tracking. Part of oAuth includes refreshing that token and validating it with the provider.

> I am curious why you say blocked accounts happens regularly.

As for the blocked accounts bit, it's not so much the frequency that matters. It's that Google has zero and I mean literally zero humans to contact if their security machine flags your account for something. Their appeals process is a joke and a bad one at that.

If you're searching for frequency, use Algolia to get an idea of how many people have appealed to this site: https://hn.algolia.com/?q=Google+blocked+account

Next, load up the Googler and search Twitter and Reddit for the same thing. There's a lot of occurrences, horror stories, and news articles about it. Google does not care about addressing this.

sundarurfriend

I did a few different versions of that search for the LessWrong discussion about this (https://www.lesswrong.com/posts/ESp3SsuqWrht7SApu/not-gettin...) and learned that a large majority of these blocked accounts are developer accounts.

There are still cases where individuals' accounts get banned randomly (and if there's enough ruckus, reinstated), which I've posted about there. And thinking about it, it might be the case that developer accounts with $$$ invested in them might just be the most likely to post on HN and complain, while individuals just suffer Google's "support" and give up. In any case, they're not as easily visible as the dev account bans, so we don't know how often they occur (unless someone trawls through support.google.com posts and creates a list of such).

murderfs

> If you're searching for frequency, use Algolia to get an idea of how many people have appealed to this site: https://hn.algolia.com/?q=Google+blocked+account

83 results, and the first page has like one actual appeal from a person?

eks391

Perhaps my anecdote is not as strong because I got locked out rather than blocked out, but it still was inconvenient. I degoogled my life some time ago, long enough to have a new phone and computer. At a point I needed to log into my old gmail acct, and I couldn't because it was a new device, the old devices were gone to verify my identity, and knowing my password and passing several captchas wasn't enough. Months later I went to log into fb/ig for something and similarly wasn't allowed in, and also didn't have access to my gmail for verification. Luckily, during my degoogling adventure I had changed the email for all important accts, so the impact is minimal, but I would not like to imagine the impact if I had ever relied on oAuth.

jefftk

The question of how large the risk is that Google or whoever you pick for SSO will lock you out over some misunderstanding around TOS is the main one I see upthread, and is pretty tricky. I'm working on a follow-up post that gets into this question.

I think avoiding the situation you ran into, however, is a very different question. How likely you are to get locked out for security reasons depends a lot on what security configuration you choose. The big risk here is that you set up 2FA and then lose access to your second factor. If someone were to follow the approach I advocate in the post, of always maintaining three registered security keys and adding a new one if you lose an old one, I think the risk of a security lockout ends up being super low.

knaik94

I feel a little more comfortable relying on oAuth because I have my 2FA secrets backed up. This story does make me reconsider and want to revisit how I manage certain services. I don't know if there's a reasonable self hosted alternative to all the google services I use. I even have a Google Voice account I've had for over 12 years now, I feel like that'd help if I ever do get locked out. I try my best to practice good account security hygiene. I already have multiple backup accounts, for email but also in terms of recovery emails for third party accounts too. But I appreciate your story.

jefftk

> the old devices were gone to verify my identity

Do you mean you had a phone number configured in the account but it was out of date, or something else?

piokoch

A blocked Google account is one of those things, like not having regular backups: you'll realize how bad it is when it happens, even once in your lifetime.


[deleted]

cybrexalpha

Good list, but I think it actually understates the advantage of security keys over other methods of 2FA. It's not just that they're physical objects, it's the protocol (either FIDO U2F or FIDO2/Webauthn) is fundamentally resistant to phishing attacks. Take the author's example of accidentally logging into accounts.google.com.evil instead of accounts.google.com:

If you and/or your password manager are tricked into entering your username and password, all other 2FA methods are vulnerable to an active phishing attack where the attacker's site relays the login information to the real site in real time. You enter your TOTP code or hit "yes" on a push notification or whatever, the real site logs you in and passes your session cookie to the attacker, and you're hacked.

With a security key, when you log in, the browser tells the key what website you're connecting to and about its TLS certificate. If the security key wasn't registered with exactly that, it won't work.

It's almost impossible* to get phished if you use a security key as your 2FA method.

* There are a few ways. If you're phished during first-time setup of the security key, or if the attacker gets a valid TLS cert for their website and impersonates accounts.google.com with a network-level attack, or if they manage to get a trusted private CA onto your machine and do the same, or if they can exploit a 0day in the browser or the key to disrupt that communication and lie to the security key about the site's identity. But the bar for these forms of attack is significantly higher.
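To make the origin binding in the comment above concrete, here is an added example (my own toy model, not code from the post or from the commenter): a relying party, a browser and a security key, using the same accounts.google.com / accounts.google.com.evil pair. The HMAC "signature" and the short authenticator data are simplifications I am assuming for brevity; the checks are the ones a real relying party performs.

```python
"""Model of why a FIDO2/WebAuthn login cannot be relayed from a look-alike site.
Simplifications (assumptions, not the real protocol): the key's ECDSA signature is
modelled as an HMAC over a per-credential secret (so the RP's stored "public key" is
that same secret), and authenticator data carries only rpIdHash, flags and a counter."""
import base64
import hashlib
import hmac
import json
import os

def b64url(data):
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def rp_id_valid_for_origin(rp_id, origin):
    """Browser rule: the requested rpId must be the page's host or a parent domain of it."""
    host = origin.split("://", 1)[1].split("/", 1)[0]
    return host == rp_id or host.endswith("." + rp_id)

class Authenticator:
    """A security key: each credential is scoped to the rpId it was registered under."""
    def __init__(self):
        self.credentials = {}  # rp_id -> credential secret (stand-in for the private key)

    def register(self, rp_id):
        self.credentials[rp_id] = os.urandom(32)
        return self.credentials[rp_id]  # the RP stores this as the credential's public key

    def get_assertion(self, rp_id, client_data_hash):
        secret = self.credentials.get(rp_id)
        if secret is None:
            return None  # nothing registered for this rpId, so nothing to sign
        auth_data = hashlib.sha256(rp_id.encode()).digest() + b"\x01" + b"\x00\x00\x00\x01"
        return auth_data, hmac.new(secret, auth_data + client_data_hash, hashlib.sha256).digest()

def browser_get(origin, rp_id, challenge, key):
    """Model of navigator.credentials.get(): the browser, not the page, writes the origin."""
    if not rp_id_valid_for_origin(rp_id, origin):
        raise ValueError("SecurityError: rpId %r is not valid for origin %r" % (rp_id, origin))
    client_data = json.dumps(
        {"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()
    result = key.get_assertion(rp_id, hashlib.sha256(client_data).digest())
    return None if result is None else (client_data,) + result

def rp_verify(expected_origin, rp_id, cred_public, challenge, client_data, auth_data, sig):
    """Relying-party side: reject anything not bound to our origin, rpId and challenge."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != b64url(challenge):
        return False
    if cd.get("origin") != expected_origin:
        return False  # the assertion was produced on some other site
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False  # signed for a different rpId
    expected = hmac.new(cred_public, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig)

def demo():
    rp_id, real_origin = "google.com", "https://accounts.google.com"
    key = Authenticator()
    cred_public = key.register(rp_id)
    challenge = os.urandom(32)
    # 1. Genuine login on the real origin verifies.
    legit_ok = rp_verify(real_origin, rp_id, cred_public, challenge,
                         *browser_get(real_origin, rp_id, challenge, key))
    # 2. Relay attack: the look-alike page forwards the real site's request verbatim.
    #    The browser refuses because rpId "google.com" does not match the page's origin.
    try:
        browser_get("https://accounts.google.com.evil", rp_id, challenge, key)
        relay_blocked = False
    except ValueError:
        relay_blocked = True
    # 3. The look-alike asks for an rpId matching its own domain instead: the key has no
    #    credential for it, and a response signed for it would fail the rpIdHash/origin checks.
    no_cred = browser_get("https://accounts.google.com.evil", "google.com.evil", challenge, key) is None
    return legit_ok, relay_blocked, no_cred
```

A TOTP code, by contrast, is a bare six-digit string with nothing in it that names the site, which is why the relay described above passes it straight through.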

jefftk

I do think the post covers this? This is specifically why I advocate for security keys over TOTP ("they protect you against fake login pages").

abhaynayar

I think self-pwning by running executables downloaded from torrents/shady websites might be a common way people get hacked. A while back I was talking to a bunch of software developers and even they were not convinced that you can get hacked by running games from torrents. What's worse is people also run that stuff as administrator, and then ask their anti-virus to ignore it.

rl3

>A while back I was talking to a bunch of software developers and even they were not convinced that you can get hacked by running games from torrents.

Untrusted executable code that's expected to be a modified version of the real thing, making hash-based assurances impossible in most cases. Sounds secure to me. /s

It's kind of sad, in the days prior to torrents security used to be reputation-based. Not to mention a dynamic where reversers look at each other's work. Since the advent of torrents and with just the sheer amount of games now, I imagine that's suffered quite a bit.

Some forms of DRM are arguably malware in and of themselves, so it's ironic that attempts at bypassing that end up as a vector for serious malware.

What worries me is since Steam opened its floodgates, theoretically lesser-known titles could be vectors for malicious code. Or heck, even larger titles. What assurances are there, actually? Trust in the publisher and developer is about it.

intelVISA

Last I checked a decent amount of games on Steam ship with malware like Denuvo so you're probably right.

devdiary

Using a "password manager for everything" comes with the critical disadvantage of making the pass mgr a single point of failure, increasing the attack surface area. Take the example of the recent Lastpass breach; I am pretty sure it will lead to the hacking of almost all services for some Lastpass users. Although Lastpass is saying "don't worry, your passwords are encrypted with your master password and it will take a million years to crack them", no, it won't take even a month/day to crack the master password of many of those users. You're overestimating people's ability to create a strong master password and the effort needed to crack a password.

I'd rather be very specific in suggesting password managers, use them only for non-critical services.

xcdzvyn

Hard disagree. The problem with Lastpass being pwned was Lastpass being Lastpass. Put your passwords in a password manager, don't put your passwords on the internet in The Cloud™.

> You're overestimating people's ability to create strong master password and the efforts needed in cracking a password.

Okay - so we're establishing that many people use insecure passwords. Password managers mitigate this risk completely by generating incredibly secure passwords - however, people may use an insecure master password.

> I'd rather be very specific in suggesting password managers, use them only for non-critical services.

And your proposed solution is for people to use NO secure passwords, but to use their poor password creation abilities on every site they use.

This only leads to people using insecure passwords _everywhere_, rather than in one, local file, which is far less likely to be attacked.

darkwater

> Put your passwords in a password manager, don't put your passwords on the internet in The Cloud™.

Which doesn't work well in a multi-device landscape like the one many of us live in (even if not the majority, because the majority probably just owns and uses a smartphone).

albuic

It works well for me, you just need to synchronize your password manager's file once in a while. Are you really creating that many accounts? And you can use anything, even cloud providers, to easily synchronize the single file.

I don't use cloud password managers, history has shown it is too risky.

xcdzvyn

Syncthing has never failed me for this.

devdiary

That's what I meant to say - don't put your critical services passwords in one cloud password manager

debarshri

Having a reduced threat vector is sometimes better than having multiple threat vectors spread all across. You can make the same argument for a VPN server. Apart from the lastpass hack, I cannot think of any other password manager hacks that have led to passwords being compromised. I absolutely agree that in an enterprise setting there has to be another layer of security on password managers. But with password managers, credential usage and sharing becomes seamless, which can lead to less leakage.

kkfx

Mh, I found this article really strange:

- firstly, tying ourselves to a service is the best way to get locked out of something "belonging to us" but not under our control, A TOTAL NO GO. We need to own things in person, not put them in others' pockets "because they are safer";

- secondly, I do not want to use ANY non-personal password managers, and recent attacks prove very well why;

- thirdly, the simplest form of being "locked out" is that a service we depend on does not work anymore; the simplest form of protection is NOT depending on third parties.

Having your own files, on personal hw, with offline LOCAL copies and a good backup strategy (of course on encrypted storage, but that only prevents a thief from accessing the information, it does NOT ensure the availability of something) is good lock-out prevention. Having personal mail infra is hard, but owning a domain name and having a LOCAL mailserver at home that just uses someone else's service as a replica ensures you have the mails and the domain; being "locked out" then means just being offline until you restore, while still being able to read your mails and eventually move your domain somewhere else, and that's far less hard. Having a personal website instead of using some platform is another nice way, especially if you advertise that you also have a copy on ZeroNet and similar P2P systems, so even if the website is hosted by some provider your readers know there is a LIVE copy in a P2P distributed system and eventually they even have a local copy.

seee-I-Told-you

While the list certainly contains good precautions which everyone, for the most part, should be implementing and thinking about, it is not a complete list. Even though the author would say "it was not intended to be", it still kind of promises "these mitigations are enough"... and of course the world isn't black and white.

Protecting a company or even a single personal computer is a time-consuming challenge with multiple dimensions. It involves implementing processes and routines which you stick to; it involves technical solutions for mitigating threats in different categories; and it involves planning, configuration and monitoring.

It certainly involves staying well informed on vulnerabilities, present threats and the modus operandi of attackers.

That's why we security consultants (at a senior level) are more or less useless unless we are developers ourselves and stack up 30,000+ hours of experience. And still, with all this experience and knowledge, the work is not a piece of cake at all.

You have to be prepared to make exceptions, be pragmatic, a good communicator and a skilled presenter. You have to be prepared to work uncomfortable hours, holidays, weekends etc.

dataflow

> Use a password manager that fills in fields automatically

(EDIT: To everyone saying this is a bad idea: yes I agree, and that's unrelated to my question. Before reading my subsequent paragraph, note this sentence can be interpreted two different ways. I thought it meant "automatically" as in "without needing to manually copy-paste" (to avoid phishing), but it seems maybe the intention was "without prompting the user"? The second one seems like bad advice and not what I was asking about regardless - I'm asking about the anti-phishing fill where the program enters the text, NOT about unprompted filling, which I already agree is a bad idea.)

It's not this simple in reality is it? Surely it's not just me whose password manager often has to prompt to fill in a legit website it can't recognize, because the domain or URL isn't the same as what it has stored in its database? Are non-technically-inclined folks expected to be able to follow this advice in practice?

TechBro8615

Aside from the phishing issue, which I don't find convincing anyway, auto-filling vs. copy/paste is a choice between browser extension security and clipboard security.

Personally, I use 1Password without any browser extension and I choose to copy/paste my password from the 1Password app into the password field on a website. Usually I type the username/email manually.

If my clipboard is compromised, then an attacker will get only the password for only the current website. They won't even know the username or website it's associated with.

On the other hand, if a browser extension for my password manager is compromised, the impact could be much more severe and widespread. In some scenarios an attacker could read my entire vault.

Also, if my clipboard is compromised, then probably so is my entire OS, in which case all my browser extensions are too.

This is my personal preference, but frankly I think it's just bad advice to use a browser extension with your password manager, and especially bad advice to use one with auto-filling behavior.

latchkey

I turned this off. It is possible that the site gets hacked and your password manager automatically fills it in; the attacker can then read the password (via embedded javascript) that you've filled into the field without you even submitting it first. By making this a manual process, it at least gives you a fighting chance.

knaik94

It shouldn't matter as long as you don't reuse your password. If the site is hacked to the point where someone can inject javascript, I'd assume all of my data has already been compromised without logging in.

latchkey

> I'd assume all of my data has already been compromised without logging in.

Not entirely true. If the site requires your login in order to, say, decrypt your server side data, then even if the site is compromised, your data is still secure, until you log in. I'm making this up as a possibility, I've never seen or heard of a site that actually did that.

Regardless, I'd rather err on the side of caution. There are too many things that I don't know about here that could be possible. Automatically filling in my password somewhere seems like an obvious thing to be cautious about.

brigandish

How would you know that the site's been hacked, and if you do, why would you visit it?

latchkey

I don't know that the site has been hacked, that's the point. I'd rather not automatically throw my password into a form when I visit a site. It seems like a kind of obvious thing to me.

autotune

I recently was looking into the possibility of finding a local tax prep service for the mess that is my taxes from 2020. I stumbled upon a website that was highly rated on Google and looked completely professional, so naturally I let my guard down a bit while browsing it. Before I knew it one of their navigation links in this otherwise professional looking site redirected me to some malware spewing porn site that probably would have downloaded and installed itself on my machine if I was not using uBlock Origin and on Mac. It's super easy to get tricked these days even when you are security conscious 95 percent of the time, it only takes that one 5 percent chance to go wrong.

chrsjxn

I'm not sure I get the issue people have with autofilling passwords, instead of making the user copy and paste.

Every password manager I've used associates those credentials with a URL. One of my accounts used to get them confused, because the company offered a dedicated login page and login via the home page on separate subdomains.

So that feature might make it harder to get phished by adding friction. And if an attacker has malicious code running on the legitimate website, how would you know?

senectus1

I'd suggest that auto filling is a bad idea. I have Bitwarden auto fill when I use a hotkey combo. That, in my mind, is safer.

For the very reason he mentions down the page :

>Use tools so you can't mess up even if you're not paying attention.

*Note: it's worth noting that this hotkey combo only works on sites that you have logged against that password. It won't just blurt out the next password.
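As an added illustration of the matching behaviour dataflow asks about and chrsjxn and senectus1 describe (my own model, not any password manager's code): a minimal autofill gate that offers a credential only on the site it was saved for, so a look-alike domain gets nothing, while sibling subdomains of one site share an entry. The vault contents and the public-suffix table below are constructed placeholders.

```python
"""Illustrative model of the autofill gate in a password manager (not any product's code):
a credential is offered only when the page's origin matches the origin it was saved on,
which is the check that keeps it out of a look-alike domain's login form.
Assumption: a short constructed table stands in for the real Public Suffix List."""
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List, which has thousands of entries.
PUBLIC_SUFFIXES = {"com", "org", "net", "evil", "co.uk", "github.io"}

def registrable_domain(host):
    """eTLD+1 of a host: accounts.google.com -> google.com, a.b.co.uk -> b.co.uk."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        if ".".join(labels[i + 1:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i:])
    return host.lower()

class Entry:
    """One vault item, remembering the scheme and host of the page it was saved on."""
    def __init__(self, name, login_url, username, password):
        parts = urlsplit(login_url)
        self.name, self.username, self.password = name, username, password
        self.scheme, self.host = parts.scheme, parts.hostname

def fill_candidates(vault, page_url, strict_host=False):
    """Return (entries eligible for fill, reason). Matching is on registrable domain, so
    login.example.com and www.example.com share an entry (the subdomain case upthread);
    strict_host=True restricts it to the exact host. An entry saved over https is never
    offered to an http page, since that form could have been injected by anyone on the path."""
    parts = urlsplit(page_url)
    if parts.scheme not in ("http", "https") or parts.hostname is None:
        return [], "not a web origin"
    page_domain = registrable_domain(parts.hostname)
    eligible, reason = [], "no entry saved for %s; possible look-alike domain" % parts.hostname
    for e in vault:
        if strict_host:
            same_site = e.host == parts.hostname
        else:
            same_site = registrable_domain(e.host) == page_domain
        if not same_site:
            continue
        if e.scheme == "https" and parts.scheme == "http":
            reason = "%s was saved over https; refusing to fill over plain http" % e.name
            continue
        eligible.append(e)
    return eligible, ("ok" if eligible else reason)

# Constructed vault contents; the secrets are placeholders, not real credentials.
VAULT = [
    Entry("Google", "https://accounts.google.com/signin", "someone@example.com", "placeholder-1"),
    Entry("Example", "https://login.example.com/", "someone", "placeholder-2"),
]

def demo():
    """Entry names the manager would offer on four pages, plus the reason for the look-alike."""
    legit, _ = fill_candidates(VAULT, "https://accounts.google.com/v3/signin")
    phish, why = fill_candidates(VAULT, "https://accounts.google.com.evil/signin")
    sibling, _ = fill_candidates(VAULT, "https://www.example.com/account")
    downgrade, _ = fill_candidates(VAULT, "http://accounts.google.com/signin")
    return ([e.name for e in legit], [e.name for e in phish],
            [e.name for e in sibling], [e.name for e in downgrade], why)

if __name__ == "__main__":
    print(demo())
```

Whether the fill then happens unprompted or only on a hotkey is a separate choice; the origin check is what stops the credential reaching a look-alike site either way.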

blondin

nice list, but not sure about password managers... especially in light of what is currently going on with lastpass. a lot of phishing will come out of that to trick users into giving away their master password. then what? or what if google, apple, what have you, ban your account?

there is no silver bullet. we need a lot of common sense and not preaching in absolute terms.

dylan604

>not sure about password managers... especially in light of what is currently going on with lastpass.

i would counter with don't use cloud based password managers. i'd go so far as don't use cloud based anything, but that ship has sailed. i use a password manager, but do not use the cloud offerings of it. i can sync all of my devices to the same database, but yes i have to do it. >99% of people will prefer the convenience over security, so as a founding father once said, give them neither (or something like that).

cuu508

> a lot of phishing will come out of that to trick users to give away their master password

One thing you can do to mitigate is to set up WebAuthn 2FA for the password manager as well. If your master password somehow leaks (say, a keylogger), the attacker still cannot access the vault since they don't have access to your security key.

eks391

My pw manager does not offer this. Which do you recommend that has this feature?


[deleted]

civopsec

You know how “cloud stuff” are remote files, right? And that files can be stored locally? Well there exists a thing called encrypted password managers that are just files (a file) that are stored locally (as in not on the cloud. The storage thingy on your computer. Yeah, your laptop, exactly!)

Local storage: it’s a thing.

knaik94

At least Google's password manager is tied to your login, which should be a lot better protected and people wouldn't give away that password as easily.

You can always export your passwords, they're not locked into a password manager.

albuic

Password manager databases are almost standardised for open source products.

knaik94

I am frustrated by password managers auto-generating nonsense. It increases the friction in moving away from a specific manager and people essentially become locked out of accounts if they can't access their password manager. I imagine that leads to weaker passwords anyway for things like shared accounts. I like the encrypted sync between my devices but never use the suggested passwords.

Using TOTP 2FA should be the primary second factor enforced everywhere. If you use Aegis on android or Raivo for ios, you control your 2FA secrets and can make encrypted cloud backups. I can't see myself ever using YubiKeys or Passkeys because I don't want to worry about hardware failure. Additionally, the chrome/ios roll out of passkeys requires it to be associated with your Google/Apple account and is tied to your login. Google passkeys don't support linux and don't plan to.

Veracrypt is stable and replaced truecrypt for me years and years ago. I am not sure why bitlocker would be recommended over Veracrypt. For true full-disk encryption, I thought it was still best to use a BIOS/UEFI set password so the prompt happens before boot. My understanding is that this is independent of OS. From the last time I checked, bitlocker has slightly better OS integration, but veracrypt allows compatibility and decryption with linux. I like veracrypt for situations where I need things to be portable and able to be backed up in the cloud or need access across OSes. Is there a benefit in using bitlocker?

I like GitHub's push in this area. When ssh keys were first being forced for signing/authentication for commits, I was annoyed that I couldn't use passwords. But I realized that I was more annoyed about having to change my workflow, and it doesn't slow me down now that I've done it a few times.

https://xkcd.com/936/


Not Getting Hacked - Hacker News