Legacy Skype accounts and Two Step Verification

When Microsoft bought Skype, then added two-step verification to Microsoft accounts, I promptly enabled it. But wait. My original Skype login still works—without prompting for two-step verification. 😐

I just found the following reply (dated 2014-10-11) from a Skype Community forum thread:

You can union your Skype account from your Microsoft account but that won’t disable your Skype account. Not having an account joined or TV/Phone account enabled is the only way to eliminate the single authentication of a Skype account from a Microsoft account. You can abandon your old account and clear out personal info from a severed account but you can’t add a second form of authentication to a legacy Skype account.

Crud. If I want my Skype login to be more secure, I’ll need to:

  1. Go to Account Settings in Skype.
  2. Unlink my Microsoft account.
  3. Close my legacy Skype account.

Warning: the linked support page says a lot! 😓

If you have a legacy Skype account, did you change anything? Feel okay using a strong password?

P.S. I rarely use Skype.

Why We Encrypt

Great post from Bruce Schneier from June 2015:

Encryption should be enabled for everything by default, not a feature you turn on only if you’re doing something you consider worth protecting.

This is important. If we only use encryption when we’re working with important data, then encryption signals that data’s importance. If only dissidents use encryption in a country, that country’s authorities have an easy way of identifying them. But if everyone uses it all of the time, encryption ceases to be a signal. No one can distinguish simple chatting from deeply private conversation. The government can’t tell the dissidents from the rest of the population. Every time you use encryption, you’re protecting someone who needs to use it to stay alive.

Private/group messaging and calling with iOS or Android? Signal is fantastic. For email, James Huff uses ProtonMail.

Signal: Installed!

My pals, Paul Ciano and Ash Rhodes, recently posted about Signal for private messaging and calls with iOS and Android. I’ve had it for a few months (thanks to a nudge from James Huff), but Amy installed it today! 🎉🤓

We verified our fingerprints, and successfully tested a call. Exciting and comforting to know that messages and calls sent with Signal will only be seen by us.

Update: My mother-in-law set it up on her iPad, and called Amy. Pleased as punch.

PayPal, I’d like to use my password manager

After news broke of the eBay security breach, I updated my account passwords for eBay and PayPal[1].

With my trusty password manager, KeePassX, I cloned my current PayPal entry in preparation to generate a new password. To my horror, I saw the following password requirement pop-up:

Screenshot: PayPal change password screen

I’d like to use much more than 20 characters, and not be able to easily type my password. Kthxbai. 🙂

  1. PayPal is owned by eBay Inc. 

Caveat when upgrading from Google Authenticator 2.0.0 to 2.0.1 (iOS)

If you upgraded to Google Authenticator 2.0.0 (see my last post) and recreated all your account tokens, I’d like to warn you.

Your old account tokens will be restored. This means it’ll be difficult to determine which ones are current.

Solution: Rename your current accounts before upgrading from 2.0.0 to 2.0.1 with these steps:

  1. Tap the pencil icon located at the top right corner.
  2. Tap on the name of each field to edit.
  3. When you’re done, tap the check mark located at the top right corner.

Screenshots: Google Authenticator 2.0.1 - Edit Step 1; Google Authenticator 2.0.1 - Edit Step 2

After you upgrade, you can confirm the new tokens still work, then delete the old ones.

Bye, Google Authenticator tokens

Update 2013-09-07: Google released a new version which restores the lost account tokens. If you’ve already re-added your account tokens, please see this caveat.

Before you update to Google Authenticator 2.0.0 for iOS, disable two-step (or wait until 2.0.1). It removed my tokens from the app, and I had to re-add them again. Boo.

To fix this with a Google account, you’ll need to do the following:

  1. Go to Account → Security → Edit (under 2-step verification).
  2. Under “How to receive codes” and across from “Mobile application”, click “Move to a different phone”.

As for the backup codes you printed, if you click the help icon (question mark) next to “Remove Switch to phone”, it says:

When you want to switch to a different phone, select “Move to a different phone” and follow the instructions to configure the Authenticator app on your new phone. This will not invalidate any of your existing application-specific passwords or backup codes.

Or, you can add your Google Authenticator Tokens into Authy. Thanks for the tip, James!

Dropbox: In Account → Security, click the Edit link next to Authenticator app.


Dropbox 2-step verification

Dunce of the night

Tonight, I’m one of those people who locked themselves out of their hotel room putting their room service dishes outside the door. I’m relieved there was a phone next to the elevators because I didn’t have shoes or my iPhone, which means it’s a really long walk to the front desk. (At the moment, I have a bum foot.)

Wireless security for new notebook users

My new router

My cousin, Narissa, just got a laptop for Christmas and asked me about wireless security. I figure now is a good time to revisit this because she’s probably not the only one that received a notebook for the holidays. Fortunately, she’s thinking about security; most people probably just connect to open wireless access points without a second thought. Very scary.

For wireless connectivity at home, I’ve been using a Linksys WRT54GL (hacked with DD-WRT) since July 28th, 2006. (link)

If you don’t want to use DD-WRT, make sure you’re using WPA security with a good password. I recommend Steve Gibson’s Ultra High Security Password Generator. People might scoff, but I don’t think I’m easily hackable.

When you’re out, you’ll need to either pay for a connection that’s available or find a free hotspot. You can also buy a Wi-Fi card from a provider, like Verizon, but you probably don’t rely on your laptop that much to justify the cost.

I stay secure wirelessly with the power of DD-WRT, PPTP, and VPN. That means that no prying eyes can see what I’m doing.

If that’s too difficult to grasp (which it is for me, even though I got it to work), HotSpotVPN or PublicVPN probably would be best suited for you. (via GRC Security Now! Podcast #10) Those aren’t free, but fairly inexpensive.

Also, avoid getting a branded notebook bag that screams, “I’m new and important – steal me!” I bought a SleeveCase from Waterfield Designs (SFBags.com), which then goes in my inconspicuous Jansport backpack or my Jack Bauer messenger bag.

Timbuk2 also has a wide variety of notebook bags, which I’ve heard are excellent.

By the way, do you notice that laptops are called notebooks now? They run way too hot to sit on your lap for long periods of time, hence the technical name change.

Am I overly paranoid by worrying about people sniffing wireless packets? Have you thought about wireless security before reading this? Where do you buy non-branded notebook bags?

Disclaimers: I’m not affiliated with Linksys, HotSpotVPN, PublicVPN, WaterField Designs, Timbuk2, or Jansport. However, I’m using an Amazon affiliate link for the Linksys router.