SoftwareGeek's Guide to Computer Security

WestCoastPhan
Posts: 424
Joined: Sun Apr 24, 2022 10:30 pm

Re: SoftwareGeek's Guide to Computer Security

Post by WestCoastPhan »

Thanks SoftwareGeek!

This thread convinced me -- after years of thinking "yeah, I should do that" -- to finally use a password manager. I created a Bitwarden account and spent a few hours creating new, randomly generated passwords for financial accounts.
DebiT
Posts: 995
Joined: Sat Dec 28, 2013 12:45 pm

Re: SoftwareGeek's Guide to Computer Security

Post by DebiT »

This thread also convinced me to use a Password Manager. I’m 65, and figure I won’t get smarter over time, so I went with my techie son’s recommendation for Keeper, since that is what he uses and I can share a folder of my passwords with him, which will make his life easier in the future, when I’m dead or perhaps less functional than now. However, I’m a reader of reviews and feel I learn a lot by doing so.

Seems like this thread ends up recommending 1password. Can anyone tell me how that would work for the purpose of sharing a folder of my passwords? And, am I right in thinking that 1password encrypts URLs where Keeper does not? Finally, did Keeper fix the problem that was referenced in their lawsuit? I care about that more than I care about how wise or not their public relations are.

In my position, would you switch password managers? FWIW, I don’t store my Google account or my banking or investment info in a manager. That’s a bright red line for me.
Age 66, life turned upside down 3/2/19, thanking God for what I've learned from this group. AA 40/60 for now, possibly changing at age 70.
StrongMBS
Posts: 67
Joined: Sat Jan 14, 2017 1:38 pm

Re: SoftwareGeek's Guide to Computer Security

Post by StrongMBS »

DebiT wrote: Tue Jan 03, 2023 11:28 am This thread also convinced me to use a Password Manager. I’m 65, and figure I won’t get smarter over time, so I went with my techie son’s recommendation for Keeper, since that is what he uses and I can share a folder of my passwords with him, which will make his life easier in the future, when I’m dead or perhaps less functional than now. However, I’m a reader of reviews and feel I learn a lot by doing so.

Seems like this thread ends up recommending 1password. Can anyone tell me how that would work for the purpose of sharing a folder of my passwords? And, am I right in thinking that 1password encrypts URLs where Keeper does not? Finally, did Keeper fix the problem that was referenced in their lawsuit? I care about that more than I care about how wise or not their public relations are.

In my position, would you switch password managers? FWIW, I don’t store my Google account or my banking or investment info in a manager. That’s a bright red line for me.
Where do you get the idea that Keeper does not encrypt URLs? That is one of the many LastPass indiscretions, but not Keeper's.

Here is a quote from this Keeper blog post https://www.keepersecurity.com/blog/202 ... ould-know/
“Keeper encrypts all vault data, including URLs and metadata, locally on the user’s device. Keeper’s cloud does not receive, store or process any plaintext vault information.”

According to the Security Week article cited above https://www.securityweek.com/keeper-sue ... tical-flaw “Keeper Security released a patch within 24 hours of the flaw being reported and there had been no evidence of exploitation in the wild. The vendor highlighted that the security hole only impacted the browser extension and not the Keeper desktop application.”
I am not sure how much faster of a response they could have had.

You will note that later in that article is this “While some members of the cybersecurity industry have taken Keeper Security’s side, saying that many of Goodin’s stories are sensationalized, most have sided with the reporter and believe the lawsuit will cause more damage to the company than the article.”

I happen to be on the side that thinks “many of Goodin’s stories are sensationalized”, and in this case that seems to be true, since the article, including the title, was changed in the end. I guess SoftwareGeek for some unexplained reason is on the other side, since he is still holding a grudge.

Keeper has many great features for sharing between users and has a great emergency access feature into your whole vault if needed. They are often cited in reviews as the most secure. Keeper was one of the first to allow FIDO security keys back around 2018 (which is why I use them), providing phishing-resistant MFA. They have a unique twist on how they use FIDO security keys. Where usual FIDO U2F has the password as the first factor and the key as the second factor, which allows your password to be compromised (FIDO U2F's dirty little secret), they have the key as the first factor and your password as the second factor, maintaining security on your all-important master password if you are being phished. Although I seldom if ever access my vault online, and if I do it is initiated from my desktop app. Their only downside right now is they are still not asking for your security key PIN if you have it. But then we would hear from all those people who had a PIN on their security key but forgot it, like what happened at Vanguard. Life is full of tradeoffs.
HawkeyePierce
Posts: 2352
Joined: Tue Mar 05, 2019 9:29 pm
Location: Colorado

Re: SoftwareGeek's Guide to Computer Security

Post by HawkeyePierce »

DebiT wrote: Tue Jan 03, 2023 11:28 am This thread also convinced me to use a Password Manager. I’m 65, and figure I won’t get smarter over time, so I went with my techie son’s recommendation for Keeper, since that is what he uses and I can share a folder of my passwords with him, which will make his life easier in the future, when I’m dead or perhaps less functional than now. However, I’m a reader of reviews and feel I learn a lot by doing so.

Seems like this thread ends up recommending 1password. Can anyone tell me how that would work for the purpose of sharing a folder of my passwords? And, am I right in thinking that 1password encrypts URLs where Keeper does not? Finally, did Keeper fix the problem that was referenced in their lawsuit? I care about that more than I care about how wise or not their public relations are.

In my position, would you switch password managers? FWIW, I don’t store my Google account or my banking or investment info in a manager. That’s a bright red line for me.
Nobody should trust a company that sues security researchers. I wouldn't touch Keeper with a ten foot pole.
Northern Flicker
Posts: 15366
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

DebiT wrote: This thread also convinced me to use a Password Manager. I’m 65, and figure I won’t get smarter over time, so I went with my techie son’s recommendation for Keeper, since that is what he uses and I can share a folder of my passwords with him, which will make his life easier in the future, when I’m dead or perhaps less functional than now.
Sharing passwords generally is the wrong way to do that. Durable power of attorney while you are alive, and a will that names an executor for your estate are the way to accomplish this. Many brokers and fund companies have their own form for de facto power of attorney privileges.

People named for these roles will get their own account to use with the privileges you choose to grant to them.

Sharing your password may run afoul of financial service provider policies, which could weaken your legal standing if your account is breached.
DebiT
Posts: 995
Joined: Sat Dec 28, 2013 12:45 pm

Re: SoftwareGeek's Guide to Computer Security

Post by DebiT »

Northern Flicker wrote: Tue Jan 03, 2023 10:48 pm
DebiT wrote: This thread also convinced me to use a Password Manager. I’m 65, and figure I won’t get smarter over time, so I went with my techie son’s recommendation for Keeper, since that is what he uses and I can share a folder of my passwords with him, which will make his life easier in the future, when I’m dead or perhaps less functional than now.
Sharing passwords generally is the wrong way to do that. Durable power of attorney while you are alive, and a will that names an executor for your estate are the way to accomplish this. Many brokers and fund companies have their own form for de facto power of attorney privileges.

People named for these roles will get their own account to use with the privileges you choose to grant to them.

Sharing your password may run afoul of financial service provider policies, which could weaken your legal standing if your account is breached.
I'm not sharing banking or investment passwords. Those things are handled by POAs.
Age 66, life turned upside down 3/2/19, thanking God for what I've learned from this group. AA 40/60 for now, possibly changing at age 70.
Northern Flicker
Posts: 15366
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

StrongMBS wrote: Where usual FIDO U2F has the password as the first factor and the key as the second factor which allows your password to be compromised (FIDO U2F dirty little secret). They have the key as the first factor and your password as the second factor, maintaining security on your all-important master password if you are being phished.
Better yet, ditch the password altogether. Challenge-response authentication is a robust protocol that replaces password authentication. Add a YubiKey PIN and, if desired, 2FA to that.
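The challenge-response exchange described above, as an added illustration that is not part of the thread: the server keeps a shared secret registered by the device, sends a fresh random challenge at login, and checks the device's HMAC over it. The secret never crosses the wire, and a captured answer cannot be replayed because each challenge is single use. The `Server` class, `device_respond` helper and in-memory key store are all constructed for this example.

```python
"""Keyed challenge-response login: no password is sent or stored in plaintext."""
import hashlib
import hmac
import secrets


class Server:
    """Verifier side. Holds one shared secret per user (constructed, in-memory)."""

    def __init__(self):
        self.keys = {}      # user -> shared secret bytes
        self.pending = {}   # user -> outstanding challenge, at most one at a time
        self.used = set()   # challenges already consumed, so a replay cannot succeed

    def register(self, user, key):
        self.keys[user] = key

    def challenge(self, user):
        """Issue a fresh 256-bit random challenge; replaces any earlier one."""
        c = secrets.token_bytes(32)
        self.pending[user] = c
        return c

    def verify(self, user, challenge, response):
        """Accept only a response to the currently outstanding, unused challenge."""
        if user not in self.keys:
            return False
        if self.pending.get(user) != challenge or challenge in self.used:
            return False
        # Consume the challenge before checking, so it is single use either way.
        self.used.add(challenge)
        del self.pending[user]
        expected = hmac.new(self.keys[user], challenge, hashlib.sha256).digest()
        # Constant-time compare avoids leaking how many bytes matched.
        return hmac.compare_digest(expected, response)


def device_respond(key, challenge):
    """Prover side: answer the challenge with HMAC-SHA256 under the shared key."""
    return hmac.new(key, challenge, hashlib.sha256).digest()


def demo():
    """Run one honest login, then a replay of its response; returns (ok, replay_ok)."""
    server = Server()
    key = secrets.token_bytes(32)
    server.register("alice", key)

    c1 = server.challenge("alice")
    r1 = device_respond(key, c1)
    ok = server.verify("alice", c1, r1)

    # An eavesdropper who captured (c1, r1) tries again on a new login attempt.
    server.challenge("alice")
    replay_ok = server.verify("alice", c1, r1)
    return ok, replay_ok


if __name__ == "__main__":
    print(demo())  # (True, False)
```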
crinkles2
Posts: 244
Joined: Fri Nov 28, 2014 7:18 pm

Re: SoftwareGeek's Guide to Computer Security

Post by crinkles2 »

DebiT wrote: Tue Jan 03, 2023 11:28 am This thread also convinced me to use a Password Manager. I’m 65, and figure I won’t get smarter over time, so I went with my techie son’s recommendation for Keeper, since that is what he uses and I can share a folder of my passwords with him, which will make his life easier in the future, when I’m dead or perhaps less functional than now. However, I’m a reader of reviews and feel I learn a lot by doing so.

Seems like this thread ends up recommending 1password. Can anyone tell me how that would work for the purpose of sharing a folder of my passwords? And, am I right in thinking that 1password encrypts URLs where Keeper does not? Finally, did Keeper fix the problem that was referenced in their lawsuit? I care about that more than I care about how wise or not their public relations are.

In my position, would you switch password managers? FWIW, I don’t store my Google account or my banking or investment info in a manager. That’s a bright red line for me.
My 78 year old mother uses Dashlane, and I think she came to the conclusion she needed one without my input. I think that's great.
Everest1
Posts: 45
Joined: Wed Oct 06, 2021 6:15 am

Re: SoftwareGeek's Guide to Computer Security

Post by Everest1 »

What is your opinion regarding Malwarebytes?
Eero Plus gives a bundle with Malwarebytes and 1Pass and a bunch of other things.
Do you think it would be a good deal?

Are the above necessary above and beyond the security suites offered by Spectrum or ATT?

Thanks.
Topic Author
softwaregeek
Posts: 951
Joined: Wed May 08, 2019 8:59 pm

Re: SoftwareGeek's Guide to Computer Security

Post by softwaregeek »

Everest1 wrote: Wed Jan 04, 2023 6:37 am What is your opinion regarding Malwarebytes?
Eero Plus gives a bundle with Malwarebytes and 1Pass and a bunch of other things.
Do you think it would be a good deal?

Are the above necessary above and beyond the security suites offered by Spectrum or ATT?

Thanks.
All of the brand name antivirus is so good these days that you probably can get whichever is cheapest. There is a German organization that tests every few months. Link is below. I just pick whichever one has a Black Friday special on NewEgg or Amazon. This year I am using ESET, last year McAfee, the year before was Norton. Usually something is on sale cheap that week.

https://www.av-test.org/en/antivirus/ho ... ober-2022/
tm3
Posts: 779
Joined: Wed Dec 24, 2014 6:16 pm

Re: SoftwareGeek's Guide to Computer Security

Post by tm3 »

Thanks for starting this thread, and thanks for all that have contributed! A while back, info on this www site prompted me to get a PW manager and I have since sold several family members on the idea. The current thread has been a springboard for investigating what I may need to do to tighten things up even more. I’ve done online research, watched some stuff on YouTube, and feel like I have learned a lot. The security issue seems to be a continuum along which one needs to find an acceptable balance of convenience, and “tough enough.”

I have a few questions:

1) Looks like the first thing I need to do is stop using my ISP email (Spectrum). I already have a Gmail account that is rarely used and that I can shift over to, but since a time investment is going to be required anyway I don’t mind setting up Proton or Tutanota or similar. However, many of the “reviews” I see seem to be thinly veiled advertisements. These services offer encryption, which to me seems overkill for every email one sends, plus it is my understanding that once the encrypted email gets to the recipient’s, say, Yahoo server and gets unencrypted, then the value of encryption is gone. Am I missing something that makes Proton or Tutanota significantly better than Gmail?

2) Will the NFC of Yubikeys work through protective phone cases such as Otterbox? If not, YK is a no go for me. I asked Yubico and they said they didn’t know. I’m reluctant to use Authy as I feel like I’m already too tied to my phone and would have a problem if the phone is lost, stolen, stops working, etc.

3) How does one strike a secure/remember balance for the PW used to unlock one’s computer? Can’t use a PW manager, and it seems like an easy to remember phrase like whiteduck007 could be easily broken. My laptop could get stolen during a snatch and grab and then cracked into later.

4) Gmail offers an Advanced Protection plan. Is it possible to have AP set for one Gmail account, and keep another non-AP Gmail account for "casual" use?

Thanks!
Sagefemme
Posts: 352
Joined: Mon Mar 12, 2018 9:31 pm

Re: SoftwareGeek's Guide to Computer Security

Post by Sagefemme »

I took the leap and started a free 14 day trial of 1Password. So far I am having mixed results; sometimes I use it to change to a better password without any issues, and sometimes I have run into real problems. For example, when signing into a website where I want to change my password to a 1P generated random password, the "enter new password" and "confirm new password" fields don't match, even when they have both been autofilled by 1P! How can this be? Also it sometimes generates passwords that don't meet the requirements of the website, and then I have to fiddle with it to get an acceptable password. With some websites you don't find out what the password requirements are until after you have attempted to change to an unacceptable password. Another issue I have is that prompts from 1P to "save" come up constantly, after every field you fill in on a website, and if you say "yes" each time prompted you end up with multiple logins for the same website. Confusing for a new user. Also between the browser extension, the desktop app itself, and the mobile phone version, I can't tell what version of 1P to use when.

Despite all this (and I'm hoping maybe the latest version of 1Password is just buggy and it will all get fixed?) I'm going to keep trying, since there seem to be many happy users of this product. I wonder if also 1Password is overwhelmed right now with the large numbers of new users, many of whom are switching to 1P from LastPass.
tm3
Posts: 779
Joined: Wed Dec 24, 2014 6:16 pm

Re: SoftwareGeek's Guide to Computer Security

Post by tm3 »

Sagefemme wrote: Thu Jan 05, 2023 10:45 am I took the leap and started a free 14 day trial of 1Password. So far I am having mixed results; sometimes I use it to change to a better password without any issues, and sometimes I have run into real problems. For example, when signing into a website where I want to change my password to a 1P generated random password, the "enter new password" and "confirm new password" fields don't match, even when they have both been autofilled by 1P! How can this be? Also it sometimes generates passwords that don't meet the requirements of the website, and then I have to fiddle with it to get an acceptable password. With some websites you don't find out what the password requirements are until after you have attempted to change to an unacceptable password. Another issue I have is that prompts from 1P to "save" come up constantly, after every field you fill in on a website, and if you say "yes" each time prompted you end up with multiple logins for the same website. Confusing for a new user. Also between the browser extension, the desktop app itself, and the mobile phone version, I can't tell what version of 1P to use when.

Despite all this (and I'm hoping maybe the latest version of 1Password is just buggy and it will all get fixed?) I'm going to keep trying, since there seem to be many happy users of this product. I wonder if also 1Password is overwhelmed right now with the large numbers of new users, many of whom are switching to 1P from LastPass.
I used 1Password and Bitwarden for a couple of weeks to see which I preferred. I didn't have the problems that you mention, but I liked the Bitwarden interface better and I can't see how 1P is worth an additional $50/year.
Copper John
Posts: 251
Joined: Tue Jan 11, 2011 11:31 am

Re: SoftwareGeek's Guide to Computer Security

Post by Copper John »

Sagefemme your issue with the website not accepting your confirmation password is likely not a 1Password issue. I ran into the same problem recently when trying to change my brokerage password.

I copy and pasted the new password into the initial field and it was accepted. I would then try to paste it into the confirmation field and it would not work. No error message, but the submit button would just be greyed out. I finally just typed the new password in the confirmation field after pasting it in the initial field and it worked. The website obviously required me to type in the confirmation field, but did not clearly state this requirement.
twh
Posts: 1775
Joined: Sat Feb 08, 2020 2:15 pm

Re: SoftwareGeek's Guide to Computer Security

Post by twh »

Protect access to your email with FIDO security keys.
Don't reuse any passwords.
Don't write down or store any brokerage passwords -- memorize only.
Don't use real answers for "security questions".
Use Quicken or equivalent to stay up-to-date on daily transactions.
Utilize one of the free credit monitoring offers you get due to this breach or that breach.
ThereAreNoGurus
Posts: 970
Joined: Fri Jan 24, 2014 10:41 pm

Re: SoftwareGeek's Guide to Computer Security

Post by ThereAreNoGurus »

Copper John wrote: Thu Jan 05, 2023 11:11 am
I copy and pasted the new password into the initial field and it was accepted. I would then try to paste it into the confirmation field and it would not work. No error message, but the submit button would just be greyed out. I finally just typed the new password in the confirmation field after pasting it in the initial field and it worked. The website obviously required me to type in the confirmation field, but did not clearly state this requirement.
When that happens to me, rather than typing the entire password, I copy/paste it, go to the end of the password confirmation field, press the space bar which then activates the submit button, and then hit the backspace key so the blank character is not transmitted. That's always worked for me.
Trade the news and you will lose.
Copper John
Posts: 251
Joined: Tue Jan 11, 2011 11:31 am

Re: SoftwareGeek's Guide to Computer Security

Post by Copper John »

ThereAreNoGurus wrote: Thu Jan 05, 2023 11:31 am
Copper John wrote: Thu Jan 05, 2023 11:11 am
I copy and pasted the new password into the initial field and it was accepted. I would then try to paste it into the confirmation field and it would not work. No error message, but the submit button would just be greyed out. I finally just typed the new password in the confirmation field after pasting it in the initial field and it worked. The website obviously required me to type in the confirmation field, but did not clearly state this requirement.
When that happens to me, rather than typing the entire password, I copy/paste it, go to the end of the password confirmation field, press the space bar which then activates the submit button, and then hit the backspace key so the blank character is not transmitted. That's always worked for me.
That is a good work around to save me from having to type in very long complex passwords. Will give it a try the next time I run into this problem.
Topic Author
softwaregeek
Posts: 951
Joined: Wed May 08, 2019 8:59 pm

Re: SoftwareGeek's Guide to Computer Security

Post by softwaregeek »

Sagefemme wrote: Thu Jan 05, 2023 10:45 am I took the leap and started a free 14 day trial of 1Password. So far I am having mixed results; sometimes I use it to change to a better password without any issues, and sometimes I have run into real problems. For example, when signing into a website where I want to change my password to a 1P generated random password, the "enter new password" and "confirm new password" fields don't match, even when they have both been autofilled by 1P! How can this be? Also it sometimes generates passwords that don't meet the requirements of the website, and then I have to fiddle with it to get an acceptable password. With some websites you don't find out what the password requirements are until after you have attempted to change to an unacceptable password. Another issue I have is that prompts from 1P to "save" come up constantly, after every field you fill in on a website, and if you say "yes" each time prompted you end up with multiple logins for the same website. Confusing for a new user. Also between the browser extension, the desktop app itself, and the mobile phone version, I can't tell what version of 1P to use when.

Despite all this (and I'm hoping maybe the latest version of 1Password is just buggy and it will all get fixed?) I'm going to keep trying, since there seem to be many happy users of this product. I wonder if also 1Password is overwhelmed right now with the large numbers of new users, many of whom are switching to 1P from LastPass.
You can switch the entry that gets updated by clicking around the title. Shouldn't get multiple items that way. It will also update the website address that way.
Gadget
Posts: 1026
Joined: Fri Mar 17, 2017 1:38 pm

Re: SoftwareGeek's Guide to Computer Security

Post by Gadget »

DebiT wrote: Tue Jan 03, 2023 11:27 pm
Northern Flicker wrote: Tue Jan 03, 2023 10:48 pm
DebiT wrote: This thread also convinced me to use a Password Manager. I’m 65, and figure I won’t get smarter over time, so I went with my techie son’s recommendation for Keeper, since that is what he uses and I can share a folder of my passwords with him, which will make his life easier in the future, when I’m dead or perhaps less functional than now.
Sharing passwords generally is the wrong way to do that. Durable power of attorney while you are alive, and a will that names an executor for your estate are the way to accomplish this. Many brokers and fund companies have their own form for de facto power of attorney privileges.

People named for these roles will get their own account to use with the privileges you choose to grant to them.

Sharing your password may run afoul of financial service provider policies, which could weaken your legal standing if your account is breached.
I'm not sharing banking or investment passwords. Those things are handled by POAs.
In case you want an actual answer instead of just people telling you not to share passwords...

Pretty much the only reason I recommend 1Password over Bitwarden is for the ease of sharing passwords. I found the Bitwarden method clunky to setup and use for my family. For a single person, last I tested, Bitwarden was just as good as 1Password.

In 1Password, you can create different vaults. Let's say you have a Private vault, Shared vault, Wife Vault, and Husband vault (this is what I do). The Private vault has passwords that I don't need to ever share, like my bogleheads password (wife would never care). The Shared vault has passwords that we both use, like the account we use to login and register for our kids sports. The Husband vault has passwords that I generally only use, but I share access with my spouse just in case. Financial passwords go there for me. The spouse vault usually contains all her passwords, just so I can help her if she has trouble logging in to something.

The nice thing about 1Password is that I can change the default display list on a vault by vault basis. So in my case, I only default to my Private, Husband, and Shared vaults. The Wife vault is not displayed by default, but if needed I can display those passwords too. Private vaults are always private and can't be viewed by the other, so really the only spousal training required is to remind them not to save their passwords there unless they really mean for it to be private.

To be fair, Bitwarden was just starting out with shared vaults/folders when I last tried it years ago. Maybe it's better now.
increment
Posts: 1736
Joined: Tue May 15, 2018 2:20 pm

Re: SoftwareGeek's Guide to Computer Security

Post by increment »

tm3 wrote: Thu Jan 05, 2023 10:20 am 2) Will the NFC of Yubikeys work through protective phone cases such as Otterbox?
My Yubikey works when I (briefly) hold it to the iPhone's screen. I use an Otterbox but my model doesn't cover the screen.
Northern Flicker
Posts: 15366
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

softwaregeek wrote: Thu Jan 05, 2023 1:30 am
Everest1 wrote: Wed Jan 04, 2023 6:37 am What is your opinion regarding Malwarebytes?
Eero Plus gives a bundle with Malwarebytes and 1Pass and a bunch of other things.
Do you think it would be a good deal?

Are the above necessary above and beyond the security suites offered by Spectrum or ATT?

Thanks.
All of the brand name antivirus is so good these days that you probably can get whichever is cheapest. There is a German organization that tests every few months. Link is below. I just pick whichever one has a Black Friday special on NewEgg or Amazon. This year I am using ESET, last year McAfee, the year before was Norton. Usually something is on sale cheap that week.

https://www.av-test.org/en/antivirus/ho ... ober-2022/
On a Windows box, I think it is best to use Windows Defender. 3rd party AV software runs with elevated privileges. Installing such an app is invasive, and expands the attack surface unnecessarily.
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: SoftwareGeek's Guide to Computer Security

Post by Mudpuppy »

tm3 wrote: Thu Jan 05, 2023 10:20 am 1) Looks like the first thing I need to do is stop using my ISP email (Spectrum). I already have a Gmail account that is rarely used and that I can shift over to, but since a time investment is going to be required anyway I don’t mind setting up Proton or Tutanota or similar. However, many of the “reviews” I see seem to be thinly veiled advertisements. These services offer encryption, which to me seems overkill for every email one sends, plus it is my understanding that once the encrypted email gets to the recipient’s, say, Yahoo server and gets unencrypted, then the value of encryption is gone. Am I missing something that makes Proton or Tutanota significantly better than Gmail?
You can keep Spectrum for everyday use. You don't have to secure all of your email communications, just the critical ones like financial accounts. But you should change the password on the account through the web interface: https://self-care.portals.spectrum.net/login.
tm3 wrote: Thu Jan 05, 2023 10:20 am 2) Will the NFC of Yubikeys work through protective phone cases such as Otterbox? If not, YK is a no go for me. I asked Yubico and they said they didn’t know. I’m reluctant to use Authy as I feel like I’m already too tied to my phone and would have a problem if the phone is lost, stolen, stops working, etc.
In general, NFC should work through any TPU, plastic, rubber, or similar material cases. Metal cases might interfere with NFC, as would cases specifically designed to block tap-to-pay (which is NFC). If you don't use tap-to-pay, then check the specs and reviews for your specific case to see what they say.
tm3 wrote: Thu Jan 05, 2023 10:20 am 3) How does one strike a secure/remember balance for the PW used to unlock one’s computer? Can’t use a PW manager, and it seems like an easy to remember phrase like whiteduck007 could be easily broken. My laptop could get stolen during a snatch and grab and then cracked into later.
Use the same techniques that you use for the password locker master password, such as using a password phrase generated by Diceware or a password phrase created from a series of pronounceable passwords. You might need to write it down to begin with, and that's okay as long as you secure the paper, like putting it in a locked cabinet or a home safe. Just don't put it in the laptop or laptop bag. Putting the paper in your wallet might also work, although this method is prone to being taken with the laptop during a mugging; but if your area is low on such crime, you should be fine while you're memorizing the password (then move it to a locked cabinet or safe once you've memorized it). You should be able to memorize it after a few weeks or so of logging in regularly.
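The Diceware approach recommended above, as an added example that is not part of the thread: a CSPRNG-based passphrase generator with an entropy estimate, alongside the estimate for a "two words plus three digits" password of the whiteduck007 kind. The `WORDS` list is a constructed stand-in (a real Diceware list has 7776 entries, which is why `DICEWARE_LIST_SIZE` is passed separately), and the dictionary size and guess rate in the comparison are assumptions for illustration.

```python
"""Diceware-style passphrase generation and a rough strength comparison."""
import math
import secrets

# Constructed stand-in wordlist for the demo; a real Diceware list has 6**5 words
# indexed by five dice rolls. Only its size matters for the entropy figure.
WORDS = ["white", "duck", "marble", "canyon", "tulip", "anchor",
         "velvet", "pepper", "orbit", "lantern", "gravel", "copper"]
DICEWARE_LIST_SIZE = 6 ** 5  # 7776

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def diceware_phrase(n_words=6, wordlist=WORDS, sep=" "):
    """Choose n_words uniformly at random using the secrets module (not random),
    which is what makes the entropy estimate below actually hold."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_words, list_size):
    """Entropy of n words drawn uniformly and independently from list_size words.
    Six words from a 7776-word list give about 77.5 bits."""
    return n_words * math.log2(list_size)


def pattern_entropy_bits(n_words, dictionary_size, n_digits):
    """Entropy of a 'word+word+digits' password, assuming the attacker already
    knows that pattern: each word from a common-word dictionary of
    dictionary_size entries and each digit from 0-9. Two words from a
    10,000-word dictionary plus three digits give about 36.5 bits."""
    return n_words * math.log2(dictionary_size) + n_digits * math.log2(10)


def years_to_search(bits, guesses_per_second):
    """Expected time to hit the password by exhaustive guessing at a fixed rate
    (half the keyspace on average). The rate is an assumption: an offline
    attack on a stolen disk can be many orders of magnitude faster than an
    online login form that throttles attempts."""
    return (2 ** bits / 2) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    rate = 1e10  # assumed offline guess rate, guesses per second
    print("example phrase:", diceware_phrase())
    print("6 Diceware words: %.1f bits, ~%.0f years" % (
        entropy_bits(6, DICEWARE_LIST_SIZE),
        years_to_search(entropy_bits(6, DICEWARE_LIST_SIZE), rate)))
    print("word+word+3 digits: %.1f bits, ~%.3f years" % (
        pattern_entropy_bits(2, 10_000, 3),
        years_to_search(pattern_entropy_bits(2, 10_000, 3), rate)))
```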
eukonomos
Posts: 253
Joined: Mon Jan 01, 2018 1:26 pm

Re: SoftwareGeek's Guide to Computer Security

Post by eukonomos »

Mudpuppy wrote: Thu Jan 05, 2023 2:42 pm ...
tm3 wrote: Thu Jan 05, 2023 10:20 am 3) How does one strike a secure/remember balance for the PW used to unlock one’s computer? Can’t use a PW manager, and it seems like an easy to remember phrase like whiteduck007 could be easily broken. My laptop could get stolen during a snatch and grab and then cracked into later.
Use the same techniques that you use for the password locker master password, such as using a password phrase generated by Diceware or a password phrase created from a series of pronounceable passwords. You might need to write it down to begin with, and that's okay as long as you secure the paper, like putting it in a locked cabinet or a home safe. Just don't put it in the laptop or laptop bag. Putting the paper in your wallet might also work, although this method is prone to being taken with the laptop during a mugging; but if your area is low on such crime, you should be fine while you're memorizing the password (then move it to a locked cabinet or safe once you've memorized it). You should be able to memorize it after a few weeks or so of logging in regularly.
And that locked cabinet or safe (after you've memorized it) should be accessible to your survivors or those helping in the event of your incapacity.
Topic Author
softwaregeek
Posts: 951
Joined: Wed May 08, 2019 8:59 pm

Re: SoftwareGeek's Guide to Computer Security

Post by softwaregeek »

Mudpuppy wrote: Thu Jan 05, 2023 2:42 pm
tm3 wrote: Thu Jan 05, 2023 10:20 am 1) Looks like the first thing I need to do is stop using my ISP email (Spectrum). I already have a Gmail account that is rarely used and that I can shift over to, but since a time investment is going to be required anyway I don’t mind setting up Proton or Tutanota or similar. However, many of the “reviews” I see seem to be thinly veiled advertisements. These services offer encryption, which to me seems overkill for every email one sends; plus it is my understanding that once the encrypted email gets to the recipient’s (say, Yahoo) server and gets decrypted, then the value of encryption is gone. Am I missing something that makes Proton or Tutanota significantly better than Gmail?
You can keep Spectrum for everyday use. You don't have to secure all of your email communications, just the critical ones like financial accounts. But you should change the password on the account through the web interface: https://self-care.portals.spectrum.net/login.
tm3 wrote: Thu Jan 05, 2023 10:20 am 2) Will the NFC of Yubikeys work through protective phone cases such as Otterbox? If not, YK is a no go for me. I asked Yubico and they said they didn’t know. I’m reluctant to use Authy as I feel like I’m already too tied to my phone and would have a problem if the phone is lost, stolen, stops working, etc.
In general, NFC should work through any TPU, plastic, rubber, or similar material cases. Metal cases might interfere with NFC, as would cases specifically designed to block tap-to-pay (which is NFC). If you don't use tap-to-pay, then check the specs and reviews for your specific case to see what they say.
tm3 wrote: Thu Jan 05, 2023 10:20 am 3) How does one strike a secure/remember balance for the PW used to unlock one’s computer? Can’t use a PW manager, and it seems like an easy to remember phrase like whiteduck007 could be easily broken. My laptop could get stolen during a snatch and grab and then cracked into later.
Use the same techniques that you use for the password locker master password, such as using a password phrase generated by Diceware or a password phrase created from a series of pronounceable passwords. You might need to write it down to begin with, and that's okay as long as you secure the paper, like putting it in a locked cabinet or a home safe. Just don't put it in the laptop or laptop bag. Putting the paper in your wallet might also work, although this method is prone to being taken with the laptop during a mugging; but if your area is low on such crime, you should be fine while you're memorizing the password (then move it to a locked cabinet or safe once you've memorized it). You should be able to memorize it after a few weeks or so of logging in regularly.
I'm going to respectfully disagree with the answers to #1 and #3 here.

For #1:

I know a bit about email security. I have seen the foul garbage sold to places like Spectrum and other cable companies. Here is how it is sold: They run the antispam and antiphishing in their own datacenter, and they are promised daily updates. The selling proposition is that the product requires fewer expensive servers to process the bare minimum acceptable antispam capability to the cable company. Yahoo mail also falls into this category, or at least they did five years ago, and I doubt it has improved.

Better: The standard corporate stuff from major specialist security vendors. Consumer products like Apple, Google, and Microsoft (Free tier) fall into this category, as well as basic O365 commercial paid license with Exchange Online Protection. The corporate stuff has more bells and whistles, and some additional business use cases, but generally runs off the same threat database as the consumer products.

Best: The standard tier plus advanced threat protection, as provided by specialist corporate security vendors. Microsoft (with the Advanced Threat Protection module add-on) matches on features and is almost, but not quite, as good as the specialists in effectiveness. Also, paid O365 (personal and family), which is the only product targeted at the home market that includes these features that I am aware of. In this category, you should expect sandboxed URL and attachment defense. You should be able to tell if you have this because URLs will be rewritten and attachments will probably be delayed by a few minutes longer than other email. This tier also generally includes specialist features and add-ons for various business cases which don't apply to individuals. Large corporations will pay in the range of $15-25 per year extra for this service on top of the price for standard email protection.

In the picture below (Microsoft, but all of them work the same way) you can see the risky stuff getting pulled out of the email stream. Then it gets sent to a sandbox where attachments are opened and links are clicked, in a fake computer environment. From the inside, the software looks like a badly secured, unpatched corporate computer. From the outside, it is one of hundreds of containers running on a giant server which monitors and inspects every container minutely. When a dangerous attachment is clicked, the server watches what it does and reports back, and adds that particular attachment to the blocklist.

Image

For #3:
I disagree that you need to (or should) make it that hard to get into your computer. It is likely that if you were to die or become incapacitated, someone like your executor might need to get into your computer. Plus, most devices can be remotely wiped these days. Even Windows!
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: SoftwareGeek's Guide to Computer Security

Post by Mudpuppy »

softwaregeek wrote: Thu Jan 05, 2023 5:03 pm I'm going to respectfully disagree with the answers to #1 and #3 here.
Re #1, note that I said for everyday use. I don't really care if an attacker gets into the email where coupons are delivered, or the daily inspirational quote comes in, or someone is reporting a crash in my old MUD, or so on. Such mundane emails do not need Fort Knox protections, and they don't really get an attacker anywhere further into my digital life. If one is already committed to the idea of having multiple email accounts, one should also decide which online accounts should be associated with protected email accounts and which are so mundane as to be non-critical and can still go to the ISP account.

Re #3, an executor should not be guessing passwords or need access to the deceased's computer to gain access to the deceased's accounts. They should follow the established procedures to bring the accounts and other digital assets into the estate, to assume authority over the trust if those accounts are trust accounts, and so on. As for pictures or similar personal digital items (instead of online accounts), one should set up a methodology to share them with one's heirs that does not require sharing passwords or using an easy-to-crack local password. For example, one could set up a shared cloud storage folder or an unencrypted external drive for such purposes.

Edit: Forgot the incapacitated part of #3. I definitely don't want someone digging through my computer just because I'm in the hospital. That's such a violation of privacy. There are other methodologies for providing access to one's financial affairs while incapacitated than letting loved ones rifle through a computer. One should again plan for such possibilities and communicate those plans with one's loved ones.
Last edited by Mudpuppy on Thu Jan 05, 2023 6:15 pm, edited 1 time in total.
Sagefemme
Posts: 352
Joined: Mon Mar 12, 2018 9:31 pm

Re: SoftwareGeek's Guide to Computer Security

Post by Sagefemme »

Copper John wrote: Thu Jan 05, 2023 11:55 am
ThereAreNoGurus wrote: Thu Jan 05, 2023 11:31 am
Copper John wrote: Thu Jan 05, 2023 11:11 am
I copied and pasted the new password into the initial field and it was accepted. I would then try to paste it into the confirmation field and it would not work. No error message, but the submit button would just be greyed out. I finally just typed the new password in the confirmation field after pasting it in the initial field and it worked. The website obviously required me to type in the confirmation field, but did not clearly state this requirement.
When that happens to me, rather than typing the entire password, I copy/paste it, go to the end of the password confirmation field, press the space bar which then activates the submit button, and then hit the backspace key so the blank character is not transmitted. That's always worked for me.
That is a good workaround to save me from having to type in very long complex passwords. Will give it a try the next time I run into this problem.
Some of the passwords/websites I've updated worked flawlessly, both "new password" and "confirm" fields autofilled by 1P, no copying, cutting or pasting. That's what I'm trying to understand--what is going on when it doesn't work as I expect. I think I am slowly getting the hang of it. I'm changing all my critical passwords first. Although I did do Bogleheads pretty early on :happy
jayjayc
Posts: 641
Joined: Tue Jun 25, 2013 11:38 pm

Re: SoftwareGeek's Guide to Computer Security

Post by jayjayc »

softwaregeek wrote: Thu Jan 05, 2023 5:03 pm I know a bit about email security.
Which tier would you place free gmail with Advanced Protection?

https://landing.google.com/advancedprotection/
tm3
Posts: 779
Joined: Wed Dec 24, 2014 6:16 pm

Re: SoftwareGeek's Guide to Computer Security

Post by tm3 »

increment wrote: Thu Jan 05, 2023 1:07 pm
tm3 wrote: Thu Jan 05, 2023 10:20 am 2) Will the NFC of Yubikeys work through protective phone cases such as Otterbox?
My Yubikey works when I (briefly) hold it to the iPhone's screen. I use an Otterbox but my model doesn't cover the screen.
Thanks! I have a screen protector, in addition to the OtterBox, but it should work through that. For some reason I thought that NFC had to go through the back of the phone.

I still have to decide if the extra security is worth it. Last time around I concluded that with Bitwarden, a very strong master access password, and strong passwords stored in BW that hacking odds would be very, very small.
tm3
Posts: 779
Joined: Wed Dec 24, 2014 6:16 pm

Re: SoftwareGeek's Guide to Computer Security

Post by tm3 »

softwaregeek wrote: Thu Jan 05, 2023 5:03 pm
Mudpuppy wrote: Thu Jan 05, 2023 2:42 pm

Better: The standard corporate stuff from major specialist security vendors.

Best: The standard tier plus advanced threat protection, as provided by specialist corporate security vendors.

In the picture below (Microsoft, but all of them work the same way)


Thanks, softwaregeek and mudpuppy!

I'm going to have to think some more about the computer login. If in fact a whiteduck007-type PW is as easily hackable as a 3-letter PW, then it seems that something more secure is definitely indicated, as getting into the stolen laptop could really hand over the keys to the kingdom. OTOH, the memory challenge and typo challenge of a 4-unrelated-word PW is not to be taken lightly. Food for thought.

I'm not familiar with the Microsoft products. Are O365, Microsoft Advanced Protection, and Google Advanced Protection roughly comparable at the consumer level?

As an aside, can someone comment on the advantage of having financial email in a separate, perhaps more secure account? I've gone back and reviewed email communications from financial institutions and don't see anything there that could be used by a hacker, so it seems that unless they can get into Bitwarden they are stymied. What am I missing?
HawkeyePierce
Posts: 2352
Joined: Tue Mar 05, 2019 9:29 pm
Location: Colorado

Re: SoftwareGeek's Guide to Computer Security

Post by HawkeyePierce »

tm3 wrote: Fri Jan 06, 2023 8:06 am
softwaregeek wrote: Thu Jan 05, 2023 5:03 pm
Mudpuppy wrote: Thu Jan 05, 2023 2:42 pm

Better: The standard corporate stuff from major specialist security vendors.

Best: The standard tier plus advanced threat protection, as provided by specialist corporate security vendors.

In the picture below (Microsoft, but all of them work the same way)


Thanks, softwaregeek and mudpuppy!

I'm going to have to think some more about the computer login. If in fact a whiteduck007-type PW is as easily hackable as a 3-letter PW, then it seems that something more secure is definitely indicated, as getting into the stolen laptop could really hand over the keys to the kingdom. OTOH, the memory challenge and typo challenge of a 4-unrelated-word PW is not to be taken lightly. Food for thought.

I'm not familiar with the Microsoft products. Are O365, Microsoft Advanced Protection, and Google Advanced Protection roughly comparable at the consumer level?

As an aside, can someone comment on the advantage of having financial email in a separate, perhaps more secure account? I've gone back and reviewed email communications from financial institutions and don't see anything there that could be used by a hacker, so it seems that unless they can get into Bitwarden they are stymied. What am I missing?
There's really no good reason to keep financial accounts on a separate email account if you're using 2FA on your email. It's a placebo at best.
Topic Author
softwaregeek
Posts: 951
Joined: Wed May 08, 2019 8:59 pm

Re: SoftwareGeek's Guide to Computer Security

Post by softwaregeek »

Mudpuppy wrote: Thu Jan 05, 2023 2:42 pm
I'm not familiar with the Microsoft products. Are O365, Microsoft Advanced Protection, and Google Advanced Protection roughly comparable at the consumer level?
O365 is OK out of the box, but Advanced Threat Protection is an add-on that provides additional protection against dangerous links and attachments. Google Advanced Protection is more against account takeovers, by locking the account down more. I know for a fact Google does run sandboxes, they bought a company a while back which does that, but I don't know where they are using it in their products. Sandboxing is expensive to run, you aren't going to get it in a free account.
inv123
Posts: 28
Joined: Sat Jun 08, 2013 11:45 am

Re: SoftwareGeek's Guide to Computer Security

Post by inv123 »

In light of the LastPass breach, here is how NYT's lead consumer tech columnist addresses the risk of potential hacking of cloud-based password managers:
I take a hybrid approach. I use a password manager that does not store my data in its cloud. Instead, I keep my own copy of my vault on my computer and in a cloud drive that I control myself. You could do this by using a cloud service such as iCloud or Dropbox. Those methods aren’t foolproof, either, but they are less likely than a company’s database to be targeted by hackers.
https://www.nytimes.com/2023/01/05/tec ... fety.html
jebmke
Posts: 25476
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: SoftwareGeek's Guide to Computer Security

Post by jebmke »

inv123 wrote: Fri Jan 06, 2023 2:38 pm In light of the LastPass breach, here is how NYT's lead consumer tech columnist addresses the risk of potential hacking of cloud-based password managers:
I take a hybrid approach. I use a password manager that does not store my data in its cloud. Instead, I keep my own copy of my vault on my computer and in a cloud drive that I control myself. You could do this by using a cloud service such as iCloud or Dropbox. Those methods aren’t foolproof, either, but they are less likely than a company’s database to be targeted by hackers.
https://www.nytimes.com/2023/01/05/tec ... fety.html
Keepass makes this easy.
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
Northern Flicker
Posts: 15366
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

tm3 wrote: How does one strike a secure/remember balance for the PW used to unlock one’s computer? Can’t use a PW manager, and it seems like an easy to remember phrase like whiteduck007 could be easily broken. My laptop could get stolen during a snatch and grab and then cracked into later.
A few points...

1. It is important that you use a non-admin account when working on the machine. If you run Windows, the system will prompt you for an administrator account password if you take an action requiring the privilege. With Linux/Unix, you can su/sudo to root only when doing admin tasks that require it. The benefit is you won't accidentally break something by taking an action as admin (such as accidentally deleting a system file), and if you pick up malware while using the system, it is much less risky if the malware is not running with admin privileges. Do you want random JavaScript off the web running in your browser with the browser running as admin? An attacker may be able to use a rootkit successfully to escalate privileges, but that still slows them down, giving you a chance to discover the breach and take appropriate action.

2. You can store laptop admin account passwords in your password safe as a recovery option. These are not generally used to log in to the machine (unless to do a password reset on a non-admin account), but are used to escalate privileges when you are already logged in.

3. If you are worried about theft of a laptop, the disk needs to be encrypted. Someone can remove the drive and read the contents on another machine.

4. You can store laptop passwords in a password safe on your phone. If you want maximum security in a theft situation, don't use biometrics to unlock the phone. (A fingerprint, for example, is still fine to unlock the password safe or execute a wallet payment once you have unlocked the phone without biometrics.)
Last edited by Northern Flicker on Fri Jan 06, 2023 6:43 pm, edited 3 times in total.
riverant
Posts: 1073
Joined: Tue May 04, 2021 6:51 am

Re: SoftwareGeek's Guide to Computer Security

Post by riverant »

HawkeyePierce wrote: Fri Jan 06, 2023 11:42 am
tm3 wrote: Fri Jan 06, 2023 8:06 am
softwaregeek wrote: Thu Jan 05, 2023 5:03 pm
Mudpuppy wrote: Thu Jan 05, 2023 2:42 pm

Better: The standard corporate stuff from major specialist security vendors.

Best: The standard tier plus advanced threat protection, as provided by specialist corporate security vendors.

In the picture below (Microsoft, but all of them work the same way)


Thanks, softwaregeek and mudpuppy!

I'm going to have to think some more about the computer login. If in fact a whiteduck007-type PW is as easily hackable as a 3-letter PW, then it seems that something more secure is definitely indicated, as getting into the stolen laptop could really hand over the keys to the kingdom. OTOH, the memory challenge and typo challenge of a 4-unrelated-word PW is not to be taken lightly. Food for thought.

I'm not familiar with the Microsoft products. Are O365, Microsoft Advanced Protection, and Google Advanced Protection roughly comparable at the consumer level?

As an aside, can someone comment on the advantage of having financial email in a separate, perhaps more secure account? I've gone back and reviewed email communications from financial institutions and don't see anything there that could be used by a hacker, so it seems that unless they can get into Bitwarden they are stymied. What am I missing?
There's really no good reason to keep financial accounts on a separate email account if you're using 2FA on your email. It's a placebo at best.
Maybe, but what’s of interest is not the content of e-mails but access to the inbox. That can be used to impersonate identity during password resets and conversations with CSRs. Maybe it’s unnecessary, but it seems like there’d be some benefit to having a little-used secure email account for important relationships rather than an account shared multiple times over with every spam distributor in the world.
Northern Flicker
Posts: 15366
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

The main benefit is in using the segregated email for monitoring alerts etc. for the financial services account so they are not missed in a deluge of email from other sources.
HawkeyePierce
Posts: 2352
Joined: Tue Mar 05, 2019 9:29 pm
Location: Colorado

Re: SoftwareGeek's Guide to Computer Security

Post by HawkeyePierce »

TJat wrote: Fri Jan 06, 2023 5:42 pm
HawkeyePierce wrote: Fri Jan 06, 2023 11:42 am
tm3 wrote: Fri Jan 06, 2023 8:06 am
softwaregeek wrote: Thu Jan 05, 2023 5:03 pm
Mudpuppy wrote: Thu Jan 05, 2023 2:42 pm

Better: The standard corporate stuff from major specialist security vendors.

Best: The standard tier plus advanced threat protection, as provided by specialist corporate security vendors.

In the picture below (Microsoft, but all of them work the same way)


Thanks, softwaregeek and mudpuppy!

I'm going to have to think some more about the computer login. If in fact a whiteduck007-type PW is as easily hackable as a 3-letter PW, then it seems that something more secure is definitely indicated, as getting into the stolen laptop could really hand over the keys to the kingdom. OTOH, the memory challenge and typo challenge of a 4-unrelated-word PW is not to be taken lightly. Food for thought.

I'm not familiar with the Microsoft products. Are O365, Microsoft Advanced Protection, and Google Advanced Protection roughly comparable at the consumer level?

As an aside, can someone comment on the advantage of having financial email in a separate, perhaps more secure account? I've gone back and reviewed email communications from financial institutions and don't see anything there that could be used by a hacker, so it seems that unless they can get into Bitwarden they are stymied. What am I missing?
There's really no good reason to keep financial accounts on a separate email account if you're using 2FA on your email. It's a placebo at best.
Maybe, but what’s of interest is not the content of e-mails but access to the inbox. That can be used to impersonate identity during password resets and conversations with CSRs. Maybe it’s unnecessary, but it seems like there’d be some benefit to having a little-used secure email account for important relationships rather than an account shared multiple times over with every spam distributor in the world.
You can simply secure your email with Yubikeys and be done with it. No need for two accounts.
Volando
Posts: 188
Joined: Tue Feb 23, 2021 6:52 pm

Re: SoftwareGeek's Guide to Computer Security

Post by Volando »

Thanks for this thread! I’ll add myself to the list of folks starting a pw manager from this thread. Opted for Bitwarden and I think it’ll work great. I don’t know why I waited so long to start.

One question I had: if I’m opting to use a pass phrase for a master password, say from a generator, are there any best practices I should keep in mind? For example, # of words to use or length of the pass phrase? I’m seeing mixed info online. On the # of words some say to use at least 6 words, others say 4 is good enough.
Northern Flicker
Posts: 15366
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

HawkeyePierce wrote: Sat Jan 07, 2023 10:01 am You can simply secure your email with Yubikeys and be done with it. No need for two accounts.
If you can do that, yes, it will work fine. I have a long-used email address in our personal domain that could only be secured with a Yubikey if we moved the domain hosting to a different service, which is much more hassle than creating an email account that can be locked down.

But accounts used for 2FA messaging should be segregated from email when possible.

Suppose you secure a Google Voice account appropriately, and use it for 2FA for some financial accounts. If you use a different email account for email alerts from the financial services, then the Google account is not a single point of failure. Also some services (Fidelity would be an example) use email to authenticate password resets. Ideally, that would not be the same Google account where you receive Google Voice SMS if that is used for 2FA on the account, for the same reason.

I also have a 401K account where email and SMS are always presented by the provider as 2FA choices at login. In this case, I use the email associated with the Google Voice account, as it is then a single 2FA account in play for both cases (1 single point of failure instead of 2 single points of failure if I segregated them).
Last edited by Northern Flicker on Sat Jan 07, 2023 4:09 pm, edited 1 time in total.
Northern Flicker
Posts: 15366
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

Volando wrote: Sat Jan 07, 2023 11:04 am Thanks for this thread! I’ll add myself to the list of folks starting a pw manager from this thread. Opted for Bitwarden and I think it’ll work great. I don’t know why I waited so long to start.

One question I had: if I’m opting to use a pass phrase for a master password, say from a generator, are there any best practices I should keep in mind? For example, # of words to use or length of the pass phrase? I’m seeing mixed info online. On the # of words some say to use at least 6 words, others say 4 is good enough.
Assuming the words come from a dictionary of the 1000 most common words, if all are lower case and there is a single space between each word, you could end up with a 10^12 = 1T search space for a 4-word phrase, equivalent to about 48 bits, which is too small. Use of capital letters, stray punctuation marks, whether or not there are spaces between words, and other tricks can increase the size of the search space greatly, but also increase the risk of losing the key.

Use an entire sentence with 8 or more words (ideally at least 10) with a standard for spacing, capitalization, and punctuation that you won't forget.
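The arithmetic behind the sizing advice above, and behind the Diceware approach Mudpuppy mentioned earlier in the thread, as an added example that is not from the thread or from any password manager's code: the search space for n words drawn uniformly from a list of D words is D^n, the bit-equivalent is log2 of that, and the word count needed for a target strength follows directly. The 16-word list embedded here is constructed only so the generator runs offline; the 1000-word and 7776-word (Diceware) sizes are parameters, and the 10^10 guesses/second rate is an assumed illustrative attacker speed.

```python
import math
import secrets

# Constructed sample word list. A real Diceware or EFF list has 7776 words; this
# short list only exercises the generator, so phrases drawn from it are NOT strong.
SAMPLE_WORDS = [
    "apple", "brick", "cedar", "dusk", "ember", "flint", "gravel", "harbor",
    "iris", "jasper", "kettle", "lantern", "meadow", "nickel", "orbit", "pebble",
]
DICEWARE_LIST_SIZE = 7776  # 6**5 words, one per roll of five dice


def search_space(num_words, list_size):
    """Number of equally likely phrases: list_size ** num_words."""
    return list_size ** num_words


def passphrase_bits(num_words, list_size):
    """Entropy in bits for num_words chosen uniformly (with replacement) from list_size words."""
    return num_words * math.log2(list_size)


def words_needed(target_bits, list_size):
    """Smallest word count that reaches target_bits with a list of list_size words."""
    return math.ceil(target_bits / math.log2(list_size))


def years_to_exhaust(bits, guesses_per_second):
    """Time to try the whole space at a constant guess rate (an attacker needs on
    average half of this; the rate is an assumption, not a measurement)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def generate_passphrase(num_words, words=SAMPLE_WORDS, separator=" "):
    """Draw words with secrets.choice (OS CSPRNG); random.choice is not suitable here."""
    return separator.join(secrets.choice(words) for _ in range(num_words))


if __name__ == "__main__":
    for n, size in [(4, 1000), (8, 1000), (4, DICEWARE_LIST_SIZE), (6, DICEWARE_LIST_SIZE)]:
        bits = passphrase_bits(n, size)
        print(f"{n} words from {size}: 2^{bits:.1f} phrases, "
              f"{years_to_exhaust(bits, 1e10):.3g} years to exhaust at 10^10 guesses/s")
    print("words for 80 bits, Diceware list:", words_needed(80, DICEWARE_LIST_SIZE))
    print("words for 80 bits, 1000-word list:", words_needed(80, 1000))
    print("sample (weak, 16-word list):", generate_passphrase(6))
```

The table this prints shows why word-list size matters as much as word count: a 1000-word list needs nine words to reach 80 bits, while a 7776-word Diceware list reaches it with seven. Capitalization and punctuation rules add bits only if they are also chosen at random; a fixed rule the user always applies adds nothing to the search space beyond what an attacker can guess.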
DebiT
Posts: 995
Joined: Sat Dec 28, 2013 12:45 pm

Re: SoftwareGeek's Guide to Computer Security

Post by DebiT »

Northern Flicker wrote: Fri Jan 06, 2023 4:28 pm
tm3 wrote: How does one strike a secure/remember balance for the PW used to unlock one’s computer? Can’t use a PW manager, and it seems like an easy to remember phrase like whiteduck007 could be easily broken. My laptop could get stolen during a snatch and grab and then cracked into later.
A few points...

1. It is important that you use a non-admin account when working on the machine. If you run Windows, the system will prompt you for an administrator account password if you take an action requiring the privilege. With Linux/Unix, you can su/sudo to root only when doing admin tasks that require it. The benefit is you won't accidentally break something by taking an action as admin (such as accidentally deleting a system file), and if you pick up malware while using the system, it is much less risky if the malware is not running with admin privileges. Do you want random JavaScript off the web running in your browser with the browser running as admin? An attacker may be able to use a rootkit successfully to escalate privileges, but that still slows them down, giving you a chance to discover the breach and take appropriate action.

If I typically use my regular admin-level account, but with Windows UAC (User Account Control) set to the highest level, what dangers am I still exposed to? Trying to assess if I need to change my ways.
Age 66, life turned upside down 3/2/19, thanking God for what I've learned from this group. AA 40/60 for now, possibly changing at age 70.
gavinsiu
Posts: 4543
Joined: Sun Nov 14, 2021 11:42 am

Re: SoftwareGeek's Guide to Computer Security

Post by gavinsiu »

DebiT wrote: Sat Jan 07, 2023 7:23 pm
If I typically use my regular admin-level account, but with Windows UAC (User Account Control) set to the highest level, what dangers am I still exposed to? Trying to assess if I need to change my ways.
I use a standard user account. Let’s say there is a zero-day exploit that allows malware to elevate to admin; it will likely be blocked by your standard user account.
Northern Flicker
Posts: 15366
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

Best practice is to follow the principle of least privilege and avoid using an account with more privileges than needed for the activities you are performing. I already described the risks of using an account with gratuitous privileges.
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: SoftwareGeek's Guide to Computer Security

Post by Mudpuppy »

Northern Flicker wrote: Sat Jan 07, 2023 8:05 pm Best practice is to follow the principle of least privilege and avoid using an account with more privileges than needed for the activities you are performing. I already described the risks of using an account with gratuitous privileges.
It's nearly half a century since their paper, yet Saltzer and Schroeder's design principles still ring true. Now if only more software engineers would put those principles into programming practice.
Northern Flicker
Posts: 15366
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

We are finally catching up to the late 1970s with respect to authentication as well, with challenge-response protocols used in Yubikeys, and I assume in what is being used in the emerging password-free standard that some tech companies are promoting.
DebiT
Posts: 995
Joined: Sat Dec 28, 2013 12:45 pm

Re: SoftwareGeek's Guide to Computer Security

Post by DebiT »

gavinsiu wrote: Sat Jan 07, 2023 8:02 pm
DebiT wrote: Sat Jan 07, 2023 7:23 pm
If I typically use my regular admin-level account, but with Windows UAC (User Account Control) set to the highest level, what dangers am I still exposed to? Trying to assess if I need to change my ways.
I use a standard user account. Let’s say there is a zero-day exploit that allows malware to elevate to admin; it will likely be blocked by your standard user account.
Assuming I add a new separate administrator account first, what are the ramifications of then downgrading my current account to standard? Would I experience problems or changes in how my current software runs? Or would it be the same experience as my current high UAC settings, but safer?

I really appreciate the advice here. This is what my late husband would have been able to answer for me, even though he didn’t necessarily set things up that way. On the other hand, he’s not around to help me if a virus gets through Norton, or if I brick my computer myself by getting too fancy with changing settings.
Age 66, life turned upside down 3/2/19, thanking God for what I've learned from this group. AA 40/60 for now, possibly changing at age 70.
Topic Author
softwaregeek
Posts: 951
Joined: Wed May 08, 2019 8:59 pm

Re: SoftwareGeek's Guide to Computer Security

Post by softwaregeek »

DebiT wrote: Sun Jan 08, 2023 11:53 am
gavinsiu wrote: Sat Jan 07, 2023 8:02 pm
DebiT wrote: Sat Jan 07, 2023 7:23 pm
If I typically use my regular admin-level account, but with Windows UAC (User Account Control) set to the highest level, what dangers am I still exposed to? Trying to assess if I need to change my ways.
I use a standard user account. Let’s say there is a zero-day exploit that allows malware to elevate to admin; it will likely be blocked by your standard user account.
Assuming I add a new separate administrator account first, what are the ramifications of then downgrading my current account to standard? Would I experience problems or changes in how my current software runs? Or would it be the same experience as my current high UAC settings, but safer?

I really appreciate the advice here. This is what my late husband would have been able to answer for me, even though he didn’t necessarily set things up that way. On the other hand, he’s not around to help me if a virus gets through Norton, or if I brick my computer myself by getting too fancy with changing settings.
Should not be an issue except installing new software or doing system recovery type stuff, where you may need to use admin account. Average user will rarely need admin privileges.
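The procedure discussed above (create a separate administrator account first, confirm it works, then drop the everyday account to standard user) as an added PowerShell example; it is not from the thread or from any of the posters. The account names are placeholders, and it assumes a Windows 10/11 machine with the built-in Microsoft.PowerShell.LocalAccounts cmdlets, run from an elevated prompt.

```powershell
# Added example, not from the thread. Creates a separate local administrator
# account, checks that another admin exists, and only then (as a second,
# commented step) removes the everyday account from Administrators.
$EverydayAccount = 'everyday-user'   # placeholder: the account used day to day
$AdminAccount    = 'admin-only'      # placeholder: new account used only for installs/repairs

# Refuse to continue unless this session is actually elevated.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Run this from an elevated (Run as administrator) PowerShell window.'
}

# Step 1: create the admin account (password typed at the prompt, never stored
# in the script) and add it to the local Administrators group.
if (-not (Get-LocalUser -Name $AdminAccount -ErrorAction SilentlyContinue)) {
    $pw = Read-Host -AsSecureString "Password for $AdminAccount"
    New-LocalUser -Name $AdminAccount -Password $pw -PasswordNeverExpires `
        -Description 'Administrator account used only for installs and recovery' | Out-Null
}
Add-LocalGroupMember -Group 'Administrators' -Member $AdminAccount -ErrorAction SilentlyContinue

# Step 2: safety check. At least one enabled administrator other than the
# everyday account must exist before the everyday account is downgraded,
# so a mistyped password cannot lock you out of administration entirely.
$otherAdmins = @(Get-LocalGroupMember -Group 'Administrators' |
    Where-Object { $_.ObjectClass -eq 'User' -and
                   $_.Name -ne "$env:COMPUTERNAME\$EverydayAccount" })
if ($otherAdmins.Count -lt 1) {
    throw 'No other administrator account is present; not downgrading anything.'
}
Write-Host "Sign out, log in once as $AdminAccount to confirm it works, then run step 3."

# Step 3 (run only after the new admin login has been confirmed): remove the
# everyday account from Administrators. It stays in the Users group, so it
# becomes a standard user; UAC will now ask for the admin account's
# credentials instead of just Yes/No.
# Remove-LocalGroupMember -Group 'Administrators' -Member $EverydayAccount
# Get-LocalGroupMember -Group 'Administrators'   # verify the result
```

The visible change after step 3 is the one softwaregeek describes: day-to-day programs run the same, but installers and system-recovery tools trigger a UAC prompt that asks for the separate admin account's name and password rather than a simple confirmation.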
StrongMBS
Posts: 67
Joined: Sat Jan 14, 2017 1:38 pm

Re: SoftwareGeek's Guide to Computer Security

Post by StrongMBS »

Northern Flicker wrote: Wed Jan 04, 2023 12:48 am
StrongMBS wrote: Where usual FIDO U2F has the password as the first factor and the key as the second factor which allows your password to be compromised (FIDO U2F dirty little secret). They have the key as the first factor and your password as the second factor, maintaining security on your all-important master password if you are being phished.
Better yet, ditch the password altogether. Challenge-response authentication is a robust protocol that replaces password authentication. Add a yubikey pin and if desired 2FA to that.
Not sure what this means, since "password authentication" is a type of "challenge-response authentication"? Maybe you meant to start with a more qualified statement like "PKC-based (Public Key Cryptography) challenge-response authentication", such as used in FIDO2 protocols delivering phishing-resistant authentication.

"Add a yubikey pin and if desired 2FA to that." Do you not already have 2FA if you have a yubikey with a pin (assuming you are using the FIDO2 feature in the key)? BTW, if you read all of my comment, you would see this: "Their only downside right now is they are still not asking for your security key PIN if you have it." This would provide 3FA (i.e., Key/Pin/Password), maybe overkill for some, but until companies can rework their mechanism to be passwordless this is one of the fastest ways to provide phishing-resistant MFA authentication that protects the password, unlike FIDO U2F.

And yes, providing "passwordless phishing-resistant MFA authentication" is the goal, but I know of few places where this is supported outside of the enterprise IDP (Identity Providers) (e.g., Azure AD); even Google's APP (Advanced Protection Program) is still using passwords as the first factor and the FIDO key as the second factor 5 years later.

I also respectfully request again that we minimize the "yubikey" term use, since it is a multi-protocol product, so without specifying which protocol is being used it is hard to tell what kind of protection the mechanism is providing.
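The distinction drawn above between plain password authentication and PKC-based challenge-response, as an added PowerShell example that is not from the thread or from any poster. It is a deliberately simplified sketch in the spirit of FIDO2/WebAuthn: the authenticator signs the server's random challenge together with the relying-party id it believes it is talking to, so an assertion captured by a look-alike origin does not verify at the real site. The relying-party ids, the message layout (SHA-256 of the rpId followed by the challenge) and the use of .NET RSA as the authenticator key are all constructed for illustration; real WebAuthn assertions use authenticatorData/CBOR and COSE keys.

```powershell
# Added example, not from the thread. Toy public-key challenge-response with
# origin binding, to show why it resists phishing where a password does not.
$sha = [System.Security.Cryptography.SHA256]::Create()

# --- Registration: the authenticator creates a key pair for one relying party ---
$rpId    = 'bank.example'   # constructed relying-party id of the real site
$authKey = [System.Security.Cryptography.RSACryptoServiceProvider]::new(2048)  # stands in for the key inside a security key
$pubKey  = [System.Security.Cryptography.RSACryptoServiceProvider]::new()
$pubKey.ImportParameters($authKey.ExportParameters($false))  # server keeps only the public half

function New-Challenge {
    # Fresh random bytes per login attempt, so a recorded assertion cannot be replayed.
    $c = [byte[]]::new(32)
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($c)
    return $c
}

function Get-Assertion([System.Security.Cryptography.RSA]$key, [string]$originRpId, [byte[]]$challenge) {
    # The authenticator signs SHA256(rpId it was asked to sign for) || challenge.
    $rpHash = $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($originRpId))
    return $key.SignData([byte[]]($rpHash + $challenge),
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
}

function Test-Assertion([System.Security.Cryptography.RSA]$pub, [string]$expectedRpId, [byte[]]$challenge, [byte[]]$sig) {
    # The real server always verifies against ITS OWN rpId, never one supplied by the client.
    $rpHash = $sha.ComputeHash([Text.Encoding]::UTF8.GetBytes($expectedRpId))
    return $pub.VerifyData([byte[]]($rpHash + $challenge), $sig,
        [System.Security.Cryptography.HashAlgorithmName]::SHA256,
        [System.Security.Cryptography.RSASignaturePadding]::Pkcs1)
}

# --- Genuine login: challenge issued and signed for the real origin ---
$challenge = New-Challenge
$sig = Get-Assertion $authKey $rpId $challenge
"Genuine login verifies: $(Test-Assertion $pubKey $rpId $challenge $sig)"   # True

# --- Phishing attempt: a look-alike site relays the real challenge to the user ---
# The authenticator signs for the origin it actually sees, so the relayed
# assertion fails at the real site. With a password, the relayed secret
# would have been accepted as-is.
$phishRpId = 'bank-example.invalid'   # constructed look-alike origin
$relayed = Get-Assertion $authKey $phishRpId $challenge
"Relayed phishing assertion verifies: $(Test-Assertion $pubKey $rpId $challenge $relayed)"   # False
```

This is the property the post calls "phishing-resistant": the secret never leaves the authenticator and what does leave it is bound to the origin, whereas a password (or a U2F login where the password is the first factor) hands the reusable secret to whichever site asked for it.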
Topic Author
softwaregeek
Posts: 951
Joined: Wed May 08, 2019 8:59 pm

Re: SoftwareGeek's Guide to Computer Security

Post by softwaregeek »

StrongMBS wrote: Sun Jan 08, 2023 12:23 pm
I also respectfully request again that we minimize the "yubikey" term use, since it is a multi-protocol product, so without specifying which protocol is being used it is hard to tell what kind of protection the mechanism is providing.
If you are going for the hardware key, get Yubikey 5. It is the standard and the software is excellent.
Post Reply