Norton and two factor authentication

I would also run Malwarebytes (free edition). You can download it from their website (https://www.malwarebytes.com/mwb-download/) or from https://ninite.com. If downloading from Ninite you need to select it from the lists, then download the installer by clicking the “Get Your Ninite” button and then run the installer. It will require Administrator approval. If you install it as new you may get the full version trial and that is fine to use; it just runs a resident process as well as the manual scans you can click to run. Once installed, run an update then do a scan; hopefully it will be a clean scan for you.

Sadly the advice of Norton if 2 factor is failing is that “If all of the methods you used to enroll are not accessible to you, your Norton account is locked and NortonLifeLock cannot assist you with providing access to your Norton account. In case your Norton account gets locked, you may have to create a new Norton account” which is unhelpful.

Also try your SIM in another phone that isn’t locked to a network your SIM isn’t currently with (any network unlocked phone or a network locked phone on the same network will do). You could also back up your current phone, then factory reset it and try getting the code again. If any of those work then download your vault contents and save them on a USB stick so they are available to you in an emergency or if the problem occurs again.

For password storage I recommend Keepass 2 or Lastpass. With Lastpass you can generate a list of one time passwords for emergencies or your estate executors/Enduring Powers of Attorney (just in case).

Use of an Authenticator App can be better than waiting on SMS; there are a few, and many are supported by many programs that a person sets 2 factor up on.

A small sample of authenticator programs/apps:

https://google-authenticator.com

https://github.com/google/google-authenticator (open source one)

5 Likes

Have you also tried this…

https://support.norton.com/sp/en/us/home/current/solutions/v55260946

The only other thing is did you change your password to your account 6 months ago by accident which resulted in the lockout?

It may also be worth posting your problem and what you have done to resolve on the Norton Community to see if other users/Symantec staff can offer alternative solutions.

1 Like

Another thought…If you have been locked out of your account for 6 months but still able to access your Norton Password vault up until recently, it may be that it is your account that is the issue rather than the vault. The vault is created and linked to your Norton Account. It might be worth asking Norton or the Norton Community if your Norton Vault can be transferred to any new account which has been created with the same email address. It might work and Norton may hopefully have a solution if it does.

1 Like

I haven’t been locked out of my account for 6 months. The issue with two factor authentication has been going on for 6 months. It is only recent that the lock out has occurred as a result of 2FA being corrupted. You should be able to use alternate email to get code, but I cannot select that option.

1 Like

Often to change the option to email requires logging in then changing it, which obviously can’t be done…Catch 22 comes to mind.

@Gambs Have you tried using a different phone or doing a factory reset with the SIM (in case there has been software corruption on the phone)? If not, this may be worth a try as all other options seem to have been exhausted. I again note that Norton will not assist if the methods to get the 2FA code are not working; their answer is to create a new Norton Account.

@phb Norton are stating that the data is lost unless the user can unlock their old vault, which in this case at the moment they can’t, and as they can’t get 2FA done then the vault is not going to be able to be copied in plain data. It will remain encrypted until the correct “key” details are provided to unencrypt that file. I’m assuming from this Norton statement that Norton do not have a backdoor into the encrypted file/vault.

Norton works differently to other password managers. It in effect has a built in 2 step authentication…a third if one chooses a mobile/email code or additional pin. I have never used the third step as there is no need…as there are already two verification steps to be able to use their password manager.

Norton password manager works by having to open an account with Norton. Once the account is opened, then one can setup the use of the password manager (vault) including the password managers own unique password (which is different to the Norton account).

Every so often when an app or AV update comes through, it won’t work unless one first logs into their Norton Account and then separately logs into their password manager.

If the account login has been corrupted for some reason, the password manager should still work as it sits separately to the Norton account. If the password manager information can be migrated to a newly opened account, in theory, it should still work after a new account is created.

If the password manager login has also been corrupted, then the password data file will be lost until they can work out what caused the corruption and provide a workaround.

If the account login has been corrupted, Norton may need to deactivate any product licences (e.g. Norton Lifelock) activated in the old account to allow the licence to be activated in the new account…otherwise the user licence may also be locked.

I gave up on Norton as they failed to understand that it was their system that didn’t recognise my phone number. What a relief to have made the decision. Which password manager would you recommend?

Well you’ve seen the problem with cloud based password managers so if you really want to use one keep it under your control. But why use one at all?
I have a small set of good core passwords that use a mix of characters that I will forever remember, and append to them part of the URL of the logon screen for each place I logon to. Thus I have a different password for every place I go, and if I get an email one day again from some scammer who knows my password, I know exactly which organisation is to blame. (Yes you Linkedin).

If you are an online Choice member, Choice has reviewed a range relatively recently…(member content)

Many consumers have scores of online logins (just checked and we currently have 168 individual logins stored in our password manager for the family) and trying to record/remember unique passwords for each login is impossible. One could write them down (this poses risks if lost or stolen) or use a limited number of passwords (or a core password modified slightly by the particular login, e.g. for the ABC website, the password is a core password with ABC added at the end). Using a limited number of passwords or a slightly modified core password is not recommended. If a hacker got your password to one site, they can quickly have access to many other sites one has logins for.

Internet security experts recommend for secure passwords that each is unique, is long in character count, contains capital and lower case letters, characters/symbols and numbers, and doesn’t contain whole words or the user name/personal information.

Many sites now require that new passwords created meet these requirements and it is impossible to remember such passwords. Sites are also now more likely, over time, to get their registered users to update passwords to meet these requirements.

1 Like

For one that syncs across devices, I keep hearing good things about LastPass. If you want something that is purely local, then Password Safe will do the job.

Both are free (LastPass has paid versions with additional functionality). Both use decent security - even though LastPass stores your passwords online, they are hashed by you locally and so the company cannot access them.

Warning: most password managers do not have an option covering “oops I forgot my main password”. If you do lose your password to open the password manager, then you lose access to all the passwords it stores.

Finally, any ‘system’ you use can be guessed by half-decent password cracking software (and yes, this is easily available online). Anything that is not random is likely to be broken once one or two of your passwords are known (i.e. as soon as one of many websites has its password database stolen and decrypted). This is not if, but when. It is far more secure to record your passwords in an application that is designed for the purpose than to record them in a spreadsheet, physical copy or ‘by system’.

2 Likes

I recommend at least 2 but each one has its reasons.

If you prefer local storage, eg on a USB device, then Keepass 2 (Keepass Password Safe). You can use portable storage for your Keepass program and database (a USB stick, portable drive) so then you can have your passwords wherever you go and on whoever’s Windows device you need to run your password manager (it doesn’t need to be installed and it leaves no traces once the device is removed). You can share Keepass 2 over devices if you wish to do so, eg Android, iOS, as many “ports” of the program are available. You can save your database to a portable device and then have your passwords on the devices you may have as they then only need the program installed. Lots of other reasons but you can read much of the benefits from the linked site. It also supports using Key file/s to encrypt the database.

The other is Lastpass, owned by LogMeIn. It has Cloud Storage of your database of passwords, and on Premium & Family (paid versions) storage of up to 1 GB of notes etc. It is encrypted by your Master Password (it does not yet support adding Key files) before it is stored, so if you forget your Master password you may lose all access. Lastpass can help avoid disaster as they encourage you to set up a hint that they store for you, and from inside your program you can generate as many one time passwords as you think may be needed…make sure to print them out and store them somewhere safe. The one time passwords can also allow your executor or Enduring Power of Attorney to access your database in case of your incapacity or death by giving them one each to be used in those circumstances. The Business edition has multi factor authentication and single unified sign in available.

The benefit of Cloud Storage is that you don’t need a physical storage device to be with you to access your passwords on say your Android, then your iPhone, then your Mac and then Windows. The program is installed on each and they access the Vault over the Internet as encrypted traffic.

4 Likes

Another consideration if using a portable device is they can be misplaced, temporarily or permanently.
I’ve also had several fail. One failed physically after a high speed flight across the room (unintended), with the plastic housing failing and the connector breaking free. Potentially repairable, but unsuccessful. The other simply corrupted the file table when a newer Windows device decided the USB storage required some type of repair action. Thereafter nothing would read the device. I’ve recovered files previously using software tools, but not this time.

Having an alternate record of all the passwords as @grahroll suggests would be essential from my experience.

3 Likes

In my job as a Systems Programmer for big companies I had over 2000 servers to access of all types, from IBM Mainframes to all sorts of flavours of Unix and Windows. Most forced password changes at least every 3 months and had a password history that prevented reuse until 12 password changes had occurred. My password scheme worked on every one and no password manager was needed. In fact, show me a password manager that would handle that!

Most password managers can easily handle that. Some have random password generators which one can use to generate unique passwords. These random password generators can allow selection of password length (as some sites have a minimum number of characters) and the type of characters to be included when generated (some websites require a range of different characters while others can be restrictive and won’t accept symbols, for example), and each one generated is unique and saved for the particular login. A lot also automatically update the password when one changes it…making the process very easy and streamlined. Using one of the past 12 passwords is irrelevant as long, random passwords could have many trillions of combinations, meaning it would take many lifetimes for the same password to potentially come around again (if ever).

For an 8 character random password, the number of possible combinations is around 3.026×10^15 or 3,026,000,000,000,000. If one uses, say, a 20 character random password, the number of possible combinations is astronomical. If one uses combinations of words, the number of possible combinations falls dramatically as each character is dependent on the ones to either side of it, unlike a randomly generated password.

For example, an 8 character password like &of+IMl6 has the above number of combinations (3,026,000,000,000,000), where a password like oathave1 may only have tens of thousands of combinations based on words which make a total of 8 letters. This simple example shows the importance of random passwords for maximum security over those that are easy to remember.

While one may feel that their own system is reliable, it is often the login website where leaks occur. Unfortunately, if a site has been compromised and it allows a hacker to infiltrate that particular website or others one may have by using the same/similar passwords, it is often found after it is too late. As email addresses are often used for logins, it is very easy for other logins to be compromised.

I personally (risk averse in relation to maintaining internet security) would rather have a unique, highly random, long character password made from letters (capitals and lower case), symbols and numbers for each login, to reduce any future risks if one of the logins is compromised and one doesn’t know if other logins are compromised also.

Edit: should also have said that some password managers do audits of one’s passwords and advise when there are duplicate passwords used for multiple sites and also when passwords have been used for some time without being changed. The latter is useful as one often doesn’t know for some time after a website has been compromised. Having a password manager remind one to change a password assists in maintaining one’s own login integrity as one doesn’t have to wait for the host to advise of the compromise and for users to reset passwords.

Before using a password manager, I also had a number of passwords that I used based on the level of risk. I now realise how problematic such an approach can be to maintain integrity across all logins used, and am pleased that now I have the ability to have far more secure passwords.

I use Norton Vault as it offers the above functions and is also usable across a range of platforms (mobile devices through to desktops). It has audit functions and also a random password generator. It also automatically updates password changes…but I always check that it has been updated following the onscreen notification. It also requires one to remember two passwords to gain access to the vault - one for the account and one for the vault…both are different to ensure that there is two step verification. It appears that the third step outlined above (mobile code verification) has a bug/failed for some reason, which has prevented access to the account and Norton Vault.

I prefer not to have hardcopy password lists as they can easily be seen and used by others.

Yes, it is best to export the encrypted password file from time to time and store it elsewhere…say on a portable device at a family members house. One can buy a portable drive for a few dollars for such purpose.

1 Like
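An added example (not from any poster in this thread) of the kind of generator the post above describes: it draws characters uniformly from whichever character classes a site allows using Python's `secrets` CSPRNG, retries until every requested class is present, and computes the search-space sizes behind the combinations comparison. The symbol set, dictionary size and word count are assumptions made for illustration.

```python
import secrets

# Character classes a password manager's generator lets you switch on or off
# (some sites reject symbols, so "symbols" must be optional). The exact
# symbol set below is an assumption for this example.
CLASSES = {
    "lower": "abcdefghijklmnopqrstuvwxyz",
    "upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "digits": "0123456789",
    "symbols": "!@#$%^&*()-_=+[]{};:,.<>?/",
}
ALL_CLASSES = ("lower", "upper", "digits", "symbols")


def alphabet(classes=ALL_CLASSES):
    """The pool of characters the generator draws from."""
    return "".join(CLASSES[c] for c in classes)


def has_every_class(password, classes=ALL_CLASSES):
    """True if at least one character of every requested class is present."""
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)


def generate_password(length, classes=ALL_CLASSES):
    """Uniformly random password over the chosen alphabet, regenerated until
    every requested class appears (rejection sampling keeps the result
    uniform over all passwords that satisfy the site's rule). Uses the OS
    CSPRNG via `secrets`; the `random` module is not suitable for secrets."""
    if length < len(classes):
        raise ValueError("length too short to include every requested class")
    pool = alphabet(classes)
    while True:
        candidate = "".join(secrets.choice(pool) for _ in range(length))
        if has_every_class(candidate, classes):
            return candidate


def search_space(length, classes=ALL_CLASSES):
    """How many equally likely passwords the generator can produce."""
    return len(alphabet(classes)) ** length


def word_search_space(num_words, dictionary_size):
    """Search space of a password built from `num_words` dictionary words,
    the 'oathave1'-style case: far smaller than the same length at random."""
    return dictionary_size ** num_words


if __name__ == "__main__":
    print(generate_password(16))
    print(generate_password(12, ("lower", "digits")))  # site that bans symbols
    print(f"8 random chars: {search_space(8):,}")
    print(f"two words from a 20,000-word list: {word_search_space(2, 20000):,}")
```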

Different worlds; logging onto Web sites vs logging onto servers for support. Never seen or heard of a password manager to handle the latter. I have a system that incorporates everything that you mention but is in my head. Nothing written down, no central store that if compromised reveals all, no problem that if the store is lost, you are stuffed. Just takes a bit of thought to come up with a password scheme.

This advice, though still operational in some organisations, has been long replaced. The people who first developed it realised that someone using the password “Monkey” this month would simply change it to “Monkey1” next month. Passwords were made less secure by the need to update them regularly, as people used ‘systems’ to remember their passwords rather than using one complex, hard-to-remember password.

As long as you manage your exit procedures decently and passwords are properly stored, you should not need to force password changes.

So the servers are available on the Internet? Why do you say that there is a difference, or that there is no password manager that can handle that situation? Certainly if you’re accessing the server via VM you might have some difficulties - but generally your host will allow you to copy data (e.g. from a password manager) into the VM, just not the other way around.

Sure, if I lost my ‘central store’ I would be in trouble. That’s why my wife knows the password, and I have local and online backups as well as monthly USB key backup. (I also use the built-in ransomware protection that comes with Windows.)

4 Likes