Cybersecurity and passwords

Topic Author
Cpadave
Posts: 214
Joined: Wed Nov 22, 2017 11:53 am

Cybersecurity and passwords

Post by Cpadave »

So I have been trying to enhance my internet security recently and have taken the following steps:
Using a dedicated device (laptop) connected directly to the cable modem (no Wi-Fi). The device is only used for logging into my financial accounts on the web, Quicken and a tax preparation program. I also have Microsoft 2010 Word and Excel. I am running Windows 10 with its antivirus and firewall activated. I also have turned off as many of the privacy and other settings that I won’t be using as I can. The programs installed are updated on a regular basis. Outside of those programs listed, I have not installed any other programs or extensions. I also do not access my email on this device. I also do not ever use any other device to log in to those accounts.
I have activated 2FA on all accounts and email. I plan to change my important passwords to more difficult ones, unique to each account, soon. Since I am retired and have kids, I spend a lot of time at home. If I travel for an extended time, I will hide the dedicated device and delete saved passwords. Currently I have the passwords saved on the device as well as in my browser, Edge. I know that is not the best option. I am looking for a better option to do this. Since I am home a lot, I tend to log in to most of my accounts at least once a day. I also prefer not to have my passwords saved in the cloud.
So my questions are: is there an easy and safe way for me to save passwords given my setup? Can I do anything to reduce the security compromise in case my laptop is stolen? Does my current plan look OK?
Thank You for your advice and help.
elvisimprsntr
Posts: 133
Joined: Wed Jan 08, 2020 7:24 pm

Re: Cybersecurity and passwords

Post by elvisimprsntr »

Cpadave wrote: Sun Jan 26, 2020 9:05 am I plan to change my important passwords to a more difficult one and unique to each account soon
This should be priority #1. Do not use simple or reuse passwords!
and delete saved passwords
Do not allow browser to cache passwords!

Plenty of password managers which will automatically generate, store, autofill complex passwords.

https://en.wikipedia.org/wiki/List_of_password_managers

https://www.youtube.com/watch?v=w68BBPDAWr8
Last edited by elvisimprsntr on Sun Jan 26, 2020 9:50 am, edited 4 times in total.
ScubaHogg
Posts: 681
Joined: Sun Nov 06, 2011 3:02 pm

Re: Cybersecurity and passwords

Post by ScubaHogg »

I’ve used 1Password for years and have been very happy. You can store passwords locally or in the cloud. Even if the security wasn’t any better than nothing (which it obviously is), the ease of signing into websites alone makes it worthwhile.
“Unexpected Returns dominate the Expected Returns” - Ken French
ARoseByAnyOtherName
Posts: 1000
Joined: Wed Apr 26, 2017 12:03 am

Re: Cybersecurity and passwords

Post by ARoseByAnyOtherName »

You say "currently I have the passwords saved on the device". I assume that means that they are saved in a Word doc or something similarly insecure?

The #1 thing you need to do is use a password manager as others here have suggested. I recommend 1Password, as do others. Whatever you do, don't use LastPass, it has a poor security track record. You can choose to use 1Password locally on your laptop only if that's important to you.

Once you have a password manager you need to immediately change all your passwords for all accounts to unique, totally random strings of characters that are as long as the website allows. This is the single most bang for the buck you can get with online security.

Then, make sure that your laptop has a strong password that is required when you turn it on or wake from sleep.

Going further, I previously posted a set of currently recommended online security best practices in another thread here:
viewtopic.php?p=4702423#p4702423

It's also worth noting that not using WiFi at home doesn't practically do anything for you security-wise. If the base station is under your control, and it's creating a secure wifi network with a strong password, then go ahead and use it especially if it's inconvenient to connect directly to the cable modem.
onourway
Posts: 2613
Joined: Thu Dec 08, 2016 3:39 pm

Re: Cybersecurity and passwords

Post by onourway »

I use PWSafe which is free and open source. It can be totally offline if you wish, or online by simply placing the encrypted file in a cloud location. Someone would have to break the Twofish algorithm to do anything with that file which seems unlikely at this time.

I think your biggest threats after choosing a password manager are a) you should have some kind of hardware firewall in between your modem and computer (I don't think wifi properly secured is a major issue here) and b) you are using Windows software which is notoriously difficult to keep secure over the long run. I think an iPad would be the most secure option available to most regular users.
Topic Author
Cpadave
Posts: 214
Joined: Wed Nov 22, 2017 11:53 am

Re: Cybersecurity and passwords

Post by Cpadave »

Thank You for the advice. I see the preferred method is a password manager. Is it not possible for an employee of a password manager company to somehow get access to your password? Could they not install malware or a virus if the employee's objective is to do harm? Are password managers 100% secure? Is there a local option where the passwords can be saved securely with some kind of existing Windows encryption, if there is any?

Also, if I delete the saved passwords on devices and empty trash folder, would that delete the file permanently?

Thanks again.
SimonJester
Posts: 2164
Joined: Tue Aug 16, 2011 12:39 pm

Re: Cybersecurity and passwords

Post by SimonJester »

Cpadave wrote: Sun Jan 26, 2020 10:05 am Thank You for the advice. I see preferred method is a password manager. Is it not possible for an employee of a password manager company to somehow get access to your password? Could they not install malware or virus if the employee objective is to do harm? Are password managers 100% secure? Is there a local option where the passwords can be saved securely with some kind of windows existing encryption if there is any?

Also, if I delete the saved passwords on devices and empty trash folder, would that delete the file permanently?

Thanks again.
Nothing is 100%, however use a password manager that does NOT store your password file in the cloud. You can also setup your password manager with 2 factor authentication so just having your password would not be enough to access the data.
Cpadave wrote: Sun Jan 26, 2020 10:05 am Also, if I delete the saved passwords on devices and empty trash folder, would that delete the file permanently?
In theory no, your data can be recovered if you simply delete it. To really get rid of it you need to use a program that overwrites the space where the data resided on your hard drive. Deleting the file does not remove the data, only the file pointer. However, encrypt your hard drive and this becomes a moot issue...


I think you are going a bit overboard with your security measures. Yes these are all good, but the likelihood of someone stealing your dedicated device and not running off to the pawn shop with it is slim. Again, encrypt the hard drive on the dedicated device; then if it's stolen they will not have access to any of the data.

At the end of the day if someone gets into your accounts and fraudulently steals your money, your financial institution will cover you, as long as you are meeting their requirements. So I would start there and read the terms of service for each financial institution.
"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." - Benjamin Franklin
Topic Author
Cpadave
Posts: 214
Joined: Wed Nov 22, 2017 11:53 am

Re: Cybersecurity and passwords

Post by Cpadave »

onourway wrote: Sun Jan 26, 2020 10:01 am I use PWSafe which is free and open source. It can be totally offline if you wish, or online by simply placing the encrypted file in a cloud location. Someone would have to break the Twofish algorithm to do anything with that file which seems unlikely at this time.

I think your biggest threats after choosing a password manager is a) you should have some kind of hardware firewall in between your modem and computer (I don't think wifi properly secured is a major issue here) and b) you are using Windows software which is notoriously difficult to keep secure over the long run. I think an iPad would be the most secure option available to most regular users.
Thanks for the reply. I do use the Windows firewall. Is that not sufficient? If I only use a dedicated Windows device, would there still be a risk, since I only go to bank and brokerage accounts on it? No web surfing or email on it.
AAA
Posts: 1364
Joined: Sat Jan 12, 2008 8:56 am

Re: Cybersecurity and passwords

Post by AAA »

Did you mean Microsoft 2010 Word and Excel? Is Microsoft continuing to do security updates for this version? If not, I would delete them.

I also have a distrust of password managers, whether justified or not. One option might be to store your passwords in a file on an encrypted USB flash drive (with multiple copies, preferably with one at a remote location such as a bank safety deposit box or with a friend or relative).
Nowizard
Posts: 2971
Joined: Tue Oct 23, 2007 5:33 pm

Re: Cybersecurity and passwords

Post by Nowizard »

We often used the same password for sites where we didn't care if someone read our responses or looked at any information included. That had an adverse result with this site once where, when using an extremely simple password, someone hacked it and posted inappropriately on the site. I received a banned notice until responding to the administrator and now have a complicated password. Our passwords probably reach three pages when compiled now.

Tim
onourway
Posts: 2613
Joined: Thu Dec 08, 2016 3:39 pm

Re: Cybersecurity and passwords

Post by onourway »

Cpadave wrote: Sun Jan 26, 2020 10:20 am
onourway wrote: Sun Jan 26, 2020 10:01 am I use PWSafe which is free and open source. It can be totally offline if you wish, or online by simply placing the encrypted file in a cloud location. Someone would have to break the Twofish algorithm to do anything with that file which seems unlikely at this time.

I think your biggest threats after choosing a password manager is a) you should have some kind of hardware firewall in between your modem and computer (I don't think wifi properly secured is a major issue here) and b) you are using Windows software which is notoriously difficult to keep secure over the long run. I think an iPad would be the most secure option available to most regular users.
Thanks for the reply. I do use the Windows firewall. Is that not sufficient? If I only use a dedicated Windows device, would there still be a risk, since I only go to bank and brokerage accounts on it? No web surfing or email on it.
I do not trust the Windows firewall 100% mostly because many programs need permission to modify the firewall settings and even as a former network guy, I find the Windows firewall difficult to manage.

You say you are accessing your banking sites, so you are not 100% offline - and I think it may be difficult to avoid email use as well over the long term as a lot of account management is done through emailed links these days.

Anyhow, I think you are going overboard unless you have some very specific reason to believe you are being targeted. Most banks and brokerages provide protection against this type of stuff.
Helo80
Posts: 1740
Joined: Sat Apr 29, 2017 8:47 pm

Re: Cybersecurity and passwords

Post by Helo80 »

Cpadave wrote: Sun Jan 26, 2020 9:05 am So I have been trying to enhance my internet security recently and have taken the following steps;
Using a dedicated device (laptop) connected directly to cable modem (no Wi-Fi).

Does the cable modem have a built-in router? Or, did you disable the wi-fi?

The reason I ask is that it's a good idea to have a border device like a router with a built-in switch. In 2020, all of said routers will basically have wifi until you get into the more pro-sumer range.

The reason being is that your basic cable modem will do no packet filtering and you'll be relying solely on Windows 10 to keep people out. Windows 10 is a solid system, but it would not surprise me if your ports are scanned a dozen times an hour of every day of every year.
lazydavid
Posts: 3275
Joined: Wed Apr 06, 2016 1:37 pm

Re: Cybersecurity and passwords

Post by lazydavid »

SimonJester wrote: Sun Jan 26, 2020 10:20 am Nothing is 100%, however use a password manager that does NOT store your password file in the cloud.
This is unnecessarily paranoid. Either modern cryptography works, or it doesn't. If it doesn't, we're completely screwed, regardless of how we store our passwords. If it does, then having the encrypted password fall into the wrong hands does not impact our security posture in any way.

Here's my encrypted password for bogleheads, knock yourself out:


Yes, that is actually my bogleheads password, as stored by a password manager. Without my master password, the algorithm used and number of iterations configured in my password manager, the above is absolutely useless to an attacker.
MidwestMike
Posts: 97
Joined: Fri Jun 30, 2017 10:12 pm

Re: Cybersecurity and passwords

Post by MidwestMike »

Use nonsensical answers for any security questions.

Mother’s maiden name?

Miami23horse
SimonJester
Posts: 2164
Joined: Tue Aug 16, 2011 12:39 pm

Re: Cybersecurity and passwords

Post by SimonJester »

lazydavid wrote: Sun Jan 26, 2020 10:53 am
SimonJester wrote: Sun Jan 26, 2020 10:20 am Nothing is 100%, however use a password manager that does NOT store your password file in the cloud.
This is unnecessarily paranoid. Either modern cryptography works, or it doesn't. If it doesn't, we're completely screwed, regardless of how we store our passwords. If it does, then having the encrypted password fall into the wrong hands does not impact our security posture in any way.
I semi agree but the suggestion was made based on the OPs level of security paranoia.

I guess at the end of the day, each person has to accept a level of security paranoia that allows them to sleep well at night. Sort of like selecting your asset allocation, no one size fits all.
"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." - Benjamin Franklin
squirm
Posts: 2861
Joined: Sat Mar 19, 2011 11:53 am

Re: Cybersecurity and passwords

Post by squirm »

lazydavid wrote: Sun Jan 26, 2020 10:53 am
SimonJester wrote: Sun Jan 26, 2020 10:20 am Nothing is 100%, however use a password manager that does NOT store your password file in the cloud.
This is unnecessarily paranoid. Either modern cryptography works, or it doesn't. If it doesn't, we're completely screwed, regardless of how we store our passwords. If it does, then having the encrypted password fall into the wrong hands does not impact our security posture in any way.

Here's my encrypted password for bogleheads, knock yourself out:


Yes, that is actually my bogleheads password, as stored by a password manager. Without my master password, the algorithm used and number of iterations configured in my password manager, the above is absolutely useless to an attacker.
Not only that, the passwords are usually salted too.
Agree, lots of paranoia here.
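Both of the points above (that a stolen blob is useless without the master password, the KDF's algorithm and iteration count, and that entries are salted) can be seen in a few dozen lines. The following is an added example written for this thread; it is not lazydavid's or squirm's password manager, and its record layout is invented for illustration. Real managers encrypt entries with AES or another standard cipher; here a keystream built from HMAC-SHA256 in counter mode stands in so the script runs with only the Python standard library.

```python
"""
Toy password-vault record: why an encrypted entry is useless without the
master password, the per-record salt and the KDF iteration count.

Added example for this thread (not any real manager's format). The cipher is
a PRF-in-counter-mode keystream from HMAC-SHA256, standing in for AES so the
script needs only the standard library.
"""
import hashlib
import hmac
import secrets
from typing import Optional, Tuple

DEFAULT_ITERATIONS = 600_000  # PBKDF2 work factor; slows offline guessing


def derive_keys(master_password: str, salt: bytes, iterations: int) -> Tuple[bytes, bytes]:
    """Stretch the master password into an encryption key and a MAC key."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=64
    )
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream blocks = HMAC(key, nonce || counter); never reuse a nonce under one key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_entry(master_password: str, site_password: str,
                  iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Encrypt one site password under a fresh random salt and nonce."""
    salt = secrets.token_bytes(16)   # random per record: same password, different blob
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    plaintext = site_password.encode("utf-8")
    keystream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream))
    # Encrypt-then-MAC over everything the decryptor will trust
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "iterations": iterations,
            "ciphertext": ciphertext, "tag": tag}


def decrypt_entry(master_password: str, record: dict) -> Optional[str]:
    """Return the site password, or None if the master password is wrong or the record was altered."""
    enc_key, mac_key = derive_keys(master_password, record["salt"], record["iterations"])
    expected = hmac.new(mac_key, record["salt"] + record["nonce"] + record["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None
    keystream = _keystream(enc_key, record["nonce"], len(record["ciphertext"]))
    return bytes(c ^ k for c, k in zip(record["ciphertext"], keystream)).decode("utf-8")


def self_check(iterations: int = DEFAULT_ITERATIONS) -> dict:
    """Exercise the properties discussed in the thread and return the observations."""
    master, site_pw = "correct horse battery staple", "s3cret-site-pw"
    r1 = encrypt_entry(master, site_pw, iterations)
    r2 = encrypt_entry(master, site_pw, iterations)
    tampered = dict(r1, ciphertext=bytes([r1["ciphertext"][0] ^ 1]) + r1["ciphertext"][1:])
    return {
        "right_master": decrypt_entry(master, r1),
        "wrong_master": decrypt_entry(master + "!", r1),
        "tampered": decrypt_entry(master, tampered),
        "blobs_differ": r1["ciphertext"] != r2["ciphertext"],  # salt + nonce at work
    }


if __name__ == "__main__":
    record = encrypt_entry("long random master phrase", "Xk9#vQ2!site-password")
    print("blob:", record["ciphertext"].hex())
    print("right master:", decrypt_entry("long random master phrase", record))
    print("wrong master:", decrypt_entry("password123", record))
```

The record stores the salt, nonce and iteration count in the clear; they are not secret, they only make each blob unique and each guess at the master password expensive. What an attacker holding the blob must still supply is the master password, which is why its strength, not the blob's secrecy, is what the scheme rests on.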
Topic Author
Cpadave
Posts: 214
Joined: Wed Nov 22, 2017 11:53 am

Re: Cybersecurity and passwords

Post by Cpadave »

SimonJester wrote: Sun Jan 26, 2020 10:20 am
Cpadave wrote: Sun Jan 26, 2020 10:05 am Thank You for the advice. I see preferred method is a password manager. Is it not possible for an employee of a password manager company to somehow get access to your password? Could they not install malware or virus if the employee objective is to do harm? Are password managers 100% secure? Is there a local option where the passwords can be saved securely with some kind of windows existing encryption if there is any?

Also, if I delete the saved passwords on devices and empty trash folder, would that delete the file permanently?

Thanks again.
Nothing is 100%, however use a password manager that does NOT store your password file in the cloud. You can also setup your password manager with 2 factor authentication so just having your password would not be enough to access the data.
Cpadave wrote: Sun Jan 26, 2020 10:05 am Also, if I delete the saved passwords on devices and empty trash folder, would that delete the file permanently?
In theory no, your data can be recovered if you simply delete it. To really get rid of it you need to use a program that over writes the space where the data resided on your hard drive. Deleting the file does not remove the data, only the file pointer. However encrypt your hard drive and this becomes a mute issue...


I think you are going a bit overboard with your security measures. Yes these are all good, but the likelihood of someone stealing your dedicated device and not running off to the pawn shop with it is slim. Again encrypt the hard drive on the dedicated device, then if its stolen they will not have access to any of the data.

At the end of the day if someone gets into your accounts and fraudulently steals your money, your financial institution will cover you, as long as you are meeting their requirements. So I would start there and read the terms of service for each financial institution.
Thank you for the reply. I will look online to see how I can encrypt the hard drive.
Watty
Posts: 20442
Joined: Wed Oct 10, 2007 3:55 pm

Re: Cybersecurity and passwords

Post by Watty »

I am also concerned about a hacker getting control of a password manager so I do not use them since I don't think they really help that much and even if it is a remote risk, they add another point of failure.

I am not an expert or anything but what I do instead is that I bought an encrypted usb drive that I keep a list of some of my passwords on.

The way that it works when I plug the encrypted usb drive in my computer I have to enter a password to access it. I keep the USB drive in a hidden place near my computer.

In a document on the USB drive, I consider the passwords and account names to be at these levels of importance.

1) Throwaway - like some news websites that are free but require you to sign in. I just record those.

2) Important but not critical - like my Bogleheads sign in.
I write down clues to what the password is, but not the actual password.

I also do this for the website and user ID since you also need these for a password to be useful.

3) For critical passwords, like for email and financial accounts, I do not write these down even on the USB drive. There are only a few of those and I can manage to remember those. I don't mean this to be snarky but if I get to the point where I cannot handle five passwords, that I pick on my own, then I should be looking for someone to manage my finances for me.

If I do forget one then I can just go through the password reset procedure which typically involves answering some security questions and them sending a text message to your cell phone.

If you have not done it already all your financial accounts should have two factor authentication turned on. This is where every time you sign on they send you a text message with a code you have to enter to confirm it is you. This is not perfect but it is still a pretty big barrier to someone getting into your financial account.

As long as your password is not based on something that can be guessed, like a pets or kids name, then I see little advantage to having long lines of gibberish as your password. All systems will disable your account after a handful of incorrect passwords are tried.
Cpadave wrote: Sun Jan 26, 2020 10:05 am Also, if I delete the saved passwords on devices and empty trash folder, would that delete the file permanently?
No, at least with Windows when you delete a file it is just marked as deleted and removed from the internal list of files. It is still out on the computer in empty disk space until something happens to use that same space again by random chance. There are utilities that will look through your empty disk space to see what can be recovered.

There are also utilities that will overwrite that empty disk space so that things can't be recovered from it. If you are going to sell or give away an old computer you would want to run one of those utilities.
SpaethCo
Posts: 229
Joined: Thu Jan 14, 2016 12:58 am

Re: Cybersecurity and passwords

Post by SpaethCo »

A password manager accomplishes 2 things: complex site-unique passwords, and site validation with autofill. The average person will type their password into a clever phishing site with an official looking domain, a password manager won't.

2FA is primarily useful if you have weak passwords. It is primarily used to combat credential stuffing (ie, taking a password from breached site A and using it to log into site B). Unless you are using U2F security tokens, pretty much all common 2FA solutions are fully phishable. SMS, Google Authenticator, Authy, etc all "feel" secure, but only offer a benefit if you reuse passwords or have a weak easily derived password.

Your biggest exposure in any online system is the password reset process. Why bother with a heavily fortified front door, and potentially dealing with 2FA or other barriers, when you can just use the minimally protected back door to an account? Usually this involves password reset links that are sent to your email address. Your email account therefore becomes your most important account to secure. If you are using ISP email, you're in the most vulnerable posture security-wise. Try and call up your cable or telco ISP and say you forgot your password to your email, see how difficult it is to reset the password to get into your account. Once an attacker has control of your email account, everything else falls quickly.
SimonJester
Posts: 2164
Joined: Tue Aug 16, 2011 12:39 pm

Re: Cybersecurity and passwords

Post by SimonJester »

Watty wrote: Sun Jan 26, 2020 11:30 am I am also concerned about a hacker getting control of a password manager so I do not use them since I don't think they really help that much and even if it is a remote risk, they add another point of failure.

I am not an expert or anything but what I do instead is that I bought an encrypted usb drive that I keep a list of some of my passwords on.

The way that it works when I plug the encrypted usb drive in my computer I have to enter a password to access it. I keep the USB drive in a hidden place near my computer.

The benefits of a password manager are that they also encrypt the data at rest while live on your system. Your USB drive, while encrypted, is unencrypted while you are accessing your password file and thus at risk from any virus / trojan / malware on your PC.

Password managers also encrypt and or deal with the memory space the passwords are occupying during the copy / paste routine.
"They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety." - Benjamin Franklin
ThankYouJack
Posts: 3454
Joined: Wed Oct 08, 2014 7:27 pm

Re: Cybersecurity and passwords

Post by ThankYouJack »

There's a simple solution to using a password manager but to prevent a hacker from getting your passwords even if they get access to your password manager. Anyone care to guess?
ThankYouJack
Posts: 3454
Joined: Wed Oct 08, 2014 7:27 pm

Re: Cybersecurity and passwords

Post by ThankYouJack »

squirm wrote: Sun Jan 26, 2020 11:24 am
lazydavid wrote: Sun Jan 26, 2020 10:53 am
SimonJester wrote: Sun Jan 26, 2020 10:20 am Nothing is 100%, however use a password manager that does NOT store your password file in the cloud.
This is unnecessarily paranoid. Either modern cryptography works, or it doesn't. If it doesn't, we're completely screwed, regardless of how we store our passwords. If it does, then having the encrypted password fall into the wrong hands does not impact our security posture in any way.

Here's my encrypted password for bogleheads, knock yourself out:


Yes, that is actually my bogleheads password, as stored by a password manager. Without my master password, the algorithm used and number of iterations configured in my password manager, the above is absolutely useless to an attacker.
Not only that, the passwords are usually salted too.
Agree, lots of paranoia here.
But would you post the same string with your retirement account password, especially if it's up to 7 figures?

I don't think we need to be paranoid, but I think things like 2FA, unique long passwords, being more secure than our "neighbors" are helpful and don't come at a cost.
Helo80
Posts: 1740
Joined: Sat Apr 29, 2017 8:47 pm

Re: Cybersecurity and passwords

Post by Helo80 »

ThankYouJack wrote: Sun Jan 26, 2020 3:54 pm There's a simple solution to using a password manager but to prevent a hacker from getting your passwords even if they get access to your password manager. Anyone care to guess?
you can have a word or phrase at the end of the password that LastPass or whatever password manager you're using stores.
Higman
Posts: 227
Joined: Wed Aug 20, 2008 7:51 pm

Re: Cybersecurity and passwords

Post by Higman »

Microsoft will no longer support Office 2010 as of this coming October. You will need to upgrade to a new version since 2010 version will no longer get security updates but will continue to function.
quantAndHold
Posts: 4934
Joined: Thu Sep 17, 2015 10:39 pm

Re: Cybersecurity and passwords

Post by quantAndHold »

Some paranoia and misinformation in this thread.

Security has a lot of trade offs between security and ease of use. The only really, truly secure computer system is the one you don’t have, and the only truly secure data is the data that doesn’t exist. But that wouldn’t be practical. The only computer that’s truly secure from network issues is the one that isn’t connected to the network at all. Also not practical.

So, from that perspective...

Phone vs computer. A phone is probably more secure than a laptop. It does less and was designed from the ground up with security in mind, and has a smaller attack surface than a laptop. Getting into specifics, iPhone is arguably more secure than Android. Of course, if you install enough crap on anything you can make it insecure (and many Android phones already come with a lot of crap installed).

But a phone is impractical to do a lot of financial stuff on.

What kind of laptop? I would avoid Windows for two reasons. First, since it is the most popular operating system, it’s the one that the most bad guys will try to attack. Second, a lot of windows computers come with a lot of crap installed. I use a Mac for my financial life, but I might argue for someone using either a Chromebook or a Raspberry Pi for a dedicated financial computer. Cheap, and less likely to be targeted by bad guys. Encrypt the hard drive.

Whatever you choose, the number one thing is to keep it physically secure. If someone has physical access, you have to assume it’s game over. Don’t leave it on your desk when the cleaning lady comes. Don’t leave it next to an open window where it can be grabbed. Lock it up. If you have a safe, put it in the safe. Also, back it up regularly, and store the backups somewhere secure offsite. If you’re using thumb drives, keep them secure.

WiFi vs wired. Honestly, this one is a tossup. Properly configured WiFi and hardwired Ethernet are, for practical purposes, probably about equally difficult to attack. Which doesn’t mean that either one is totally secure. The difference is marginal, and given the utility that WiFi provides, I would just make sure it’s secured properly and go on with my life. Note that I’m not talking about hotel or coffee shop WiFi. I’m talking about properly configured home WiFi.

Password manager. You should have separate, strong passwords for every important site. In practical terms, this means that you will need a place to store them. This can be a sheet of paper, if you have a secure place to store the paper. I would prefer offline password storage to online, but online password storage is easier to use, and again, security vs utility. An argument could be made for keeping most passwords in online storage, and your bank and brokerage passwords separately offline. Don’t use passwords you can remember. If you can remember it, the bad guys can crack it.

2 factor authentication. 2FA is not 100% secure. But...the level of effort required to both break the second factor and your password at the same time makes it orders of magnitude more difficult for a bad guy to access your account than if you don’t use 2FA. You can assume that if it’s a successful 2FA attack, you were personally targeted. That doesn’t happen often.

Most people will have a reasonable amount of security and still be able to use their system if they...

1. Use a separate browser for financial stuff. Don’t ever use that browser for anything else. Set up bookmarks, and only use it for that.
2. Have a separate email account for financial stuff.
3. Different strong passwords for every account.
4. 2 factor authentication everywhere.
5. Properly configured home WiFi
6. Keep the computer, the passwords, and any 2FA devices (phone) secure.
Yes, I’m really that pedantic.
Helo80
Posts: 1740
Joined: Sat Apr 29, 2017 8:47 pm

Re: Cybersecurity and passwords

Post by Helo80 »

ThankYouJack wrote: Sun Jan 26, 2020 4:11 pm I don't think we need to be paranoid, but I think things like 2FA, unique long passwords, being more secure than our "neighbors" are helpful and don't come at a cost.


pretty much. For script kiddies, they'll go after the lowest hanging fruit. For APTs, they're more likely interested in laundering bitcoin wallets as opposed to institutions regulated by the SEC and federal law.
ThankYouJack
Posts: 3454
Joined: Wed Oct 08, 2014 7:27 pm

Re: Cybersecurity and passwords

Post by ThankYouJack »

Helo80 wrote: Sun Jan 26, 2020 4:16 pm
ThankYouJack wrote: Sun Jan 26, 2020 3:54 pm There's a simple solution to using a password manager but to prevent a hacker from getting your passwords even if they get access to your password manager. Anyone care to guess?
you can have a word or phrase at the end of the password that LastPass or whatever password manager you're using stores.
Yep :beer Or even just something like removing the last character of the stored password.

OP may want to consider it as an extra measure if it helps provide comfort.
SpaethCo
Posts: 229
Joined: Thu Jan 14, 2016 12:58 am

Re: Cybersecurity and passwords

Post by SpaethCo »

quantAndHold wrote: Sun Jan 26, 2020 4:23 pm But...the level of effort required to both break the second factor and your password at the same time makes it orders of magnitude more difficult for a bad guy to access your account than if you don’t use 2FA. You can assume that if it’s a successful 2FA attack, you were personally targeted. That doesn’t happen often.
It's becoming the most prevalent phishing method out there today.

https://fortune.com/2019/06/04/phishing ... ation-2fa/

https://securitytoday.com/articles/2019 ... -rise.aspx

It's trivial to setup, there are kits available on github that you can get operational in a few minutes. See, for example: https://github.com/ustayready/CredSniper

SMS / TOTP / Push notification 2FA are all trying to combat the idea that the 1st factor (the password) is already compromised because of password re-use or other weak password issues. If you land on a phishing site and are typing in credentials by hand, you're going to enter your 2FA verification code as part of the same flow and award your attacker with a long-lived session cookie.

This is where password managers have the advantage: strict URL matching for autofilling credentials, which all but eliminates phishing. (If your password manager isn't filling in your password, you're probably not on the site you think you are.) That combined with site-unique passwords which also removes credential stuffing attacks, and you're covered against 99% of your attack surface.

The only 2FA worth bothering with is U2F, because it's 2-way validation. The authentication from the security token is signed to the URL making the request, so even if you land on phishingsite.com, you'll only sign a validation response to phishingsite.com which cannot be replayed for access to goodsite.com. A good overview is available here: https://fastmail.blog/2016/07/23/how-u2 ... keys-work/
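The two phishing-resistant mechanisms described in this post (exact-origin matching before a password manager autofills, and a security key signing over the origin the browser is actually on) can be shown side by side. The following is an added illustration, not code from this thread, from CredSniper, or from any U2F implementation: the origins are constructed, and HMAC keyed per origin stands in for the ECDSA signature a real token produces, so that it runs on the Python standard library alone. The origin-binding property it demonstrates is the same as in the real protocol.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed example origins for illustration only; neither host is a real service.
REAL_SITE = "https://bank.example"
PHISH_SITE = "https://bank.example.login-verify.test"  # look-alike host under a different domain


def origin_of(url: str) -> str:
    """Reduce a URL to its scheme://host[:port] origin, which is what both the
    autofill rule and the token signature are bound to."""
    parts = urlsplit(url)
    port = f":{parts.port}" if parts.port else ""
    return f"{parts.scheme}://{(parts.hostname or '').lower()}{port}"


# 1. Password-manager style autofill: credentials are keyed by exact origin.
VAULT = {origin_of(REAL_SITE): ("dave", "correct horse battery staple")}  # constructed entry


def autofill(page_url: str):
    """Return stored credentials only if the page origin matches exactly;
    a look-alike host or a plain-http copy of the site gets nothing."""
    return VAULT.get(origin_of(page_url))


# 2. U2F-style origin-bound assertion (simplified). A real token signs with a
# per-credential ECDSA private key and the relying party verifies with the public
# key; HMAC with a per-origin key stands in for that here. The signed message
# covers the origin the browser is on, the challenge and a counter.
def _signed_message(app_id: str, challenge: bytes, counter: int) -> bytes:
    return app_id.encode() + b"|" + challenge + b"|" + counter.to_bytes(4, "big")


class Token:
    def __init__(self):
        self._master = secrets.token_bytes(32)  # device secret, never leaves the token
        self.counter = 0

    def _key_for(self, app_id: str) -> bytes:
        # one key per origin, derived from the device secret (as real tokens do)
        return hmac.new(self._master, app_id.encode(), hashlib.sha256).digest()

    def register(self, app_id: str) -> bytes:
        return self._key_for(app_id)  # plays the role of the public key handed to the site

    def sign(self, app_id: str, challenge: bytes) -> dict:
        # the browser supplies app_id = the origin of the page requesting the assertion
        self.counter += 1
        msg = _signed_message(app_id, challenge, self.counter)
        sig = hmac.new(self._key_for(app_id), msg, hashlib.sha256).digest()
        return {"app_id": app_id, "counter": self.counter, "sig": sig}


class RelyingParty:
    def __init__(self, site_url: str):
        self.origin = origin_of(site_url)
        self.cred_key = None
        self.last_counter = 0

    def enroll(self, token: Token) -> None:
        self.cred_key = token.register(self.origin)

    def new_challenge(self) -> bytes:
        return secrets.token_bytes(32)

    def verify(self, challenge: bytes, assertion: dict) -> bool:
        if assertion["app_id"] != self.origin:
            return False  # signed for some other origin
        if assertion["counter"] <= self.last_counter:
            return False  # replay of an assertion already consumed
        msg = _signed_message(self.origin, challenge, assertion["counter"])
        expected = hmac.new(self.cred_key, msg, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, assertion["sig"]):
            return False
        self.last_counter = assertion["counter"]
        return True


def demo() -> dict:
    """Legitimate login succeeds; a replay of a used assertion fails; an assertion
    the token produced while the browser was on the look-alike origin fails even
    when the challenge itself was the site's genuine one."""
    token, rp = Token(), RelyingParty(REAL_SITE)
    rp.enroll(token)

    c1 = rp.new_challenge()
    a1 = token.sign(origin_of(REAL_SITE), c1)
    legit = rp.verify(c1, a1)
    replay = rp.verify(c1, a1)

    c2 = rp.new_challenge()  # genuine challenge shown to the user on the look-alike page
    a2 = token.sign(origin_of(PHISH_SITE), c2)  # browser binds it to the origin the user is really on
    relayed = rp.verify(c2, a2)
    return {"legit": legit, "replay": replay, "relayed": relayed}
```

The same origin string drives both checks: `autofill` returns nothing for the look-alike host or for an `http://` copy of the site, and `RelyingParty.verify` rejects anything not signed for its own origin, which is why a password manager and a security key cover the same phishing flow from two sides.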
quantAndHold
Posts: 4934
Joined: Thu Sep 17, 2015 10:39 pm

Re: Cybersecurity and passwords

Post by quantAndHold »

SpaethCo wrote: Sun Jan 26, 2020 4:41 pm
quantAndHold wrote: Sun Jan 26, 2020 4:23 pmBut...the level of effort required to both break the second factor and your password at the same time makes it orders of magnitude more difficult for a bad guy to access your account than if you don’t use 2FA. You can assume that if it’s a successful 2FA attack, you were personally targeted. That doesn’t happen often.
It's becoming the most prevalent phishing method out there today.

https://fortune.com/2019/06/04/phishing ... ation-2fa/

https://securitytoday.com/articles/2019 ... -rise.aspx

It's trivial to set up; there are kits available on GitHub that you can get operational in a few minutes. See, for example: https://github.com/ustayready/CredSniper

SMS / TOTP / Push notification 2FA are all trying to combat the idea that the 1st factor (the password) is already compromised because of password re-use or other weak password issues. If you land on a phishing site and are typing in credentials by hand, you're going to enter your 2FA verification code as part of the same flow and award your attacker with a long-lived session cookie.

This is where password managers have the advantage: strict URL matching for autofilling credentials, which all but eliminates phishing. (If your password manager isn't filling in your password, you're probably not on the site you think you are.) That combined with site-unique passwords which also removes credential stuffing attacks, and you're covered against 99% of your attack surface.

The only 2FA worth bothering with is U2F, because it's 2-way validation. The authentication from the security token is signed to the URL making the request, so even if you land on phishingsite.com, you'll only sign a validation response to phishingsite.com which cannot be replayed for access to goodsite.com. A good overview is available here: https://fastmail.blog/2016/07/23/how-u2 ... keys-work/
You had me until the last paragraph. “The only 2FA worth bothering with” is not a useful statement, if the website doesn’t offer U2F, and it encourages people to adopt an insecure configuration. Even if SMS based 2FA is just another bicycle lock, having 2 types of bicycle locks is significantly better than one, especially when the first bicycle lock is a password. A better way to say it would be to prefer 2FA that requires a security key like a yubikey to using phone text messages, if the site has a choice. If the site doesn’t offer that, use whatever they have.

Source...I did one of the 2FA implementations for a FAANG. And yes, one of the options was U2F, so I’m familiar with the technology.
Yes, I’m really that pedantic.
SpaethCo
Posts: 229
Joined: Thu Jan 14, 2016 12:58 am

Re: Cybersecurity and passwords

Post by SpaethCo »

quantAndHold wrote: Sun Jan 26, 2020 5:07 pmEven if SMS based 2FA is just another bicycle lock, having 2 types of bicycle locks is significantly better than one, especially when the first bicycle lock is a password.
The primary attack vector that SMS / TOTP guards against is credential stuffing. If you're using a password manager with site-unique high entropy passwords, you've already covered that attack vector.

If you want to use SMS / TOTP 2FA on top of a password manager, knock yourself out. It simply slows down the authentication flow and doesn't provide any meaningful additional protection. The worst thing I see in my day job is it gives people a false sense of security - I can't tell you how many times we run successful phishing campaigns and we get comments like "I thought the site was genuine because I got a notification from our official Authy app!"
quantAndHold wrote: Sun Jan 26, 2020 5:07 pmSource...I did one of the 2FA implementations for a FAANG. And yes, one of the options was U2F, so I’m familiar with the technology.
I craft red team exercises for use by our security ops teams at a megacorp. That we can't even agree on the attack vectors is troubling -- how can the average person make sense of this?
MarkBarb
Posts: 485
Joined: Mon Aug 03, 2009 11:59 am

Re: Cybersecurity and passwords

Post by MarkBarb »

Keepass - It's a password manager that is open source and strictly local. I recommend it if you don't want to use a cloud based service. I also recommend that you back it up. I would suggest backing it up to the cloud, but I suspect that you won't like that approach. As an alternative, back it up to a couple of thumb drives and store at least one off site.

Another defense is to have a unique e-mail account used only for your financially sensitive stuff. Access that account only on your "safe" computers. One of the most common ways for people to hack accounts is to first hack your e-mail and then issue password resets on your account. If your sensitive accounts aren't on that e-mail it won't work.

Use crazy user IDs. Do that for your sensitive email (something like asdfjh235ay7345@gmail.com) and for your financial accounts. Make those IDs unique. Again, if someone is trying to do a password reset and they can't guess your account name or e-mail address, it will be much harder for them.

Consider using a Google Voice account for your 2-factor SMS authentication. SMS is a weak 2nd factor, but many people consider Google Voice to be stronger than your cell phone as an SMS device. I would recommend relying on a set of Yubikeys instead, but it seems like almost nobody supports them. Vanguard does, but only in a virtually useless way.

Finally, don't draw attention to yourself. With even moderate security, you'll be unlikely to be hacked. There are so many easy targets that hackers will hit those people instead of you. On the other hand, if you show that you are a rich target or you make people angry, you might be targeted by a focused attack. It's like home security. As long as you have some basic security in place, a burglar is likely to pass up your house and go on to a neighbor. On the other hand, if you posted on Facebook about your new $500,000 jewelry purchase, someone is more likely to spend the time figuring out how to get past your security.
AAA
Posts: 1364
Joined: Sat Jan 12, 2008 8:56 am

Re: Cybersecurity and passwords

Post by AAA »

SimonJester wrote: Sun Jan 26, 2020 10:20 am In theory no, your data can be recovered if you simply delete it. To really get rid of it you need to use a program that overwrites the space where the data resided on your hard drive. Deleting the file does not remove the data, only the file pointer. However, encrypt your hard drive and this becomes a moot issue...
I had used such a program to overwrite files on my previous laptop but my new one has an SSD and I thought I had read that such a program was no longer necessary. Is that true?
warner25
Posts: 506
Joined: Wed Oct 29, 2014 4:38 pm

Re: Cybersecurity and passwords

Post by warner25 »

quantAndHold wrote: Sun Jan 26, 2020 4:23 pm...Note that I’m not talking about hotel or coffee shop WiFi...
Your post is one of the most concise but complete approaches to this topic that I've read; nice. I'm curious, though, why you still have explicit concerns about public wifi or even poorly configured home wifi (I mean enough of a concern to mention it in your top 6 list). If you've taken the steps described to assure the security of your device/OS/browser, and you have a TLS connection with the banking/webmail/etc. server (because it's 2020, so of course TLS is in use), what's the risk?
Cpadave wrote: Sun Jan 26, 2020 9:05 am...Thank You for your advice and help.
Here's my take, for what it's worth, as someone with a recent graduate degree and a few industry certifications in this area: I currently manage my finances using a Windows 10 laptop and an Android 9 phone. These systems are my "daily drivers," not dedicated to managing finances. I allow automatic updates to both systems and their applications. I keep only a few applications installed that I use regularly. I don't run any 3rd party security software, just the firewall and anti-malware built into the OS. Firefox is my browser. Both systems have full-disk encryption and a PIN for logon. I use only my own devices, not ones provided and managed by my employer. At home, I connect to a Google Nest wifi access point secured with WPA2, but I'll use public wifi outside my home too. My passwords and security question answers are unique, long, randomly generated, and secured with KeePass. I use 2FA (Google Voice number) with my email and financial accounts. I store my KeePass database and financial records locally with backups in Google Drive. I worry about availability too, so I printed one-time recovery codes for my Google account, and I keep those outside my home, and I memorized my KeePass master password. So I think I could quickly restore access to all my financial accounts and records if my devices got stolen or my house burned down.
AAA wrote: Sun Jan 26, 2020 7:50 pmI had used such a program to overwrite files on my previous laptop but my new one has an SSD and I thought I had read that such a program was no longer necessary. Is that true?
With an SSD, to my knowledge, it's no longer possible to securely overwrite old data. At work we have a policy requiring physical destruction of used SSDs rather than reuse in new systems.
ARoseByAnyOtherName
Posts: 1000
Joined: Wed Apr 26, 2017 12:03 am

Re: Cybersecurity and passwords

Post by ARoseByAnyOtherName »

Watty wrote: Sun Jan 26, 2020 11:30 am I am also concerned about a hacker getting control of a password manager so I do not use them since I don't think they really help that much and even if it is a remote risk, they add another point of failure.

I am not an expert or anything but what I do instead is that I bought an encrypted usb drive that I keep a list of some of my passwords on.

The way that it works when I plug the encrypted usb drive in my computer I have to enter a password to access it. I keep the USB drive in a hidden place near my computer.

In a document on the USB drive I sort the passwords and account names into these levels of importance.

1) Throwaway - like some news websites that are free but require you to sign in. I just record those.

2) Important but not critical - like my Bogleheads sign in.
I write down clues to what the password is, but not the actual password.

I also do this for the website and user ID since you also need these for a password to be useful.

3) For critical passwords, like for email and financial accounts, I do not write these down even on the USB drive. There are only a few of those and I can manage to remember those. I don't mean this to be snarky but if I get to the point where I cannot handle five passwords, that I pick on my own, then I should be looking for someone to manage my finances for me.
If you can remember the passwords they aren't sufficiently random.

Also your system is way too complicated. Complexity is the enemy of security.
Watty wrote: Sun Jan 26, 2020 11:30 am If I do forget one then I can just go through the password reset procedure which typically involves answering some security questions and them sending a text message to your cell phone.
Which leaves you vulnerable to a SIM swap attack.

I hope you don't answer security questions truthfully!
Watty wrote: Sun Jan 26, 2020 11:30 am As long as your password is not based on something that can be guessed, like a pets or kids name, then I see little advantage to having long lines of gibberish as your password.
If the password database is breached and your password isn't sufficiently random your password could be guessed via a dictionary attack, especially if the password wasn't handled properly (insufficient hashing algorithm/lack of salt) - which is something you have no control over.
Watty wrote: Sun Jan 26, 2020 11:30 am There are also utilities that will overwrite that empty disk space so that things can't be recovered from it. If you are going to sell or give away an old computer you would want to run one of those utilities.
If your file is stored on an SSD? When you use that utility to overwrite that empty disk space on an SSD, are you sure that it really overwrites every single cell with zeros? How do you know for sure, because the person that wrote the utility software told you so? Does the person that wrote that utility software control the SSD firmware inside the drive, and control how writes are optimized and mapped to physical storage?

Your system basically reinvents a weaker, less-effective and less-useful password manager. If it works for you then sure, whatever, but absolutely nobody else should follow this advice.

Using a reputable password manager would give you way more protection against ill effects from website breaches. A reputable password manager encrypts data on your local computer or mobile device before sending it to any server, so it really doesn't even matter if the password manager server gets hacked. That assumes you use a strong master password - which is only ONE thing to remember! Not the three-step voodoo above.
ARoseByAnyOtherName
Posts: 1000
Joined: Wed Apr 26, 2017 12:03 am

Re: Cybersecurity and passwords

Post by ARoseByAnyOtherName »

quantAndHold wrote: Sun Jan 26, 2020 4:23 pm 1. Use a separate browser for financial stuff. Don’t ever use that browser for anything else. Set up bookmarks, and only use it for that.
What specific attack does this guard against?
quantAndHold wrote: Sun Jan 26, 2020 4:23 pm 2. Have a separate email account for financial stuff.
Yes, and ideally this separate email account is a Gmail account enrolled in the Google Advanced Protection Program, which requires the use of a hardware key to log in to the account.
quantAndHold wrote: Sun Jan 26, 2020 4:23 pm 3. Different strong passwords for every account.
This is much better phrased as "Unique passwords for every account that are each random gibberish of letters, numbers, and symbols, each stored in a reputable password manager."
quantAndHold wrote: Sun Jan 26, 2020 4:23 pm 4. 2 factor authentication everywhere.
And ideally when SMS 2FA is required the phone number used is a Google Voice number, tied to a Google account that is enrolled in the Google Advanced Protection Program mentioned above.
quantAndHold wrote: Sun Jan 26, 2020 4:23 pm 5. Properly configured home WiFi
What does "properly configured" mean?
quantAndHold wrote: Sun Jan 26, 2020 4:23 pm 6. Keep the computer, the passwords, and any 2FA devices (phone) secure.
This is so generic that it's useless advice. What do you actually recommend, other than encrypt the hard drive (which is good advice) and keep the laptop in a safe (which is ridiculous)?
Dakotah
Posts: 118
Joined: Sun Jun 13, 2010 9:28 pm

Re: Cybersecurity and passwords

Post by Dakotah »

I'll echo what some others have mentioned: you shouldn't connect your computer directly to your cable modem. The firewall and Network Address Translation (NAT) abilities that are standard in essentially all consumer routers serve as an indispensable front-line defense for your computer. Will the Windows firewall be sufficient? Possibly...but connecting the computer directly to the cable modem subjects it directly to the scanning and probing that constantly occurs on the internet. The firewall router, by default, automatically drops such scanning/probing before it reaches any internal devices. If your Windows firewall isn't set up specifically to operate at the outer boundary, it may actually receive and respond to those probes with information that can help a potential attacker select/craft an exploit that can bypass your Windows firewall.

Just to be clear...connecting by ethernet directly to your router is perfectly fine, but not directly to the cable modem.
elvisimprsntr
Posts: 133
Joined: Wed Jan 08, 2020 7:24 pm

Re: Cybersecurity and passwords

Post by elvisimprsntr »

Cpadave wrote: Sun Jan 26, 2020 10:05 am Thank You for the advice. I see preferred method is a password manager. Is it not possible for an employee of a password manager company to somehow get access to your password? Could they not install malware or virus if the employee objective is to do harm? Are password managers 100% secure? Is there a local option where the passwords can be saved securely with some kind of windows existing encryption if there is any?

Also, if I delete the saved passwords on devices and empty trash folder, would that delete the file permanently?

Thanks again.
Watch Dr. Mike Pound (University of Nottingham) explain how PW managers work.

https://www.youtube.com/watch?v=w68BBPDAWr8
Mordoch
Posts: 427
Joined: Sat Mar 10, 2007 11:27 am

Re: Cybersecurity and passwords

Post by Mordoch »

ARoseByAnyOtherName wrote: Sun Jan 26, 2020 8:38 pm If the password database is breached and your password isn't sufficiently random your password could be guessed via a dictionary attack, especially if the password wasn't handled properly (insufficient hashing algorithm/lack of salt) - which is something you have no control over.
Another issue is if a hacker obtains one of your passwords, such as due to a website not actually hashing them at all, this may simplify guessing your other passwords for your financial websites and the like if they are not sufficiently random.

It also should be spelled out that the kind of passwords that can be cracked with a website using poor hashing (and which is successfully hacked) are much worse than just identifying passwords using a regular word and a number or two as this article explains.
https://arstechnica.com/information-tec ... sswords/3/

It should be noted the rather easily cracked passwords included "Philippians4:6-7", "qeadzcwrsfxv1331", and "momof3g8kids", so what is sufficiently random is not necessarily obvious to the average person. It should be further noted that this article was written in 2013, and improved technology since then has made what is viable in worst-case scenarios involving websites with lousy password hashing even worse today.

There are strong reasons to use a password manager (or at least use a truly effective random method of generating passwords for important sites if sticking to paper or the like).
Topic Author
Cpadave
Posts: 214
Joined: Wed Nov 22, 2017 11:53 am

Re: Cybersecurity and passwords

Post by Cpadave »

ThankYouJack wrote: Sun Jan 26, 2020 4:30 pm
Helo80 wrote: Sun Jan 26, 2020 4:16 pm
ThankYouJack wrote: Sun Jan 26, 2020 3:54 pm There's a simple solution to using a password manager but to prevent a hacker from getting your passwords even if they get access to your password manager. Anyone care to guess?
you can have a word or phrase at the end of the password that LastPass or whatever password manager you're using stores.
Yep :beer Or even just something like removing the last character of the stored password.

OP may want to consider it as an extra measure if it helps provide comfort.
Thanks. I was thinking that would be a good option.
ARoseByAnyOtherName
Posts: 1000
Joined: Wed Apr 26, 2017 12:03 am

Re: Cybersecurity and passwords

Post by ARoseByAnyOtherName »

Mordoch wrote: Sun Jan 26, 2020 9:18 pm
ARoseByAnyOtherName wrote: Sun Jan 26, 2020 8:38 pm If the password database is breached and your password isn't sufficiently random your password could be guessed via a dictionary attack, especially if the password wasn't handled properly (insufficient hashing algorithm/lack of salt) - which is something you have no control over.
Another issue is if a hacker obtains one of your passwords, such as due to a website not actually hashing them at all, this may simplify guessing your other passwords for your financial websites and the like if they are not sufficiently random.
And not only that, but even if an attacker manages to only compromise one of your accounts by guessing or otherwise compromising passwords, they may be able to use that to take over other accounts. The nightmare scenario here is getting access to your mobile phone account.
Mordoch wrote: Sun Jan 26, 2020 9:18 pm It also should be spelled out that the kind of passwords that can be cracked with a website using poor hashing (and which is successfully hacked) are much worse than just identifying passwords using a regular word and a number or two as this article explains.
https://arstechnica.com/information-tec ... sswords/3/

It should be noted the rather easily cracked passwords included "Philippians4:6-7", "qeadzcwrsfxv1331", and "momof3g8kids", so what is sufficiently random is not necessarily obvious to the average person. It should be further noted that this article was written in 2013, and improved technology since then has made what is viable in worst-case scenarios involving websites with lousy password hashing even worse today.

There are strong reasons to use a password manager (or at least use a truly effective random method of generating passwords for important sites if sticking to paper or the like).
Completely spot on!
ARoseByAnyOtherName
Posts: 1000
Joined: Wed Apr 26, 2017 12:03 am

Re: Cybersecurity and passwords

Post by ARoseByAnyOtherName »

Cpadave wrote: Sun Jan 26, 2020 9:38 pm
ThankYouJack wrote: Sun Jan 26, 2020 4:30 pm
Helo80 wrote: Sun Jan 26, 2020 4:16 pm
ThankYouJack wrote: Sun Jan 26, 2020 3:54 pm There's a simple solution to using a password manager but to prevent a hacker from getting your passwords even if they get access to your password manager. Anyone care to guess?
you can have a word or phrase at the end of the password that LastPass or whatever password manager you're using stores.
Yep :beer Or even just something like removing the last character of the stored password.

OP may want to consider it as an extra measure if it helps provide comfort.
Thanks. I was thinking that would be a good option.
It’s not necessary, but if it’s what it takes for you to be comfortable using a password manager then please do it, there is no harm in doing so. Using a reputable password manager is the best thing you can do security wise.
squirm
Posts: 2861
Joined: Sat Mar 19, 2011 11:53 am

Re: Cybersecurity and passwords

Post by squirm »

ThankYouJack wrote: Sun Jan 26, 2020 4:11 pm
squirm wrote: Sun Jan 26, 2020 11:24 am
lazydavid wrote: Sun Jan 26, 2020 10:53 am
SimonJester wrote: Sun Jan 26, 2020 10:20 am Nothing is 100%, however use a password manager that does NOT store your password file in the cloud.
This is unnecessarily paranoid. Either modern cryptography works, or it doesn't. If it doesn't, we're completely screwed, regardless of how we store our passwords. If it does, then having the encrypted password fall into the wrong hands does not impact our security posture in any way.

Here's my encrypted password for bogleheads, knock yourself out:

Yes, that is actually my bogleheads password, as stored by a password manager. Without my master password, the algorithm used and number of iterations configured in my password manager, the above is absolutely useless to an attacker.
Not only that, the passwords are usually salted too.
Agree, lots of paranoia here.
But would you post the same string with your retirement account password, especially if it's up to 7 figures?

I don't think we need to be paranoid, but I think things like 2FA, unique long passwords, being more secure than our "neighbors" are helpful and don't come at a cost.
Absolutely, I do the same, 2fa, long passwords, etc. I consider that pretty basic and reasonable security. But I don't go out of my way using dedicated machine, dedicated line, etc.
brad.clarkston
Posts: 950
Joined: Fri Jan 03, 2014 8:31 pm
Location: Kansas City, MO

Re: Cybersecurity and passwords

Post by brad.clarkston »

Nowizard wrote: Sun Jan 26, 2020 10:29 am We often used the same password for sites where we didn't care if someone read our responses or looked at any information included. That had an adverse result with this site once where, when using an extremely simple password, someone hacked it and posted inappropriately on the site. I received a banned notice until responding to the administrator and now have a complicated password. Our passwords probably reach three pages when compiled now.

Tim
The problem with using weak passwords on sites is that the bad guys generally do not care about a single site or a weak password; they are going for the database of e-mail addresses. Once they have that, breaking into poorly maintained yahoo/outlook/gmail e-mail accounts (bad passwords, no 2FA, etc) gets you bank/cc/loan usernames or better.
brad.clarkston
Posts: 950
Joined: Fri Jan 03, 2014 8:31 pm
Location: Kansas City, MO

Re: Cybersecurity and passwords

Post by brad.clarkston »

onourway wrote: Sun Jan 26, 2020 10:34 am
Cpadave wrote: Sun Jan 26, 2020 10:20 am
onourway wrote: Sun Jan 26, 2020 10:01 am I use PWSafe which is free and open source. It can be totally offline if you wish, or online by simply placing the encrypted file in a cloud location. Someone would have to break the Twofish algorithm to do anything with that file which seems unlikely at this time.
I do not trust the Windows firewall 100% mostly because many programs need permission to modify the firewall settings and even as a former network guy, I find the Windows firewall difficult to manage.

You say you are accessing your banking sites, so you are not 100% offline - and I think it may be difficult to avoid email use as well over the long term as a lot of account management is done through emailed links these days.
E-mail isn't that difficult anymore: buy a protonmail.com subscription ($52 a year) as it's encrypted. I exchanged keys with my banker and his assistant and a few other sites and it's all good. Yes, not all banks/lenders use encryption yet, but 2FA works pretty well for sites, and at least your side of the e-mail chain is solid; you just have to practice healthy e-mail discipline.

As a current Network/Security Eng for a US telco - there is never enough paranoia or "going overboard".
warner25
Posts: 506
Joined: Wed Oct 29, 2014 4:38 pm

Re: Cybersecurity and passwords

Post by warner25 »

ARoseByAnyOtherName wrote: Sun Jan 26, 2020 8:49 pm
quantAndHold wrote: Sun Jan 26, 2020 4:23 pm 1. Use a separate browser for financial stuff. Don’t ever use that browser for anything else. Set up bookmarks, and only use it for that.
What specific attack does this guard against?
I don't actually do this, but I took the suggestion to be a defense against maybe cross site request forgery, session cookie stealing, or just the possibility that one's regular browser has been compromised. It seems like something that would be a step shy of setting aside a whole different machine for managing finances. I definitely don't think it's of #1 importance.

I think my top 6 list for safeguarding financial accounts would be...

1. Don't access your accounts from a machine you don't own and maintain
2. Keep your own machine's OS and browser updated
3. Turn on 2FA
4. Use a password manager to create and safely store unique, random 20+ character passwords for each account
5. Set up security question answers like passwords
6. Have disaster recovery plan including proper backups of account information and credentials
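Items 4 and 5 of this list, and Mordoch's earlier point that a "truly effective random method" is what separates a strong password from one that merely looks random, come down to drawing every character or word independently from a CSPRNG. The following is an added example, not code from this thread or from any password manager: it generates policy-compliant random passwords (usable for security-question answers as well, since those are just more passwords) and diceware-style passphrases, and computes the entropy of the draw. The 16-word list is constructed for illustration; a real passphrase generator loads a published list of several thousand words.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"
FULL_ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 87 characters
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)

# Constructed 16-word list for illustration only (4 bits per word). A real
# generator uses a published list of thousands of words.
WORDS = ("anchor copper delta ember falcon granite harbor ivory "
         "juniper kestrel lantern marble nickel orchid pebble quartz").split()


def has_all_classes(password: str) -> bool:
    """True if the password contains a lowercase, uppercase, digit and symbol."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def random_password(length: int = 20, alphabet: str = FULL_ALPHABET,
                    require_all_classes: bool = True) -> str:
    """Uniformly random password from `alphabet` using the OS CSPRNG (secrets).
    With require_all_classes, regenerate until every class appears: this meets
    typical site policies while keeping the draw uniform over the accepted set."""
    if require_all_classes and not all(any(ch in alphabet for ch in cls) for cls in CLASSES):
        raise ValueError("alphabet cannot satisfy all character classes")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_all_classes or has_all_classes(candidate):
            return candidate


def random_passphrase(n_words: int = 6, wordlist=WORDS, separator: str = "-") -> str:
    """Diceware-style passphrase: each word an independent uniform pick, so
    entropy is n_words * log2(len(wordlist)) regardless of how memorable it looks."""
    return separator.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(length: int, choices: int) -> float:
    """Entropy of `length` independent uniform picks from `choices` options.
    This is the figure a generated secret earns; a human-chosen string of the
    same length such as 'Philippians4:6-7' comes from a far smaller effective
    space, which is why it was cracked."""
    return length * math.log2(choices)
```

A 20-character draw from the 87-character alphabet is about 129 bits before the class requirement (which removes only a negligible fraction of candidates), while six words from the toy list above are just 24 bits: the length of a passphrase says nothing until you know the list size it was drawn from.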
brad.clarkston
Posts: 950
Joined: Fri Jan 03, 2014 8:31 pm
Location: Kansas City, MO

Re: Cybersecurity and passwords

Post by brad.clarkston »

ARoseByAnyOtherName wrote: Sun Jan 26, 2020 8:49 pm
quantAndHold wrote: Sun Jan 26, 2020 4:23 pm 1. Use a separate browser for financial stuff. Don’t ever use that browser for anything else. Set up bookmarks, and only use it for that.
What specific attack does this guard against?
It doesn't. I have no idea where that advice comes from. What you need to do is learn how to set up Firefox correctly:

1.) Set up uBlock Origin+filter lists/Canvas Blocker/HTTPS Everywhere/Privacy Badger/Bitwarden
2.) Set up Firefox to delete all cookies & site data on tab *and* browser close.
3.) Always use private browsing.
4.) Never let any browser store a password or master password.
5.) Learn a little about browser fingerprinting but don't go too far down that rabbit hole.
6.) Most importantly stop going to risky websites (good online hygiene).
quantAndHold wrote: Sun Jan 26, 2020 4:23 pm 2. Have a separate email account for financial stuff.
Yes, and ideally this separate email account is a Gmail account enrolled in the Google Advanced Protection Program, which requires the use of a hardware key to log in to the account.
Better yet have a separate encrypted e-mail account. I'm not a fan of the Gmail GAPP system as it's Google but any step is better than no step.

quantAndHold wrote: Sun Jan 26, 2020 4:23 pm 5. Properly configured home WiFi
What does "properly configured" mean?
A proper firewall device in front of a mesh wifi system would be the better solution. Preferably not low end Netgear/TP-Link type. At least something at the Ubiquiti or Cisco Meraki level.
quantAndHold wrote: Sun Jan 26, 2020 4:23 pm 6. Keep the computer, the passwords, and any 2FA devices (phone) secure.
This is so generic that it's useless advice. What do you actually recommend, other than encrypt the hard drive (which is good advice) and keep the laptop in a safe (which is ridiculous)?
I would regard that as having a good yubikey setup to log in to the computer. If the system is fully encrypted and you have a yubikey (with a backup in a lockbox) that's just about as good as you can get without going totally nuts.
Northern Flicker
Posts: 6344
Joined: Fri Apr 10, 2015 12:29 am

Re: Cybersecurity and passwords

Post by Northern Flicker »

Thank You for the advice. I see preferred method is a password manager. Is it not possible for an employee of a password manager company to somehow get access to your password? Could they not install malware or virus if the employee objective is to do harm? Are password managers 100% secure? Is there a local option where the passwords can be saved securely with some kind of windows existing encryption if there is any?
I stored an encrypted password safe on a thumb drive and 2nd copy on a 2nd thumb drive. The backup copy is worth having but it creates the burden of making sure both copies are up-to-date after changes. Just maintain a rigid established process for doing that.

I use Keepass with a very long master passphrase. I also set it up to encrypt the file repeatedly millions of times, with the number chosen so that decrypting that many times takes about 5 seconds. This means that any exhaustive search for a password will require 5 seconds per trial on a comparable machine, and it is 5 seconds of actual CPU time, not just a 5-second pause.

The primary attack you have to worry about would be typing in your master passphrase and opening the password safe on a machine that has been compromised.
Last edited by Northern Flicker on Tue Jan 28, 2020 5:11 am, edited 1 time in total.
Risk is not a guarantor of return.
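The calibration described in this post (pick the transform count so one unlock costs a few seconds of CPU on your own machine, so that every guess costs an attacker the same) can be reproduced in a few lines. The following is an added example and not KeePass code or the KeePass file format: PBKDF2-HMAC-SHA256 stands in for the vault's key-transform function, the header layout is constructed, and the probe size and target time are assumptions chosen so the example finishes quickly; set the target to 5 seconds to match the post.

```python
import hashlib
import hmac
import os
import time

# Assumption: a probe of this many iterations is long enough to time reliably
# but short enough to finish in a few milliseconds on a modern CPU.
PROBE_ITERATIONS = 20_000


def derive_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Key-transform function; each iteration is serial, so cost scales linearly."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def calibrate_iterations(target_seconds: float, probe: int = PROBE_ITERATIONS) -> int:
    """Time a probe run on this machine and scale the count so that one
    derivation takes about target_seconds of actual CPU work."""
    salt = os.urandom(16)
    start = time.perf_counter()
    derive_key("calibration-only", salt, probe)
    elapsed = max(time.perf_counter() - start, 1e-6)
    return max(probe, int(probe * target_seconds / elapsed))


def create_vault_header(passphrase: str, target_seconds: float) -> dict:
    """Public parameters plus a check value so a wrong passphrase is detectable
    without storing anything that reveals the key. Constructed format."""
    salt = os.urandom(16)
    iterations = calibrate_iterations(target_seconds)
    key = derive_key(passphrase, salt, iterations)
    check = hmac.new(key, b"vault-check", hashlib.sha256).digest()
    return {"salt": salt, "iterations": iterations, "check": check}


def unlock_vault(passphrase: str, header: dict):
    """Return the vault key for the right passphrase, None otherwise. Every
    attempt, right or wrong, pays the full iteration count: that is the point."""
    key = derive_key(passphrase, header["salt"], header["iterations"])
    check = hmac.new(key, b"vault-check", hashlib.sha256).digest()
    return key if hmac.compare_digest(check, header["check"]) else None


def guesses_per_year(seconds_per_guess: float, parallel_machines: int = 1) -> float:
    """How many master-passphrase trials an attacker with this many comparable
    machines gets per year at the calibrated cost."""
    return parallel_machines * 365 * 24 * 3600 / seconds_per_guess
```

At 5 seconds per guess a single comparable machine manages about 6.3 million trials a year, which is why the post's setting only pays off together with a long passphrase: the iteration count multiplies the cost of each guess, the passphrase entropy decides how many guesses there are. Note too that the salt and count live in the header in the clear; the secrecy is all in the passphrase.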
lotusflower
Posts: 289
Joined: Thu Oct 24, 2013 12:32 am

Re: Cybersecurity and passwords

Post by lotusflower »

ARoseByAnyOtherName wrote: Sun Jan 26, 2020 8:49 pm What specific attack does this guard against?
This is key. Even though it's wise to consider all possible forms of attack, it's probably best to focus your energy on the most common ones. For example, it's much more likely that your password will be phished by a fake (but real-looking) web site than that an attacker would get close enough to your house to compromise your wifi and somehow sniff your password from the web traffic (with proper https and certificates, I'm not even sure that is possible). So I would focus on the web browser security, understanding how to spot phishing, making sure you use a modern browser with good security, and using 2FA where appropriate.

It would be interesting to get opinions from some of the experts here on the current most common risk vectors. My guesses would be
1) phishing: you type your password into a rogue web site impersonating a real one
2) ransomware: you run a program, or open an attachment with some kind of executable helper code, that encrypts your data and makes you pay to decrypt it back to a usable state
3) Your computing device is stolen, lost, burned, or dropped and you don't have a backup of your passwords/files
4) Your computing device is stolen, and you don't require a password to wake from sleep, and you allow your browser to cache passwords.
5) SIM swap attacks: your phone identity is stolen with unwitting assistance from your carrier, and used to reset your passwords and gain control of financial accounts.
6) Rainbow tables: your password has been breached at some point in the past and is available on various darkweb lists of compromised passwords.

I'm not even sure how many of those things commonly happen and would be interested in other BH opinions about them. For example, I bet #5 is only used on people suspected to have more than US$1M in cryptocurrency.
A lot of people talk about #6, but it's not clear that it's been used to steal a lot of money, maybe just for hacking your social media accounts.

I would guess that the following attacks are relatively rare and are not worth bothering about:
Someone steals your laptop and spends hours combing through it for clues about your bank accounts.
Someone parks near your dwelling and hacks your wifi and snoops on your network.
You get phished and install malware that logs your keystrokes and sends them to a bad person.
Someone guesses your security questions and uses them to gain access to your accounts by phoning a customer service rep.

All those things in the latter list require a fair amount of effort when it is much easier to just get you to watch a funny or sexy video with a harmful payload or helper app that can do automated damage in the background. In general I would say that anything that cannot be automated is unlikely to affect you unless you are a high-value target (celebrity or 1%er), or unless your stolen laptop is absurdly unprotected.

I'm not saying that those aren't possible, just that they are not very easy and are not worth as much of your attention. Security takes time and effort and it is important to allocate that wisely.
Nowizard
Posts: 2971
Joined: Tue Oct 23, 2007 5:33 pm

Re: Cybersecurity and passwords

Post by Nowizard »

brad/Clarkson. True about what you said, but those are sites where we would use strong passwords. Does that change anything? I acknowledge not being the most knowledgeable computer person.

Tim
ARoseByAnyOtherName
Posts: 1000
Joined: Wed Apr 26, 2017 12:03 am

Re: Cybersecurity and passwords

Post by ARoseByAnyOtherName »

brad.clarkston wrote: Mon Jan 27, 2020 2:06 am
ARoseByAnyOtherName wrote: Sun Jan 26, 2020 8:49 pm
quantAndHold wrote: Sun Jan 26, 2020 4:23 pm 1. Use a separate browser for financial stuff. Don’t ever use that browser for anything else. Set up bookmarks, and only use it for that.
What specific attack does this guard against?
It doesn't. I have no idea where that advice comes from. What you need to do is learn how to set up Firefox correctly:

1.) Set up uBlock Origin+filter lists/Canvas Blocker/HTTPS Everywhere/Privacy Badger/Bitwarden
Why do you think all these extensions are needed? Be specific.

Are you confusing privacy with security?

brad.clarkston wrote: Mon Jan 27, 2020 2:06 am 2.) Set up Firefox to delete all cookies & site data on tab *and* browser close.
3.) Always use private browsing.
What specific attack does this protect against?

Are you confusing privacy with security?
brad.clarkston wrote: Mon Jan 27, 2020 2:06 am 4.) Never let any browser store a password or master password.
Why?
brad.clarkston wrote: Mon Jan 27, 2020 2:06 am 5.) Learn a little about browser fingerprinting but don't go too far down that rabbit hole.
Browser fingerprinting has nothing to do with security. You are confusing privacy with security. We are discussing security here, not privacy.
brad.clarkston wrote: Mon Jan 27, 2020 2:06 am
quantAndHold wrote: Sun Jan 26, 2020 4:23 pm 2. Have a separate email account for financial stuff.
Yes, and ideally this separate email account is a Gmail account enrolled in the Google Advanced Protection Program, which requires the use of a hardware key to log in to the account.
Better yet, have a separate encrypted e-mail account. I'm not a fan of the Gmail GAPP system as it's Google, but any step is better than no step.
You don't understand the role of the Gmail account, set up as recommended.

The point is to have your sensitive financial accounts tied to an email account that's well protected against account takeover, password attacks and phishing through the requirement to use hardware keys to log in.

Why do you think Protonmail is needed?
brad.clarkston wrote: Mon Jan 27, 2020 2:06 am
quantAndHold wrote: Sun Jan 26, 2020 4:23 pm 5. Properly configured home WiFi
What does "properly configured" mean?
A proper firewall device in front of a mesh wifi system would be the better solution. Preferably not low end Netgear/TP-Link type. At least something at the Ubiquiti or Cisco Meraki level.
This is wrong. You don't need enterprise-level gear to get reasonable LAN protection. Any reputable consumer router should be fine. Don't give people bad advice.
brad.clarkston wrote: Mon Jan 27, 2020 2:06 am
quantAndHold wrote: Sun Jan 26, 2020 4:23 pm 6. Keep the computer, the passwords, and any 2FA devices (phone) secure.
This is so generic that it's useless advice. What do you actually recommend, other than encrypt the hard drive (which is good advice) and keep the laptop in a safe (which is ridiculous)?
I would regard that as having a good yubikey setup to login to the computer. If the system is fully encrypted and you have a yubikey (with a backup in a lockbox) that's just about as good as you can get without going totally nuts.
This is overkill. Just encrypt the drives using your computer's built-in disk encryption feature and choose a strong login password.