We’ve discussed the importance of properly implemented two-factor authentication before, but TFA is usually associated with computing fields or high-security facilities.  Earlier this year an InfoSec blogger wrote about his experience driving a new Ducati Diavel, in which he dealt with a dealer who did not provide a key for the bike he was test driving.  While the bike appeared to have been started before he left the dealership, apparently the dealer started it without a key, since new Ducatis can be started with an optional backup PIN in case you lose or forget your key fob.  To his surprise, the bike’s PIN was the last four digits of the bike’s VIN, although that was most likely an oversight from[…]

We all have passwords.  Most of us hate writing a new one for every new account we open.  The traditional thinking always said that for a password to be secure, it was necessarily unwieldy to memorize.  So who wants to memorize vRg5BoTA for your new Spotify account when you just solidified a mnemonic in your head for your Gmail password?  Many older account systems limited your passwords to be between 6 and 12 characters, so increasing complexity through a larger alphabet and using non-dictionary words was crucial to give yourself a chance against password guessing attacks.  If you’re still using 6 character passwords, I have bad news for you: you’re so laughably vulnerable, you don’t even register as roadkill for[…]

As some of our readers are well aware, last year many leading browsers finally closed a major privacy hole involving browser history that has been around for more than ten years.  Essentially, would-be trackers used JavaScript to scan links with functions like getComputedStyle() to determine whether each hyperlink was styled as a visited site or unvisited (e.g. visited links are often purple and unvisited are blue).  This practice represents a serious threat, since not only can stints of browsing history be logged, but individual users can be tracked and identified with ease (this is one of several ways you can be tracked without cookies).  Since this practice of changing styles for visited links has been around since the early days of[…]

Several months back, we covered Google’s new and much-welcomed two-factor authentication process.  As mentioned before, enabling true two-factor authentication greatly enhances an application’s security profile, a crucial step for applications as important and ubiquitous as Gmail and Google Docs.  So after being painted with a giant bull’s eye last year following Firesheep’s debut demonstration, Facebook has followed Google’s lead and added several new security features, including two-factor authentication.  All of Facebook’s new security options have been conveniently grouped together under “Account Settings”.  There are several check boxes here, as well as a list of devices that have recently logged into Facebook with your account.  First, be sure to enable secure browsing via an HTTPS connection, so as to prevent sidejacking, à[…]