How real is cyber risk?

Vulcan
Posts: 255
Joined: Sat Apr 05, 2014 11:43 pm

Re: How real is cyber risk?

Post by Vulcan » Fri Sep 21, 2018 6:57 am

damjam wrote:
Tue Sep 18, 2018 8:04 pm
No there is no way to disable the SMS at this time
I believe we discussed this earlier. Use Google Voice. You will get your SMS via email.
If you torture the data long enough, it will confess to anything. ~Ronald Coase

damjam
Posts: 942
Joined: Thu Mar 25, 2010 7:46 am

Re: How real is cyber risk?

Post by damjam » Fri Sep 21, 2018 7:01 am

Vulcan wrote:
Fri Sep 21, 2018 6:57 am
damjam wrote:
Tue Sep 18, 2018 8:04 pm
No there is no way to disable the SMS at this time
I believe we discussed this earlier. Use Google Voice. You will get your SMS via email.
Yes. You can also have your verification code sent to a land line via voice rather than SMS.
All these workaround tactics that firms are requiring are exhausting.
Also it should be recognized that users who are unaware of the dangers of SMS are being ill served by Vanguard in this instance.

Vulcan
Posts: 255
Joined: Sat Apr 05, 2014 11:43 pm

Re: How real is cyber risk?

Post by Vulcan » Fri Sep 21, 2018 9:32 am

damjam wrote:
Fri Sep 21, 2018 7:01 am
Vulcan wrote:
Fri Sep 21, 2018 6:57 am
damjam wrote:
Tue Sep 18, 2018 8:04 pm
No there is no way to disable the SMS at this time
I believe we discussed this earlier. Use Google Voice. You will get your SMS via email.
Yes. You can also have your verification code sent to a land line via voice rather than SMS.
All these workaround tactics that firms are requiring are exhausting.
Also it should be recognized that users who are unaware of the dangers of SMS are being ill served by Vanguard in this instance.
Concerns about security of SMS are overblown. Well over 99.999% of people will never have their phone number ported out by a malicious actor, a couple of well-publicized celebrity cases notwithstanding. For them, using SMS as a second factor is a HUGE improvement over not having a second factor at all.

That said, I think GV is a superior solution in many regards, and using it for SMS authentication is but one of them.
If you torture the data long enough, it will confess to anything. ~Ronald Coase

VictoriaF
Posts: 18630
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: How real is cyber risk?

Post by VictoriaF » Fri Sep 21, 2018 9:55 am

Vulcan wrote:
Fri Sep 21, 2018 9:32 am
Concerns about security of SMS are overblown. Well over 99.999% of people will never have their phone number ported out by a malicious actor, a couple of well-publicized celebrity cases notwithstanding. For them, using SMS as a second factor is a HUGE improvement over not having a second factor at all.
Concerns about security are overblown until you, or someone close to you, becomes a victim.

- Russian population is 144 million.
- Average monthly salary in Russia is equivalent to $437.
- 99.999% of Russians are not hackers.
- The remaining 0.001% have nothing to lose and much to gain from emptying a Vanguard account of any Boglehead, including those who are not celebrities.

Add to that Ukrainians, Belorussians, Romanians and others with the skills, information and motivation to become orders of magnitude wealthier than they are now.

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

damjam
Posts: 942
Joined: Thu Mar 25, 2010 7:46 am

Re: How real is cyber risk?

Post by damjam » Fri Sep 21, 2018 10:48 am

Vulcan wrote:
Fri Sep 21, 2018 9:32 am
damjam wrote:
Fri Sep 21, 2018 7:01 am
Vulcan wrote:
Fri Sep 21, 2018 6:57 am
damjam wrote:
Tue Sep 18, 2018 8:04 pm
No there is no way to disable the SMS at this time
I believe we discussed this earlier. Use Google Voice. You will get your SMS via email.
Yes. You can also have your verification code sent to a land line via voice rather than SMS.
All these workaround tactics that firms are requiring are exhausting.
Also it should be recognized that users who are unaware of the dangers of SMS are being ill served by Vanguard in this instance.
Concerns about security of SMS are overblown. Well over 99.999% of people will never have their phone number ported out by a malicious actor, a couple of well-publicized celebrity cases notwithstanding. For them, using SMS as a second factor is a HUGE improvement over not having a second factor at all.

That said, I think GV is a superior solution in many regards, and using it for SMS authentication is but one of them.
I apologize for not being clear. SMS, while an issue in and of itself, is also often a factor in certain kinds of phishing attacks.
Using Google Voice or even a land line does nothing to protect you from this type of attack. And if I may quote myself:
damjam wrote:
Fri Sep 21, 2018 6:47 am
Google has found security keys are a big improvement in security. Requiring employees to use security keys eliminated successful phishing attempts.
https://krebsonsecurity.com/2018/07/goo ... -phishing/
I hope we can agree that phishing is a very real concern for just about everyone even if SIM swaps and number porting are not.
Last edited by damjam on Fri Sep 21, 2018 10:49 am, edited 1 time in total.

Vulcan
Posts: 255
Joined: Sat Apr 05, 2014 11:43 pm

Re: How real is cyber risk?

Post by Vulcan » Fri Sep 21, 2018 10:48 am

VictoriaF wrote:
Fri Sep 21, 2018 9:55 am
Vulcan wrote:
Fri Sep 21, 2018 9:32 am
Concerns about security of SMS are overblown. Well over 99.999% of people will never have their phone number ported out by a malicious actor, a couple of well-publicized celebrity cases notwithstanding. For them, using SMS as a second factor is a HUGE improvement over not having a second factor at all.
Concerns about security are overblown until you, or someone close to you, becomes a victim.

- Russian population is 144 million.
- Average monthly salary in Russia is equivalent to $437.
- 99.999% of Russians are not hackers.
- The remaining 0.001% have nothing to lose and much to gain from emptying a Vanguard account of any Boglehead, including those who are not celebrities.

Add to that Ukrainians, Belorussians, Romanians and others with the skills, information and motivation to become orders of magnitude wealthier than they are now.

Victoria
Victoria,

As a computer networking professional, and a Belarusian (as my friends and relatives like to point out, this is the preferred spelling), I remain utterly unconvinced that there is any measurable chance that any Boglehead's cellphone number will ever be ported out by a Russian hacker.

To try to convince them otherwise is to stoke ungrounded fears that would potentially distract them from taking real-world security measures, including, yes, enabling 2FA, even if SMS-based.

That said, I am, again, a strong advocate of utilizing Google Voice numbers for that purpose.
Last edited by Vulcan on Fri Sep 21, 2018 11:16 am, edited 1 time in total.
If you torture the data long enough, it will confess to anything. ~Ronald Coase

Vulcan
Posts: 255
Joined: Sat Apr 05, 2014 11:43 pm

Re: How real is cyber risk?

Post by Vulcan » Fri Sep 21, 2018 10:52 am

damjam wrote:
Fri Sep 21, 2018 10:48 am
Google has found security keys are a big improvement in security. Requiring employees to use security keys eliminated successful phishing attempts.

I hope we can agree that phishing is a very real concern for just about everyone even if SIM swaps and number porting are not.
As was pointed out earlier in other threads, browser-based password managers very effectively thwart phishing attempts without the hassles associated with hardware keys.
If you torture the data long enough, it will confess to anything. ~Ronald Coase

damjam
Posts: 942
Joined: Thu Mar 25, 2010 7:46 am

Re: How real is cyber risk?

Post by damjam » Fri Sep 21, 2018 11:12 am

Vulcan wrote:
Fri Sep 21, 2018 10:52 am
damjam wrote:
Fri Sep 21, 2018 10:48 am
Google has found security keys are a big improvement in security. Requiring employees to use security keys eliminated successful phishing attempts.

I hope we can agree that phishing is a very real concern for just about everyone even if SIM swaps and number porting are not.
As was pointed out earlier in other threads, browser-based password managers very effectively thwart phishing attempts without the hassles associated with hardware keys.
Yes they (password managers) can assist by alerting you to being on the wrong web page, but human behavior is a funny thing.

Google's results by testing thousands of employees using security keys is a strong enough recommendation for me.

I also find physical keys logically simple to understand. I know how to secure my house keys; my smart phone - I must misplace that thing at least once a week.

Also, using smart phones as the basis for 2FA can easily lead to circular dependencies when all of the moving parts are not thought out thoroughly. How many people have yet to figure out that needing a 2FA for their Apple ID means they might be locked out just when they need to engage the 'lost iPhone' application? I realize using Google Voice could address some of these issues if implemented properly. If being the operative word.

I get it, physical keys are a hassle for some people and they will eschew them. However if you are willing to endure the downside of using security keys it would be nice to get the full benefit of using them.

jsmoove123
Posts: 26
Joined: Sun Oct 22, 2017 12:01 am

Re: How real is cyber risk?

Post by jsmoove123 » Fri Sep 21, 2018 11:44 am

Given the length of this thread and the depth of technical discussion, we really need a hero to step up and provide succinct "best practices" guidelines in layman's terms. Maybe one "essentials" guide for the majority of people, and maybe another guide for those who want absolutely rigorous security (though maybe those people don't need a guide).

Vulcan
Posts: 255
Joined: Sat Apr 05, 2014 11:43 pm

Re: How real is cyber risk?

Post by Vulcan » Fri Sep 21, 2018 12:08 pm

jsmoove123 wrote:
Fri Sep 21, 2018 11:44 am
Given the length of this thread and the depth of technical discussion, we really need a hero to step up and provide succinct "best practices" guidelines in layman's terms. Maybe one "essentials" guide for the majority of people, and maybe another guide for those who want absolutely rigorous security (though maybe those people don't need a guide).
1. Enable 2FA on your Google account.
2. Enable Google Smart Vault (Chrome's built in pwd manager)
3. Configure all other accounts to send verification codes to your GMail and/or Google Voice, but even SMS is better than nothing.
4. Item 3 notwithstanding, don't click on any links in emails. Use browser bookmarks to go to sites of financial institutions.
5. Item 4 notwithstanding, if you did click a link, absolutely don't enter a password if your password manager did not enter it for you.

So, really, just following items 1-3 will make you better protected than, well, statistically speaking pretty much everyone else. And that is your goal. There is no such thing as absolute protection in IT.

Unrelated to this, do backup your own important data offline and offsite (external hard drive plus for irrecoverable things like photos and documents also high quality optical media where it can be stored for decades). Including periodically downloading Google takeout archive. But that is sort of a separate conversation.
If you torture the data long enough, it will confess to anything. ~Ronald Coase
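
The posts above argue that a password manager protects against phishing because it fills a password only on the site it was saved for. The sketch below is an added example, not code from any poster or from a real password manager: it assumes a strict rule (https plus an exact scheme, host and port match), and every URL in it is constructed sample data.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}


def origin_of(url):
    """Reduce a URL to the (scheme, host, port) triple a saved login is keyed on."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    # .hostname drops any "user@" prefix and lowercases the host.
    host = (parts.hostname or "").rstrip(".")
    try:
        # Unicode look-alike letters become visible as an xn-- (punycode) label.
        host = host.encode("idna").decode("ascii")
    except UnicodeError:
        host = ""
    try:
        port = parts.port or DEFAULT_PORTS.get(scheme)
    except ValueError:  # malformed port
        port = None
    return scheme, host, port


def autofill_decision(saved_url, page_url):
    """Return (fill, reason): fill only on https and an exact origin match."""
    saved, page = origin_of(saved_url), origin_of(page_url)
    if page[0] != "https":
        return False, "page is not served over https"
    if not page[1]:
        return False, "page has no usable host name"
    if page != saved:
        return False, f"host {page[1]} is not the saved host {saved[1]}"
    return True, "exact origin match"


# Constructed sample data: one saved login and the pages a user might land on.
SAVED = "https://investor.example/login"
PAGES = [
    "https://investor.example/login",                # the bookmarked site
    "https://INVESTOR.example:443/login?ref=mail",   # same origin, different spelling
    "http://investor.example/login",                 # downgraded to plain http
    "https://investor.example.account-check.test/",  # real name used as a subdomain
    "https://investor.example@account-check.test/",  # real name in the userinfo part
    "https://inv\u0435stor.example/login",           # Cyrillic letter in place of Latin "e"
    "https://investor-example.test/login",           # hyphenated look-alike
]


def evaluate(pages=PAGES, saved=SAVED):
    """Run the decision for every sample page."""
    return [(page, *autofill_decision(saved, page)) for page in pages]


if __name__ == "__main__":
    for page, fill, reason in evaluate():
        print(f"{'FILL  ' if fill else 'REFUSE'} {page!r}: {reason}")
```

The comparison is mechanical, so it does not depend on the reader noticing a one-letter difference in the address bar. A missing autofill is therefore the signal not to type the password by hand.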

tadamsmar
Posts: 7885
Joined: Mon May 07, 2007 12:33 pm

Re: How real is cyber risk?

Post by tadamsmar » Fri Sep 21, 2018 2:47 pm

Vulcan wrote:
Fri Sep 21, 2018 12:08 pm
jsmoove123 wrote:
Fri Sep 21, 2018 11:44 am
Given the length of this thread and the depth of technical discussion, we really need a hero to step up and provide succinct "best practices" guidelines in layman's terms. Maybe one "essentials" guide for the majority of people, and maybe another guide for those who want absolutely rigorous security (though maybe those people don't need a guide).
1. Enable 2FA on your Google account.
2. Enable Google Smart Vault (Chrome's built in pwd manager)
3. Configure all other accounts to send verification codes to your GMail and/or Google Voice, but even SMS is better than nothing.
4. Item 3 notwithstanding, don't click on any links in emails. Use browser bookmarks to go to sites of financial institutions.
5. Item 4 notwithstanding, if you did click a link, absolutely don't enter a password if your password manager did not enter it for you.

So, really, just following items 1-3 will make you better protected than, well, statistically speaking pretty much everyone else. And that is your goal. There is no such thing as absolute protection in IT.

Unrelated to this, do backup your own important data offline and offsite (external hard drive plus for irrecoverable things like photos and documents also high quality optical media where it can be stored for decades). Including periodically downloading Google takeout archive. But that is sort of a separate conversation.
Earlier, I mentioned that a Vanguard client might fail to live up to their responsibilities under Vanguard's reimbursement promise while doing a bunch of other security stuff. The pledge requires:

"Make sure that any computer or device you use to access your accounts has up-to-date anti-virus and anti-spyware software and is protected by a firewall." I think this might perhaps include your router, not sure. Probably includes your password vault software if you use that.

"Don't use a public computer unless you know it has up-to-date security and you can log off completely."

"Review the account-related information we send or make available to you as soon as you receive it, such as account statements, confirmations, and changes to your mail preferences (such as an address change), bank information (such as the addition or deletion of a bank), and other services." Failing to detect and report fraud within a reasonable amount of time could be a problem.

Also, be prepared to tell the truth about your practices. Bogleheads have claimed or implied in other threads here that they would lie to Vanguard and the police about sharing their passwords between spouses. Don't do that or, at least, discuss the matter with a lawyer before you do. Under the current responsibility list, you don't have to completely avoid sharing passwords. Any transactions done by the person who you share with is considered an authorized transaction.

Here's the promise:

https://personal.vanguard.com/us/help/S ... ontent.jsp

Vulcan
Posts: 255
Joined: Sat Apr 05, 2014 11:43 pm

Re: How real is cyber risk?

Post by Vulcan » Fri Sep 21, 2018 3:06 pm

tadamsmar wrote:
Fri Sep 21, 2018 2:47 pm
Earlier, I mentioned that a Vanguard client might fail to live up to their responsibilities under Vanguard's reimbursement promise while doing a bunch of other security stuff. The pledge requires:

"Make sure that any computer or device you use to access your accounts has up-to-date anti-virus and anti-spyware software and is protected by a firewall." I think this might perhaps include your router, not sure. Probably includes your password vault software if you use that.
These are satisfied by allowing Windows Defender and Chrome to download and install latest updates.

Any home internet router acts as a firewall, but if you are on public wifi, they seem to want you to enable Windows Firewall.

I see no reasons for concern here.
If you torture the data long enough, it will confess to anything. ~Ronald Coase

VictoriaF
Posts: 18630
Joined: Tue Feb 27, 2007 7:27 am
Location: Black Swan Lake

Re: How real is cyber risk?

Post by VictoriaF » Fri Sep 21, 2018 4:30 pm

Vulcan wrote:
Fri Sep 21, 2018 10:48 am
VictoriaF wrote:
Fri Sep 21, 2018 9:55 am
Vulcan wrote:
Fri Sep 21, 2018 9:32 am
Concerns about security of SMS are overblown. Well over 99.999% of people will never have their phone number ported out by a malicious actor, a couple of well-publicized celebrity cases notwithstanding. For them, using SMS as a second factor is a HUGE improvement over not having a second factor at all.
Concerns about security are overblown until you, or someone close to you, becomes a victim.

- Russian population is 144 million.
- Average monthly salary in Russia is equivalent to $437.
- 99.999% of Russians are not hackers.
- The remaining 0.001% have nothing to lose and much to gain from emptying a Vanguard account of any Boglehead, including those who are not celebrities.

Add to that Ukrainians, Belorussians, Romanians and others with the skills, information and motivation to become orders of magnitude wealthier than they are now.

Victoria
Victoria,

As a computer networking professional, and a Belarusian (as my friends and relatives like to point out, this is the preferred spelling), I remain utterly unconvinced that there is any measurable chance that any Boglehead's cellphone number will ever be ported out by a Russian hacker.

To try to convince them otherwise is to stoke ungrounded fears that would potentially distract them from taking real-world security measures, including, yes, enabling 2FA, even if SMS-based.

That said, I am, again, a strong advocate of utilizing Google Voice numbers for that purpose.
Vulcan,

I apologize for the misspelling of "Belarusian". My first language is Russian and I have translated it without checking Google. I too was a networking professional and a cybersecurity professional in the latter part of my career. I also have spent enough time in the Bogleheads Forum to judge its spirit.

The Bogleheads are different from the American population at large in several key ways:
- The Bogleheads have more money to lose.
- The Bogleheads discuss their finances in this Forum and thus are more likely to become targets.
- Many Bogleheads are STEM, legal, medical and financial professionals. They have propensity for and satisfaction from detailed analyses and calculations, getting into the portfolio, insurance, tax, and other weeds that most other people avoid as a plague.

Thus, I would not worry about confusing the Bogleheads with excessive details.

Thank you for describing the Google Voice solution,

Victoria
WINNER of the 2015 Boglehead Contest. | Every joke has a bit of a joke. ... The rest is the truth. (Marat F)

Vulcan
Posts: 255
Joined: Sat Apr 05, 2014 11:43 pm

Re: How real is cyber risk?

Post by Vulcan » Fri Sep 21, 2018 5:00 pm

VictoriaF wrote:
Fri Sep 21, 2018 4:30 pm
Vulcan,

I apologize for the misspelling of "Belarusian". My first language is Russian
So is everybody's in Belarus. I find the whole thing funny, which is easier from the distance, and actually still say "Belorussia" myself. Cue Pesniary :wink:

I am mostly a lurker, but will gladly use this chance encounter to say I have been enjoying your contributions here :beer
If you torture the data long enough, it will confess to anything. ~Ronald Coase

tadamsmar
Posts: 7885
Joined: Mon May 07, 2007 12:33 pm

Re: How real is cyber risk?

Post by tadamsmar » Fri Sep 21, 2018 6:15 pm

Vulcan wrote:
Fri Sep 21, 2018 3:06 pm
tadamsmar wrote:
Fri Sep 21, 2018 2:47 pm
Earlier, I mentioned that a Vanguard client might fail to live up to their responsibilities under Vanguard's reimbursement promise while doing a bunch of other security stuff. The pledge requires:

"Make sure that any computer or device you use to access your accounts has up-to-date anti-virus and anti-spyware software and is protected by a firewall." I think this might perhaps include your router, not sure. Probably includes your password vault software if you use that.
These are satisfied by allowing Windows Defender and Chrome to download and install latest updates.

Any home internet router acts as a firewall, but if you are on public wifi, they seem to want you to enable Windows Firewall.

I see no reasons for concern here.
I checked and my Chrome and Windows Defender are automatically updating. That seems to be the default.

So, what's the deal with routers? Suppose you have a home router with WEP security and a username=admin and a password=admin? Is there any reason for concern?

No concerns about j random public routers even if you are using your own laptop?

How about your workplace computer?

Seems like public computers would be a no-no, keyloggers and all that. How could one feel that a public computer could be safe?

foosball
Posts: 38
Joined: Mon Jun 06, 2016 4:45 pm

Re: How real is cyber risk?

Post by foosball » Fri Sep 21, 2018 7:02 pm

VictoriaF wrote:
Thu Sep 20, 2018 3:24 pm
Here is an excellent recent article "Before You Turn On Two-Factor Authentication…" Aug 14, 2018, https://medium.com/@stuartschechter/bef ... 148cc5b9a1

Victoria
Agree, that's a great article. Thanks.

Vulcan
Posts: 255
Joined: Sat Apr 05, 2014 11:43 pm

Re: How real is cyber risk?

Post by Vulcan » Sat Sep 22, 2018 12:41 pm

foosball wrote:
Fri Sep 21, 2018 7:02 pm
VictoriaF wrote:
Thu Sep 20, 2018 3:24 pm
Here is an excellent recent article "Before You Turn On Two-Factor Authentication…" Aug 14, 2018, https://medium.com/@stuartschechter/bef ... 148cc5b9a1

Victoria
Agree, that's a great article. Thanks.
And here's an article that mirrors my point re: using Google Voice for 2FA

How to Protect Yourself From SIM Swapping Hacks
If possible, you should remove your phone number from any account that could interest hackers. You can still link a type of phone number to those accounts, but we suggest using a VoIP number, such as a Google Voice number, that is SIM hijack-proof.
If you torture the data long enough, it will confess to anything. ~Ronald Coase

mikeyzito22
Posts: 96
Joined: Sat Dec 02, 2017 5:42 pm

Re: How real is cyber risk?

Post by mikeyzito22 » Sat Sep 22, 2018 12:46 pm

golfCaddy wrote:
Fri Sep 14, 2018 4:13 pm
Cyber risk is real: https://www.nytimes.com/interactive/201 ... heist.html, but it's not something I worry about much. If Vanguard or your bank account was hacked, I would expect you to eventually be made whole by the financial institutions.
:sharebeer

watchnerd
Posts: 1432
Joined: Sat Mar 03, 2007 11:18 am
Location: Seattle, WA, USA

Re: How real is cyber risk?

Post by watchnerd » Sun Sep 23, 2018 10:58 am

All Seasons wrote:
Fri Sep 14, 2018 11:57 am
Very real. Be sure to have some gold.
Cyber gold or physical gold?
Tax Sheltered: 35% US Stock | 35% ex-US Stock | 30% TTM || Taxable: 35% US Stock | 35% ex-US Stock | 15% TTM | 15% Munis

Vulcan
Posts: 255
Joined: Sat Apr 05, 2014 11:43 pm

Re: How real is cyber risk?

Post by Vulcan » Sun Sep 23, 2018 11:51 am

watchnerd wrote:
Sun Sep 23, 2018 10:58 am
All Seasons wrote:
Fri Sep 14, 2018 11:57 am
Very real. Be sure to have some gold.
Cyber gold or physical gold?
Though I do not have hard data, I think, statistically, one's risk of irretrievably losing their physical gold holdings is much higher than that of their permanently losing their Vanguard/Fidelity/Schwab holdings due to a cyber attack.

At any rate, I am not familiar with anyone being offered any guarantees against such a loss, even with caveats comparable to those offered by these companies.
If you torture the data long enough, it will confess to anything. ~Ronald Coase

tuningfork
Posts: 416
Joined: Wed Oct 30, 2013 8:30 pm

Re: How real is cyber risk?

Post by tuningfork » Sun Sep 23, 2018 2:07 pm

VictoriaF wrote:
Fri Sep 21, 2018 4:30 pm
The Bogleheads are different from the American population at large in several key ways:
- The Bogleheads have more money to lose.
- The Bogleheads discuss their finances in this Forum and thus are more likely to become targets.
- Many Bogleheads are STEM, legal, medical and financial professionals. They have propensity for and satisfaction from detailed analyses and calculations, getting into the portfolio, insurance, tax, and other weeds that most other people avoid as a plague.
With this in mind, imagine what could happen if a hacker breaks into the Bogleheads server and steals the phpBB users table. They probably will get user names, email addresses and hashed passwords. With that information, they could identify email addresses of high value users (i.e. those who post messages like "I just retired with $5M in my Vanguard account"). If they decide to target you, they might go after your Vanguard account or your email account or some other high value account using that email address.

It would be wise to use a different email address for your Bogleheads account than you use for Vanguard or any other important account. Don't use that email address at any other website that can tie you to your real identity.

jsmoove123
Posts: 26
Joined: Sun Oct 22, 2017 12:01 am

Re: How real is cyber risk?

Post by jsmoove123 » Sun Sep 23, 2018 5:50 pm

tuningfork wrote:
Sun Sep 23, 2018 2:07 pm
With this in mind, imagine what could happen if a hacker breaks into the Bogleheads server and steals the phpBB users table.
Big yikes, hopefully there is a way to encrypt/hash this?

evestor
Posts: 114
Joined: Sat Feb 21, 2015 5:37 pm

Re: How real is cyber risk?

Post by evestor » Mon Sep 24, 2018 12:18 am

jsmoove123 wrote:
Sun Sep 23, 2018 5:50 pm
tuningfork wrote:
Sun Sep 23, 2018 2:07 pm
With this in mind, imagine what could happen if a hacker breaks into the Bogleheads server and steals the phpBB users table.
Big yikes, hopefully there is a way to encrypt/hash this?
Encrypt does not move the needle for most threats (though it is still worth doing if you have a reasonable way to protect the key). Hash does. That said, in the world in which we live (ASICs, etc.), the classic approaches are tough. PBKDF2 with small #s of rounds is easier to defeat than ever. ARGON2 is likely the best option these days (even though it is still imperfect). Willing to bet this service does not use that. :)
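
The contrast drawn above between low-round PBKDF2 and a memory-hard function, shown as an added example (not code from the poster, phpBB or this forum): a stored record carries its own algorithm and parameters, and a weak record is upgraded the next time its owner logs in. Python's standard library has no Argon2, so scrypt, also memory-hard, stands in for it here; the parameter values and the sample account are assumptions.

```python
import base64
import hashlib
import hmac
import os

# Current policy (assumed values): scrypt with N=2**14, r=8, p=1, about 16 MiB per guess.
POLICY = ("scrypt", 2**14, 8, 1)


def _enc(raw):
    return base64.b64encode(raw).decode("ascii")


def _scrypt(password, salt, n, r, p):
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=r, p=p,
                          maxmem=64 * 2**20, dklen=32)


def hash_password(password):
    """Hash under the current policy; the parameters travel with the record."""
    salt = os.urandom(16)
    _, n, r, p = POLICY
    return f"scrypt${n}${r}${p}${_enc(salt)}${_enc(_scrypt(password, salt, n, r, p))}"


def legacy_pbkdf2(password, rounds):
    """What an old record looks like: PBKDF2-HMAC-SHA256 with few rounds."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2-sha256${rounds}${_enc(salt)}${_enc(digest)}"


def verify(password, stored):
    """Return (ok, needs_rehash) for a stored record in either format."""
    try:
        algo, *params, salt_b64, want_b64 = stored.split("$")
        salt, want = base64.b64decode(salt_b64), base64.b64decode(want_b64)
        nums = tuple(int(x) for x in params)
        if algo == "scrypt" and len(nums) == 3:
            got = _scrypt(password, salt, *nums)
        elif algo == "pbkdf2-sha256" and len(nums) == 1:
            got = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, nums[0])
        else:
            return False, False
    except ValueError:  # malformed record or rejected parameters
        return False, False
    ok = hmac.compare_digest(got, want)  # constant-time comparison
    return ok, ok and (algo, *nums) != POLICY


def login(db, user, password):
    """Check a login; on success, upgrade a record that is below policy."""
    stored = db.get(user)
    if stored is None:
        return False
    ok, needs_rehash = verify(password, stored)
    if needs_rehash:
        # The plaintext is only available at login, so this is the moment to rehash.
        db[user] = hash_password(password)
    return ok


if __name__ == "__main__":
    db = {"alice": legacy_pbkdf2("correct horse", 1000)}  # constructed sample record
    print(login(db, "alice", "wrong"), db["alice"].split("$")[0])
    print(login(db, "alice", "correct horse"), db["alice"].split("$")[0])
```

Records of users who never log in again stay in the old format, so a stolen table can still contain weak hashes long after the policy changes.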

tadamsmar
Posts: 7885
Joined: Mon May 07, 2007 12:33 pm

Re: How real is cyber risk?

Post by tadamsmar » Mon Sep 24, 2018 6:05 am

You can check the status of your email address here:

https://haveibeenpwned.com/

From what I find, I think you will likely find that your email address and name (if not a current or past password) is already out there.

I think this is a good argument for regularly changing passwords.

3-20Characters
Posts: 104
Joined: Tue Jun 19, 2018 2:20 pm

Re: How real is cyber risk?

Post by 3-20Characters » Mon Sep 24, 2018 6:31 am

tadamsmar wrote:
Mon Sep 24, 2018 6:05 am
You can check the status of your email address here:

https://haveibeenpwned.com/

From what I find, I think you will likely find that your email address and name (if not a current or past password) is already out there.

I think this is a good argument for regularly changing passwords.
1Password has a feature called Watchtower which checks for compromised sites and alerts you to change the password. It additionally checks for expired ssl certificates, weak passwords and the like. Anyway, when I see a red alert on a login, I attend to it. So far so good. Fingers crossed.

https://support.1password.com/watchtower/

It’s also nice to be able to keep all my credit freeze links, letters and PINs in a central, safe location. I’m up to 6 agency freezes X 2 accounts each (me and my wife) so 12 to keep track of. Add another 150+ logins of various importance...

Another thumbs up for a good password manager.

jalbert
Posts: 3922
Joined: Fri Apr 10, 2015 12:29 am

Re: How real is cyber risk?

Post by jalbert » Sat Sep 29, 2018 2:37 am

VictoriaF wrote:
Thu Sep 20, 2018 3:24 pm
Here is an excellent recent article "Before You Turn On Two-Factor Authentication…" Aug 14, 2018, https://medium.com/@stuartschechter/bef ... 148cc5b9a1

Victoria
I wish some of those were real defects all the time. Many service providers have password/factor recovery procedures that are so weak that they become the exploitable weak link, undermining the attempts to implement robust authentication.
Risk is not a guarantor of return.
