Thread: Amazon Sign In Password Hacked

Use a password manager to store all these different passwords.

so for us drongos please recommend a good one.. please

Originally Posted by Tonyz

Use a password manager to store all these different passwords.

so for us drongos please recommend a good one.. please

There are many excellent choices.

KeePass is a free option if you are a Windows user. (KeePass Password Safe). There are other apps for Android/iOS/MacOS/Linux but they are not all free. The storage can be a local file or stored on a cloud drive service. That is both good and bad. It means the data is never held by anyone else, but it also means it is vulnerable to a crypto ware attack. Make sure you have offsite backups that you can allow you to reach back in time and cannot be attacked.

Considering crypto ware is probably the biggest risk, I would recommend having a backup solution as a minimum anyway. I use BackBlaze as my offsite backup solution (Backblaze Invitation Full disclosure -- This is an affiliate link that gives me a month free if you sign up with it).

I use LastPass as my password manager (LastPass | Something went wrong). There are apps for all platforms and browser support. You can try it for free for 30 days. The family package is $57/year and you can share it with your family. You can also nominate a second person in the family who can take it over in the event you are incapacitated or die. You would be surprised how many people I hear about that are trying to pick up the pieces after a family death and don't have access to passwords for mundane things like internet and electricity providers which causes massive problems. Data is stored encrypted in the cloud. Crypto ware (theoretically) can't touch it.

LastPass also includes a two factor authenticator that is linked to your account. This means it is backed up so if you lose your phone you can recover all the 2FA data when you get a new device. This app also authenticates you by face or fingerprint, if your phone supports that. Which means if your phone is stolen and they manage to break in, the thief will still be locked out of that.

Other options are 1Password, Dashlane, Keeper and many more; I am sure.

Originally Posted by markharrison

note that Amazon does offer genuine 2FA) that is not based on text messages makes it pretty damn hard.

Amazon has two levels of 2FA?? Mine is done by text.

Originally Posted by Chris Parks

Amazon has two levels of 2FA?? Mine is done by text.

Check this webpage: How to Turn on Two-Factor Authentication For Your Amazon Account

For 2FA I use Authy. Its free across all platforms: Authy | Two-factor Authentication (2FA) App & Guides

On internet passwords, I simply use the embedded password manager in Brave Browser. Its an excellent browser. Its based on the Chrome open source program Chromium (Chrome is a slight branch of Chromium)¹.

Brave is a security and privacy focused browser and it is released with the deliberate focus of being strict on what it does well (security and privacy) and letting other do the adblocking via plugins (such as AdBlock, DuckDuckGo, uBlock Origin, etc).

It also has an excellent feature set.


¹ yawn everyone says! Sort of true, but this project is very exciting in there is a desktop OS soon to be Get Good. The Microsoft Windows is hideous. The invasion of privacy and data fed back is astounding. I was using AdGuard VPN to watch traffic sent and it was a torrent! Utterly shocking the quantity of background info spewed from ones PC to various Microsoft servers. I'm astounded governments allow windows in their environments. It is little more than spyware.

I use KeePass, however it's not the simplest solution and other password managers may be better if you are not that comfortable with computers.

I like KeePass for:
Open source
Secure
My passwords don't go to the cloud / some companies servers (well, I do sync the encrypted file). (You can probably trust most password managers, however ultimately you are taking their word about the security.)
Free (life has become death by a thousand subscriptions - the yearly price of a lot of things is ridiculous these days)

Multi device use is possible by file syncing but is not as seamless as other (mostly paid) cloud password managers.

Some 2FA pointers:

• An authenticator app is more secure than SMS messaging (as SMS's can be re-routed). The authenticator does the code math on your device, so it never travels through the etherwaves.
• All the popular authenticator apps use the same protocol, so all will work - as long as you scan the QR code you get when you set up 2FA with the app (or apps), it'll generate the correct code. So google authenticator, Microsoft authenticator, twilio, lastpass auth etc etc etc - takes your choice. They all do some math based on that QR code you scanned and the current time, using the HOTP protocol.
• You can use multiple authenticator apps on multiple devices - as long as you scan that QR code with all apps/devices when you register for each 2FA, all apps and devices will generate the same OTP when you need it. This is useful if (like me), you buy a new phone and forget to port the 2FA app before erasing the old phone! There is usually no-way of getting an erased auth app's data back. If you have a 2nd device with the same 2FA registered authenticator, you can still log in (and re-do the 2FA registration with a new code)
• You could, in theory, screenshot the QR code generated when you set up 2FA's and save this. You could then scan it whenever you get a new device/authenticator app, and it will generate valid OTP's. However, if anyone ever gets hold of that QR code, they'll be able to duplicate the 2FA registration (so don't do it)

If you really want secure log-in protection, then you need a security key (like a Yubikey). This is another version of 'something you have'. If the device or website fully supports key login, you have to plug the key in (or tap it on a NFC-enabled smartphone) in order to log in. No physical key, no log in.

The problem with them is their native mode isn't widely supported - (google will if you have advanced security enabled, my university supports it, Microsoft does... but that's about all I have at the moment). However, Yubikeys also have a native authenticator app built in. So rather than using your phone app to generate the OTP, you use the yubikey. Now you need a password, the yubikey, and your phone or computer set up to read the key. So you need 2 x 'something you have'!
If this sounds like a pain in the harris, it is. But a pain in the harris for you/me = too much trouble/impossible for the Scrote trying to steal your retirement savings.

The advantage is the code generator is on the key, so it doesn't matter if you get a new phone or computer or whatever, and forget to port the authenticator before erasing. But if you lose the key, you lose the OTP's... so it's wise to have a backup key, registered with the same info. Which makes it pricey - 2 x yubikey 5c NFC's cost me $178 here in straya.

I use Dashlane for my password manager. All much of a muchness I think. From memory they had a better deal than lastpass when I signed up, and I wanted the family option to force my ho-hum nearest and dearest to start using something more secure than Joey777 as a password. Remember that no matter how secure you are, if your other half/delinquent child isn't, and they have access to your network, you're potentially vulnerable through them. I'm willing to pay the small annual premium for that.