Do you use Google or Facebook Logins when prompted for a new website?

The reason they are called ‘cell phones’ in some less sophisticated corners of our globe is because they rely upon a cellular network architecture.

I am often annoyed at the differences in English as she is spoke, but it turns out that many of our differences do have a sound historical basis. Aluminum vs. aluminium, for instance, came about because the people originally deciding on the name couldn’t make up their minds. Aluminum was an earlier version of what most of the English-speaking world now calls aluminium.

I hate to break it to you, but you have almost certainly broken laws that you did not even know existed.

2 Likes

Never, ever sign in with anything but an email address. I have my own domain name, so in the vast majority of cases would create a site specific email address and give minimal details. If I have doubts or suspicions about the site I use one of my pre-prepared spam magnet email addresses not tied to my domain.

2 Likes

NO…prefer to overview before keeping…

Nice to see Optus will commence two factor authorisation such as pin no. sent to smart phone. Hard to understand why they hadn’t done it earlier.

2 Likes

It wasn’t done earlier as it wasn’t mandated. The Australian Communications and Media Authority has now mandated all mobile carriers to use two factor verification, the main driver being to prevent fraudulent mobile porting.

2 Likes

The only problem being that it permits SMS - a communications method that is ancient and insecure - as one of those authentication factors.

Here is a link to the ACMA announcement, and one to the relevant Determination. Unfortunately the official version does not provide a decent English language interpreter, so one of my previous links is to a sales-critter’s website.

Poking a little further, it is not at all clear what the Determination means by “account information authenticator”. This term is defined as:

account information authenticator means a process used to establish that the requesting person is the customer, or is the customer’s authorised representative, for the telecommunications service based on the requesting person’s knowledge of a piece of the customer’s account security information.

That is one of the two required factors, the other being:

personal information authenticator means a process used to establish that the requesting person is the customer, or is the customer’s authorised representative, for the telecommunications service based on their knowledge of a piece of the customer’s personal information that is not account security information.

And of course telecoms carriers are expected to interpret this. It is always fun to try to make sense of regulation.

3 Likes

Not the only problem. Another problem is a mobile service that is data only (e.g. not being used in a phone) and hence doesn’t have the interface to receive an SMS (and also doesn’t have the interface or capability to run an authenticator app).

It remains to be seen what is done about that. I think they will accept email as an alternative which, also, for all intents and purposes is insecure.

While SMS is insecure, it is still better than not using a second factor at all.

This is sensible. I do the same. No No No FB, I use YuToob but don’t have an account nor any subs. Yes, I am honest with banks and important useful sites (Choice) but mostly if I cannot quickly sign in with an alias ID then I will lie. However, using an Android phone it appears that I can do little without the knowledge of ggl.

1 Like

I should have mentioned that some password managers allow login details including passwords to be exported into a readable file (such as ASCII text files). While this isn’t generally recommended, one can export the file and use an extremely strong encryption program (128+ bit) to save a copy locally (or part of a standard routine backup) in the event the password manager crashes.

Alternatively, if one has a safe or secure storage location, an unencrypted version could be kept (electronic or paper print).

Any kept copies of password manager export data files have risks which one must consider before using this as a form of backup.

Don’t print it while you are in the office. Many business-grade printers now store everything they print on internal hard drives. This is a problem for a lot of businesses that would like to dispose of the printers while keeping their proprietary information to themselves, but also for individuals who use the office printer for personal purposes.

I listen to an IT Security podcast whose host routinely prints out QR codes when enabling two factor authentication on his phone app. Next time he changes phones, he unlocks his cabinet and pulls out the printed codes and rescans them on the new phone - in some cases saving quite a lot of work in reactivating all those existing accounts.

There is a big difference in security risk between online and the physical world. Online attacks can come from any other Internet user, but to get to your printed passwords one needs to physically break into your home and access the storage where those passwords are kept. When weighing up relative risks, unless you work for ASIO or in some other extremely secret squirrel area the physical attacker is more likely to steal your computer and TV than a stack of paper.

If you do work in some secret squirrel job, what are you doing posting in this forum and giving away potentially valuable information about yourself (including the way you write)?

4 Likes

No.

1 Like

No, I avoid using FB or Google logins.

I use:

  1. 6 free email addresses from Firefox. These are for sites that are a bit risky
  2. A few other slightly less disposable email addresses for subscriptions etc.
  3. My 2 main email addresses for anything important for sites that I would generally trust

I also use a password manager and unique passwords for each site.
This has only been a problem once, when I had left both my laptop and phone at home and needed to access some websites from a friend’s phone… the password manager wanted to verify the new device using either email or other 2FA and I didn’t have access to either of these. So I think it’s worth knowing the password for the email address used for the password manager!

3 Likes

The words “10 foot bargepole” spring to mind.

That comment may be a bit terse.

I think what you mean is:

“password manager” - good

“online password manager” - not so good - don’t touch with 10 foot bargepole

I would like to add

Accessing anything from someone else’s device carries with it some risk. You must trust the friend and you must trust that the friend’s device has not been compromised by a third party.

1 Like

True enough. In this case, it was actually my mother’s phone and I set up the security on it for her, so I was confident with that. Even so, I would be careful to delete anything, not save any passwords, etc. since she’s still not great at security.

3 Likes

I never use FB to log in, but use a Google (or Yahoo mail) email address which I have set up for privacy and spam. I recommend, if you are using Firefox, an extension called Facebook Container. It alerts you when logging into sites and blocks FB tracking your web movements etc.

1 Like

Apple have good password management. I sometimes use my Apple ID to log in. Wouldn’t use FB as I don’t think their platform is secure.

1 Like

I never use Google or Facebook. They’re predatory consumer data collectors. Stick to my own email and use a different password with each one.

3 Likes

I never use Facebook or Google to log in and I log in to Google only when I have absolutely no alternative (usually when I have to use one of those documents that everyone can add to or share and to be honest they’re more trouble than they’re worth because sooner or later someone stuffs up and then we have to find and reinstate the previous version using the ‘document history’).

2 Likes