For help, advice and discussion about stuff not related to aviation. Play nice: no religion, no politics and no axe grinding please.
By OCB
#1556912
JoeC wrote:Could the key logger do that to my password manager password?


Of course it could.

It wouldn't make the slightest bit of difference if the key service used 2 factor authentication in the first instance, then other "hardening" options such as trusted device, geo-aware IP filtering (you can't be in England on your iPad one minute then Russia on an untrusted Ubuntu VM the next) etc.

With good 2nd factor authentication - what you type in is a time limited/one use "response", thus rendering a key logger useless in this instance.

Having an RSA/digipass style key might be a bit overkill for most - although many of my clients insist on them for remote login to their systems. Those that don't, now do the 2nd factor via one-time SMS to my phone.

I actually quite like the Microsoft Authenticator app on my iPhone. I always have my phone with me.

I don't know of any "key services" that use 2 factor authentication though - but then again I haven't looked...and I doubt it would be popular as it is always a "faff"....
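To make the "time limited/one use" point concrete, here is an added example (not code from this thread or from any product mentioned in it) of an RFC 6238 TOTP generator beside a server-side check that accepts a code only in its own time window and only once, so a code a key logger captured cannot be replayed. The secret is the RFC 4226/6238 test-vector key, used purely so the outputs are checkable.

```python
import hmac
import hashlib
import struct

# RFC 4226/6238 test-vector secret, used here so the values are checkable;
# a real enrollment generates a fresh random secret per user.
RFC_SECRET = b"12345678901234567890"

def hotp(secret, counter, digits=6):
    """RFC 4226: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, unix_time, step=30, digits=6):
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)

class TotpVerifier:
    """Server side: a code is valid only near its time step and only once."""

    def __init__(self, secret, step=30, skew=1):
        self.secret, self.step, self.skew = secret, step, skew
        self.last_counter = -1  # highest time step already consumed

    def verify(self, code, unix_time):
        now = unix_time // self.step
        for counter in range(now - self.skew, now + self.skew + 1):
            if counter <= self.last_counter:
                continue  # already used: a replayed (logged) code cannot succeed
            if hmac.compare_digest(code, hotp(self.secret, counter)):
                self.last_counter = counter
                return True
        return False

def demo(t=1_000_000):
    """A key logger records what the user typed at time t; replaying it fails."""
    server = TotpVerifier(RFC_SECRET)
    typed = totp(RFC_SECRET, t)
    return {
        "genuine_login": server.verify(typed, t),
        "replay_seconds_later": server.verify(typed, t + 5),
        "replay_minutes_later": server.verify(typed, t + 300),
    }
```

The one-step skew tolerates clock drift between phone and server; the `last_counter` bookkeeping is what turns "time limited" into "one use".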
By JonathanB
#1556926
It's quite unlikely that you would get a key logger on your machine, but it is probably more likely that one of your written down passwords could be brute-forced depending on its complexity. (I don't know how hard your passwords are to crack.) There is perhaps a smaller risk of any particular password being compromised by making your passwords for different sites unique, long and hard to crack - and a password manager is ideal to do this.

These days it's generally thought that substituting characters (like 0 for o) is pretty pointless as the crackers know all these substitutions anyway. Much better to pick 4 or 5 random words to make a memorable phrase (but which is unrelated to you in any way) using a system such as Diceware - http://world.std.com/~reinhold/diceware.html

That said, I'm a bit like OCB and re-use some passwords and phrases for some sites. Particularly those which it's useful for me to log on from a work PC where I cannot install my password manager.

I do use 2-factor auth for some sites such as Paypal, Google, Evernote and Dropbox. These either use SMS, Google Authenticator or Symantec VIP Access and now 1Password can be used for some sites too. I wish the banks would get behind this idea as it would be much better than having to have an easy password or phrase and being asked for random characters from it which is a right pain to manage in a password manager.
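As an added illustration of the Diceware method mentioned above (not code from this thread or from the Diceware site), the block below maps dice rolls to list positions the way the Diceware lookup does, draws words with a CSPRNG, and puts a number on the resulting strength: each word is one uniform pick from the list, so a 5-word phrase from the real 7776-word list carries about 64.6 bits. The 36-word list is constructed for the example and stands in for the real five-dice list.

```python
import math
import secrets

# Constructed 36-word list (two dice, 6*6 entries) standing in for the real
# 7776-word Diceware list, which uses five dice. Any list whose length is a
# power of six works with the functions below.
DEMO_WORDS = ("able acid aged also area army away baby back ball "
              "band bank base bath bear beat been beer bell belt "
              "best bill bird blow blue boat body bomb bond bone "
              "book born boss both bowl bulk").split()

def dice_per_word(n_words):
    """How many dice a list needs: 6**k == len(list), as in Diceware."""
    k = round(math.log(n_words, 6))
    if 6 ** k != n_words:
        raise ValueError("word list length must be a power of 6")
    return k

def rolls_to_index(rolls):
    """Diceware lookup: 11111 -> 0, 11112 -> 1, ..., 66666 -> 7775."""
    index = 0
    for r in rolls:
        if not 1 <= r <= 6:
            raise ValueError("each roll must be 1..6")
        index = index * 6 + (r - 1)
    return index

def roll_word(words):
    """Roll the dice with a CSPRNG (secrets) and return (rolls, word)."""
    rolls = [secrets.randbelow(6) + 1 for _ in range(dice_per_word(len(words)))]
    return "".join(map(str, rolls)), words[rolls_to_index(rolls)]

def passphrase(words, count):
    """A passphrase of `count` independently chosen words."""
    return " ".join(roll_word(words)[1] for _ in range(count))

def entropy_bits(list_size, count):
    """Each word is one uniform choice from the list, so the bits add up."""
    return count * math.log2(list_size)

def years_to_crack(bits, guesses_per_second=1e10):
    """Expected time for an offline attack that tries half the space."""
    return (2 ** bits / 2) / guesses_per_second / (365.25 * 24 * 3600)
```

The guess rate is an assumed figure for an offline attack on a fast hash; the point is that strength comes from the number of words and the list size, not from substituting characters.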
By OCB
#1556945
Why am I reminded of the password joke - from Fringe Festival Dave awards I think?

I needed a password with exactly 8 characters.
So I put in "Snow White and the Seven Dwarfs"....

:roll:

I seem to recall some rumours that some upcoming version of iOS will have facial recognition to allow login/authentication. Curious to see how they avoid the obvious pitfall of using a photo....
By Ridders
#1556961
OCB wrote:
With good 2nd factor authentication - what you type in is time limited/one use "response", thus rendering key logger useless in this instance.
2FA is an absolute must these days.
However the use of Phones for this is pretty questionable. The SMS system is not secure and there have been recent cases where someone has contacted the mobile provider and duped them into switching a phone number to a different SIM thus directing 2FA responses to another device and compromising a service.
There's a few interesting podcasts on security, Mike Gibson of security now (and of shields up! fame) has a weekly podcast that often discusses these subjects and delves deeper into hot topics, correcting the often seen journalistic tendency to exaggerate.
By flybymike
#1556975
OCB wrote:Why am I reminded of the password joke - from Fringe Festival Dave awards I think?

I needed a password with exactly 8 characters.
So I put in "Snow White and the Seven Dwarfs"....

:roll:

I seem to recall some rumours that some upcoming version of iOS will have facial recognition to allow login/authentication. Curious to see how they avoid the obvious pitfall of using a photo....


I have photo ID on at least two sites I visit. They require you to blink to prove you are alive and not a photo.
By OCB
#1556980
Ridders wrote:There's a few interesting podcasts on security, Mike Gibson of security now (and of shields up! fame) has a weekly podcast that often discusses these subjects and delves deeper into hot topics, correcting the often seen journalistic tendency to exaggerate.


ROFL! I thought he was dead :lol:

I'm so glad he's not, and still active - although I went to the GRC website not long ago, it's not changed its look in about 15 years...hence my rash assumption.

I'll definitely check out some podcasts - thx! I was a big fan of his back when I had my own little security blog site.

Agree on the SMS weakness - I could give other examples that are much worse, but I'd never work in the financial sector again... :oops:

When it comes to facial recognition - I'm pretty sure that'll get "cracked" by some enterprising students.

I'm more worried about the privacy aspect of having Apple ending up with the world's largest biometric database, that's kept up to date on a daily basis.
By PaulB
#1556985
OCB wrote:I'm more worried about the privacy aspect of having Apple ending up with the world's largest biometric database, that's kept up to date on a daily basis.


The biometric stuff is putting me off the new iPhone more than the supposed price!
By stevelup
#1557265
As TKF says, the biometric data never leaves the handset and is heavily encrypted. This has always been so.

Even the passcode and stuff never leaves the device, nor do any of your card details when you're using Apple Pay.

This is in stark contrast with Google where pretty much everything is server-side.