PRAISE - 2 factor auth for the win.

Submitted by john on Sun, 04/09/2017 - 23:43

Is 2 factor too much of a pain in the butt? Well, I tried it. I thought it was a pain and I borked the authenticator app for the account and lost access to the account and had to call tech support. BOOOO.. So why even bother, right? I make pretty hard passwords. Super lengthy, jack loads of complexity, upper case, lower case, special characters, numbers, weird phrases,... man, I pull out all the stops. All to find out, it doesn't matter.

Long story short, I worked for a questionable company that does some questionable things. You guessed it, the US Government. They gave me a phone and I did the dumbest thing possible with it. I used it for personal matters like talking to my wife and kids. That was a hard lesson learned. I tied it to my personal iCloud account and went about my business. After some rough patches with my appointed temporary boss (who had a lukewarm IQ at best) I found myself in a bad position. I was turning in my keys, ID card, and phone and wasn't given time to wipe it. They demanded I give them the pin number to unlock it and I complied (mistake number 2. I should have dragged them through court but, I had nothing to hide, right?) Wrong. Every "I love you.", every personal text between my wife and me, everything... was thrown back in my face. They used my personal information to harass me because they "owned" the physical device. So, I did what any smart guy would do. I logged into iCloud and issued a remote wipe and detached it from my account. My account was still signed into the tablet I was using as well. With the same pin (facepalm... yeah, I learn my lessons the hard way). So, I decided, let's give 2 factor a go again and change ALL my passwords, pin numbers, and not have the same pin or password on any 2 accounts or devices. Ok, that sounds like a good idea, right? So, how do you keep everything straight? That is for another post.

So, I enabled 2 factor for everything that I could. I have since driven a hard wedge between work devices and personal devices. I will do research on my personal device like Stack Overflow stuff, but I will never edit a file locally on my personal device. The only exception I make is Citrix. I will use Citrix on my personal device because the files are still on a remote computer that I RDP into once I establish the Citrix connection.

Now, for the winning part. I am a little annoyed at the paranoid security measures I have taken to protect myself after the last position but oh well, I am getting along just fine. On Friday, April 7th, 2017 at 6:41 AM CST I got a 2 factor verification request on my iPhone for my iCloud account from Jiangmen, China. My eyes got wide as I realized that my complicated, long password was compromised and in the hands of someone in China that was trying to log into WTF!?!? I don't have even similar passwords on any other account that uses my iCloud email address as my login name so this had to be leaked directly from Apple. Great. I immediately denied the request and changed my iCloud password and kicked all devices out, forcing them all to sign back in with the new credentials and a 2 factor notification for each attempt. I have permanently marked that password for the graveyard now that it is in someone's password dictionary.

Now, my attitude towards password security, separation of work and personal, and 2 factor authentication has leaned more toward the secure side of the house like we are taught in college. To the jackwagon in China, nice try. Move on, you are not getting into my account. Besides, you would have to have my private GPG key to read anything worthwhile in there anyways. The rest is all sales ads and spam.