
Laziness and Yandex.Money one-time passwords

A few months ago, Yandex.Money introduced an additional, alternative method of protection.
Instead of a payment password, you can use either a one-time pad in the form of a picture (a grid of codes) or an eToken.

At first, eTokens were not issued to mere mortals; ordinary users were offered miracle pictures with codes instead.
Now the eToken is sold for a not insignificant sum ... but for me it is not attractive for the following reasons:


So for myself I chose the "one-time pictures", and for now I prefer this method of protection.
The assumption is that you print the picture on a printer ... and carry it with you ... again in the bag (see above).
And if there is no printer? .. Carry the picture around with you?
Not great.
So as not to get up from the chair, not to tear myself away from the computer, and still keep a semblance of security, the following solution was devised.

We will need a terminal, a Git repository and a couple of Perl scripts (tested on Mac OS X, but they should work on any *NIX).



The algorithm is as follows:

Download the Perl scripts.
Unzip them into a secret folder.

When you receive a new picture, you activate it on the site and launch the loader (load.pl). Then you enter all the codes, line by line.
On the second pass, the loader verifies the input and offers to correct any errors.
In effect, the codes from your picture are saved in text form. The previous database is moved to the old folder (just in case).
This procedure is performed once per new picture and takes a couple of minutes.
But after that you no longer have to squint at the card and poke at it with your fingers ...

When Yandex requests a code, you run the key.pl script: you feed it the cell references Yandex asks for, and it outputs 3 pairs of alphanumeric characters to enter into the Yandex fields. The script recognizes input with or without spaces.

An example of running the script:

MBP15:/Volumes/aVerySecureDisk/finances/yandexMoney$ ./key.pl
enter query: a1b2c10
yh yz dd
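The Perl scripts themselves are not reproduced here; what follows is an added Python sketch (not the author's code) of the same logic: a text database of grid cells, a query parser that accepts the request with or without spaces, and the loader's second-pass comparison. The database format and the sample codes are constructed for this example, chosen so that the query from the session above gives the same answer.

```python
import re
from itertools import zip_longest
from typing import Dict, List, Tuple

# Constructed text DB in a hypothetical load.pl format (the page does not specify
# the real one): a header naming the columns, then "row code code code" lines.
# Values are made up so that the article's query a1b2c10 yields "yh yz dd".
SAMPLE_DB = """\
# a  b  c
1 yh 7k q2
2 m4 yz 8r
10 e0 p5 dd
"""

def load_db(text: str) -> Dict[str, str]:
    """Parse the text DB into a cell -> code map, e.g. {'a1': 'yh', ...}."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    columns = lines[0].lstrip("#").split()
    cells: Dict[str, str] = {}
    for line in lines[1:]:
        row, *codes = line.split()
        if len(codes) != len(columns):
            raise ValueError(f"row {row}: expected {len(columns)} codes")
        for col, code in zip(columns, codes):
            cells[f"{col}{int(row)}"] = code
    return cells

def parse_query(query: str) -> List[Tuple[str, int]]:
    """Split a request such as 'a1b2c10' or 'A1 B2 C10' into (column, row) cells;
    spaces are optional, anything that is not letter+digits is rejected."""
    compact = re.sub(r"\s+", "", query).lower()
    if not re.fullmatch(r"(?:[a-z]\d+)+", compact):
        raise ValueError(f"malformed query: {query!r}")
    return [(col, int(row)) for col, row in re.findall(r"([a-z])(\d+)", compact)]

def lookup(cells: Dict[str, str], query: str) -> str:
    """Answer a request with the codes to type into the Yandex fields, space separated."""
    codes = []
    for col, row in parse_query(query):
        key = f"{col}{row}"
        if key not in cells:
            raise KeyError(f"cell {key} is not on this card")
        codes.append(cells[key])
    return " ".join(codes)

def second_pass_mismatches(first: List[str], second: List[str]) -> List[int]:
    """Mirror the loader's verification pass: 0-based indexes of lines where the two
    typed-in copies disagree (case and whitespace are ignored, missing lines count)."""
    norm = lambda s: " ".join(s.lower().split())
    pairs = zip_longest(first, second, fillvalue="")
    return [i for i, (a, b) in enumerate(pairs) if norm(a) != norm(b)]
```

Calling lookup(load_db(SAMPLE_DB), "a1b2c10") returns "yh yz dd", the answer shown in the session above.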

You can store the scripts and the database in a folder on a 10 Gb sparse disk image (an encrypted, mountable volume on Mac OS X), which is easy to create with Disk Utility; the main thing is to remember to enable AES 256 encryption.

In that folder, initialize the Git repository and mark the database as unsafe for storage on an external server:

.gitattributes:

*.db filter=private

(see my article about encrypting secret files in Git: habr.ru/blogs/Git/95481)

That's all! Now you can "calmly" push this data to a remote repository. The original picture can be destroyed; you need not even print it.
All that remains is to come home and clone this data.
The database stays in sync wherever you update it, at home or at work.
The Yandex helper in the console is always with you, you do not need to get up and go anywhere, and you do not need to burden the Russian Post.

How could the method be improved?

The loader could be given automatic recognition by bolting OCR onto it.

You could also write a plug-in for Safari or Firefox that automatically pulls the key out of the database in response to a Yandex request, but that would be a blatant security crime.

Source: https://habr.com/ru/post/95516/
