SoftwareGeek's Guide to Computer Security

Northern Flicker
Posts: 15365
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

softwaregeek wrote: Sun Jan 08, 2023 12:16 pm
DebiT wrote: Sun Jan 08, 2023 11:53 am
gavinsiu wrote: Sat Jan 07, 2023 8:02 pm
DebiT wrote: Sat Jan 07, 2023 7:23 pm
If I typically use my regular admin-level account, but with Windows UAC (User Account Control) set to the highest level, what dangers am I still exposed to? I am trying to assess whether I need to change my ways.
I use a standard user account. Let's say there is a zero-day exploit that allows malware to elevate to admin; it will likely be blocked by your standard user account.
Assuming I add a new separate administrator account first, what are the ramifications of then downgrading my current account to standard? Would I experience problems or changes in how my current software runs? Or would it be the same experience as my current high UAC settings, but safer?

I really appreciate the advice here. This is what my late husband would have been able to answer for me, even though he didn't necessarily set things up that way. On the other hand, he's not around to help me if a virus gets through Norton, or if I brick my computer myself by getting too fancy with changing settings.
It should not be an issue except for installing new software or doing system-recovery-type tasks, where you may need to use the admin account. The average user will rarely need admin privileges.
When you install software or take actions requiring admin rights, Windows will prompt you for an admin password to authorize the action. In most cases, you don't need to login under the admin account. Use of certain administrative tools will require actually logging in with an administrator account, but these are not part of day-to-day usage of the machine.
Northern Flicker
Posts: 15365
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

StrongMBS wrote: Sun Jan 08, 2023 12:23 pm
Northern Flicker wrote: Wed Jan 04, 2023 12:48 am
StrongMBS wrote: Where usual FIDO U2F has the password as the first factor and the key as the second factor, which allows your password to be compromised (FIDO U2F's dirty little secret), they have the key as the first factor and your password as the second factor, maintaining security on your all-important master password if you are being phished.
Better yet, ditch the password altogether. Challenge-response authentication is a robust protocol that replaces password authentication. Add a YubiKey PIN and, if desired, 2FA to that.
Not sure what this means since “password authentication” is a type of “challenge-response authentication”?
No it is not. Challenge-response is a standard, technical term in the security community, and refers to a specific protocol based on public key cryptography in which no key or password is transmitted between user and service, and no challenge used in one authentication session is re-used in a later authentication session for that user (unless a new public/private key pair is established for the user). Password authentication does not meet these requirements.
Last edited by Northern Flicker on Sun Jan 08, 2023 7:02 pm, edited 1 time in total.
BoglesBeagle
Posts: 42
Joined: Fri Oct 21, 2022 1:06 pm

Re: SoftwareGeek's Guide to Computer Security

Post by BoglesBeagle »

DebiT wrote: Sat Jan 07, 2023 7:23 pm
If I typically use my regular admin-level account, but with Windows UAC (User Account Control) set to the highest level, what dangers am I still exposed to? I am trying to assess whether I need to change my ways.
I'm not by any means an expert on this, but I believe the idea of UAC is to provide the same security protections as running from a non-administrator account, without actually needing to create a separate account. I think the only difference you'd see is that with a second account, the UAC prompt would ask you for the password of the admin user, vs. just "yes/no" if logged in with an admin account.

https://learn.microsoft.com/en-us/windo ... l-overview
Microsoft wrote: UAC allows all users to log on to their computers using a standard user account. Processes launched using a standard user token may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Additionally, any apps that are started using Windows Explorer (for example, by double-clicking a shortcut) also run with the standard set of user permissions. Many apps, including those that are included with the operating system itself, are designed to work properly in this way.
https://learn.microsoft.com/en-us/windo ... trol-works
Northern Flicker
Posts: 15365
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

BoglesBeagle wrote: Sun Jan 08, 2023 1:43 pm
DebiT wrote: Sat Jan 07, 2023 7:23 pm
If I typically use my regular admin-level account, but with Windows UAC (User Account Control) set to the highest level, what dangers am I still exposed to? I am trying to assess whether I need to change my ways.
I'm not by any means an expert on this, but I believe the idea of UAC is to provide the same security protections as running from a non-administrator account, without actually needing to create a separate account. I think the only difference you'd see is that with a second account, the UAC prompt would ask you for the password of the admin user, vs. just "yes/no" if logged in with an admin account.

https://learn.microsoft.com/en-us/windo ... l-overview
Microsoft wrote: UAC allows all users to log on to their computers using a standard user account. Processes launched using a standard user token may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Additionally, any apps that are started using Windows Explorer (for example, by double-clicking a shortcut) also run with the standard set of user permissions. Many apps, including those that are included with the operating system itself, are designed to work properly in this way.
https://learn.microsoft.com/en-us/windo ... trol-works
That type of account is fine to use, and preferred to having to logout and back in as an admin user. For Windows today, it is the default behavior of a standard, non-administrator account.
stan1
Posts: 14246
Joined: Mon Oct 08, 2007 4:35 pm

Re: SoftwareGeek's Guide to Computer Security

Post by stan1 »

Northern Flicker wrote: Sun Jan 08, 2023 1:53 pm
BoglesBeagle wrote: Sun Jan 08, 2023 1:43 pm
DebiT wrote: Sat Jan 07, 2023 7:23 pm
If I typically use my regular admin-level account, but with Windows UAC (User Account Control) set to the highest level, what dangers am I still exposed to? I am trying to assess whether I need to change my ways.
I'm not by any means an expert on this, but I believe the idea of UAC is to provide the same security protections as running from a non-administrator account, without actually needing to create a separate account. I think the only difference you'd see is that with a second account, the UAC prompt would ask you for the password of the admin user, vs. just "yes/no" if logged in with an admin account.

https://learn.microsoft.com/en-us/windo ... l-overview
Microsoft wrote: UAC allows all users to log on to their computers using a standard user account. Processes launched using a standard user token may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Additionally, any apps that are started using Windows Explorer (for example, by double-clicking a shortcut) also run with the standard set of user permissions. Many apps, including those that are included with the operating system itself, are designed to work properly in this way.
https://learn.microsoft.com/en-us/windo ... trol-works
That type of account is fine to use, and preferred to having to logout and back in as an admin user. For Windows today, it is the default behavior of a standard, non-administrator account.
Does this apply to Win 11 Home with M365 Family? I am the primary administrator for the M365 family plan, and also Settings/Accounts shows I am logged onto my Win 11 Home desktop as Admin. Should I change something to take advantage of this, or is UAC for Win Pro and Server environments?
gavinsiu
Posts: 4543
Joined: Sun Nov 14, 2021 11:42 am

Re: SoftwareGeek's Guide to Computer Security

Post by gavinsiu »

DebiT wrote: Sun Jan 08, 2023 11:53 am
Assuming I add a new separate administrator account first, what are the ramifications of then downgrading my current account to standard? Would I experience problems or changes in how my current software runs? Or would it be the same experience as my current high UAC settings, but safer?

I really appreciate the advice here. This is what my late husband would have been able to answer for me, even though he didn't necessarily set things up that way. On the other hand, he's not around to help me if a virus gets through Norton, or if I brick my computer myself by getting too fancy with changing settings.
Most of the time nothing. What will happen is you will get the same UAC, but you have to type in the admin account password instead of just clicking ok. This has the added benefit of ensuring that you really want to do this. Just make sure you remember the admin account's name and password.

Some badly written software will flip out and not work properly. I find that these are generally really old programs written in the days when everything was admin, and some children's educational software.
Northern Flicker
Posts: 15365
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

stan1 wrote: Sun Jan 08, 2023 2:03 pm
Northern Flicker wrote: Sun Jan 08, 2023 1:53 pm
BoglesBeagle wrote: Sun Jan 08, 2023 1:43 pm
DebiT wrote: Sat Jan 07, 2023 7:23 pm
If I typically use my regular admin-level account, but with Windows UAC (User Account Control) set to the highest level, what dangers am I still exposed to? I am trying to assess whether I need to change my ways.
I'm not by any means an expert on this, but I believe the idea of UAC is to provide the same security protections as running from a non-administrator account, without actually needing to create a separate account. I think the only difference you'd see is that with a second account, the UAC prompt would ask you for the password of the admin user, vs. just "yes/no" if logged in with an admin account.

https://learn.microsoft.com/en-us/windo ... l-overview
Microsoft wrote: UAC allows all users to log on to their computers using a standard user account. Processes launched using a standard user token may perform tasks using access rights granted to a standard user. For instance, Windows Explorer automatically inherits standard user level permissions. Additionally, any apps that are started using Windows Explorer (for example, by double-clicking a shortcut) also run with the standard set of user permissions. Many apps, including those that are included with the operating system itself, are designed to work properly in this way.
https://learn.microsoft.com/en-us/windo ... trol-works
That type of account is fine to use, and preferred to having to logout and back in as an admin user. For Windows today, it is the default behavior of a standard, non-administrator account.
Does this apply to Win 11 Home with M365 Family? I am the primary administrator for the M365 family plan, and also Settings/Accounts shows I am logged onto my Win 11 Home desktop as Admin. Should I change something to take advantage of this, or is UAC for Win Pro and Server environments?
I have not used Win 11. On Win 7 and 10, for instance, when you create an account, the user account graphical tool allows you to configure an account as a standard account or as an administrator account. What we do is DW and I have admin accounts and standard accounts on all machines. We log in and use the standard account, and escalate to admin only when required. This is a standard best practice of system administration.

Some admin tasks, such as killing a process with the task manager, and some control center functions, do require logging in with the admin account, but many just require entering an admin password to escalate privileges for a particular operation, such as changing a Defender setting or installing/removing software.
tuningfork
Posts: 885
Joined: Wed Oct 30, 2013 8:30 pm

Re: SoftwareGeek's Guide to Computer Security

Post by tuningfork »

@SoftwareGeek and other security experts: can you recommend other online forums for discussions about computer security issues? Would like to see broader security topics than what is discussed here, and am fine with it going deeply geeky.
Northern Flicker
Posts: 15365
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

The Microsoft User Account Control (UAC) concept is how Microsoft implemented the current account behavior. It is not a useful concept to introduce into this discussion unless one wants to understand how the implementation works. From the perspective of securing your accounts, the useful conceptual framework (level of abstraction) is what is presented in the User Account GUI in the Control Panel.

If you go to User Accounts -> "Manage another account" in the control panel, it will prompt you for an admin account password if you are not logged in with an admin account. Once that is executed, you will see the accounts for the machine.

All accounts should be password protected.

There should be a named Administrator account for each individual you wish to have administrator privileges.

There should be a non-administrator account for each user of the machine, including those who have administrator accounts.

Microsoft has made it harder to create local accounts, which are my preference from a privacy perspective, but I'm not aware of a (non-privacy) security issue with using a microsoft.com account (which does not of course preclude the possibility).

Thus, we have 4 accounts for DW and me:

jack
jill
jack_admin
jill_admin

All are password-protected local accounts. The two with admin suffix are password-protected, local, administrator accounts.

That is the level of abstraction presented on the User Accounts screens of the Control Panel, and the best level of abstraction to use for Windows account security engineering.

Be sure to create new admin accounts and save passwords in password safes, with testing of the logins, before downgrading other accounts to non-administrator accounts.
Last edited by Northern Flicker on Mon Jan 09, 2023 8:18 pm, edited 2 times in total.
BoglesBeagle
Posts: 42
Joined: Fri Oct 21, 2022 1:06 pm

Re: SoftwareGeek's Guide to Computer Security

Post by BoglesBeagle »

Northern Flicker wrote: Sun Jan 08, 2023 1:53 pm
That type of account is fine to use, and preferred to having to logout and back in as an admin user. For Windows today, it is the default behavior of a standard, non-administrator account.
If I understand correctly, what you get after a default Windows installation, which is a single local admin account (perhaps better termed "account with the ability to assume local admin rights", since that still only happens after a confirmation), would be no different from a non-admin account until a UAC prompt to elevate privileges appears and is approved. And then at that point, it would just be the difference between a prompt with yes/no (same account) and a prompt for the second account's password (separate accounts). With that being the case, it's not obvious to me why two separate accounts (jack and jack_admin) is more secure than just using the jack_admin account, since the jack_admin account and anything running within it still doesn't have admin rights unless explicitly granted after a UAC prompt. UAC, if working as intended, should protect against background processes, downloaded apps, etc. unexpectedly assuming those rights without permission.

I can certainly understand why the two accounts were best practice before UAC but it seems to me like now it provides the same protection the separation of accounts is intended to provide. I may be missing something though as far as additional safeguards provided by the two being separate.
Microsoft wrote: With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system.
Northern Flicker
Posts: 15365
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

What the UAC architecture can provide is for a non-administrator account to elevate to administrator by typing in an administrator account password when prompted. This is very convenient but not all admin tasks can be completed that way. Having a single administrator account that is shared by family members with admin privileges, in addition to individual non-admin accounts also will work, but is not the preferred practice.
Last edited by Northern Flicker on Sun Jan 08, 2023 8:40 pm, edited 1 time in total.
international001
Posts: 2748
Joined: Thu Feb 15, 2018 6:31 pm

Re: SoftwareGeek's Guide to Computer Security

Post by international001 »

softwaregeek wrote: Mon Dec 19, 2022 12:21 pm
Total Costs per year -
Cheapest Acceptable. Bitwarden Premium $10, Authy or Microsoft Authenticator, Windows Defender - $10 a year total for an individual, $40 for a family.
As I configure: 1Password Family $60, Authy, McAfee Antivirus $25, O365 Family $70 for backup and email, OpenDNS $20. Total $175 a year.
What's wrong with the Bitwarden free version? It seems there are differences in the 2FA options, but you mentioned not to use a password manager's 2FA options.
Mudpuppy
Posts: 7409
Joined: Sat Aug 27, 2011 2:26 am
Location: Sunny California

Re: SoftwareGeek's Guide to Computer Security

Post by Mudpuppy »

BoglesBeagle wrote: Sun Jan 08, 2023 6:16 pm
Northern Flicker wrote: Sun Jan 08, 2023 1:53 pm
That type of account is fine to use, and preferred to having to logout and back in as an admin user. For Windows today, it is the default behavior of a standard, non-administrator account.
If I understand correctly, what you get after a default Windows installation, which is a single local admin account (perhaps better termed "account with the ability to assume local admin rights", since that still only happens after a confirmation), would be no different from a non-admin account until a UAC prompt to elevate privileges appears and is approved. And then at that point, it would just be the difference between a prompt with yes/no (same account) and a prompt for the second account's password (separate accounts). With that being the case, it's not obvious to me why two separate accounts (jack and jack_admin) is more secure than just using the jack_admin account, since the jack_admin account and anything running within it still doesn't have admin rights unless explicitly granted after a UAC prompt. UAC, if working as intended, should protect against background processes, downloaded apps, etc. unexpectedly assuming those rights without permission.

I can certainly understand why the two accounts were best practice before UAC but it seems to me like now it provides the same protection the separation of accounts is intended to provide. I may be missing something though as far as additional safeguards provided by the two being separate.
Microsoft wrote: With UAC, apps and tasks always run in the security context of a non-administrator account, unless an administrator specifically authorizes administrator-level access to the system.
There have been some pretty substantial attacks in the past against UAC where an attacker could get admin privileges without the Yes/No prompt when using an account that has administrator privileges. Running a local account without admin privileges protected against most of those attacks. Some people with a long memory of historical Windows vulnerabilities, security practices, and programming practices prefer to keep that approach now, rather than trust that Microsoft has everything correct in the current implementation of UAC. It's a minor hoop to jump through to get protection against the fall-out if another major UAC vulnerability is revealed.
BoglesBeagle
Posts: 42
Joined: Fri Oct 21, 2022 1:06 pm

Re: SoftwareGeek's Guide to Computer Security

Post by BoglesBeagle »

Mudpuppy wrote: Sun Jan 08, 2023 7:40 pm
There have been some pretty substantial attacks in the past against UAC where an attacker could get admin privileges without the Yes/No prompt when using an account that has administrator privileges. Running a local account without admin privileges protected against most of those attacks. Some people with a long memory of historical Windows vulnerabilities, security practices, and programming practices prefer to keep that approach now, rather than trust that Microsoft has everything correct in the current implementation of UAC. It's a minor hoop to jump through to get protection against the fall-out if another major UAC vulnerability is revealed.
Thanks for the explanation. I wasn’t aware that there was a history of these types of vulnerabilities. Makes sense.
DebiT
Posts: 995
Joined: Sat Dec 28, 2013 12:45 pm

Re: SoftwareGeek's Guide to Computer Security

Post by DebiT »

Mudpuppy wrote: Sun Jan 08, 2023 7:40 pm
There have been some pretty substantial attacks in the past against UAC where an attacker could get admin privileges without the Yes/No prompt when using an account that has administrator privileges. Running a local account without admin privileges protected against most of those attacks. Some people with a long memory of historical Windows vulnerabilities, security practices, and programming practices prefer to keep that approach now, rather than trust that Microsoft has everything correct in the current implementation of UAC. It's a minor hoop to jump through to get protection against the fall-out if another major UAC vulnerability is revealed.
Thanks to this thread, this is what finally sunk in. Thank you for your patience, @northernflicker. I’m big on risk mitigation these days, and therefore best practices. (I love that phrase, it appeals to my finicky self). So here I am on this one thread , learning about UAC issues and password managers, and thereby changing my ways. I learn so much from the Bogleheads.
Northern Flicker
Posts: 15365
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

mudpuppy wrote: There have been some pretty substantial attacks in the past against UAC where an attacker could get admin privileges without the Yes/No prompt when using an account that has administrator privileges. Running a local account without admin privileges protected against most of those attacks. Some people with a long memory of historical Windows vulnerabilities, security practices, and programming practices prefer to keep that approach now, rather than trust that Microsoft has everything correct in the current implementation of UAC. It's a minor hoop to jump through to get protection against the fall-out if another major UAC vulnerability is revealed.
Having to simulate a mouse click on yes is a much lower bar for an attacker to overcome than having to simulate typing in a password. Independent of past attack history, the principle of least privilege leads to the use of non-admin accounts and elevating to admin by typing in an admin password when asked, or logging in with the admin account when necessary.
gavinsiu
Posts: 4543
Joined: Sun Nov 14, 2021 11:42 am

Re: SoftwareGeek's Guide to Computer Security

Post by gavinsiu »

When I set up a new Windows machine, I typically set up an admin account, which I name something other than admin. The account is always local, and the password for each machine is different. The reason the account is local is that I do not see a reason for an online admin account. Over the years, MS has made this more difficult because they keep insisting on setting up an online account. In addition, it's probably better not to have the same password on each machine.

After the admin is set up, I then create a new user that I will actually use. This could be an MS online account that may integrate with Office or other MS services. The admin account I will only use for system-related tasks like software installs, driver updates, etc.
roamingzebra
Posts: 1215
Joined: Thu Apr 22, 2021 3:29 pm

Re: SoftwareGeek's Guide to Computer Security

Post by roamingzebra »

gavinsiu wrote: Sun Jan 08, 2023 9:53 pm
When I set up a new Windows machine, I typically set up an admin account, which I name something other than admin. The account is always local, and the password for each machine is different. The reason the account is local is that I do not see a reason for an online admin account. Over the years, MS has made this more difficult because they keep insisting on setting up an online account.
I know I asked this last year, but I didn't end up buying a new PC. Since I may buy one this year and I know methods change, could you outline the latest technique for bypassing creating an online account on a new PC? Thanks
gavinsiu
Posts: 4543
Joined: Sun Nov 14, 2021 11:42 am

Re: SoftwareGeek's Guide to Computer Security

Post by gavinsiu »

I have not upgraded to Windows 11 yet. Perhaps someone else can chime in?
StrongMBS
Posts: 67
Joined: Sat Jan 14, 2017 1:38 pm

Re: SoftwareGeek's Guide to Computer Security

Post by StrongMBS »

roamingzebra wrote: Mon Jan 09, 2023 1:40 pm
gavinsiu wrote: Sun Jan 08, 2023 9:53 pm
When I set up a new Windows machine, I typically set up an admin account, which I name something other than admin. The account is always local, and the password for each machine is different. The reason the account is local is that I do not see a reason for an online admin account. Over the years, MS has made this more difficult because they keep insisting on setting up an online account.
I know I asked this last year, but I didn't end up buying a new PC. Since I may buy one this year and I know methods change, could you outline the latest technique for bypassing creating an online account on a new PC? Thanks
Is this to create a local admin account and then an online standard account?

If so, do the process the other way. Use the normal process to create an online user account of type admin, then create a local admin account. Log out of both, make sure you can log in to the local admin account, and then change the first account to a standard user.
roamingzebra
Posts: 1215
Joined: Thu Apr 22, 2021 3:29 pm

Re: SoftwareGeek's Guide to Computer Security

Post by roamingzebra »

StrongMBS wrote: Mon Jan 09, 2023 7:14 pm
roamingzebra wrote: Mon Jan 09, 2023 1:40 pm
gavinsiu wrote: Sun Jan 08, 2023 9:53 pm
When I set up a new Windows machine, I typically set up an admin account, which I name something other than admin. The account is always local, and the password for each machine is different. The reason the account is local is that I do not see a reason for an online admin account. Over the years, MS has made this more difficult because they keep insisting on setting up an online account.
I know I asked this last year, but I didn't end up buying a new PC. Since I may buy one this year and I know methods change, could you outline the latest technique for bypassing creating an online account on a new PC? Thanks
Is this to create a local admin account and then an online standard account?
The intention is for the PC never to touch the internet.

I'm not well-versed in Windows these days, but my current set-up (Win10) has a local sign-in box (which lands me on the desktop) with an option, using various techniques, to elevate the privilege to Admin. I'm not sure of the appropriate terminology, but everything is local.
Jags4186
Posts: 8198
Joined: Wed Jun 18, 2014 7:12 pm

Re: SoftwareGeek's Guide to Computer Security

Post by Jags4186 »

I've started using Apple "hide my email" anytime I sign up for a new website. This way if the website is compromised no one gets my email. If I start getting spam to one of my spoofed addresses, I just shut the address off.
tm3
Posts: 779
Joined: Wed Dec 24, 2014 6:16 pm

Re: SoftwareGeek's Guide to Computer Security

Post by tm3 »

tuningfork wrote: Sun Jan 08, 2023 4:35 pm
@SoftwareGeek and other security experts: can you recommend other online forums for discussions about computer security issues? Would like to see broader security topics than what is discussed here, and am fine with it going deeply geeky.
I'm not one of the experts, but I learned about this site: https://www.bleepingcomputer.com/
StrongMBS
Posts: 67
Joined: Sat Jan 14, 2017 1:38 pm

Re: SoftwareGeek's Guide to Computer Security

Post by StrongMBS »

Northern Flicker wrote: Sun Jan 08, 2023 12:57 pm
StrongMBS wrote: Sun Jan 08, 2023 12:23 pm
Northern Flicker wrote: Wed Jan 04, 2023 12:48 am
StrongMBS wrote: Where usual FIDO U2F has the password as the first factor and the key as the second factor, which allows your password to be compromised (FIDO U2F's dirty little secret), they have the key as the first factor and your password as the second factor, maintaining security on your all-important master password if you are being phished.
Better yet, ditch the password altogether. Challenge-response authentication is a robust protocol that replaces password authentication. Add a YubiKey PIN and, if desired, 2FA to that.
Not sure what this means since “password authentication” is a type of “challenge-response authentication”?
No it is not. Challenge-response is a standard, technical term in the security community, and refers to a specific protocol based on public key cryptography in which no key or password is transmitted between user and service, and no challenge used in one authentication session is re-used in a later authentication session for that user (unless a new public/private key pair is established for the user). Password authentication does not meet these requirements.
Sorry for the delay; I thought I had sent this, but I got distracted dealing with some pressing LastPass issues.

Here is the definition from the NIST glossary “An authentication protocol where the verifier sends the claimant a challenge (usually a random value or a nonce) that the claimant combines with a secret (often by hashing the challenge and a shared secret together, or by applying a private key operation to the challenge) to generate a response that is sent to the verifier. The verifier can independently verify the response generated by the Claimant (such as by re-computing the hash of the challenge and the shared secret and comparing to the response, or performing a public key operation on the response) and establish that the Claimant possesses and controls the secret.”

The challenge is the thing that provides the replay protection. There are many ways to generate a response and since a password is a shared secret it can be used and often was. More modern and secure techniques are used today. So, a challenge-response using a password as the shared secret is a type of password authentication.

We can go round and round on this if you like but I have better things to do.
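The NIST definition quoted above covers two constructions, and the one this exchange turns on is the shared-secret variant, where the secret is a password. The block below is an added example, not code from any poster or from NIST: a verifier issues a fresh nonce, the claimant answers with an HMAC over that nonce keyed by the password-derived secret, the password itself never crosses the wire, and a recorded answer is rejected if presented again. The username, password and KDF salt are constructed sample values.

```python
"""Challenge-response with a password as the shared secret (HMAC variant)."""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Demo simplification: a fixed salt so both sides derive the same key.
# A real deployment would use a per-user salt and a stronger KDF setting.
KDF_SALT = b"constructed-demo-salt"


def derive_secret(password: str) -> bytes:
    """Shared secret both parties hold; derived once at enrollment on the server."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), KDF_SALT, 50_000)


def compute_response(secret: bytes, challenge: bytes) -> bytes:
    """Response = HMAC-SHA256(secret, challenge), binding the secret to one nonce."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


@dataclass
class Verifier:
    """Server side: stores each user's shared secret and tracks issued nonces."""
    secrets_by_user: dict[str, bytes]
    pending: dict[str, bytes] = field(default_factory=dict)   # user -> outstanding nonce
    used: set[bytes] = field(default_factory=set)              # nonces already consumed

    def issue_challenge(self, user: str) -> bytes:
        # A fresh random nonce per session is what gives replay protection.
        nonce = secrets.token_bytes(32)
        self.pending[user] = nonce
        return nonce

    def check_response(self, user: str, challenge: bytes, response: bytes) -> bool:
        # Accept only the nonce we issued to this user, and only once.
        if self.pending.get(user) != challenge or challenge in self.used:
            return False
        self.used.add(challenge)
        del self.pending[user]
        secret = self.secrets_by_user.get(user)
        if secret is None:
            return False
        expected = compute_response(secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time comparison


@dataclass
class Claimant:
    """Client side: knows the password and proves it without transmitting it."""
    user: str
    password: str

    def respond(self, challenge: bytes) -> bytes:
        return compute_response(derive_secret(self.password), challenge)


def make_verifier(users: dict[str, str]) -> Verifier:
    """Enrollment: the server keeps the derived shared secret, not the password."""
    return Verifier({u: derive_secret(p) for u, p in users.items()})


def login(verifier: Verifier, claimant: Claimant) -> tuple[bool, list[bytes]]:
    """Run one session; return (accepted, wire transcript) so the traffic can be inspected."""
    challenge = verifier.issue_challenge(claimant.user)
    response = claimant.respond(challenge)
    accepted = verifier.check_response(claimant.user, challenge, response)
    return accepted, [claimant.user.encode(), challenge, response]


def replay_is_rejected(verifier: Verifier, claimant: Claimant) -> bool:
    """Defender's check: a recorded (challenge, response) pair must not work a second time."""
    accepted, (user, challenge, response) = login(verifier, claimant)
    replayed = verifier.check_response(user.decode(), challenge, response)
    return accepted and not replayed


if __name__ == "__main__":
    server = make_verifier({"jill": "correct horse battery staple"})   # constructed sample user
    ok, transcript = login(server, Claimant("jill", "correct horse battery staple"))
    print("login accepted:", ok)
    print("password visible on the wire:", any(b"correct horse" in m for m in transcript))
    print("replay rejected:", replay_is_rejected(server, Claimant("jill", "correct horse battery staple")))
```

The verifier still has to store a password-derived secret for every user, which is the point Northern Flicker's public-key framing avoids; the nonce handling is the same in both variants.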
StrongMBS
Posts: 67
Joined: Sat Jan 14, 2017 1:38 pm

Re: SoftwareGeek's Guide to Computer Security

Post by StrongMBS »

softwaregeek wrote: Sun Jan 08, 2023 12:38 pm
StrongMBS wrote: Sun Jan 08, 2023 12:23 pm
I also respectfully request again that we minimize the “yubikey” term use since it is a multi-protocol product, so without specifying which protocol is being used it is hard to tell what kind of protection the mechanism is providing.
If you are going for the hardware key, get Yubikey 5. It is the standard and the software is excellent.
Why? For users who are looking just for FIDO2 functionality, a Yubico Security Key Series key (the blue keys) will suffice at half the cost, often allowing almost twice the number of keys for the same money. The only advantage for these users that a YubiKey 5 Series provides is connectivity (e.g., Lightning) and form factor (e.g., Nano). Although for some of us the cost difference might not matter, for others it is important, especially if you are buying 4 keys. This is especially true at enterprises rolling out FIDO2 to thousands of employees, where it adds up quickly. I personally only use Yubico keys and have a wide variety of types, but most of them are Security Key Series (the blue ones).
inv123
Posts: 28
Joined: Sat Jun 08, 2013 11:45 am

Re: SoftwareGeek's Guide to Computer Security

Post by inv123 »

Today the Washington Post's tech columnist chimes in on this topic. Interested readers may paste the URL on archive.ph to read the full article. Here are the 4 key recommendations:
  • Aim for longer password phrases (at least 16 characters)
  • Consider two-step authentication on your important accounts
  • Use a password manager if you can (she uses Dashlane subscription)
  • Password-less future may already be here in the form of "passkeys"
Last week, I deleted the password from my Microsoft account and asked to log in without a password. Now when I tap on Skype on my Android phone or use Outlook email on my computer, I am prompted to confirm a two-digit number I can see in the Microsoft Authenticator app on my phone. (I need to unlock the Authenticator app with my fingerprint.) That’s it.

Microsoft told me that nearly half a million people have removed the password from their accounts and opted to log in without a password.

This password-less system, which the technology industry is calling “passkeys,” is now baked into Android phones, iPhones, personal computers and major web browsers.

I usually roll my eyes when I hear that magical technology will fix a broken existing technology. In this case, yeah, passkeys might be the magic fix.
https://www.washingtonpost.com/technolo ... passwords/
Northern Flicker
Posts: 15365
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

StrongMBS wrote: Tue Jan 10, 2023 9:28 am
So, a challenge-response using a password as the shared secret is a type of password authentication.

We can go round and round on this if you like but I have better things to do.
Challenge-response authentication was first proposed by Popek & Kline to be able to authenticate over an open/unsecured network without transmitting a password or secret key over a network as cleartext. (I cited the seminal article upthread if interested).

When the web was developed, there was no appetite for managing the creation and distribution of public-private key pairs for end users, so instead SSL and trusted certificates with public keys for domain sites were used to encrypt sessions so that cleartext passwords would move over the internet in encrypted sessions. Other than encryption of the sessions, this is no different from password authentication on a centralized multiuser computer.

In challenge-response, a unique random challenge is generated by a service, and encrypted with the public key of a user or client. The result is transmitted to the user over a network that does not have to be secured or use an encrypted channel. The user decrypts the challenge with their private key, and sends the original challenge back to the service. The challenges may not repeat for a given public-private key pair because otherwise someone sniffing the connection can capture the challenge in both cleartext and encrypted form for that key pair.
StrongMBS wrote: The challenge is the thing that provides the replay protection.
The unique challenge and uniqueness of each reply are required to avoid replay attacks.

The NIST definition generalizes this so that public key encryption is not part of the definition, but I do not interpret it as attempting to generalize to include password authentication. There would be no reason to have unique challenges that always have the same response. I believe that most people in the security community do not include password authentication in the scope of what they are referring to when using the term challenge-response authentication. There would be no great harm in doing so, but it leaves us needing to agree on a new name for the Popek & Kline and related protocols, which meet requirements that are unmet by password authentication.
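The NIST definition quoted earlier in the thread and the replay-protection point in the post above can be seen in working code. The following is an added example, not code from any poster or from any product discussed here. It uses the shared-secret (HMAC) variant of challenge-response that the NIST definition also covers, rather than the public-key variant, so that it runs on the Python standard library alone; the `Verifier` class, the `respond` function, the user name "alice" and the secret value are all constructed for the demonstration.

```python
"""Challenge-response authentication with one-time challenges (added example).

The shared secret never crosses the wire: the client only sends an HMAC over a
fresh random challenge, and the verifier refuses any challenge it did not just
issue or has already consumed, which is what blocks replay.
"""
from __future__ import annotations

import hashlib
import hmac
import secrets


class Verifier:
    """Server side: issues one-time challenges and checks responses.

    `secrets_by_user` maps a user name to the shared secret the server holds
    for that user (constructed for this example; a real service would derive
    or store it more carefully).
    """

    def __init__(self, secrets_by_user: dict[str, bytes]):
        self._secrets = secrets_by_user
        self._outstanding: dict[str, bytes] = {}   # user -> unconsumed challenge
        self._used: set[bytes] = set()              # every challenge ever issued

    def issue_challenge(self, user: str) -> bytes:
        # 32 random bytes: a repeat is astronomically unlikely, but we record
        # every challenge and refuse repeats so uniqueness is enforced, not assumed.
        while True:
            challenge = secrets.token_bytes(32)
            if challenge not in self._used:
                break
        self._used.add(challenge)
        self._outstanding[user] = challenge
        return challenge

    def verify(self, user: str, challenge: bytes, response: bytes) -> bool:
        # Consume the outstanding challenge whether or not the response is good:
        # a challenge is usable exactly once.
        expected_challenge = self._outstanding.pop(user, None)
        if expected_challenge is None or not hmac.compare_digest(expected_challenge, challenge):
            return False   # unknown, stale or already-consumed challenge (a replay)
        secret = self._secrets.get(user)
        if secret is None:
            return False
        expected = hmac.new(secret, challenge, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def respond(secret: bytes, challenge: bytes) -> bytes:
    """Client side: prove possession of the secret without revealing it."""
    return hmac.new(secret, challenge, hashlib.sha256).digest()


def demo() -> dict[str, bool]:
    # Constructed sample data, not taken from any real service.
    alice_secret = b"constructed-shared-secret-for-alice"
    verifier = Verifier({"alice": alice_secret})

    # 1. Normal login: fresh challenge, correct response.
    c1 = verifier.issue_challenge("alice")
    r1 = respond(alice_secret, c1)
    first_login = verifier.verify("alice", c1, r1)

    # 2. Replay: someone who captured (c1, r1) on the wire sends them again.
    replay = verifier.verify("alice", c1, r1)

    # 3. Wrong secret: a fresh challenge answered with a guessed key.
    c2 = verifier.issue_challenge("alice")
    wrong = verifier.verify("alice", c2, respond(b"guess", c2))

    # 4. Challenges never repeat across sessions for the same user.
    c3 = verifier.issue_challenge("alice")
    return {
        "first_login": first_login,
        "replay_rejected": not replay,
        "wrong_secret_rejected": not wrong,
        "challenges_unique": len({c1, c2, c3}) == 3,
    }


if __name__ == "__main__":
    print(demo())
```

The point to notice is in step 2: the captured response is cryptographically valid for its challenge, but the verifier has already consumed that challenge, so the replay fails without any secret being compared. Removing the uniqueness bookkeeping (or letting challenges repeat) is exactly what would turn this back into something a sniffer could reuse.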
Northern Flicker
Posts: 15365
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

inv123 wrote: Tue Jan 10, 2023 6:55 pm
Last week, I deleted the password from my Microsoft account and asked to log in without a password. Now when I tap on Skype on my Android phone or use Outlook email on my computer, I am prompted to confirm a two-digit number I can see in the Microsoft Authenticator app on my phone. (I need to unlock the Authenticator app with my fingerprint.) That’s it.
Two digits, really? So if they give you three tries to get it right, an attacker has a 1 in 33.3 chance of a successful guess?

Something seems amiss there.
gavinsiu
Posts: 4543
Joined: Sun Nov 14, 2021 11:42 am

Re: SoftwareGeek's Guide to Computer Security

Post by gavinsiu »

On my Mac, the drive is encrypted so that if someone took out the drive and tried to read it, it's gibberish. On my PC, if I pull out the drive, I can read it without issue. Most of my PCs are pretty old, so encrypting the drive would probably result in performance degradation. I do have one new PC; I'd like to enable hardware encryption on the drive.

What is your experience with hardware encryption on the drive?
MGBMartin
Posts: 1145
Joined: Thu Nov 04, 2021 11:09 am

Re: SoftwareGeek's Guide to Computer Security

Post by MGBMartin »

gavinsiu wrote: Thu Jan 12, 2023 8:38 am On my Mac, the drive is encrypted so that if someone took out the drive and tried to read it, it's gibberish. On my PC, if I pull out the drive, I can read it without issue. Most of my PCs are pretty old, so encrypting the drive would probably result in performance degradation. I do have one new PC; I'd like to enable hardware encryption on the drive.

What is your experience with hardware encryption on the drive?
You don’t have to encrypt the entire drive, just do the sensitive files and folders.
I use Windows BitLocker to encrypt the thumb drive that has my password manager and its database; seems to work fine.
Bad spellers of the world untie | Autocorrect is my worst enema
StrongMBS
Posts: 67
Joined: Sat Jan 14, 2017 1:38 pm

Re: SoftwareGeek's Guide to Computer Security

Post by StrongMBS »

Northern Flicker wrote: Thu Jan 12, 2023 12:49 am
inv123 wrote: Tue Jan 10, 2023 6:55 pm
Last week, I deleted the password from my Microsoft account and asked to log in without a password. Now when I tap on Skype on my Android phone or use Outlook email on my computer, I am prompted to confirm a two-digit number I can see in the Microsoft Authenticator app on my phone. (I need to unlock the Authenticator app with my fingerprint.) That’s it.
Two digits, really? So if they give you three tries to get it right, an attacker has a 1 in 33.3 chance of a successful guess?

Something seems amiss there.
No, this is Microsoft's implementation of mobile push-notification-based MFA number matching to minimize the risk of "MFA fatigue". Here is the CISA explanation of this mechanism across a number of vendors.
https://www.cisa.gov/sites/default/file ... s-508c.pdf

Although not phishing-resistant MFA, like FIDO2 security key solutions, it is more secure than most of the other legacy-MFA mechanisms.
inv123
Posts: 28
Joined: Sat Jun 08, 2013 11:45 am

Re: SoftwareGeek's Guide to Computer Security

Post by inv123 »

Northern Flicker wrote: Thu Jan 12, 2023 12:49 am
inv123 wrote: Tue Jan 10, 2023 6:55 pm
Last week, I deleted the password from my Microsoft account and asked to log in without a password. Now when I tap on Skype on my Android phone or use Outlook email on my computer, I am prompted to confirm a two-digit number I can see in the Microsoft Authenticator app on my phone. (I need to unlock the Authenticator app with my fingerprint.) That’s it.
Two digits, really? So if they give you three tries to get it right, an attacker has a 1 in 33.3 chance of a successful guess?

Something seems amiss there.
Just wanted to clarify that the quoted section ("Last week, I deleted the password from my Microsoft Account") is from the Washington Post article and not something I've done myself.
jebmke
Posts: 25476
Joined: Thu Apr 05, 2007 2:44 pm
Location: Delmarva Peninsula

Re: SoftwareGeek's Guide to Computer Security

Post by jebmke »

inv123 wrote: Tue Jan 10, 2023 6:55 pm Aim for longer password phrases (at least 16 characters)
Consider two-step authentication on your important accounts
Use a password manager if you can (she uses Dashlane subscription)
I saw this piece and I found it cringe-worthy that these were worded in such a wishy-washy way. "Aim", "consider," "if you can."

On 2FA I'd be more direct and say, implement it if it is available and strongly consider changing institutions if it isn't offered by your existing institution.

I suppose there might technically be a case where a PW manager can't be used but I sure can't think of one. Maybe someone who doesn't have any devices and only uses a device not belonging to them.
Don't trust me, look it up. https://www.irs.gov/forms-instructions-and-publications
Northern Flicker
Posts: 15365
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

StrongMBS wrote: Thu Jan 12, 2023 11:41 am
Northern Flicker wrote: Thu Jan 12, 2023 12:49 am
inv123 wrote: Tue Jan 10, 2023 6:55 pm
Last week, I deleted the password from my Microsoft account and asked to log in without a password. Now when I tap on Skype on my Android phone or use Outlook email on my computer, I am prompted to confirm a two-digit number I can see in the Microsoft Authenticator app on my phone. (I need to unlock the Authenticator app with my fingerprint.) That’s it.
Two digits, really? So if they give you three tries to get it right, an attacker has a 1 in 33.3 chance of a successful guess?

Something seems amiss there.
No, this is Microsoft's implementation of mobile push-notification-based MFA number matching to minimize the risk of "MFA fatigue". Here is the CISA explanation of this mechanism across a number of vendors.
https://www.cisa.gov/sites/default/file ... s-508c.pdf

Although not phishing-resistant MFA, like FIDO2 security key solutions, it is more secure than most of the other legacy-MFA mechanisms.
What was amiss in the description is that it requires both entering a 2-digit number and clicking a button received on a phone by the push notification, i.e. it requires access to the phone as the primary part of the authentication, with the 2-digit number augmenting it to deal with a specific additional issue.
Last edited by Northern Flicker on Sun Jan 15, 2023 12:51 am, edited 1 time in total.
Northern Flicker
Posts: 15365
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

It appears that the iPhone password safe currently supports public key based challenge-response authentication. I was able to set up password-less authentication to eBay using it. There was no way to disable the password, however. I think setting the password to a long random string and not saving it anywhere or using it would accomplish the task, were it not for a password reset protocol.
pwill112
Posts: 60
Joined: Thu Sep 21, 2017 10:38 am

Re: SoftwareGeek's Guide to Computer Security

Post by pwill112 »

The latest version of 1password's mobile software has had outstanding issues dating back to September. I totally got stuck with the android version not working. I am not sure it is worth sticking with this product. Actually it's all one issue, auto-fill does not work. If you read the thread 1password support tries to make it seem like various issues but the previous version of 1password did not have mobile issues.

https://1password.community/discussion/ ... 1password8

It should not take 4 months (and counting) to resolve this issue. This seems to indicate a very small support and development team.
dual
Posts: 1383
Joined: Mon Feb 26, 2007 6:02 pm

Re: SoftwareGeek's Guide to Computer Security

Post by dual »

SoftwareGeek:
Lots of people use password managers to store variations on the same password. WeakPassword1, WeakPassword2, etc. I want you to consider the concept of a rainbow table. Basically, a rainbow table is a giant file with millions or billions of precracked passwords. Now, if you're dealing with Microsoft or Google or Amazon, they probably take steps to protect against this (for the technical types out there, this is "Salting the Hash") but basically the vast majority of sites don't bother. So you can pretty much assume that if you are not using one of the giant providers, your password will be cracked in about 30 seconds if it is 10 digits or less. Use the automatic generator in your password manager to make a long complicated password and store it.
I’m trying to understand your assumptions in this statement. You seem to assume that the hacker has available an encrypted version of my password. The hacker then uses a fast computer to try different variations of a clear text password and somehow is able to know when one is valid.

My first question is where does the hacker get the encrypted version of my password?

How common is it for an encrypted version of my password with for example Fidelity to be available in the dark web?

Another question is how does he know when he has a valid clear text password?
URSnshn
Posts: 441
Joined: Sun Mar 13, 2016 6:10 pm

Re: SoftwareGeek's Guide to Computer Security

Post by URSnshn »

Regarding 1Password. I too have had issues with support. I was interested in changing up my security after reading through this thread although I didn't use LastPass. 1Password seemed appropriate for my situation, however I was unsure which 1Password version to use. On the site they have version 8, but on the Mac's App Store they have version 7, and also a separate version for Safari. I sent 1Password a question asking the difference in the versions, but they have yet to get back to me - it's been five days - no response and I also haven't been able to find the answers to my questions. Disappointed.

2 questions:

- Is 1Password's support team viable?
- And, for curiosity's sake, does anyone have an idea of the differences between 1Password (for the Mac) from their site (version 8) vs the Mac App Store, which has version 7, versus the App Store which also has a 1Password Safari version?

I'm also going to investigate Keepass XC and Bitwarden as well.
stan1
Posts: 14246
Joined: Mon Oct 08, 2007 4:35 pm

Re: SoftwareGeek's Guide to Computer Security

Post by stan1 »

dual wrote: Mon Jan 16, 2023 10:59 am My first question is where does the hacker get the encrypted version of my password?

How common is it for an encrypted version of my password with for example Fidelity to be available in the dark web?

Another question is how does he know when he has a valid clear text password?
This is part of the LastPass issue. They stole unencrypted data (such as LP login name and website URLs) plus encrypted data (site username, site password). It was in a proprietary format used on the LP backup server. If someone's LP login name (email address) and website login name were the same it would just be a matter of being able to identify the encrypted password. We don't know how easy or hard that is. Cybersecurity is all about layers of defense, so if one is broken there are multiple layers left. The problem with this LP breach is that multiple layers of defenses were penetrated and made worse by sloppy implementation (such as not encrypting URLs).
Northern Flicker
Posts: 15365
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

stan1 wrote: Mon Jan 16, 2023 4:11 pm
dual wrote: Mon Jan 16, 2023 10:59 am My first question is where does the hacker get the encrypted version of my password?

How common is it for an encrypted version of my password with for example Fidelity to be available in the dark web?

Another question is how does he know when he has a valid clear text password?
This is part of the LastPass issue. They stole unencrypted data (such as LP login name and website URLs) plus encrypted data (site username, site password). It was in a proprietary format used on the LP backup server. If someone's LP login name (email address) and website login name were the same it would just be a matter of being able to identify the encrypted password.
An attacker would have to have a dictionary of cleartext passwords encrypted with the proprietary encryption protocol. To have done that, an attacker would have needed to know the encryption algorithm used and the encryption key. I've not followed the details of this breach, but I am skeptical that these were known in advance, and I've not heard that they were divulged in the breach. If they were, the passwords could just be decrypted directly without a dictionary of encrypted passwords, and the news would be that cleartext passwords were compromised. This is a different scenario from a 1-way hash of a password being divulged.

Encrypted passwords are different from 1-way hashes (cryptohashes) of passwords. The simplest 1-way hash algorithm was the original Unix algorithm that appended a salt (fixed constant string) to an 8-character password, and used that as a key to encrypt the number 0. That result was stored in a password file that was readable by anyone with an account on the machine. The purpose of the salt was to increase the computation time of a single trial in a brute force attack. It does not increase the search space.

Today, more sophisticated salting protocols are used, longer strings than the number zero are encrypted, and more robust encryption is used. The result is not an encrypted password, but a 1-way hash of the password. A password safe needs to recover the cleartext password, so will encrypt the password with a secret key, which could be compromised. There is no direct decryption to recover the password from a 1-way hash-- there is no decryption key.

If the details of such a 1-way hash protocol were public for some service, someone might make a dictionary file of possible passwords and their cryptohash values. Then, if there were a breach of the service provider so that the file of password cryptohashes were compromised, it would be a simple search of the dictionary file to break any password that was included in the dictionary file. No beefy computer would be needed if your password were in the file. Two factor authentication being enabled most likely would give you time to change your password before your account was compromised.
stan1
Posts: 14246
Joined: Mon Oct 08, 2007 4:35 pm

Re: SoftwareGeek's Guide to Computer Security

Post by stan1 »

Northern Flicker wrote: Tue Jan 17, 2023 7:47 pm
stan1 wrote: Mon Jan 16, 2023 4:11 pm
dual wrote: Mon Jan 16, 2023 10:59 am My first question is where does the hacker get the encrypted version of my password?

How common is it for an encrypted version of my password with for example Fidelity to be available in the dark web?

Another question is how does he know when he has a valid clear text password?
This is part of the LastPass issue. They stole unencrypted data (such as LP login name and website URLs) plus encrypted data (site username, site password). It was in a proprietary format used on the LP backup server. If someone's LP login name (email address) and website login name were the same it would just be a matter of being able to identify the encrypted password.
An attacker would have to have a dictionary of cleartext passwords encrypted with the proprietary encryption protocol. To have done that, an attacker would have needed to know the encryption algorithm used and the encryption key. I've not followed the details of this breach, but I am skeptical that these were known in advance, and I've not heard that they were divulged in the breach. If they were, the passwords could just be decrypted directly without a dictionary of encrypted passwords, and the news would be that cleartext passwords were compromised. This is a different scenario from a 1-way hash of a password being divulged.
We don't know. The LP actor also got some source code, maybe all. It's quite possible they know how to decode the proprietary format, and could identify a vulnerability in the software. We don't know how much source code was taken. We don't know how many vaults were taken. We don't know the age of the vaults (possibly years) that were taken.

Given no information about this it is basically necessary to assume a bad scenario not a rosy one. Part of a bad scenario is that the actor still has undetected access somewhere in the LP environment and LP doesn't know it (yet).
Northern Flicker
Posts: 15365
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

Agree. This is still not the scenario of looking up a 1-way hash or encrypted value of a password in a file of precomputed ones. Users who had passwords stored in the service certainly should change them at each service.
gtd98765
Posts: 952
Joined: Sun Jan 08, 2017 3:15 am

Re: SoftwareGeek's Guide to Computer Security

Post by gtd98765 »

dual wrote: Mon Jan 16, 2023 10:59 am

I’m trying to understand your assumptions in this statement. You seem to assume that the hacker has available an encrypted version of my password. The hacker then uses a fast computer to try different variations of a clear text password and somehow is able to know when one is valid.

My first question is where does the hacker get the encrypted version of my password?

How common is it for an encrypted version of my password with for example Fidelity to be available in the dark web?

Another question is how does he know when he has a valid clear text password?
Hackers create "rainbow tables" of tens of millions of precomputed hashed passwords and compare the hash of your password with the rainbow table. If they find a match of the hash they know your password. Millions of common variations on weak passwords like pA55w0rd1234 are part of the table. Unless you use a random, machine-generated password or a lengthy passphrase your password is likely to be in the rainbow table.
A rainbow table is a precomputed table for caching the output of cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering a key derivation function (or credit card numbers, etc.) up to a certain length consisting of a limited set of characters. It is a practical example of a space–time tradeoff, using less computer processing time and more storage than a brute-force attack.
https://en.wikipedia.org/wiki/Rainbow_table
Northern Flicker
Posts: 15365
Joined: Fri Apr 10, 2015 12:29 am

Re: SoftwareGeek's Guide to Computer Security

Post by Northern Flicker »

gtd98765 wrote: Wed Jan 18, 2023 7:10 am
dual wrote: Mon Jan 16, 2023 10:59 am

I’m trying to understand your assumptions in this statement. You seem to assume that the hacker has available an encrypted version of my password. The hacker then uses a fast computer to try different variations of a clear text password and somehow is able to know when one is valid.

My first question is where does the hacker get the encrypted version of my password?

How common is it for an encrypted version of my password with for example Fidelity to be available in the dark web?

Another question is how does he know when he has a valid clear text password?
Hackers create "rainbow tables" of tens of millions of precomputed hashed passwords and compare the hash of your password with the rainbow table. If they find a match of the hash they know your password. Millions of common variations on weak passwords like pA55w0rd1234 are part of the table. Unless you use a random, machine-generated password or a lengthy passphrase your password is likely to be in the rainbow table.
A rainbow table is a precomputed table for caching the output of cryptographic hash functions, usually for cracking password hashes. Tables are usually used in recovering a key derivation function (or credit card numbers, etc.) up to a certain length consisting of a limited set of characters. It is a practical example of a space–time tradeoff, using less computer processing time and more storage than a brute-force attack.
https://en.wikipedia.org/wiki/Rainbow_table
They have to have the cryptohash of your password from some provider, and the table has to have included the cryptohash of your password using the particular 1-way hash algorithm and salt used by that particular provider. Still, it is true that the longer and more random a password, the less likely it will be present in such a file.
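The mechanics behind the last few posts (the 1-way hash with a salt, the precomputed table of hashes, and the point that such a table only helps if it was built with the same algorithm and salt the provider used) can be shown in a few lines. The following is an added example, not code from any poster or from any service named in the thread. The candidate list, the stored passwords and the helper names (`build_precomputed_table`, `store_salted`, `verify_salted`) are constructed for the demonstration, and PBKDF2 from the Python standard library stands in for whatever stretching a real provider uses.

```python
"""Precomputed hash tables versus per-user salted hashing (added example).

Shows, from the defender's side, why a store of unsalted hashes falls to a
one-time precomputation and why a random per-user salt plus a slow
key-derivation function does not.
"""
from __future__ import annotations

import hashlib
import hmac
import os

# Constructed candidate list standing in for a (far larger) cracking dictionary.
CANDIDATES = ["password", "letmein", "pA55w0rd1234", "WeakPassword1", "WeakPassword2"]


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fixed function, so equal passwords hash equally everywhere."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_precomputed_table(candidates: list[str]) -> dict[str, str]:
    """Hash each candidate once; the result is reusable against any unsalted store."""
    return {unsalted_hash(p): p for p in candidates}


def lookup(table: dict[str, str], stored_hash: str) -> str | None:
    """A leaked hash against a precomputed table is a dictionary lookup, not computation."""
    return table.get(stored_hash)


def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    # PBKDF2 makes each guess cost `iterations` hash operations; the random salt
    # makes the output unique per user, so no table built in advance can contain it.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def store_salted(password: str) -> tuple[bytes, bytes]:
    """What a careful provider stores: a fresh random salt and the derived value."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify_salted(password: str, salt: bytes, stored: bytes) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(salted_hash(password, salt), stored)


def demo() -> dict[str, object]:
    table = build_precomputed_table(CANDIDATES)

    # Unsalted store: a leaked hash of a weak password is found immediately.
    leaked_unsalted = unsalted_hash("WeakPassword2")
    unsalted_hit = lookup(table, leaked_unsalted)

    # Salted store: the same weak password for two users yields two different
    # values, and neither one is in the table that was built without the salts.
    salt_a, stored_a = store_salted("WeakPassword2")
    salt_b, stored_b = store_salted("WeakPassword2")
    salted_hit = lookup(table, stored_a.hex())

    return {
        "unsalted_hit": unsalted_hit,
        "salted_hit": salted_hit,
        "same_password_different_hashes": stored_a != stored_b,
        "correct_password_still_verifies": verify_salted("WeakPassword2", salt_a, stored_a),
        "wrong_password_rejected": not verify_salted("WeakPassword1", salt_a, stored_a),
    }


if __name__ == "__main__":
    print(demo())
```

Note what the salt does and does not do here: the weak password is just as guessable as before, so a table built for one specific salt would still find it. What the salt removes is the ability to build that table once and reuse it across users and providers, and the iteration count makes each per-salt guess expensive. That is why a long random password remains the user's own defense regardless of how the provider stores it.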
JD2775
Posts: 1503
Joined: Thu Jul 09, 2015 10:47 pm

Re: SoftwareGeek's Guide to Computer Security

Post by JD2775 »

If Bitwarden claims it would take "centuries" to crack a given password here: https://bitwarden.com/password-strength/, is it safe to assume that password would NOT be a part of any rainbow table?
samsoes
Posts: 2802
Joined: Tue Mar 05, 2013 8:12 am
Location: Northeast Rat Race

Re: SoftwareGeek's Guide to Computer Security

Post by samsoes »

JD2775 wrote: Wed Jan 18, 2023 1:34 pm If Bitwarden claims it would take "centuries" to crack a given password here: https://bitwarden.com/password-strength/, is it safe to assume that password would NOT be a part of any rainbow table?
No, not at all. It can certainly be a part of a rainbow table. The "x centuries to crack" calculation is based on length and complexity. Choosing a password by typing every key on your keyboard in sequence (!@#$%^&*()_+QWERTY...) will yield a "centuries" password since it is long and complex, but I'm sure such a sequential password's hash is in a rainbow table.

Rainbow tables are used to bypass brute-force attempts which would take centuries.
"Happiness Is Not My Companion" - Gen. Gouverneur K. Warren. | (Avatar is the statue of Gen. Warren atop Little Round Top @ Gettysburg National Military Park.)
URSnshn
Posts: 441
Joined: Sun Mar 13, 2016 6:10 pm

Re: SoftwareGeek's Guide to Computer Security

Post by URSnshn »

I have read this entire thread. Many thanks to all contributors, especially SoftwareGeek for starting the thread. I find myself stuck not knowing which way to turn with respect to a password manager. I'm more technically inclined than some family members but obviously not as technically skilled as many on this thread. All family members are willing to learn. I also realize there is no perfect password management solution. I would probably go with a cloudless solution myself, but this would not be a family solution. This decision rests with me and it is not just a decision I am making for myself.

I find myself caught between (my questions are bolded):

- 1Password, which only allows around 100,000 iterations (can't increase), has a secret key, and is apparently more family friendly. I would have thought I could have increased the iterations to over 300,000 and feel a bit skittish after reading what happened to LastPass users. I've also read it keeps less personal info. Is 1Password secure even though it only uses about 100,000 iterations? Is it any more secure than Bitwarden?

- Bitwarden. With this product I can increase the iterations; it seems as secure as 1Password, though with no secret key, and apparently collects more personal info. However, I read today that Bitwarden has just acquired Passwordless.dev and I find myself a little concerned that Bitwarden may possibly chase ROI and this might be an issue in the future with this product. I've read of the history of LastPass. Is this acquisition an issue? https://bitwarden.com/blog/bitwarden-ex ... quisition/

- Encrypted flash drive (Apple system) with a document on it that has the passwords and other info, OR another alternative is an encrypted image on a hard drive, but I am unsure of either of these because I'd still be using a document and I'm concerned about leakage, for example the passwords showing up in images in Recents. I am also concerned about how family members might understand the ins and outs of all of this. Is there a reasonable and secure way to deploy either an encrypted flash drive process or an encrypted image on a hard drive to eliminate security leakages?

Your thoughts would be appreciated.
JD2775
Posts: 1503
Joined: Thu Jul 09, 2015 10:47 pm

Re: SoftwareGeek's Guide to Computer Security

Post by JD2775 »

samsoes wrote: Wed Jan 18, 2023 2:07 pm
JD2775 wrote: Wed Jan 18, 2023 1:34 pm If Bitwarden claims it would take "centuries" to crack a given password here: https://bitwarden.com/password-strength/, is it safe to assume that password would NOT be a part of any rainbow table?
No, not at all. It can certainly be a part of a rainbow table. The "x centuries to crack" calculation is based on length and complexity. Choosing a password by typing every key on your keyboard in sequence (!@#$%^&*()_+QWERTY...) will yield a "centuries" password since it is long and complex, but I'm sure such a sequential password's hash is in a rainbow table.

Rainbow tables are used to bypass brute-force attempts which would take centuries.
Got it. It's my understanding that if specific institutions (Google, Vanguard, Fidelity, etc.) use "salt" techniques with their encryption then the rainbow table hacking ability is greatly reduced? (Forgive my ignorance if I am stating some of this incorrectly; this is all new to me.)
NewRain
Posts: 29
Joined: Sat Nov 20, 2021 10:40 am

Re: SoftwareGeek's Guide to Computer Security

Post by NewRain »

JD2775 wrote: Wed Jan 18, 2023 1:34 pm If Bitwarden claims it would take "centuries" to crack a given password here: https://bitwarden.com/password-strength/, is it safe to assume that password would NOT be a part of any rainbow table?
Consider the password ji32k7au4a83

The Bitwarden link says it will take three years to crack, and it might look secure, but it's really a very common password in Mandarin that appears in hundreds of data breaches.

Although the Bitwarden link does show that mypassword12345 would take less than a minute to crack.

https://www.theverge.com/tldr/2019/3/5/ ... been-pwned
pwill112
Posts: 60
Joined: Thu Sep 21, 2017 10:38 am

Re: SoftwareGeek's Guide to Computer Security

Post by pwill112 »

URSnshn wrote: Wed Jan 18, 2023 2:55 pm I have read this entire thread. Many thanks to all contributors, especially SoftwareGeek for starting the thread. I find myself stuck not knowing which way to turn with respect to a password manager. I'm more technically inclined than some family members but obviously not as technically skilled as many on this thread. All family members are willing to learn. I also realize there is no perfect password management solution. I would probably go with a cloudless solution myself, but this would not be a family solution. This decision rests with me and it is not just a decision I am making for myself.

I find myself caught between (my questions are bolded):

- 1Password, which only allows around 100,000 iterations (can't increase), has a secret key, and is apparently more family friendly. I would have thought I could have increased the iterations to over 300,000 and feel a bit skittish after reading what happened to LastPass users. I've also read it keeps less personal info. Is 1Password secure even though it only uses about 100,000 iterations? Is it any more secure than Bitwarden?

- Bitwarden. With this product I can increase the iterations; it seems as secure as 1Password, though with no secret key, and apparently collects more personal info. However, I read today that Bitwarden has just acquired Passwordless.dev and I find myself a little concerned that Bitwarden may possibly chase ROI and this might be an issue in the future with this product. I've read of the history of LastPass. Is this acquisition an issue? https://bitwarden.com/blog/bitwarden-ex ... quisition/

- Encrypted flash drive (Apple system) with a document on it that has the passwords and other info, OR another alternative is an encrypted image on a hard drive, but I am unsure of either of these because I'd still be using a document and I'm concerned about leakage, for example the passwords showing up in images in Recents. I am also concerned about how family members might understand the ins and outs of all of this. Is there a reasonable and secure way to deploy either an encrypted flash drive process or an encrypted image on a hard drive to eliminate security leakages?

Your thoughts would be appreciated.
For what it's worth, 1Password is buggy. I am a retired Oracle Database Admin and I find 1Password a headache. I don't know that I would want to support a whole family when, for example, the popup prompts randomly don't work on cell phones for 1Password, especially if my family had different cell phones, as 1Password has different solutions for each cell phone. I am going to look at NordPass since at least they have chat support.