
The Unity forums were hacked, but they say no passwords were taken

By - | Views: 12,758
The Unity game engine forums were hacked over the weekend, with defacement of the site and messages sent to all users.

The Unity team note that no passwords were taken, but they will be boosting their security measures in case of future attacks.

They will be adding 2FA, device identification (to alert you when an unregistered device logs into your account), and a new password policy.

Read more here.

Not exactly gaming news, but we have a good amount of developers here who will probably want to be made aware of this. Article taken from GamingOnLinux.com.
Tags: Unity
About the author
I am the owner of GamingOnLinux. After discovering Linux back in the days of Mandrake in 2003, I constantly came back to check on the progress of Linux until Ubuntu appeared on the scene and it helped me to really love it. You can reach me easily by emailing GamingOnLinux directly. Find me on Mastodon.
18 comments

Guest May 1, 2017
All sites should use 2FA if reasonably possible.
razing32 May 1, 2017
Kinda sucks somebody did that.
Wonder why though ?
Was it just for shits and gigglez or did somebody have a bone to pick with unity devs ?


Last edited by razing32 on 1 May 2017 at 3:58 pm UTC
Another company?
Kimyrielle May 1, 2017
Quoting: meggerman
All sites should use 2FA if reasonably possible.

The problem with 2FA is that it's a complete PITA. There are about as many authenticators around as there are applications using 2FA, which is bad to begin with (If you use 30 services protected by 2FA, chances are that you will have to deal with at least 25 different authenticators). But the worst thing about 2FA is that most services want you to use your smartphone as authenticator, which is a really, REALLY stupid idea. Smartphones have much greater chances to get lost or stolen than (good) passwords have, so doing that is adding a security liability, not an asset.
You also cannot use smartphone based authenticators without exposing your identity, at least to the provider of the authenticator. Which is a significant privacy concern, for using such services anonymously is nigh on infeasible.
And since people tend to replace their smartphone quite often, you will have to reset every single authenticator app when doing that. Fun! Not.

2FA is one of the things that look good on paper, but just don't work in real life. The one possible solution to this dilemma would be a global standard provider of 2FA tokens you could purchase anonymously and that would work with every single service on the planet. But when has standardization ever worked anyway! And even then this would result in a single point of failure you better not ever lose. That's the intrinsic problem with 2FA - its very point is to make you authenticate with something you HAVE and not just know (unlike passwords). But what you have, you can lose!

In the end, 2FA would be totally unnecessary if people would pick good passwords, not reuse them anywhere, and the service providers would stop being daft and start properly hashing/salting them. 2FA does NOT protect services from getting hacked. All it really does is protecting stolen passwords.
Beamboom May 2, 2017
Quoting: Kimyrielle

I totally disagree with all you say, Kim. A good password is unique to each account. And a collection of unique passwords WILL have to be stored in a password file of some sort, and that file WILL, for most persons who do practise good password policy, be stored on the mobile phone too (typically via cloud). And then you're pretty much back to square one if you do lose your mobile and someone gets past the login of the phone.

To argue against 2FA and for good password policy is pretty much counter-productive. 2FA makes the requirement of good passwords less vital and a system much, much more robust. That's the way to go.

In my opinion, absolutely everything even remotely vital (ergo store important data) should be 2FA - preferably all using the same token technology, but today all but one service that I personally use are using the algorithm used in Google Authenticator (it's an open standard, can't recall the protocol right now).


Last edited by Beamboom on 2 May 2017 at 11:11 am UTC
Kimyrielle May 2, 2017
Quoting: Beamboom
Quoting: Kimyrielle

I totally disagree with all you say, Kim. A good password is unique to each account. And a collection of unique passwords WILL have to be stored in a password file of some sort, and that file WILL, for most persons who do practise good password policy, be stored on the mobile phone too (typically via cloud). And then you're pretty much back to square one if you do lose your mobile and someone gets past the login of the phone.

To argue against 2FA and for good password policy is pretty much counter-productive. 2FA makes the requirement of good passwords less vital and a system much, much more robust. That's the way to go.

In my opinion, absolutely everything even remotely vital (ergo store important data) should be 2FA - preferably all using the same token technology, but today all but one service that I personally use are using the algorithm used in Google Authenticator (it's an open standard, can't recall the protocol right now).

The vital difference is that if I lose the phone with my encrypted password file (people who put unencrypted password files on phones or cloud servers are stupid anyway), I still have a copy of it in my backup, or on my desktop PC. So, if I lose my phone with my encrypted password file, I can simply recover the copy from my backup and carry on. OTOH, losing a 2FA token is a major disaster, since that's the exact thing you need to authenticate with. Recovering lost 2FA tokens is a completely unsolved security problem, btw. There is no satisfying way to prove that the lost token was actually yours, because the possession of the token IS what the system is using to identify you. A service provider will usually resort to asking you things you know, essentially opening possible social engineering attack routes and eliminating most of 2FA's additional security (authenticating with something you KNOW is what passwords do...)

I find it also hilarious that people use Linux to escape MS's monopoly, but would be willing to hand Google the keys to each and every online service they use. Just sayin'.
Beamboom May 2, 2017
Quoting: Kimyrielle
I find it also hilarious that people use Linux to escape MS's monopoly, but would be willing to hand Google the keys to each and every online service they use. Just sayin'.

No, you don't understand how this works.
The token you are given by the app is based on a private key that is stored locally on your phone. The application (which doesn't have to be Google's, but any that supports that same protocol) uses the timestamp as the second key, and calculates the token based on that. That's why a token only lasts for a minute - and this is why you need to re-tie the account to your phone when you get a new phone.

So the app doesn't (and shouldn't) require network access privilege, nothing whatsoever is sent across any network - it can forever work on an offline phone - it doesn't even need to have a SIM card. Just like those RSA "dongles" that some have from their bank to supply a temporary 2nd password. Exact same.

There are of course those who do offer a "cloud storage" of your private key, so that it'll always work across devices. But yeah - it's up to you if you trust that provider or not. I'd not do it, that's for too damn sure.

So why is the Google Authenticator so popular? Because it offers a nice interface to your various keys. It's user friendly. That's the simple reason to use that offline app.

But again - once you understand how this works you'll realise that this system is, in fact, very good.

Two password walls are better than one. And if that second password is valid for only one single minute before it's scrapped, it's even better.
And the service providers do of course offer a functionality for the case where you have lost/stolen your phone. Just like if you've lost/forgotten your password.

But this is the way forward. By far not all users practise good password policy, but this enforces proper password practise for all users just by its very nature. From the service provider's perspective it doesn't really matter anymore if the user uses one single password across the entire internet - it doesn't put your service at risk unless they *also* break into the user's phone. One more barrier to break, and let's face it, it's a tough one for online hackers.

An offline encrypted password file can be hammered forever with no risk - billions of attempts every minute - it's just a matter of a pile of CPU cycles to break that open. Especially since most users use a simple password on that file - since they have to open it quite regularly.

So if a hacker gets their hands on that file, you may just as well consider the content exposed. One with know-how will be able to pry it open.


Last edited by Beamboom on 2 May 2017 at 8:32 pm UTC
Kimyrielle May 2, 2017
Quoting: Beamboom
But again - once you understand how this works you'll realise that this system is, in fact, very good.

I find it both funny and a little offensive that you're basically suggesting that I don't understand how 2FA works. But I guess rule #1 for internet debates applies: Whenever you're running out of good arguments, take a stab at the other person's qualifications!

I know that you're not -technically- handing your keys to Google. You're still making yourself dependent on them and their service. Which is in the end just as bad.

Quoting: Beamboom
Two password walls are better than one. And if that second password is valid for only one single minute before it's scrapped, it's even better.

The problems with 2FA I tried to point out isn't related to that. I already said it's a good idea on paper. Unfortunately one that doesn't survive a reality check. See my above postings.

Quoting: Beamboom
And the service providers do of course offer a functionality for the case where you have lost/stolen your phone. Just like if you've lost/forgotten your password.

Yes, that's my point. Most of these recovery procedures are really weak security. As weak as a bad/lost password. "Answer this silly question about you, that every halfway determined person can find out in 5 mins". Yeah, right!
To me, the recovery question is actually THE central weakness of 2FA as a concept. I can't remotely think of a good solution to that problem that wouldn't completely do away with any notion of privacy/anonymity online. Which is unacceptable.

Quoting: Beamboom
An offline encrypted password file can be hammered forever with no risk - billions of attempts every minute - it's just a matter of a pile of CPU cycles to break that open.

You do realize that brute force attacking a file encrypted using a proper cipher and a -good- password takes multiple lifetimes, yes?

Quoting: Beamboom
Especially since most users use a simple password on that file - since they have to open it quite regularly.

Can't cure stupid. But if they can't be bothered using a good password for the most important file they possess, what makes you think they'd want to add a super-inconvenient second authentication layer on top of that? And that 2FA is super inconvenient is just an objective fact, sorry.

Quoting: Beamboom
So if a hacker gets their hands on that file, you may just as well consider the content exposed. One with know-how will be able to pry it open.

No, they can't. I'd die long before they'd be finished. In contrast to Darth Helmet I don't use 12345 as a password. That being said, I'd still change my passwords if I'd ever lose my phone. Chances are that I am done before they brute forced my password file. *shrug*
Beamboom May 2, 2017
Quoting: Kimyrielle
I find it both funny and a little offensive that you're basically suggesting that I don't understand how 2FA works.

No - I don't think you knew how the tokens - the temporary passwords - work. If you thought that it was giving your keys to Google (or whoever) then yeah, it would be stupid. But it's not.

Quoting: Kimyrielle
I know that you're not -technically- handing your keys to Google. You're still making yourself dependent on them and their service. Which is in the end just as bad.

Oh come on. It's an offline tool - one of many of whom you can freely choose. The algorithm is open and freely available for anyone to implement. You're trying to create an argument that's not there, now.

Quoting: Kimyrielle
Quoting: Beamboom
And the service providers do of course offer a functionality for the case where you have lost/stolen your phone. Just like if you've lost/forgotten your password.

Yes, that's my point. Most of these recovery procedures are really weak security. As weak as a bad/lost password. "Answer this silly question about you, that every halfway determined person can find out in 5 mins". Yeah, right!

Well, then criticise that, then. But this is the same regardless of whether there's one or two layers of password security!
And it then becomes a task for the service provider to handle. Look at how Facebook and Google handle it. Their systems are far more complex than a stupid "secret question" request.

But this is a different discussion.

Quoting: Kimyrielle
Quoting: Beamboom
An offline encrypted password file can be hammered forever with no risk - billions of attempts every minute - it's just a matter of a pile of CPU cycles to break that open.

You do realize that brute force attacking a file encrypted using a proper cipher and a -good- password takes multiple lifetimes, yes?

You're cherry picking the quotes now. I stated that this password often is not secure, because it's a password the user has to remember and use often. I can promise you this, the majority of encrypted password files are not using a long, complex password. It's incredibly impractical when one needs to open it regularly.

Quoting: Kimyrielle
Can't cure stupid. But if they can't be bothered using a good password for the most important file they possess, what makes you think they'd want to add a super-inconvenient second authentication layer on top of that? And that 2FA is super inconvenient is just an objective fact, sorry.

If it was up to average joe there would barely be any security at all, they'd disable most of it. 2FA must be enforced. Like the banks do today, for example.


Last edited by Beamboom on 2 May 2017 at 10:02 pm UTC
Kimyrielle May 2, 2017
Quoting: Beamboom
Well, then criticise that, then.

That's indeed what I do and what I called the "reality check" that 2FA doesn't survive. The entire concept has several really fundamental problems that just aren't solved and probably never will be. Like how to solve the lost token recovery WITHOUT trampling on your privacy (and please don't point me at Facebook or Google...we know for a fact that neither of them gives a flying shit about your privacy). Which is a hilarious circumstance given that the most popular token is a device people are super prone to lose - their smartphone.

In the end, my fundamental problem with 2FA is that it doesn't really provide any significant additional security for people who use good passwords or service providers that aren't completely inept. Basically 2FA is an attempt to cure stupid. And we all know that in the end you can't. For people who are NOT stupid, it doesn't do anything except making their life more complicated. And introducing a lot of new problems, like making one lose access to -everything- if they happen to lose the single point of failure in that system - their phone.

But go ahead and convince me: Tell me how to design a 2FA system that's foolproof regarding people losing their token, WITHOUT compromising its security in the process, that STILL lets people use the system 100% anonymously if they so desire, AND doesn't put any sort of market leverage in the hand of the token provider, despite them having to be a monopoly by definition (we still want to avoid having to deal with more than one token system!)