SoftwareGeek's Guide to Computer Security

Questions on how we spend our money and our time - consumer goods and services, home and vehicle, leisure and recreational activities
Topic Author
softwaregeek
Posts: 942
Joined: Wed May 08, 2019 8:59 pm

SoftwareGeek's Guide to Computer Security

Post by softwaregeek »

There are a lot of computer security threads on here, and I’ve seen a lot of bad information. I've spent 9 years in security software, and 3 in crypto. I've worked for some of the most reputable software companies in the industry. I have the following observations:

You NEED a Password Manager.

1. Everyone who is in the computer security industry uses a password manager. Many have their favorites. 1Password, LastPass, and Keepass are all ones that I have seen used by professionals. (I consider BitWarden acceptable as well)

2. Virtually everyone OUTSIDE of the security industry thinks their notebook with scrawled passwords is better. A few years ago, a family friend fell down the stairs and was in hospice unconscious. His wife and kids spent several days looking for the book with his passwords. Now they have it, but it's incomplete and they can't read some of the passwords: "Is that an S or a 5?" He subsequently died. In the following months, the kids realized that the memory problems in his wife were not in fact symptoms of excessive drinking after her husband's death, but early symptoms of Alzheimer's. Use a password manager.

Please note, if your password is less than 12 characters, I'm just going to crack it with my desktop computer and a 'rainbow table' I download off the pirate bay. Probably 30 minutes, it's just a snack. It doesn't matter how good you think your password is, or where you store it, I'm going to own it. Then I'm going to 'stuff' your password across 1000 sites to see where you've reused it, using an automated script. Total elapsed time, 2 minutes of work, 45 minutes of processor time.

Password managers protect you in more ways than just keeping safe passwords

Alternatively, I could use a phishing site, with a link to wellsfargobank.com or chase.banklogin.com or banckofamerica. I'd tell you your account is overdrawn or perhaps have you authorized $1,992.34 at Lowe's. Then you click and enter your password. A password manager won't be fooled, but people will be. Password managers aren't just to remember passwords; they are antiphishing tools as well. And let me tell you, the phishes can be VERY good these days.

An ex-employer had a product that sent phishing email and monitored who clicked. Our #1 most effective phish was from "HR" for a $10 Starbucks gift card. You would be shocked at how many people entered their credentials.

You need a 2FA system as well as a password manager.

This is the one with the numbers that change every minute or so. You can get one FREE from lots of places. I recommend Authy or Microsoft Authenticator; both are free. Authy makes money selling software vendors 2FA systems and Microsoft just gives it away since they're too big to care. Many password managers also offer 2FA systems. However, I do not recommend using 2FA systems from your password manager provider since I want to keep the two totally separate. I don't want problems at my password manager vendor spilling into my 2FA vendor. Many financial institutions (e.g. Schwab) will send you a free hardware token based on a proprietary tweaked version of the standard, typically branded as Symantec. These are inconvenient but OK.

You need to lock down your email with 2FA. Because email is typically the holy grail of hacking.

That's because once I can access your email, I have access to all those juicy account password reset emails from places with bad security. First I'm going to change the password on your email to lock you out. Then I'm going to do password resets on all the accounts I find in there. Then I'm going to find all the personal info in there... oh, you have something with your paystub, taxes etc.? I can open up a credit card in your name, thereby wrecking your credit score, or order stuff from Amazon sent to a third party. Next I can probably get your phone number out of your email. With all the personal data in there and access to the email account for password reset, I can reroute your phone number to a new SIM (SIM swap). Now I can use my new phone with your phone number to bypass bank SMS validation and drain the financial accounts. I would add, in my opinion, the most critical passwords to lock down with 2FA are 1. Email, 2. Facebook, 3. Google (even if you don't use Gmail) and 4. Twitter. This is because you frequently use these logins to get into other sites (via OAuth).

The industry standard is called TOTP. Obvious sites (other than the above) you should lock down with TOTP include TurboTax, Login.gov, ID.me (used by the IRS) and Carta. You can and should also enable this on your password manager, but some vendors disable this on the free version. Again, don't forget Google, Twitter, LinkedIn and Facebook; these credentials are often used to log in to other sites as well.

Symantec VIP is a slightly different version, using the Symantec VIP app; users include E*Trade, Schwab, and Fidelity.

Yubikeys (aka FIDO) are used by Bank of America (but not Merrill Edge) and Vanguard. Also, Login.gov for the federal government.

If you can remember your password, you are using your password manager wrong.

Lots of people use password managers to store variations on the same password. WeakPassword1, WeakPassword2, etc. I want you to consider the concept of a rainbow table. Basically, a rainbow table is a giant file with millions or billions of precracked passwords. Now, if you're dealing with Microsoft or Google or Amazon, they probably take steps to protect against this (for the technical types out there, this is "Salting the Hash") but basically the vast majority of sites don't bother. So you can pretty much assume that if you are not using one of the giant providers, your password will be cracked in about 30 seconds if it is 10 digits or less. Use the automatic generator in your password manager to make a long complicated password and store it.

Online storage from large vendors is safe and cheap.

You can buy a literal terabyte of storage for all of your family members for $100 a year from major vendors. Any of the major cloud vendors work: Apple, Google, Microsoft, Dropbox, Box.com are all fine. I use Office 365 since they provide a variety of services I like, not only storage, for the entire family, for about $70 a year. (I also buy small amounts of extra storage from Apple and Google for various backups.) Back up everything! And no, a USB drive is not the same thing. Example: My data is corrupted. No problem, we get the USB drive and plug it in. Oops, it turned out the computer was corrupting the data and now the backup is toast too. Couldn't happen? It happened to professionals, with customer production data, at a multi-billion dollar enterprise software company I worked for in 2012.

For the ultra paranoid, use Yubikey. This is how the big boys do it. Basically, a cryptographically signed hardware key. Beyond the scope of this discussion. But you can use it with certain accounts, or just lock down your password manager with it.

Recommended vendors (I am not affiliated with any of these):
Password Manager: 1Password (I use it and it is my top choice), Bitwarden, LastPass. KeePassXC is too technical for most, in my opinion. Apple Keychain is OK for Apple ecosystem users who don't, for example, need a 15-digit Netflix password entered into a hotel TV. Update: Removed LastPass due to the breach and the subsequent handling.

2FA Manager (TOTP): Authy (I use it and it is my top choice), Microsoft Authenticator. Google Authenticator is probably the most popular but I have moved away from it, and all of these are compatible. (Apple iCloud can also apparently do this but I have not tried it.) Many financial institutions (e.g. Schwab) will mail a proprietary hardware token in credit card or keychain form factors that is a tweaked version of this.

Antivirus: Most of these are very good now, it’s almost a commodity. These change in effectiveness over time, but for Windows users, at this time there is little need to go beyond the free Microsoft Defender (av-test.org). Good brands over time in no particular order have been AVG, McAfee, Norton, Trend Micro, and F-Secure. I do not recommend Kaspersky despite their high performance, I will only note that they have been banned from US government computers since 2017.

DNS Service: An additional layer of security for your home. OpenDNS is about $20 and blocks malware at the network level for your whole house. I consider this a big hole for most home systems. Update: I was made aware that they may have removed certain functionality from this service at the consumer level, so I'm not recommending it anymore.

Other Random Tips:
1. Register for an account at the IRS and at Social Security and set them up. Otherwise, someone else might do it for you, that isn't you. Also, Login.gov.
2. Hotel, airport lounge and cybercafe computers are a security nightmare. I would consider using a phone app to check in to a flight rather than touch one.
3. TOTP is better than SMS (text message) verification. But SMS verification is 100x better than nothing.
4. NEVER click on a link to a financial institution in an email. Always boot up a browser and go direct or open the app. Between directly going to the website or the app, it doesn't really matter. Password manager should hold the passwords in either case, although fingerprint/face biometric is acceptable as well.


Total Costs per year -
Cheapest Acceptable. Bitwarden Premium $10, Authy or Microsoft Authenticator, Windows Defender - $10 a year total for an individual, $40 for a family.
As I configure: 1Password Family $60, Authy, McAfee Antivirus $25, O365 Family $70 for backup and email, OpenDNS $20. Total $175 a year.

Update: Mon Dec 19, 2022 11:52 am
ThankYouJack writes "I'm surprised no mention of keeping software up to date. Seems like that is extremely important as well." Yeah, that didn't occur to me, but if you are not getting regular operating system updates you are probably going to have problems. Your Windows XP machine might turn on and connect, but it's time to upgrade. Given the longer support times for desktop OS, I suspect this is probably a bigger problem with phones than computers. You could use your phone without security updates, but you shouldn't.
Last edited by softwaregeek on Fri Dec 23, 2022 10:18 am, edited 6 times in total.
chinchin
Posts: 303
Joined: Tue Nov 14, 2017 7:02 pm

Re: SoftwareGeek's Guide to Computer Security

Post by chinchin »

Thanks.

Is blocking malware via DNS better than via VPN?
Last edited by chinchin on Mon Dec 19, 2022 12:57 pm, edited 1 time in total.
not financial advice
stan1
Posts: 11835
Joined: Mon Oct 08, 2007 4:35 pm

Re: SoftwareGeek's Guide to Computer Security

Post by stan1 »

softwaregeek wrote: Mon Dec 19, 2022 12:21 pm DNS Service: An additional layer of security for your home. OpenDNS is about $20 and blocks malware at the network level for your whole house. I consider this a big hole for most home systems.
Agree on just about everything in your post, shouldn't be a controversial post but there will be differences of opinions.
I'd also add keeping all OS and application software up to the current vendor released version by enabling auto-patching.

Is this the OpenDNS prosumer license? Isn't it $20/user/year?
https://www.opendns.com/home-internet-security/
ThankYouJack
Posts: 4928
Joined: Wed Oct 08, 2014 7:27 pm

Re: SoftwareGeek's Guide to Computer Security

Post by ThankYouJack »

I'm surprised no mention of keeping software up to date. Seems like that is extremely important as well.
Topic Author
softwaregeek
Posts: 942
Joined: Wed May 08, 2019 8:59 pm

Re: SoftwareGeek's Guide to Computer Security

Post by softwaregeek »

chinchin wrote: Mon Dec 19, 2022 12:36 pm Thanks.

Is blocking malware via DNS better than via VPN? For example, ProtonVPN offers malware blocking.
I am not familiar with malware blocking VPN but IMO many of the consumer grade ones are sketchy, even the big ones. https://www.theregister.com/2020/07/17/ ... _database/

And frankly, even some of the big corporate grade VPN vendors have been sketchy.

OpenDNS is a Cisco product and the consumer version is almost identical to what big companies buy.

But it also depends on how you set it up. You can VPN your entire house, but most do not. OpenDNS does your whole house, which includes all the 'stuff' like that old wireless printer that hasn't had a security update in 5 years. It's basically got a computer in it with wifi and it's on your network already.

In the corporate environment, big copying machines are the best attack vector ever! They rarely get security updates, they store thousands of pages of documents specially selected to be the ones worth copying, and often get great access to the network. Some even have integrated external phone lines for the fax machine so that you can bypass the corporate network entirely!
Topic Author
softwaregeek
Posts: 942
Joined: Wed May 08, 2019 8:59 pm

Re: SoftwareGeek's Guide to Computer Security

Post by softwaregeek »

ThankYouJack wrote: Mon Dec 19, 2022 12:52 pm I'm surprised no mention of keeping software up to date. Seems like that is extremely important as well.
Most software updates automatically these days so it didn't occur to me that some people might be on old stuff like Windows XP. Yeah, make sure you are getting regular security updates!
stan1
Posts: 11835
Joined: Mon Oct 08, 2007 4:35 pm

Re: SoftwareGeek's Guide to Computer Security

Post by stan1 »

softwaregeek wrote: Mon Dec 19, 2022 1:03 pm
ThankYouJack wrote: Mon Dec 19, 2022 12:52 pm I'm surprised no mention of keeping software up to date. Seems like that is extremely important as well.
Most software updates automatically these days so it didn't occur to me that some people might be on old stuff like Windows XP. Yeah, make sure you are getting regular security updates!
LOL, you must have missed the Win XP SP3 folks who chimed in on the Win 10 thread earlier this week. There are still people who view software through a "buy it for life" lens.
Topic Author
softwaregeek
Posts: 942
Joined: Wed May 08, 2019 8:59 pm

Re: SoftwareGeek's Guide to Computer Security

Post by softwaregeek »

stan1 wrote: Mon Dec 19, 2022 12:44 pm
softwaregeek wrote: Mon Dec 19, 2022 12:21 pm DNS Service: An additional layer of security for your home. OpenDNS is about $20 and blocks malware at the network level for your whole house. I consider this a big hole for most home systems.
Agree on just about everything in your post, shouldn't be a controversial post but there will be differences of opinions.
I'd also add keeping all OS and application software up to the current vendor released version by enabling auto-patching.

Is this the OpenDNS prosumer license? Isn't it $20/user/year?
https://www.opendns.com/home-internet-security/
Same vendor, but different license. I use the HomeVIP license. Also $20 a year, but for home IP, not per user.
Topic Author
softwaregeek
Posts: 942
Joined: Wed May 08, 2019 8:59 pm

Re: SoftwareGeek's Guide to Computer Security

Post by softwaregeek »

I would add, the easiest (if not cheapest) way to get decent home computer security is for everything in your personal IT stack to be from Apple top to bottom and to use all their built-in stuff. Most of it is quite good, but only if you stay entirely within their walled garden.
onourway
Posts: 3544
Joined: Thu Dec 08, 2016 2:39 pm

Re: SoftwareGeek's Guide to Computer Security

Post by onourway »

softwaregeek wrote: Mon Dec 19, 2022 1:12 pm
stan1 wrote: Mon Dec 19, 2022 12:44 pm
softwaregeek wrote: Mon Dec 19, 2022 12:21 pm DNS Service: An additional layer of security for your home. OpenDNS is about $20 and blocks malware at the network level for your whole house. I consider this a big hole for most home systems.
Agree on just about everything in your post, shouldn't be a controversial post but there will be differences of opinions.
I'd also add keeping all OS and application software up to the current vendor released version by enabling auto-patching.

Is this the OpenDNS prosumer license? Isn't it $20/user/year?
https://www.opendns.com/home-internet-security/
Same vendor, but different license. I use the HomeVIP license. Also $20 a year, but for home IP, not per user.
"Built in protection for malicious phishing & malware domains" is specifically excluded from the HomeVIP license in their benefit matrix? https://www.opendns.com/home-internet-security/
jpohio
Posts: 147
Joined: Sun Apr 09, 2017 9:48 am

Re: SoftwareGeek's Guide to Computer Security

Post by jpohio »

Thank you for posting. Very useful information.
brad.clarkston
Posts: 1549
Joined: Fri Jan 03, 2014 7:31 pm
Location: Kansas City, MO

Re: SoftwareGeek's Guide to Computer Security

Post by brad.clarkston »

softwaregeek wrote: Mon Dec 19, 2022 1:01 pm
chinchin wrote: Mon Dec 19, 2022 12:36 pm Thanks.

Is blocking malware via DNS better than via VPN? For example, ProtonVPN offers malware blocking.
I am not familiar with malware blocking VPN but IMO many of the consumer grade ones are sketchy, even the big ones. https://www.theregister.com/2020/07/17/ ... _database/

And frankly, even some of the big corporate grade VPN vendors have been sketchy.

OpenDNS is a Cisco product and the consumer version is almost identical to what big companies buy.

But it also depends on how you set it up. You can VPN your entire house, but most do not. OpenDNS does your whole house, which includes all the 'stuff' like that old wireless printer that hasn't had a security update in 5 years. It's basically got a computer in it with wifi and it's on your network already.

In the corporate environment, big copying machines are the best attack vector ever! They rarely get security updates, they store thousands of pages of documents specially selected to be the ones worth copying, and often get great access to the network. Some even have integrated external phone lines for the fax machine so that you can bypass the corporate network entirely!

The password manager/2FA stuff was fine, textbook off of any decent security/privacy site and better than a lot of advice posted on the internet, but then ..

1.) You really linked a Register story and it's from two years ago?

2.) All 7 of those VPN services are small *Chinese*-based companies and in reality it's the same umbrella. Show me where that has happened to a real VPN service like Nord/Proton/Privado/Express.

3.) Here's where it went pear shaped --
"OpenDNS is a Cisco product and the consumer version is almost identical to what big companies buy."
-- no it is not, end of story. If you're talking about ASAs and the newer FTDs, they have layer 4/7 policy and NAT capabilities that no home consumer product will ever have. If you're talking about the little Meraki cloud products, those are not enterprise solutions. At best they work well in large edge environments for hospitals and colleges but are not core network devices.

I've personally moved away from Cisco for anything but switch/route. A decent zero-trust micro-segmentation system is far more flexible east-to-west (you write policy directly to vpn accounts and servers) with far better security.
-- Only a Sith deals in absolutes --
Topic Author
softwaregeek
Posts: 942
Joined: Wed May 08, 2019 8:59 pm

Re: SoftwareGeek's Guide to Computer Security

Post by softwaregeek »

brad.clarkston wrote: Mon Dec 19, 2022 1:42 pm
softwaregeek wrote: Mon Dec 19, 2022 1:01 pm
chinchin wrote: Mon Dec 19, 2022 12:36 pm Thanks.

Is blocking malware via DNS better than via VPN? For example, ProtonVPN offers malware blocking.
I am not familiar with malware blocking VPN but IMO many of the consumer grade ones are sketchy, even the big ones. https://www.theregister.com/2020/07/17/ ... _database/

And frankly, even some of the big corporate grade VPN vendors have been sketchy.

OpenDNS is a Cisco product and the consumer version is almost identical to what big companies buy.


The password manager/2FA stuff was fine, textbook off of any decent security/privacy site and better than a lot of advice posted on the internet, but then ..

1.) You really linked a Register story and it's from two years ago?

2.) All 7 of those VPN services are small *Chinese*-based companies and in reality it's the same umbrella. Show me where that has happened to a real VPN service like Nord/Proton/Privado/Express.

3.) Here's where it went pear shaped --
"OpenDNS is a Cisco product and the consumer version is almost identical to what big companies buy."
-- no it is not, end of story. If you're talking about ASAs and the newer FTDs, they have layer 4/7 policy and NAT capabilities that no home consumer product will ever have. If you're talking about the little Meraki cloud products, those are not enterprise solutions. At best they work well in large edge environments for hospitals and colleges but are not core network devices.

I've personally moved away from Cisco for anything but switch/route. A decent zero-trust micro-segmentation system is far more flexible east-to-west (you write policy directly to vpn accounts and servers) with far better security.
I defer to you since these are not my expertise, but VPN problems, both consumer and corporate grade, have not been limited or isolated. And with OpenDNS, I should have been more explicit in that they are using the same threat database. I am trying to stick to the noncontroversial here.
Topic Author
softwaregeek
Posts: 942
Joined: Wed May 08, 2019 8:59 pm

Re: SoftwareGeek's Guide to Computer Security

Post by softwaregeek »

onourway wrote: Mon Dec 19, 2022 1:37 pm
softwaregeek wrote: Mon Dec 19, 2022 1:12 pm
stan1 wrote: Mon Dec 19, 2022 12:44 pm
softwaregeek wrote: Mon Dec 19, 2022 12:21 pm DNS Service: An additional layer of security for your home. OpenDNS is about $20 and blocks malware at the network level for your whole house. I consider this a big hole for most home systems.
Agree on just about everything in your post, shouldn't be a controversial post but there will be differences of opinions.
I'd also add keeping all OS and application software up to the current vendor released version by enabling auto-patching.

Is this the OpenDNS prosumer license? Isn't it $20/user/year?
https://www.opendns.com/home-internet-security/
Same vendor, but different license. I use the HomeVIP license. Also $20 a year, but for home IP, not per user.
"Built in protection for malicious phishing & malware domains" is specifically excluded from the HomeVIP license in their benefit matrix? https://www.opendns.com/home-internet-security/
Never saw this matrix and it does make me wonder, but I do have checkboxes to turn each of these on in my control panel. Also, the detail documentation seems to indicate I have it. https://support.opendns.com/hc/en-us/ar ... d-Security
Topic Author
softwaregeek
Posts: 942
Joined: Wed May 08, 2019 8:59 pm

Re: SoftwareGeek's Guide to Computer Security

Post by softwaregeek »

softwaregeek wrote: Mon Dec 19, 2022 2:04 pm
onourway wrote: Mon Dec 19, 2022 1:37 pm
softwaregeek wrote: Mon Dec 19, 2022 1:12 pm
stan1 wrote: Mon Dec 19, 2022 12:44 pm
softwaregeek wrote: Mon Dec 19, 2022 12:21 pm DNS Service: An additional layer of security for your home. OpenDNS is about $20 and blocks malware at the network level for your whole house. I consider this a big hole for most home systems.
Agree on just about everything in your post, shouldn't be a controversial post but there will be differences of opinions.
I'd also add keeping all OS and application software up to the current vendor released version by enabling auto-patching.

Is this the OpenDNS prosumer license? Isn't it $20/user/year?
https://www.opendns.com/home-internet-security/
Same vendor, but different license. I use the HomeVIP license. Also $20 a year, but for home IP, not per user.
"Built in protection for malicious phishing & malware domains" is specifically excluded from the HomeVIP license in their benefit matrix? https://www.opendns.com/home-internet-security/
Never saw this matrix and it does make me wonder, but I do have checkboxes to turn each of these on in my control panel. Also, the detail documentation seems to indicate I have it. https://support.opendns.com/hc/en-us/ar ... d-Security
I found an old version of the matrix which shows different. I may be grandfathered in. Apparently, they have reduced the functionality of this product to the consumer market. I will remove that from the recommendation.
daytona084
Posts: 904
Joined: Mon Feb 01, 2010 9:47 pm

Re: SoftwareGeek's Guide to Computer Security

Post by daytona084 »

softwaregeek wrote: Mon Dec 19, 2022 12:21 pm

Please note, if your password is less than 12 characters, I'm just going to crack it with my desktop computer and a 'rainbow table' I download off the pirate bay. Probably 30 minutes, it's just a snack. It doesn't matter how good you think your password is, or where you store it, I'm going to own it. Then I'm going to 'stuff' your password across 1000 sites to see where you've reused it, using an automated script. Total elapsed time, 2 minutes of work, 45 minutes of processor time.

Please explain how this is possible when most sites will lock out after a few attempts with a wrong password. (Not that I don't believe it, but just wondering)

I know it's possible to use brute force if you have the /etc/passwd file but that would be a rare exception. And you would still need the username.
jebmke
Posts: 19529
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: SoftwareGeek's Guide to Computer Security

Post by jebmke »

daytona084 wrote: Tue Dec 20, 2022 10:54 am
softwaregeek wrote: Mon Dec 19, 2022 12:21 pm

Please note, if your password is less than 12 characters, I'm just going to crack it with my desktop computer and a 'rainbow table' I download off the pirate bay. Probably 30 minutes, it's just a snack. It doesn't matter how good you think your password is, or where you store it, I'm going to own it. Then I'm going to 'stuff' your password across 1000 sites to see where you've reused it, using an automated script. Total elapsed time, 2 minutes of work, 45 minutes of processor time.

Please explain how this is possible when most sites will lock out after a few attempts with a wrong password. (Not that I don't believe it, but just wondering)

I know it's possible to use brute force if you have the /etc/passwd file but that would be a rare exception. And you would still need the username.
Plus, you will get a 2FA notice somewhere, correct? If not using 2FA then that is a different, significant gap.
When you discover that you are riding a dead horse, the best strategy is to dismount.
bwalling
Posts: 491
Joined: Thu Nov 25, 2010 12:04 pm

Re: SoftwareGeek's Guide to Computer Security

Post by bwalling »

softwaregeek wrote: Mon Dec 19, 2022 12:21 pm Password managers protect you in more ways than just keeping safe passwords

Alternatively, I could use a phishing site, with a link to wellsfargobank.com or chase.banklogin.com or banckofamerica. I'd tell you your account is overdrawn or perhaps have you authorized $1,992.34 at Lowe's. Then you click and enter your password. A password manager won't be fooled, but people will be. Password managers aren't just to remember passwords; they are antiphishing tools as well. And let me tell you, the phishes can be VERY good these days.

An ex-employer had a product that sent phishing email and monitored who clicked. Our #1 most effective phish was from "HR" for a $10 Starbucks gift card. You would be shocked at how many people entered their credentials.
To add to that:

If you find yourself frustrated that your password manager isn't offering up the password for the website, be very aware of why before just searching your vault, pasting in your password, and muttering about how the password manager is buggy or stupid or whatever.

There's a good chance it didn't offer up the password because you're not on the correct website. That can easily mean you're on a spoofed website. It could also mean that it's a website like Verizon that seems to make a game of domain name roulette (Verizon.com, VerizonWireless.com, vzwireless.com, etc). But, be very careful when your password manager doesn't offer up the website.

One thing you can also do, is search your vault for that website, and then launch the website from there - your password manager will take you to the correct domain name (or at least the one you stored the password under originally). Do this, rather than clicking on any links in emails.
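The check behind the behaviour bwalling describes, as an added example (not code from any password manager named in this thread): autofill is offered only when the page's registrable domain (eTLD+1) equals a vault entry's domain, so the lookalike hosts from the original post get nothing, and the "domain roulette" case is handled by an explicit, user-approved equivalence group rather than by fuzzy matching. The public-suffix set, the vault entries and the Verizon group are constructed for the example.

```python
from urllib.parse import urlsplit

# Constructed stand-in for the Public Suffix List; a real manager ships the full list.
PUBLIC_SUFFIXES = {"com", "net", "org", "gov", "co.uk"}

# Domains the post says one vendor spreads its login across. Grouping them is a
# deliberate exception the user approves, never something inferred from similar names.
EQUIVALENT_DOMAINS = [{"verizon.com", "verizonwireless.com", "vzwireless.com"}]

# Constructed vault; usernames and passwords are placeholders.
VAULT = [
    {"name": "Chase", "domain": "chase.com", "username": "me@example.com", "password": "<stored>"},
    {"name": "Bank of America", "domain": "bankofamerica.com", "username": "me@example.com", "password": "<stored>"},
    {"name": "Verizon", "domain": "verizon.com", "username": "me@example.com", "password": "<stored>"},
]


def registrable_domain(host: str) -> str:
    """eTLD+1 of a hostname, the part a registrant actually controls:
    'online.chase.com' -> 'chase.com', 'chase.banklogin.com' -> 'banklogin.com'."""
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[i - 1:]) if i > 0 else ""
    return ".".join(labels)  # unknown suffix: treat the whole host as the domain


def equivalent(domain: str) -> set:
    """The approved equivalence group containing `domain`, or just the domain."""
    for group in EQUIVALENT_DOMAINS:
        if domain in group:
            return group
    return {domain}


def autofill_candidates(url: str, vault=VAULT):
    """Return (entries, reason). Entries are offered only over HTTPS and only when
    the page's registrable domain is the stored one or an approved equivalent;
    otherwise say why nothing was offered, which is the moment to get suspicious."""
    parts = urlsplit(url)
    host = parts.hostname or ""  # hostname strips userinfo, port and case
    if parts.scheme != "https":
        return [], "refusing to fill over %s" % (parts.scheme or "missing scheme")
    page_domain = registrable_domain(host)
    if not page_domain:
        return [], "no registrable domain in %r" % host
    allowed = equivalent(page_domain)
    hits = [e for e in vault if e["domain"] in allowed]
    if not hits:
        return [], "no entry for %s; lookalike names do not match" % page_domain
    return hits, "ok"


def launch_url(entry: dict) -> str:
    """Open the site from the vault instead of from a link in an email."""
    return "https://" + entry["domain"] + "/"
```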
Topic Author
softwaregeek
Posts: 942
Joined: Wed May 08, 2019 8:59 pm

Re: SoftwareGeek's Guide to Computer Security

Post by softwaregeek »

jebmke wrote: Tue Dec 20, 2022 10:56 am
daytona084 wrote: Tue Dec 20, 2022 10:54 am
softwaregeek wrote: Mon Dec 19, 2022 12:21 pm

Please note, if your password is less than 12 characters, I'm just going to crack it with my desktop computer and a 'rainbow table' I download off the pirate bay. Probably 30 minutes, it's just a snack. It doesn't matter how good you think your password is, or where you store it, I'm going to own it. Then I'm going to 'stuff' your password across 1000 sites to see where you've reused it, using an automated script. Total elapsed time, 2 minutes of work, 45 minutes of processor time.

Please explain how this is possible when most sites will lock out after a few attempts with a wrong password. (Not that I don't believe it, but just wondering)

I know it's possible to use brute force if you have the /etc/passwd file but that would be a rare exception. And you would still need the username.
Plus, you will get a 2FA notice somewhere, correct? If not using 2FA then that is a different, significant gap.
1. You have an account on bogleheads.org.
2. Hypothetically, the forum gets hacked and the hashed password database gets posted to the dark web.
3. I download the rainbow table and crack the password, if it isn't salted. I find that your bogleheads.org password is "Password1". I also have your email.
4. Now I try your email and Password1 across different websites to see if you've reused them. I'm not trying multiple passwords, I'm trying one password against multiple sites to see what hits.
5. This isn't an attack that works against people with 2FA. But people with 2FA probably aren't reusing passwords anyways. And lots of sites don't even use 2FA. And there are literally top 20 banks in this country that don't use 2FA! https://2fa.directory/us/#banking
6. The actual state of security, across smaller companies, is hideously shocking. A non-trivial percent of companies are storing their credentials in plaintext in something like MySQL or a flat file. For those you can just skip numbers 1-3 and go right to the password stuffing. You want to believe that software is written by grizzled Silicon Valley veterans but in truth lots of it is written by lowest-cost outside contractors in Eastern Europe or China.
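Why steps 2 and 3 above depend on the site having skipped "salting the hash" (the term used in the original post), shown as an added example rather than code from the thread: a precomputed table maps unsalted SHA-256 hashes of listed words straight back to the word, while the record a careful site stores (a random per-user salt plus PBKDF2 stretching) never appears in any table and differs even for two users with the same password. The wordlist and the records are constructed for the example.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a precomputed table; real ones hold billions.
COMMON_PASSWORDS = ["Password1", "WeakPassword1", "WeakPassword2", "letmein", "Summer2022!"]


def unsalted_sha256(password: str) -> str:
    """What a careless site stores: the same password always yields the same
    hash, for every user and on every site, so one precomputed table fits all."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_precomputed_table(words) -> dict:
    """hash -> password, computed once, reusable against any unsalted dump."""
    return {unsalted_sha256(w): w for w in words}


def lookup(table: dict, stored_hash: str):
    return table.get(stored_hash)


def store_password(password: str, iterations: int = 600_000) -> str:
    """What a careful site stores: a fresh 16-byte salt per user and a slow
    PBKDF2-HMAC-SHA256 derivation (600k iterations follows OWASP's guidance)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256$%d$%s$%s" % (iterations, salt.hex(), dk.hex())


def verify_password(password: str, record: str) -> bool:
    """Re-derive with the stored salt and iteration count; constant-time compare."""
    try:
        algo, iterations, salt_hex, dk_hex = record.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


def precomputed_table_hits(records, table: dict) -> list:
    """Which stored values a precomputed table recovers: every unsalted hash of a
    listed word, and none of the salted ones, whose hashes are unique per user."""
    hits = []
    for record in records:
        password = lookup(table, record.split("$")[-1])
        if password is not None:
            hits.append(password)
    return hits
```

A salted, stretched store does not make "Password1" a good password; it only means each guess has to be run separately per user and costs real CPU time, which is exactly what the 30-second figure above assumes the site did not do.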
JD2775
Posts: 1266
Joined: Thu Jul 09, 2015 10:47 pm

Re: SoftwareGeek's Guide to Computer Security

Post by JD2775 »

softwaregeek wrote: Tue Dec 20, 2022 12:13 pm
jebmke wrote: Tue Dec 20, 2022 10:56 am
daytona084 wrote: Tue Dec 20, 2022 10:54 am
softwaregeek wrote: Mon Dec 19, 2022 12:21 pm

Please note, if your password is less than 12 characters, I'm just going to crack it with my desktop computer and a 'rainbow table' I download off the pirate bay. Probably 30 minutes, it's just a snack. It doesn't matter how good you think your password is, or where you store it, I'm going to own it. Then I'm going to 'stuff' your password across 1000 sites to see where you've reused it, using an automated script. Total elapsed time, 2 minutes of work, 45 minutes of processor time.

Please explain how this is possible when most sites will lock out after a few attempts with a wrong password. (Not that I don't believe it, but just wondering)

I know it's possible to use brute force if you have the /etc/passwd file but that would be a rare exception. And you would still need the username.
Plus, you will get a 2FA notice somewhere, correct? If not using 2FA then that is a different, significant gap.
1. You have an account on bogleheads.org.
2. Hypothetically, the forum gets hacked and the hashed password database gets posted to the dark web.
3. I download the rainbow table and crack the password, if it isn't salted. I find that your bogleheads.org password is "Password1". I also have your email
4. Now I try your email and Password1 across different websites to see if you've reused them. I'm not trying multiple passwords, I'm trying one password against multiple sites to see what hits.
5. This isn't an attack that works against people with 2FA. But people with 2FA probably aren't reusing passwords anyways. And lots of sites don't even use 2FA. And there are literally top 20 banks in this country that don't use 2FA! https://2fa.directory/us/#banking
6. The actual state of security, across smaller companies, is hideously shocking. A non-trivial percent of companies are storing their credentials in plaintext in something like Mysql or a flat file. For those you can just skip numbers 1-3 and go right to the password stuffing. You want to believe that software is written by grizzled silicon valley veterans but in truth lots of it is written by lowest cost outside contractors in Eastern Europe or China.
Regarding #4 in bold....

So is it safe to assume it is worse to use the same password on multiple sites, as opposed to using a weak password? For example, if I use "Password1" on Bogleheads (but nowhere else) and "Pw77gasjdfgj~@*t8" on Vanguard, Merrill Lynch and Wells Fargo, the latter is less secure? If Bogleheads gets hacked, in reality it only affects the information I have on this site? (assuming my email password is different).
daytona084
Posts: 904
Joined: Mon Feb 01, 2010 9:47 pm

Re: SoftwareGeek's Guide to Computer Security

Post by daytona084 »

softwaregeek wrote: Tue Dec 20, 2022 12:13 pm

1. You have an account on bogleheads.org.
2. Hypothetically, the forum gets hacked and the hashed password database gets posted to the dark web.
3. I download the rainbow table and crack the password, if it isn't salted. I find that your bogleheads.org password is "Password1". I also have your email
4. Now I try your email and Password1 across different websites to see if you've reused them. I'm not trying multiple passwords, I'm trying one password against multiple sites to see what hits.
5. This isn't an attack that works against people with 2FA. But people with 2FA probably aren't reusing passwords anyways. And lots of sites don't even use 2FA. And there are literally top 20 banks in this country that don't use 2FA! https://2fa.directory/us/#banking
6. The actual state of security, across smaller companies, is hideously shocking. A non-trivial percent of companies are storing their credentials in plaintext in something like Mysql or a flat file. For those you can just skip numbers 1-3 and go right to the password stuffing. You want to believe that software is written by grizzled silicon valley veterans but in truth lots of it is written by lowest cost outside contractors in Eastern Europe or China.
No, I don't use my boglehead password anywhere else. Just hypothetically, say I have accounts at a few financial sites (not saying which ones), with 2FA, different usernames and passwords (not used anywhere else), but the passwords are less than 12 characters. How would I be at risk? (without a major data breach at the financial institution itself)
chinchin
Posts: 303
Joined: Tue Nov 14, 2017 7:02 pm

Re: SoftwareGeek's Guide to Computer Security

Post by chinchin »

daytona084 wrote: Tue Dec 20, 2022 12:54 pm
softwaregeek wrote: Tue Dec 20, 2022 12:13 pm

1. You have an account on bogleheads.org.
2. Hypothetically, the forum gets hacked and the hashed password database gets posted to the dark web.
3. I download the rainbow table and crack the password, if it isn't salted. I find that your bogleheads.org password is "Password1". I also have your email
4. Now I try your email and Password1 across different websites to see if you've reused them. I'm not trying multiple passwords, I'm trying one password against multiple sites to see what hits.
5. This isn't an attack that works against people with 2FA. But people with 2FA probably aren't reusing passwords anyways. And lots of sites don't even use 2FA. And there are literally top 20 banks in this country that don't use 2FA! https://2fa.directory/us/#banking
6. The actual state of security, across smaller companies, is hideously shocking. A non-trivial percent of companies are storing their credentials in plaintext in something like Mysql or a flat file. For those you can just skip numbers 1-3 and go right to the password stuffing. You want to believe that software is written by grizzled silicon valley veterans but in truth lots of it is written by lowest cost outside contractors in Eastern Europe or China.
No, I don't use my boglehead password anywhere else. Just hypothetically, say I have accounts at a few financial sites (not saying which ones), with 2FA, different usernames and passwords (not used anywhere else), but the passwords are less than 12 characters. How would I be at risk? (without a major data breach at the financial institution itself)
Phishing
not financial advice
trallium
Posts: 99
Joined: Wed Dec 29, 2021 6:53 pm

Re: SoftwareGeek's Guide to Computer Security

Post by trallium »

softwaregeek wrote: Tue Dec 20, 2022 12:13 pm ...
1. You have an account on bogleheads.org.
2. Hypothetically, the forum gets hacked and the hashed password database gets posted to the dark web.
3. I download the rainbow table and crack the password, if it isn't salted. I find that your bogleheads.org password is "Password1". I also have your email
...
I agree with all this advice, but as far as I can tell phpBB has always salted the hash, or at least was by 2007 when this instance was started. I had thought rainbow tables and salting the hash have been well known since the 1980s / system 7 unix password shadow file format. Janky websites I was tossing together in the mid 90s salted the hash with at least the username, but some cursory googling around suggests it was not well known in the php community till the mid aughts. And I guess Microsoft didn't get the memo for a while?

system 7 password shadow format goes $type$salt$hash (and this seems to be what phpbb uses), so if the password database leaked and your password is Password1 it would still seem to be trivial to crack -- so sort of a distinction without a difference to your scenario.
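The two points made above, that a table precomputed once works against unsalted hashes and that a salt only forces the same work to be redone per record, as an added Python example (not code from this forum, from phpBB or from any of the sites named). The wordlist, the "leaked" rows and the toy `$type$salt$hash` encoding are constructed here; the scheme names and the PBKDF2 work factor are my choices for illustration.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed stand-in for a downloaded rainbow/lookup table: a tiny list of
# common passwords. Real tables hold billions of entries, but the mechanism is
# the same: hash every candidate once, then look leaked digests up.
COMMON_WORDS: List[str] = ["123456", "password", "Password1", "qwerty", "letmein"]
ROUNDS = 600_000  # PBKDF2-HMAC-SHA256 work factor (current OWASP guidance)


def store_plaintext(pw: str) -> str:
    """Evite-style storage: the leak *is* the password."""
    return pw


def store_unsalted_sha1(pw: str) -> str:
    """LinkedIn-2012-style storage: a fixed digest per password, so one table
    computed once serves every user of every site using this scheme."""
    return hashlib.sha1(pw.encode()).hexdigest()


def _digest(scheme: str, salt: str, pw: str) -> str:
    """Hash `pw` under a named scheme with the given salt."""
    if scheme == "sha1":
        return hashlib.sha1((salt + pw).encode()).hexdigest()
    if scheme == "pbkdf2-sha256":
        return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt.encode(), ROUNDS).hex()
    raise ValueError(f"unknown scheme {scheme!r}")


def store_salted(pw: str, scheme: str = "sha1", salt: Optional[str] = None) -> str:
    """$type$salt$hash layout (the shape trallium describes, modelled on the
    Unix shadow format; a toy, not phpBB's exact encoding). Use scheme
    'pbkdf2-sha256' for a record that is salted *and* slow."""
    salt = salt or secrets.token_hex(8)  # random per user
    return f"${scheme}${salt}${_digest(scheme, salt, pw)}"


def verify(record: str, candidate: str) -> bool:
    """How a site checks a login against a $type$salt$hash record."""
    _, scheme, salt, digest = record.split("$")
    return hmac.compare_digest(_digest(scheme, salt, candidate), digest)


def build_lookup_table(words: List[str]) -> Dict[str, str]:
    """Precompute digest -> word for unsalted SHA-1, once, reusable forever."""
    return {hashlib.sha1(w.encode()).hexdigest(): w for w in words}


def exposed_by_table(record: str, table: Dict[str, str]) -> Optional[str]:
    """Does a table precomputed *without* any salt reveal this record with no
    per-record work? Plaintext: yes, trivially. Bare SHA-1: dictionary lookup.
    $type$salt$hash: the table was not built with this salt, so no hit."""
    if record.startswith("$"):
        _, _scheme, _salt, digest = record.split("$")
        return table.get(digest)  # salt mismatch: never matches in practice
    if len(record) == 40 and all(c in "0123456789abcdef" for c in record):
        return table.get(record)  # bare unsalted digest
    return record  # stored in plaintext


def exposed_by_per_record_work(record: str, words: List[str]) -> Optional[str]:
    """trallium's point: a salt only forces the table to be rebuilt for each
    record. A weak password still falls; what changes the economics is the
    slow KDF, which makes every one of these `verify` calls cost ROUNDS."""
    return next((w for w in words if verify(record, w)), None)


def audit_exposure(records: Dict[str, str]) -> Dict[str, bool]:
    """For each labelled record, True if a table built once over COMMON_WORDS
    exposes it without any per-record work."""
    table = build_lookup_table(COMMON_WORDS)
    return {name: exposed_by_table(rec, table) is not None for name, rec in records.items()}


if __name__ == "__main__":
    pw = "Password1"  # the password from the scenario above
    leaked = {  # constructed "leaked database" rows, one per storage scheme
        "plaintext": store_plaintext(pw),
        "unsalted_sha1": store_unsalted_sha1(pw),
        "salted_sha1": store_salted(pw, "sha1"),
        "pbkdf2_sha256": store_salted(pw, "pbkdf2-sha256"),
    }
    for name, hit in audit_exposure(leaked).items():
        print(f"{name:14s} exposed by a precomputed table: {hit}")
    # Salting forces per-record work but Password1 still falls; PBKDF2 makes
    # each guess ROUNDS times more expensive, which is why length matters too.
    print("salted, per-record:", exposed_by_per_record_work(leaked["salted_sha1"], COMMON_WORDS))
```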
Topic Author
softwaregeek
Posts: 942
Joined: Wed May 08, 2019 8:59 pm

Re: SoftwareGeek's Guide to Computer Security

Post by softwaregeek »

daytona084 wrote: Tue Dec 20, 2022 12:54 pm
softwaregeek wrote: Tue Dec 20, 2022 12:13 pm

1. You have an account on bogleheads.org.
2. Hypothetically, the forum gets hacked and the hashed password database gets posted to the dark web.
3. I download the rainbow table and crack the password, if it isn't salted. I find that your bogleheads.org password is "Password1". I also have your email
4. Now I try your email and Password1 across different websites to see if you've reused them. I'm not trying multiple passwords, I'm trying one password against multiple sites to see what hits.
5. This isn't an attack that works against people with 2FA. But people with 2FA probably aren't reusing passwords anyways. And lots of sites don't even use 2FA. And there are literally top 20 banks in this country that don't use 2FA! https://2fa.directory/us/#banking
6. The actual state of security, across smaller companies, is hideously shocking. A non-trivial percent of companies are storing their credentials in plaintext in something like Mysql or a flat file. For those you can just skip numbers 1-3 and go right to the password stuffing. You want to believe that software is written by grizzled silicon valley veterans but in truth lots of it is written by lowest cost outside contractors in Eastern Europe or China.
No, I don't use my boglehead password anywhere else. Just hypothetically, say I have accounts at a few financial sites (not saying which ones), with 2FA, different usernames and passwords (not used anywhere else), but the passwords are less than 12 characters. How would I be at risk? (without a major data breach at the financial institution itself)
You would not be at risk in this situation. And it is fairly rare for the breach to happen at major financial institutions. But I have been in (per https://haveibeenpwned.com) sixteen separate breaches (plus one paste of unknown origin). Typically, you get the password in a hashed format that someone stole, and then you decrypt it with a rainbow table. (Unless you used Evite and they didn't bother to encrypt the password :annoyed )

Let's use Evite as the example.
Evite: In April 2019, the social planning website for managing online invitations Evite identified a data breach of their systems. Upon investigation, they found unauthorised access to a database archive dating back to 2013. The exposed data included a total of 101 million unique email addresses, most belonging to recipients of invitations. Members of the service also had names, phone numbers, physical addresses, dates of birth, genders and passwords stored in plain text exposed. The data was provided to HIBP by a source who requested it be attributed to "JimScott.Sec@protonmail.com".

Compromised data: Dates of birth, Email addresses, Genders, Names, Passwords, Phone numbers, Physical addresses

I don't even need to decrypt the password. Now I see if you used your evite password for your email, or Amazon, or even your bank.

Or perhaps you used LinkedIn.

LinkedIn: In May 2016, LinkedIn had 164 million email addresses and passwords exposed. Originally hacked in 2012, the data remained out of sight until being offered for sale on a dark market site 4 years later. The passwords in the breach were stored as SHA1 hashes without salt, the vast majority of which were quickly cracked in the days following the release of the data.

Compromised data: Email addresses, Passwords
Or MyFitnessPal.
MyFitnessPal: In February 2018, the diet and exercise service MyFitnessPal suffered a data breach. The incident exposed 144 million unique email addresses alongside usernames, IP addresses and passwords stored as SHA-1 and bcrypt hashes (the former for earlier accounts, the latter for newer accounts). In 2019, the data appeared listed for sale on a dark web marketplace (along with several other large breaches) and subsequently began circulating more broadly. The data was provided to HIBP by a source who requested it to be attributed to "BenjaminBlue@exploit.im".

Compromised data: Email addresses, IP addresses, Passwords, Usernames
Or one of 23,000 smaller websites.
Cit0day (unverified): In November 2020, a collection of more than 23,000 allegedly breached websites known as Cit0day were made available for download on several hacking forums. The data consisted of 226M unique email address alongside password pairs, often represented as both password hashes and the cracked, plain text versions. Independent verification of the data established it contains many legitimate, previously undisclosed breaches. The data was provided to HIBP by dehashed.com.

Compromised data: Email addresses, Passwords
Collection #1 (unverified): In January 2019, a large collection of credential stuffing lists (combinations of email addresses and passwords used to hijack accounts on other services) was discovered being distributed on a popular hacking forum. The data contained almost 2.7 billion records including 773 million unique email addresses alongside passwords those addresses had used on other breached services. Full details on the incident and how to search the breached passwords are provided in the blog post The 773 Million Record "Collection #1" Data Breach.

Compromised data: Email addresses, Passwords
Topic Author
softwaregeek
Posts: 942
Joined: Wed May 08, 2019 8:59 pm

Re: SoftwareGeek's Guide to Computer Security

Post by softwaregeek »

trallium wrote: Tue Dec 20, 2022 1:36 pm
softwaregeek wrote: Tue Dec 20, 2022 12:13 pm ...
1. You have an account on bogleheads.org.
2. Hypothetically, the forum gets hacked and the hashed password database gets posted to the dark web.
3. I download the rainbow table and crack the password, if it isn't salted. I find that your bogleheads.org password is "Password1". I also have your email
...
I agree with all this advice, but as far as I can tell phpbb has always salted the hash, or at least was by 2007 when this instance was started. I had thought rainbow tables and salting the hash have been well known since the 1980s / system 7 unix password shadow file format. Janky websites I was tossing together in the mid 90s salted the hash with at least the username, but some cursory googling around suggests it was not well know in the php community till the mid aughts. And I guess microsoft didn't get the memo for awhile?

system 7 password shadow format goes $type$salt$hash (and this seems to be what phpbb uses), so if the password database leaked and your password is Password1 it would still seem to be trivial to crack -- so sort of a distinction without a difference to your scenario.
I don't know what this site actually uses, but I was using it as an example of a smaller site being used for a credential stuffing attack. But my basic point is that you have to assume *some* individual sites get breached. But you have to protect yourself by reducing the "blast radius" when they do.
stan1
Posts: 11835
Joined: Mon Oct 08, 2007 4:35 pm

Re: SoftwareGeek's Guide to Computer Security

Post by stan1 »

JD2775 wrote: Tue Dec 20, 2022 12:35 pm
softwaregeek wrote: Tue Dec 20, 2022 12:13 pm 4. Now I try your email and Password1 across different websites to see if you've reused them. I'm not trying multiple passwords, I'm trying one password against multiple sites to see what hits.
Regarding #4 in bold....

So is it safe to assume it is worse to use the same password on multiple sites, as opposed to using a weak password? For example, if I use "Password1" on Bogleheads (but nowhere else) and "Pw77gasjdfgj~@*t8" on Vanguard, Merrill Lynch and Wells Fargo, the latter is less secure? If Bogleheads gets hacked, in reality it only affects the information I have on this site? (assuming my email password is different).
I wouldn't recommend doing either. But yeah if I had to pick the lesser of two evils, with what is known today, the worst of the two would be using the same password on multiple sites, especially using the same password at a "low value" site like Bogleheads or another website forum site where the consequence of a password breach is minimal with a small to non-existent professional cybersecurity staff and at a "high value" site like Gmail or Vanguard. It's easy to take a username (email)/password pair and try it out site after site. Not 100 variations, just one. Try Password2 a few months later if Password1 didn't work. I'd add airlines and hotels to the list of high value sites, because points have value and they have a lot of personal information and likely don't have security at the level of a brokerage or big tech like Microsoft or Google.

Using the password manager avoids worrying about this. It's just as easy to use F8*Vid_45[gjsH$df as Password1 on bogleheads.org.
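stan1's ranking above (reuse is the worse evil, high-value accounts need the most care, 2FA blunts a replayed password) as a vault audit you could run over a password-manager export. This is an added Python example, not any real manager's export format or API; the Entry fields, the category names and the sample vault are constructed to mirror the thread's scenario.

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List

MIN_LENGTH = 12  # the threshold given at the top of the thread
# Categories stan1 treats as high value: mail, brokerages, banks, airlines, hotels.
HIGH_VALUE = {"email", "brokerage", "bank", "airline", "hotel"}


@dataclass(frozen=True)
class Entry:
    """One vault row. Constructed shape, not any real manager's export format."""
    site: str
    username: str
    password: str
    category: str  # e.g. "forum", "email", "brokerage"
    has_2fa: bool


def find_reuse(entries: List[Entry]) -> Dict[str, List[str]]:
    """Group sites by password; any group of two or more is a stuffing path
    from the weakest site in the group to the strongest."""
    sites_by_pw: Dict[str, List[str]] = defaultdict(list)
    for e in entries:
        sites_by_pw[e.password].append(e.site)
    return {pw: sorted(s) for pw, s in sites_by_pw.items() if len(s) > 1}


def blast_radius(entries: List[Entry], breached_site: str) -> List[str]:
    """If `breached_site` leaks its username/password pair, which other
    accounts fall to that one pair being replayed? Accounts with 2FA are
    excluded, per point 5 above: the replayed password alone is not enough."""
    leaked = {(e.username, e.password) for e in entries if e.site == breached_site}
    return sorted(
        e.site for e in entries
        if e.site != breached_site and not e.has_2fa and (e.username, e.password) in leaked
    )


def short_passwords(entries: List[Entry]) -> List[str]:
    """Sites whose password is under MIN_LENGTH characters."""
    return sorted(e.site for e in entries if len(e.password) < MIN_LENGTH)


def high_value_without_2fa(entries: List[Entry]) -> List[str]:
    """High-value accounts relying on the password alone."""
    return sorted(e.site for e in entries if e.category in HIGH_VALUE and not e.has_2fa)


def audit(entries: List[Entry]) -> List[str]:
    """Human-readable findings, worst first: reuse, then 2FA gaps, then length."""
    findings = []
    for pw, sites in find_reuse(entries).items():
        findings.append(f"REUSE: {len(sites)} sites share one password: {', '.join(sites)}")
    for site in high_value_without_2fa(entries):
        findings.append(f"NO_2FA: high-value account without 2FA: {site}")
    for site in short_passwords(entries):
        findings.append(f"SHORT: password under {MIN_LENGTH} chars: {site}")
    return findings


# Constructed sample vault illustrating the thread's scenario.
SAMPLE_VAULT = [
    Entry("bogleheads.org", "jane@example.com", "Password1", "forum", False),
    Entry("mail.example.com", "jane@example.com", "Password1", "email", False),
    Entry("brokerage.example", "jane@example.com", "Password1", "brokerage", True),
    Entry("bank.example", "jane_b", "Pw77gasjdfgj~@*t8", "bank", False),
    Entry("airline.example", "jane@example.com", "Summer22", "airline", False),
    Entry("game.example", "jane", "F8*Vid_45[gjsH$df", "forum", False),
]

if __name__ == "__main__":
    for line in audit(SAMPLE_VAULT):
        print(line)
    print("if bogleheads.org leaks, also lost:", blast_radius(SAMPLE_VAULT, "bogleheads.org"))
```

In the sample, the brokerage shares the forum password but survives the replay because of 2FA; the mail account, which does not, is what a stuffing run would actually pick up.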
jebmke
Posts: 19529
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: SoftwareGeek's Guide to Computer Security

Post by jebmke »

softwaregeek wrote: Tue Dec 20, 2022 12:13 pm
jebmke wrote: Tue Dec 20, 2022 10:56 am
daytona084 wrote: Tue Dec 20, 2022 10:54 am
softwaregeek wrote: Mon Dec 19, 2022 12:21 pm

Please note, if your password is less than 12 characters, I'm just going to crack it with my desktop computer and a 'rainbow table' I download off the pirate bay. Probably 30 minutes, it's just a snack. It doesn't matter how good you think your password is, or where you store it, I'm going to own it. Then I'm going to 'stuff' your password across 1000 sites to see where you've reused it, using an automated script. Total elapsed time, 2 minutes of work, 45 minutes of processor time.

Please explain how this is possible when most sites will lock out after a few attempts with a wrong password. (Not that I don't believe it, but just wondering)

I know it's possible to use brute force if you have the /etc/passwd file but that would be a rare exception. And you would still need the username.
Plus, you will get a 2FA notice somewhere, correct? If not using 2FA then that is a different, significant gap.
1. You have an account on bogleheads.org.
2. Hypothetically, the forum gets hacked and the hashed password database gets posted to the dark web.
3. I download the rainbow table and crack the password, if it isn't salted. I find that your bogleheads.org password is "Password1". I also have your email
Password not used elsewhere and email address not primary and not financial.
4. Now I try your email and Password1 across different websites to see if you've reused them. I'm not trying multiple passwords, I'm trying one password against multiple sites to see what hits.
5. This isn't an attack that works against people with 2FA. But people with 2FA probably aren't reusing passwords anyways. And lots of sites don't even use 2FA. And there are literally top 20 banks in this country that don't use 2FA! https://2fa.directory/us/#banking
I have little sympathy for people not using 2FA in this day and age. They have been cautioned for decades. If they don't use 2FA they sure aren't using a PW manager.
6. The actual state of security, across smaller companies, is hideously shocking. A non-trivial percent of companies are storing their credentials in plaintext in something like Mysql or a flat file. For those you can just skip numbers 1-3 and go right to the password stuffing. You want to believe that software is written by grizzled silicon valley veterans but in truth lots of it is written by lowest cost outside contractors in Eastern Europe or China.
Technology in the US isn't particularly strong, period. Remember - we still use little pieces of paper to transfer money around. Credit cards are not protected even with PINs. 100 mph is considered a fast train. But .... our cheeseburgers and aircraft carriers are world class.
When you discover that you are riding a dead horse, the best strategy is to dismount.
gavinsiu
Posts: 1718
Joined: Sun Nov 14, 2021 11:42 am

Re: SoftwareGeek's Guide to Computer Security

Post by gavinsiu »

Great list. Don't forget the security questions that many sites make you fill out, which essentially turn into back doors. Your mother's maiden name is a terrible security device. What I do is fill the security question with a long nonsense string that I save into the password manager.
stan1
Posts: 11835
Joined: Mon Oct 08, 2007 4:35 pm

Re: SoftwareGeek's Guide to Computer Security

Post by stan1 »

gavinsiu wrote: Tue Dec 20, 2022 1:59 pm Great list. Don't forget the security questions that many sites make you fill out, which essentially turn into back doors. Your mother's maiden name is a terrible security device. What I do is fill the security question with a long nonsense string that I save into the password manager.
This is one where I simplify. I use a chain of English words like "spicy dachshund brew" for mother's maiden name and I do save it to the password manager. No one is going to guess that, it's unique, and I can read it back to a customer service rep at the businesses who use the same phrase for both website and human validation rather than trying to read DF*CVfD)5*fgasrfKJ8df)fk_ back to them (my eyes aren't that good).
gavinsiu
Posts: 1718
Joined: Sun Nov 14, 2021 11:42 am

Re: SoftwareGeek's Guide to Computer Security

Post by gavinsiu »

stan1 wrote: Tue Dec 20, 2022 2:05 pm
This is one where I simplify. I use a chain of English words like "spicy dachshund brew" for mother's maiden name and I do save it to the password manager. No one is going to guess that, it's unique, and I can read it back to a customer service rep at the businesses who use the same phrase for both website and human validation rather than trying to read DF*CVfD)5*fgasrfKJ8df)fk_ back to them (my eyes aren't that good).
Yes, I used to use a string, but the security questions are handled by humans, so #@$@dj2k3k2 doesn't work. I ended up using a series of words not related to the question.

My worry is that sites might not store those security questions encrypted, so a hack might expose your account even if they can't get at the password.
telemark
Posts: 3244
Joined: Sat Aug 11, 2012 6:35 am

Re: SoftwareGeek's Guide to Computer Security

Post by telemark »

I'm currently using Quad9 for DNS, based on a recommendation from Avoid the Hack. There may be better choices.
Last edited by telemark on Tue Dec 20, 2022 2:27 pm, edited 1 time in total.
Topic Author
softwaregeek
Posts: 942
Joined: Wed May 08, 2019 8:59 pm

Re: SoftwareGeek's Guide to Computer Security

Post by softwaregeek »

JD2775 wrote: Tue Dec 20, 2022 12:35 pm
softwaregeek wrote: Tue Dec 20, 2022 12:13 pm
jebmke wrote: Tue Dec 20, 2022 10:56 am
daytona084 wrote: Tue Dec 20, 2022 10:54 am
softwaregeek wrote: Mon Dec 19, 2022 12:21 pm

Please note, if your password is less than 12 characters, I'm just going to crack it with my desktop computer and a 'rainbow table' I download off the pirate bay. Probably 30 minutes, it's just a snack. It doesn't matter how good you think your password is, or where you store it, I'm going to own it. Then I'm going to 'stuff' your password across 1000 sites to see where you've reused it, using an automated script. Total elapsed time, 2 minutes of work, 45 minutes of processor time.

Please explain how this is possible when most sites will lock out after a few attempts with a wrong password. (Not that I don't believe it, but just wondering)

I know it's possible to use brute force if you have the /etc/passwd file but that would be a rare exception. And you would still need the username.
Plus, you will get a 2FA notice somewhere, correct? If not using 2FA then that is a different, significant gap.
1. You have an account on bogleheads.org.
2. Hypothetically, the forum gets hacked and the hashed password database gets posted to the dark web.
3. I download the rainbow table and crack the password, if it isn't salted. I find that your bogleheads.org password is "Password1". I also have your email
4. Now I try your email and Password1 across different websites to see if you've reused them. I'm not trying multiple passwords, I'm trying one password against multiple sites to see what hits.
5. This isn't an attack that works against people with 2FA. But people with 2FA probably aren't reusing passwords anyways. And lots of sites don't even use 2FA. And there are literally top 20 banks in this country that don't use 2FA! https://2fa.directory/us/#banking
6. The actual state of security, across smaller companies, is hideously shocking. A non-trivial percent of companies are storing their credentials in plaintext in something like Mysql or a flat file. For those you can just skip numbers 1-3 and go right to the password stuffing. You want to believe that software is written by grizzled silicon valley veterans but in truth lots of it is written by lowest cost outside contractors in Eastern Europe or China.
Regarding #4 in bold....

So is it safe to assume it is worse to use the same password on multiple sites, as opposed to using a weak password? For example, if I use "Password1" on Bogleheads (but nowhere else) and "Pw77gasjdfgj~@*t8" on Vanguard, Merrill Lynch and Wells Fargo, the latter is less secure? If Bogleheads gets hacked, in reality it only affects the information I have on this site? (assuming my email password is different).
Technology gets cheaper every day, and the fact that I can't find a longer rainbow table than a certain size doesn't mean someone with more resources can't find one. But a longer password is free, so why not?
homebuyer6426
Posts: 1439
Joined: Tue Feb 07, 2017 8:08 am

Re: SoftwareGeek's Guide to Computer Security

Post by homebuyer6426 »

I'd rather use complex unique passwords that I can still remember than trust a single-point-of-failure with the keys to everything. Don't write them down obviously, but post-it-notes are not how most people get compromised.

I agree 2-factor authentication is a good idea for the important accounts.

Relatively simple passwords are fine for the unimportant accounts, that no one has a reason to gain access to anyway. Like an online forum or a free video game. Not anything storing credit card/personal information, etc. Just use common sense for that.

I'd add don't make accounts for things that you can get away with not having accounts for. Like an OS. Or a web browser. They want you to have accounts there in order to collect and centralize your information.

The example about one password holder dying and the other getting Alzheimer's and then their kids not being able to access some accounts is a tale of password success, in my opinion. You're not supposed to just be able to easily transfer all your passwords to someone else when in a compromised state of consciousness, that is a security risk. If you want to transfer ownership of some items to your kids, plan for that while you are healthy.
65% Total Stock Market | 30% Consumer Staples | 5% Short Term Reserves
gavinsiu
Posts: 1718
Joined: Sun Nov 14, 2021 11:42 am

Re: SoftwareGeek's Guide to Computer Security

Post by gavinsiu »

homebuyer6426 wrote: Tue Dec 20, 2022 2:43 pm I'd rather use complex unique passwords that I can still remember than trust a single-point-of-failure with the keys to everything. Don't write them down obviously, but post-it-notes are not how most people get compromised.

I agree 2-factor authentication is a good idea for the important accounts.

Relatively simple passwords are fine for the unimportant accounts, that no one has a reason to gain access to anyway. Like an online forum or a free video game. Not anything storing credit card/personal information, etc. Just use common sense for that.

I'd add don't make accounts for things that you can get away with not having accounts for. Like an OS. Or a web browser. They want you to have accounts there in order to collect and centralize your information.

The example about one password holder dying and the other getting Alzheimer's and then their kids not being able to access some accounts is a tale of password success, in my opinion. You're not supposed to just be able to easily transfer all your passwords to someone else when in a compromised state of consciousness, that is a security risk. If you want to transfer ownership of some items to your kids, plan for that while you are healthy.
In my opinion, the single point of failure is often the brain. It's way too easy to forget a password if you don't use it every day. Writing them down does work, but I find that a password update means I have to cross out the entry, and you have to be religiously good at updating the password or it goes out of date.

I have so many accounts these days that it's impossible for me to keep track of them. My utilities have a website, my bank has a website. My kid's school has a website. An electronically centralized DB where I can actually make backups is ideal for me.

You cannot prep for an emergency. My late sister died suddenly. We spent weeks combing through her house to figure out where her bank and bills and stuff were. Paid versions of password managers often have a mechanism where a person can be designated to get the content after your death.
jayjayc
Posts: 440
Joined: Tue Jun 25, 2013 11:38 pm

Re: SoftwareGeek's Guide to Computer Security

Post by jayjayc »

If you don't use a password manager, I recommend generating words from Diceware here: https://diceware.rempe.us/#eff

Click on the "10 words" green button and pick a few words for your password or answer to security questions. I've convinced many family members to start using password managers but I don't even try with my 70+ yr old relatives. I use diceware and write them down for them.
bwalling
Posts: 491
Joined: Thu Nov 25, 2010 12:04 pm

Re: SoftwareGeek's Guide to Computer Security

Post by bwalling »

homebuyer6426 wrote: Tue Dec 20, 2022 2:43 pm I'd rather use complex unique passwords that I can still remember than trust a single-point-of-failure with the keys to everything. Don't write them down obviously, but post-it-notes are not how most people get compromised.
I have well over 200 passwords. If you're able to remember complex unique passwords at that volume, you're a savant. Or, your passwords aren't actually very good or unique.
gavinsiu
Posts: 1718
Joined: Sun Nov 14, 2021 11:42 am

Re: SoftwareGeek's Guide to Computer Security

Post by gavinsiu »

jayjayc wrote: Tue Dec 20, 2022 4:32 pm If you don't use a password manager, I recommend generating words from Diceware here: https://diceware.rempe.us/#eff

Click on the "10 words" green button and pick a few words for your password or answer to security questions. I've convinced many family members to start using password managers but I don't even try with my 70+ yr old relatives. I use diceware and write them down for them.
I tried this with my mom, but she sucks at typing, so she kept messing up and calling me. I would tell her to type faster, which increases the success rate, but she often failed unless the password is only a few characters. I eventually used a password manager that she triggers through her fingerprint.
roamingzebra
Posts: 590
Joined: Thu Apr 22, 2021 3:29 pm

Re: SoftwareGeek's Guide to Computer Security

Post by roamingzebra »

softwaregeek and others,

Did you happen to see this thread? (not mine)

viewtopic.php?t=386701

Here is the introduction (I bolded the compromised items)
A fraudster social engineered Fidelity’s call center and successfully convinced the representative to reset my account password. To enable this, the fraudster had my user ID (my last name) and home phone number. The phone number wasn’t hard for the fraudster to come by, likely as part of a previous data breach into any one of a million companies who’ve been hacked over the past few decades. In his call to Fidelity, the fraudster spoofed my home (land line) phone number, likely using a service called Twilio. This made it look to the call center like it was the account owner calling. I was (and am still) enrolled in Fidelity’s MyVoice verification system. I’m not sure whether that system failed or wasn’t used by the contact center in this instance.

After the password reset by the call center, the fraudster then had full online access to my accounts. He immediately linked a new PayPal account to my Fidelity accounts so he had a destination to which he could transfer money. The fraudster began multiple transfers of “five-digit” amounts, including to his PayPal account. As these happened, I received routine emails from Fidelity about the new PayPal account linking and transfers. I saw those emails a few hours after the breach occurred, and immediately called Fidelity to put a stop to it. Fortunately, Fidelity’s internal system had already automatically flagged the fraudster’s activity as suspicious and froze all of my accounts. I'm guessing this was in part based on IP addresses used. Perhaps the pattern of linking a new PayPal or bank account and then initiating an immediate transfer is also something they consider suspicious.
This particular incident seemed incomplete in its description. I'd be interested in people's comments for this type of scenario in the context of the current thread.

And I wonder if it was dumb luck for the fraudster at Fidelity, or did he/she actually try pulling this at other financial institutions? I mean, would it play out as follows? When the CSR had no record of them, the fraudster would just say "Ooops, sorry! I meant to call my other brokerage!" and hurry up and hang up. That would be one bold fraudster.

Or would the fraudster realistically have had to have known their victim and known that they had an account at Fidelity?
Topic Author
softwaregeek
Posts: 942
Joined: Wed May 08, 2019 8:59 pm

Re: SoftwareGeek's Guide to Computer Security

Post by softwaregeek »

roamingzebra wrote: Tue Dec 20, 2022 7:00 pm softwaregeek and others,

Did you happen to see this thread? (not mine)

viewtopic.php?t=386701

Here is the introduction (I bolded the compromised items)
A fraudster social engineered Fidelity’s call center and successfully convinced the representative to reset my account password. To enable this, the fraudster had my user ID (my last name) and home phone number. The phone number wasn’t hard for the fraudster to come by, likely as part of a previous data breach into any one of a million companies who’ve been hacked over the past few decades. In his call to Fidelity, the fraudster spoofed my home (land line) phone number, likely using a service called Twilio. This made it look to the call center like it was the account owner calling. I was (and am still) enrolled in Fidelity’s MyVoice verification system. I’m not sure whether that system failed or wasn’t used by the contact center in this instance.

After the password reset by the call center, the fraudster then had full online access to my accounts. He immediately linked a new PayPal account to my Fidelity accounts so he had a destination to which he could transfer money. The fraudster began multiple transfers of “five-digit” amounts, including to his PayPal account. As these happened, I received routine emails from Fidelity about the new PayPal account linking and transfers. I saw those emails a few hours after the breach occurred, and immediately called Fidelity to put a stop to it. Fortunately, Fidelity’s internal system had already automatically flagged the fraudster’s activity as suspicious and froze all of my accounts. I'm guessing this was in part based on IP addresses used. Perhaps the pattern of linking a new PayPal or bank account and then initiating an immediate transfer is also something they consider suspicious.
This particular incident seemed incomplete in its description. I'd be interested in people's comments for this type of scenario in the context of the current thread.

And I wonder if it was dumb luck for the fraudster at Fidelity, or did he/she actually try pulling this at other financial institutions? I mean, would it play out as follows? When the CSR had no record of them, the fraudster would just say "Ooops, sorry! I meant to call my other brokerage!" and hurry up and hang up. That would be one bold fraudster.

Or would the fraudster realistically have had to have known their victim and known that they had an account at Fidelity?
Social engineering attacks are old school and it's hard to know how they got the info. It could be someone got into his email and suctioned out all the data. Or it could be that someone got the data from his employer's HR department. I know of one case where someone at a fairly large company got a phone call from someone claiming to be the CFO, asking them to email the W-2 forms for the entire company out to some random email address. And it happened. https://krebsonsecurity.com/2016/03/sea ... oyee-w-2s/

Here's an example of how it is done.
https://www.youtube.com/watch?v=xumbDSoJ0Mg
Ladeedaw
Posts: 102
Joined: Thu Aug 09, 2018 1:16 pm

Re: SoftwareGeek's Guide to Computer Security

Post by Ladeedaw »

Thanks for this thread. Online security has been on my to do list, and this is prodding me to get on it. Question: many of my coworkers use Keeper Password manager. I can't remember the reasons why. Is it comparable to the recommendations here? Would you recommend it?
Topic Author
softwaregeek
Posts: 942
Joined: Wed May 08, 2019 8:59 pm

Re: SoftwareGeek's Guide to Computer Security

Post by softwaregeek »

Ladeedaw wrote: Tue Dec 20, 2022 8:11 pm Thanks for this thread. Online security has been on my to do list, and this is prodding me to get on it. Question: many of my coworkers use Keeper Password manager. I can't remember the reasons why. Is it comparable to the recommendations here? Would you recommend it?
Not a fan.
https://www.securityweek.com/keeper-sue ... tical-flaw

Update: This incident was seven years ago. I do hold grudges but I have no personal experience with the vendor and they have been favorably reviewed by many.

I personally use 1Password because, along with LastPass, it is the easiest to use, and I was able to teach my elderly mother to use it.

I used Lastpass before that, but felt that the user interface (as opposed to the security) was getting buggier at the core feature of recording and filling passwords.

I liked Keepass personally and thought it was very feature-filled, but I'm tech support for the extended family and I didn't feel like fielding calls when something didn't work right. Plus, I have no desire to host anything personally.

I played around with BitWarden before selecting 1Password. It's a little cheaper, it's comparable in features but I didn't like the UI as much and this is software I touch a *lot*.

Dashlane also gets a lot of favorable press so I played around with that too. It used to have an automatic password changer that got a lot of press but that got removed from the product. Once that went away, the big differentiator was gone. And the price for the family plan was substantial, although roughly the same when you include $30 a year I pay for a top-tier VPN right now and that I could get rid of. The design is probably a bit more aesthetic but ultimately between cost, features and the fact that lots of guys I know and respect in the industry use 1Password, I went with 1Password.
Last edited by softwaregeek on Tue Dec 20, 2022 10:01 pm, edited 1 time in total.
Mudpuppy
Posts: 7127
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: SoftwareGeek's Guide to Computer Security

Post by Mudpuppy »

I've been saying for what seems like decades that one should use a password manager and have unique passwords for every site. In fact, my thread here on Bogleheads about not reusing passwords is now officially more than a decade old (posted in June 2012). I won't link to it since it's so old (we don't need to revive a zombie thread), but people can find it in my post history if interested.

And a recent Krebs on Security article underlines the importance of not reusing passwords. While the article focuses on the consequence to hackers who were caught, note that early on in the article it says they "hacked" Ring cameras by trying the same email account and password they'd previously compromised on the Ring account, and then swatted the accounts where that worked. Article link: https://krebsonsecurity.com/2022/12/hac ... g-victims/
Mudpuppy
Posts: 7127
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: SoftwareGeek's Guide to Computer Security

Post by Mudpuppy »

roamingzebra wrote: Tue Dec 20, 2022 7:00 pm And I wonder if it was dumb luck for the fraudster at Fidelity, or did he/she actually try pulling this at other financial institutions? I mean, would it play out as follows? When the CSR had no record of them, the fraudster would just say "Ooops, sorry! I meant to call my other brokerage!" and hurry up and hang up. That would be one bold fraudster.

Or would the fraudster realistically have had to have known their victim and known that they had an account at Fidelity?
There is plenty of information on the black market to find out someone's phone number, credit report, and other information. That's all part of the information gathering stage of a social engineering attack. And this person was talking about multiple 5-figure transactions, so we can assume their portfolio was high enough to warrant a targeted attack (although I haven't read the entire linked thread).

I've actually had to change my Fidelity username because someone kept trying to change the password and repeatedly locked my account. Now, since they were unsuccessful at changing the password, I'd chalked this up to someone who used the same username elsewhere and forgot they weren't using it at Fidelity, but I still changed my username to something a little more unique. I only wish I could have changed my work's username when I had the same issue (someone who kept forgetting they were initialLastName2 and kept trying to log on as initialLastName and locking me out).

Now the scary thing is that there's also enough information on the black market to get your full Social Security number and other identifying information, so having a unique username at financial firms is probably, in and of itself, insufficient to protect the accounts against a good social engineering attack on the customer service representatives. They could claim some recent injury that affects their ability to remember the username too, but be able to provide other "identifying" information.
Mudpuppy
Posts: 7127
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: SoftwareGeek's Guide to Computer Security

Post by Mudpuppy »

gavinsiu wrote: Tue Dec 20, 2022 6:53 pm
jayjayc wrote: Tue Dec 20, 2022 4:32 pm If you don't use a password manager, I recommend generating words from Diceware here: https://diceware.rempe.us/#eff

Click on the "10 words" green button and pick a few words for your password or answer to security questions. I've convinced many family members to start using password managers but I don't even try with my 70+ yr old relatives. I use diceware and write them down for them.
I tried this with my mom, but she sucks at typing, so she kept messing up and calling me. I would tell her to type faster, which increases the success rate, but she often failed unless the password was only a few characters. I eventually used a password manager that she triggers through her fingerprint.
FYI, it could have been a fine motor control issue with your mother messing up typing the passwords. When I injured my neck, I had some temporary nerve damage that affected my hands and I had an extremely hard time properly typing my passwords. For example, my brain would say "hold the shift key" for a capital letter, but that wasn't getting through to my fingers. Mouse clicks and swipes on the smartphone were likewise frustrating during this time frame.

It's good you found something that works for her, but I just wanted to add this to the thread for those who may be dealing with similar issues. It's not always a cognitive issue. It could be a physical one as well. It's better to find the proper adaptive technology in these cases.
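Since the diceware approach quoted above comes up as the fallback for people who will not use a manager, here is the selection step written out as an added example (my own code, not from the thread or from the linked diceware.rempe.us page). The EFF long list maps each five-dice roll, "11111" through "66666", to one of 7776 words; this script embeds a constructed two-dice stand-in list (36 made-up entries) in the same `key<TAB>word` format so it runs offline, and would work unchanged on the real list file. Dice are rolled with `secrets`, never `random`, and a roll whose key is not in the list is simply rolled again so the choice stays uniform.

```python
"""Diceware passphrase generation from an EFF-format wordlist (added example)."""
import math
import secrets

# Constructed stand-in for the EFF wordlist: 36 words keyed by a two-dice roll
# "11".."66".  The real file (https://www.eff.org/dice) has 7776 five-dice keys.
_STAND_IN_WORDS = [
    "acorn", "anvil", "badge", "basil", "bison", "blimp", "cabin", "camel", "cider",
    "cobra", "daisy", "delta", "dingo", "eagle", "ember", "fable", "ferry", "flint",
    "gecko", "glove", "harp", "hazel", "igloo", "ivory", "jelly", "kayak", "lemon",
    "lilac", "mango", "maple", "noble", "ocean", "olive", "panda", "pearl", "quilt",
]
SAMPLE_EFF_FORMAT = "\n".join(
    f"{a}{b}\t{word}"
    for (a, b), word in zip(((a, b) for a in range(1, 7) for b in range(1, 7)), _STAND_IN_WORDS)
)


def parse_eff_list(text):
    """Parse 'key<TAB>word' lines into {key: word}, rejecting keys that are not dice pips."""
    words = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        key, word = line.split("\t", 1)
        if not key or any(c not in "123456" for c in key):
            raise ValueError(f"bad dice key {key!r}")
        words[key] = word.strip()
    return words


def roll_key(n_dice, randbelow=secrets.randbelow):
    """Roll n_dice dice with a CSPRNG and return the pips as a key string, e.g. '31452'."""
    return "".join(str(randbelow(6) + 1) for _ in range(n_dice))


def diceware_passphrase(words, n_words, randbelow=secrets.randbelow):
    """Pick n_words words by dice roll.  Keys missing from the list are re-rolled
    (rejection sampling), so a partial list still yields a uniform choice."""
    n_dice = len(next(iter(words)))
    chosen = []
    while len(chosen) < n_words:
        key = roll_key(n_dice, randbelow)
        if key in words:
            chosen.append(words[key])
    return " ".join(chosen)


def entropy_bits(list_size, n_words):
    """Entropy of an n_words passphrase drawn uniformly from a list of list_size words."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    wordlist = parse_eff_list(SAMPLE_EFF_FORMAT)
    print(diceware_passphrase(wordlist, 6))
    print(f"stand-in list, 6 words: {entropy_bits(len(wordlist), 6):.1f} bits")
    print(f"EFF long list, 6 words: {entropy_bits(7776, 6):.1f} bits")
```

Six words from the real 7776-word list give about 77.5 bits; the 36-word stand-in gives only about 31, which is why the toy list is for running the code, not for generating a passphrase you will actually use.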
Topic Author
softwaregeek
Posts: 942
Joined: Wed May 08, 2019 8:59 pm

Re: SoftwareGeek's Guide to Computer Security

Post by softwaregeek »

I didn't include this because it isn't strictly computer security, but Schwab allows you to set a 'verbal password' that you are required to give before interactions on the phone. I don't know if others do this as well.

I'm not sure there is an easy way to protect against "guy called in and BS'd the phone rep into doing something stupid". (aka social engineering). At least not on the customer end.
rob
Posts: 4403
Joined: Mon Feb 19, 2007 5:49 pm
Location: Here

Re: SoftwareGeek's Guide to Computer Security

Post by rob »

Great discussion above but I'll add one that adds another layer to the onion.... I never search or type the web-address or follow a link in email or anything else... I bookmark each site, check the certs then ONLY use those bookmarks to go to financial sites. Simple and easy to do and MIGHT save you from being on the wrong site (yeah I know the password mgr can see this but it's just another layer).
| Rob | Its a dangerous business going out your front door. - J.R.R.Tolkien
NewbieBogle007
Posts: 300
Joined: Mon Jun 20, 2016 5:49 pm

Re: SoftwareGeek's Guide to Computer Security

Post by NewbieBogle007 »

Do you recommend using a computer browser as a password manager?
Topic Author
softwaregeek
Posts: 942
Joined: Wed May 08, 2019 8:59 pm

Re: SoftwareGeek's Guide to Computer Security

Post by softwaregeek »

NewbieBogle007 wrote: Tue Dec 20, 2022 10:12 pm Do you recommend using a computer browser as a password manager?
By computer browser, you probably mean Chrome, Safari or Edge, which means Google, Apple or Microsoft.

Apple Keychain is deeply integrated into the Apple ecosystem. It's not bad if you are a 100% Apple family.

Chrome and Edge are similar in that you can use them across different platforms *within the specific browser* like Chrome on mobile and desktop. But there are certain limitations - specifically, on mobile, they can't fill in apps. And not everything has biometrics.

But it does lack a lot of the functionality in dedicated password managers - things like digital legacy, password vault sharing, and the ability to deal with non-password information that needs to be kept safe.

1Password, for example, has dedicated form types for password data, crypto wallets, software license keys etc. I have my family's health insurance card info, passport data, etc. stored in there. I know MY social security number, but I would have to check my tax return to find my wife's.

They also do a better job of finding security weak spots. Edge and Safari will tell you if a password has been compromised. But a good password manager will go beyond that, telling you where you have reused the same passwords, where you have inactive 2FA, where you have weak passwords. (Assuming you are using the paid version - freebies generally don't get this).
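What that "weak spot" report does under the hood is mechanical, and worth seeing once; the following is an added example of my own (not softwaregeek's, and not any vendor's code) that runs the same three checks over a constructed CSV export in the generic name/url/username/password/totp shape. Reuse is found by grouping rows on the password, weakness by the 12-character floor used in this thread plus a charset-size entropy estimate, and breach exposure by the Have I Been Pwned k-anonymity scheme: only the first five hex characters of the SHA-1 are sent, and the suffix is matched locally. Here the HIBP range API is replaced by a constructed local mirror built from three made-up breached passwords with made-up counts, and "sites that offer 2FA" is a constructed set; both are assumptions, not data.

```python
"""Audit a password-manager CSV export for reuse, weak, breached and 2FA-less entries (added example)."""
import collections
import csv
import hashlib
import io
import math
from urllib.parse import urlparse

# Constructed export; these are not real accounts or real credentials.
SAMPLE_EXPORT = """name,url,username,password,totp
Bank,https://bank.example,alice,Correct-Horse-Battery-Staple-42,JBSWY3DPEHPK3PXP
Broker,https://broker.example,alice,Summer2019!,
Shop,https://shop.example,alice,Summer2019!,
Forum,https://forum.example,alice,password123,
Mail,https://mail.example,alice,xK9#mQ2$vL7@pR4wZn,
"""

# Constructed stand-in for breach data; counts are made up.
CONSTRUCTED_BREACHED = {"password123": 123456, "Summer2019!": 2000, "123456": 99999999}
# Constructed assumption: sites that offer TOTP, so a blank totp column is a finding.
TWOFA_CAPABLE = {"bank.example", "broker.example", "mail.example"}

MIN_LENGTH = 12     # the floor used in this thread
MIN_BITS = 60       # charset-estimate floor; an assumption, not a standard


def sha1_split(password):
    """HIBP k-anonymity split: 5-hex-char prefix (sent) and 35-char suffix (kept local)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def build_range_mirror(breached):
    """Build {prefix: ['SUFFIX:COUNT', ...]} in the shape the real /range/<prefix> endpoint returns."""
    mirror = collections.defaultdict(list)
    for pw, count in breached.items():
        prefix, suffix = sha1_split(pw)
        mirror[prefix].append(f"{suffix}:{count}")
    return mirror


_MIRROR = build_range_mirror(CONSTRUCTED_BREACHED)


def local_range_lookup(prefix):
    """Offline stand-in for GET https://api.pwnedpasswords.com/range/<prefix>."""
    return _MIRROR.get(prefix.upper(), [])


def hibp_count(password, range_lookup):
    """Return the breach count for password, or 0, matching the suffix locally."""
    prefix, suffix = sha1_split(password)
    for line in range_lookup(prefix):
        found_suffix, count = line.strip().split(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def estimate_bits(password):
    """Crude upper bound: length * log2(size of the character classes used)."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def is_weak(password):
    return len(password) < MIN_LENGTH or estimate_bits(password) < MIN_BITS


def audit(export_csv, range_lookup, twofa_capable):
    """Run all checks; findings name entries, never passwords."""
    rows = list(csv.DictReader(io.StringIO(export_csv)))
    by_password = collections.OrderedDict()
    for r in rows:
        by_password.setdefault(r["password"], []).append(r["name"])
    reused = [names for names in by_password.values() if len(names) > 1]
    weak = [r["name"] for r in rows if is_weak(r["password"])]
    breached = {}
    for r in rows:
        n = hibp_count(r["password"], range_lookup)
        if n:
            breached[r["name"]] = n
    missing_2fa = [
        r["name"] for r in rows
        if urlparse(r["url"]).hostname in twofa_capable and not r["totp"].strip()
    ]
    return {"reused": reused, "weak": weak, "breached": breached, "missing_2fa": missing_2fa}


if __name__ == "__main__":
    for kind, finding in audit(SAMPLE_EXPORT, local_range_lookup, TWOFA_CAPABLE).items():
        print(f"{kind}: {finding}")
```

Swapping `local_range_lookup` for a function that fetches the real range endpoint is the only change needed to run this against a live export; the prefix is all that leaves the machine. Note that the charset estimate is an upper bound: "Summer2019!" scores above 60 bits by that measure and is caught only by the length rule, which is the reason the audit applies both.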
gavinsiu
Posts: 1718
Joined: Sun Nov 14, 2021 11:42 am

Re: SoftwareGeek's Guide to Computer Security

Post by gavinsiu »

Mudpuppy wrote: Tue Dec 20, 2022 10:02 pm FYI, it could have been a fine motor control issue with your mother messing up typing the passwords. When I injured my neck, I had some temporary nerve damage that affected my hands and I had an extremely hard time properly typing my passwords. For example, my brain would say "hold the shift key" for a capital letter, but that wasn't getting through to my fingers. Mouse clicks and swipes on the smartphone were likewise frustrating during this time frame.

It's good you found something that works for her, but I just wanted to add this to the thread for those who may be dealing with similar issues. It's not always a cognitive issue. It could be a physical one as well. It's better to find the proper adaptive technology in these cases.
I think it's a physical issue. Her hands are damaged from factory work and the password field is hidden, so when she types, she can't see that she typed the wrong character. One solution would be to have her type it in Notepad and then copy and paste, but she does not understand copy and paste. Also typing slower will work, but she usually calls instead of typing slower. Having autofill keeps me sane.
gavinsiu
Posts: 1718
Joined: Sun Nov 14, 2021 11:42 am

Re: SoftwareGeek's Guide to Computer Security

Post by gavinsiu »

roamingzebra wrote: Tue Dec 20, 2022 7:00 pm softwaregeek and others,

Did you happen to see this thread? (not mine)

viewtopic.php?t=386701

This particular incident seemed incomplete in its description. I'd be interested in people's comments for this type of scenario in the context of the current thread.

And I wonder if it was dumb luck for the fraudster at Fidelity, or did he/she actually try pulling this at other financial institutions? I mean, would it play out as follows? When the CSR had no record of them, the fraudster would just say "Ooops, sorry! I meant to call my other brokerage!" and hurry up and hang up. That would be one bold fraudster.

Or would the fraudster realistically have had to have known their victim and known that they had an account at Fidelity?
Most people's information can be looked up or guessed. These were most likely targeted attacks. They appear to have had a lot of information ahead of time.

Due to improvement in security, a lot of hacks have shifted toward social engineering where they attack the human agent through trickery, so the scenario is plausible.

The voice verification is not an extra security feature the way Fidelity uses it. When you verify by voice, it will allow you to bypass certain checks. If you fail the voice print, all it does is drop you to a human operator. I have suggested that Fidelity increase their security level if someone fails voiceprint.