Apparently it's Safer Internet Day.

So, here's my list for the average user:

1. Use a
2. Use an ad-blocker whenever possible. (lots of malware comes from ads)
3. Turn on 2 Factor Authentication (a.k.a. 2FA, MFA) whenever possible.
4. If you see something outrageous, really think about that link, the source, the probable outcome and if you really need to expose your computer or mental health to that.
5. Backup your devices to non-connected media.


^^ There's a lot more you can do (Pi-holes, custom DNS settings, etc.), but all of these are easy for the average user, really shouldn't take more than a few minutes, and all but the backups are free.

@0x56

I would add

6. Get a fireproof*, waterproof safe or lockbox to keep your nonconnected backup device in when you're not actively using it.

*Nothing's really fireproof, but something that's rated to delay the destruction of its contents in a house fire for two hours is good.

@0x56

Thanks. When I figured out a small two hour rated lockbox wasn't all that expensive I went ahead and got one.

Then I discovered an unexpected side benefit: now I always know *where* my backup disk is. The box is too heavy to move around casually.

@0x56

All of these are great ideas.
If you want help in doing any of these just ask.
Many of us have experience in helping others to implement these.

If I had to pick an order to do them in:
1. Backup
2. Password Manager
3. Ad block
4. 2 factor authentication

@corlin - I'd actually add: if you want to go further than this list, many of us are willing to help too.

@0x56
And don't just use a password manager to store passwords - let it also generate a long, complex, and unique password for *every* account, no matter how minor or insignificant it might seem.

@0x56 Is using the iOS/macOS password keychain considered a ? I always get a little doubt about relying on an external service to store passwords, as they might be compromised without my knowledge. Also, I don't use passwords on important accounts; I use pass phrases with mixed alpha/numerals/symbols. One thing that makes me crazy is when, setting up an account, they have specific restrictions on the length and forbid pass phrase creativity.

@magicsoda - I don't have enough experience on iOS to answer this specific question, but perhaps another contributor can.

But honestly, you should only remember a few passwords - one for each device, one for your work account and one for your primary email (if it's not already covered by the other 2). These should technically be long, strong pass phrases. All others should be randomly generated.

But yes, artificially lowering password strength is infuriating.

@0x56 @magicsoda
0 iOS experience here but I generally avoid using OS/browser built-in password managers. I don't want a Bad Guy to gain access to all my stuff just because they breached a single device.

Keeping the passwords separate gives an extra layer of protection in my eyes. Sure, you bypassed my phone's lock screen but you still need to find a way to authenticate to my password manager.

And definitely use 2FA for your password manager too!

@john_b @0x56 @magicsoda
I also agree, don't use the browser based password managers, especially if they'll sync between multiple devices. Use a 3rd party app with plugins.

Last year my gmail account got compromised and in my cleanup of that mess I discovered that all of the saved passwords were accessible in Chrome/Google, so I had to do a full password reset on all of my important accounts.

Nothing more triggering than when special characters are "too secure" and can't be used.

@0x56 @john_b thnx! From what I understand, to breach my iOS keychain you need to breach my Apple ID. So if you are able to do that, my computer and iOS device technically belong to you now, so an external password manager is not providing an extra layer of security. Here's the Apple summary of it: support.apple.com/guide/securi

@magicsoda @0x56
Ah, okay. So that sounds like it's more about how iOS stores the credentials you've input into applications rather than helping you to keep track of what password you use for what account. I think?

@magicsoda @0x56

In any case, breaking into an Apple ID (or Google account, or Microsoft account) would clearly be a Very Bad Thing. I want to make sure that even if that worst-case scenario occurs:
(1) the attacker can't get access to the hundreds of passwords I have stored in my password manager and
(2) *I* can still access those passwords for my other accounts.

For me, that means using an external password manager (Bitwarden).

@john_b @0x56 iOS keeps track of which password goes where and suggests auto-filling/storing new passwords with this kind of structure: "a1ASD-111Fg-BTGH2-2FygH". You need to prove access to your Apple ID to use them (Touch ID, Face ID or account password). From what I understand, it all happens in what they call the "Secure Enclave": support.apple.com/guide/securi

@magicsoda @0x56

Hypothetical time: someone manages to compromise your Apple ID and change the password. How do you access your passwords for other accounts - particularly any alternate email accounts which might be needed for account recovery?

@john_b @0x56 you probably can't, unless you use "Forgot password" on each account and hope that your email account is still accessible, because there is no way you could remember 100+ gibberish passwords. But using a different personal pass phrase (changed a couple of times a year) for the most important accounts bypasses this difficulty. Recently, I also use "Sign in with Apple", which creates a fake email for each new online account.

@john_b @0x56 and that’s why I have 2FA. If someone would like to change my Apple ID password it would imply that :
1: I agreed the connection from a new device
2: I agreed the send the 6 digit passcode generated to an email address/ phone # unknown to me in order to allow access to my account
3: I was perfectly fine providing those info without any idea of what is going on
