Ok... so you haven't explained what real 2 factor authentication is? And I really don't buy Apples system being any more secure when it works in the exact same, way as googles.
Got a tip for us?
Let us know
Become a MacRumors Supporter for $50/year with no ads, ability to filter front page stories, and private forums.
Apple Responds to Hack Threats, Says There Were No iCloud or Apple ID Breaches
- Thread starter MacRumors
- Start date
- Sort by reaction score
Ok... so you haven't explained what real 2 factor authentication is? And I really don't buy Apples system being any more secure when it works in the exact same, way as googles.
Do you actually read what I write!
Most people use dictionary words (or variants of these), especially those linked to them in some way (info obtained through social engineering)
that's why its actually even possible to brute force these things.
which password is easier to guess from the encrypted hash? : lovebird3 or l,j6!lo:y
They'll go first through the dictionary because the factorial combinations for numbers+letters+symbols is around
3.856204823 E+215 combinations for 8 letters (ifI use an unicode letter, then the combination explodes to over 10 E+10000 (and more), call me back when there is a quantum computer that can run this comes around.
Hackers go for the low hanging fruit.
The low hanging fruit are in order SOCIAL ENGINEERING, brute forcing with a dictionary password files, then the MTM attack.
Two factor is authentication based on something you know and have. Two step authentication can be made up of two things you know.
Apple's system is more secure because they don't allow you to use an app. I can use various apps with Google to authenticate.
[doublepost=1490384474][/doublepost]
You're relying on a person not making a mistake and falling for scams. Long passwords are better than short ones, but having 2FA turned on is even better. What makes something more secure is the collective sum of multiple security measures.
what makes something secure is USING IT.
For a lot of people two factor is a bother so they don't use it (thus no security).
That's why touch Id is more secure than the password, because people will actually use it instead of having to input a long password.
Anything that reduces friction to security is a plus. If someone just has to remember not to click and login on links from unsolicited emails they receive once and a while, that's still less friction to security. If my 70 year old mother can do it, I think most people can do it.
The user is weakest link in any security and that's why education and reducing friction to security is the best bet.
I'm all for biometric keychains where new device can be authorized to use it (the first time you try to log in with something in the keychain).
You're arguing about different things. Is it easier to not use 2FA? Yes.
Could you get the same security without it? No and that's the point I'm stating. A user suggested a long password is enough, when that's false. At no point did I bring up usability.
Yeah it's easier to not have 2FA, but you're also less secure without it.
Well, usability is critical cause that's why he was probably asking in the first place...
Why would people not use what's more secure, or any security at all, well because its often a pain in the ass (or perceived to be).
A very good password used with care is secure enough, and provides less friction if the person is attentive.
Even better, a good password you don't even have to remember and will not be cracked (like biometric ones).
The lesser the user is involved in managing his own security, the better it will be.
If you got 30 different services all with 2FA, then it will become properly hellish (even more hellish than trying to remember to 30 passwords). Of course, you can then get into frameworks like OpenID that simplifies this kind of thing.
Security is a mess and people dealing with are also a mess. With IOT and automation (car, home), on top of this and the dilettante way those devices and users deal with security, it will get mucho bad in the near future.
His/Her talking point was long passwords are hard to guess and thus secure enough. That's a false sense of security and I stated 2FA is more secure. At no point did I bring up usability.
2FA is more secure, period. I would agree with you that 2FA is more of a hassle, but that's not what I was discussing.
Real hackers are constructive and without them they would be no web, computers, e-mail.
Calling them Hackers is the same as saying a Muslim commits acts of terror.
Exactly, so in the scheme of life, anything can happen. Losing your device with 2fa on is just one of them. As the old boy scout motto goes: "be prepared".
I'm not going to lose any sleep over this. Good luck guessing my unique password & my 2FA code.
Um... English is my third language but this is reading comprehension fail on your part...
Let's break down the sentences, kids:
1. "There have not been any breaches in any of Apple's systems including iCloud and Apple ID," the spokesperson said. = NO COMPROMISES DETECTED on any Apple systems.
2. "The alleged list of email addresses and passwords appears to have been obtained from previously compromised third-party services." = The list is a rehash of a previously obtained list.
Where does it blame anyone for anything? LMAO
Do they teach reading comprehension anymore in the States?!
I log in here to read some pithy and funny reactions and the occasional positive/smart reactions. This is plain ridiculous.
The quotes were supposed to imply derision (i.e. these aren't real hackers). Sorry if that was unclear.
What about strawmanlovebirdcorruption59849129 vs l,j6!lo:y ?
Nobody advices to use a common word followed by a single digit. You start with multiple words, or other items that are memorable to you.
which is likely very true. Folks don't like to admit it but social engineering, via phishing etc is far far more common than brute force server attacks. it's simply way too easy to fool the F out of folks to get access to their accounts.
I got an email saying someone used my Apple ID to sign into iCloud on an iPhone 7 this morning.
My account showed an extra device so it looks like the email from Apple was genuine.
I have Two Factor Authentication turned on so how would this be possible?
**EDIT**
On further inspection it looks like the email was fake (the address isn't Apple but the display name says Apple).
I changed my password but didn't click on any links in the email - I never do.
I think the device that was showing on my account must have been my old iPhone 7 Plus that went faulty and Apple replaced.
I don't think anyone actually managed to get into my account after all.
My account showed an extra device so it looks like the email from Apple was genuine.
I have Two Factor Authentication turned on so how would this be possible?
**EDIT**
On further inspection it looks like the email was fake (the address isn't Apple but the display name says Apple).
I changed my password but didn't click on any links in the email - I never do.
I think the device that was showing on my account must have been my old iPhone 7 Plus that went faulty and Apple replaced.
I don't think anyone actually managed to get into my account after all.
Last edited:
Did you click the link in the email or type iCloud.com in the browser. Was an alternate authentication method hacked or did someone use your phone? Or your computer hacked or something like that? Did you call Apple?
2FA is certainly important and in my opinion, too many iPhone users have no idea what it is or how to enable it. And nor do some care to, until they fall victim.
On further inspection it looks like the email was fake (the address isn't Apple but the display name says Apple).
I changed my password but didn't click on any links in the email - I never do.
I think the device that was showing on my account must have been my old iPhone 7 Plus that went faulty and Apple replaced.
I don't think anyone actually managed to get into my account after all.
except when have a "complicated" password, I would say although two-factor makes it "more secure" the fact that u have a complicated password means two factor is "less of a need" than having a weak password..
Basically, as long as all your passwords are secure and never repeated anywhere else, there is less of a need for two-factor. As if u have done it right, u wouldn't need extra protection. (including but not limited to, complicated/impossible to answer secure questions).
Two factor is a bother to use, but *if* u have a simple passwords then u'r fooling yourself by not using it. Your more higher risk than those people with a complex password, and don't use two factor.
Last edited:
I like to go to these pages with NoScript enabled after stripping any identifying nonsense from the URL and enter what I think about these jerks as my username and passwords. Sometimes their mothers too.
My mother received the same thing... This is basically phishing, you examine the header and the actual links (not the text for the links). Even if you click on the links there is actually no harm unless you actually enter your password in those fake sites.
[doublepost=1490762697][/doublepost]
Not sure what you argument here, we're talking about dictionary attacks because people are dumb enough to use one very common words (with small variants). Even a very short password using unicode letters, say (élèyà) would be much safer than a 10 letter dictionary word. If you use dictionary words, at least mispell them on purpose, that alone makes the task much harder!
Nobody's using a 30 letter combination of words no matter how safe they are; you're lucky if your stupid users (yeah, I've had to deal with many in my own company) are not using password123 as their password on your network plus every other account they have on the internet. I do enforce something better than that though ;-).