Apparently it's Safer Internet Day.
So, here's my list for the average user:
1. Use a #PasswordManager
2. Use an ad-blocker whenever possible. (lots of malware comes from ads)
3. Turn on 2 Factor Authentication (a.k.a. 2FA, MFA) whenever possible.
4. If you see something outrageous, really think about that link, the source, the probable outcome and if you really need to expose your computer or mental health to that.
5. Backup your devices to non-connected media.
@0x56 @john_b thnx! from what I understand, to breach into my iOS keychain you need to breach into my Apple ID. So if you are able to do that, my computer and iOS device technically belongs to you now, so an external password manager is not providing an extra layer of security. Here’s the Apple resume of it: https://support.apple.com/guide/security/keychain-data-protection-overview-secb0694df1a/1/web/1
@magicsoda @0x56
Ah, okay. So that sounds like it's more about how iOS stores the credentials you've input into applications rather than helping you to keep track of what password you use for what account. I think?
@john_b @0x56 iOS keeps track of which passwords goes where and suggest to auto-fill/store new passwords with that kind of structure: "a1ASD-111Fg-BTGH2-2FygH". You need to prove access to your AppleId to use them (TouchID, FaceID or account password). From what I understands it all happens in what they call the "Secure Enclave" https://support.apple.com/guide/security/secure-enclave-overview-sec59b0b31ff/web
Hypothetical time: someone manages to compromise your Apple ID and change the password. How do you access your passwords for other accounts - particularly any alternate email accounts which might be needed for account recovery?
@john_b @0x56 you probably can’t unless using “Forgot password” on each account and wish that your email account is still accessible, because there is no way you could remember 100+ gibberish passwords. But using a different personal pass phrase (changed every couple time a year) for the most important accounts bypass this difficulty. Recently, I also use “sign-in with Apple” which create a fake email for each new online account.
@john_b @0x56 and that’s why I have 2FA. If someone would like to change my Apple ID password it would imply that :
1: I agreed the connection from a new device
2: I agreed the send the 6 digit passcode generated to an email address/ phone # unknown to me in order to allow access to my account
3: I was perfectly fine providing those info without any idea of what is going on
@magicsoda @0x56
In any case, breaking into an Apple ID (or Google account, or Microsoft account) would clearly be a Very Bad Thing. I want to make sure that even if that worst-case scenario occurs:
(1) the attacker can't get access to the hundreds of passwords I have stored in my password manager and
(2) *I* can still access those passwords for my other accounts.
For me, that means using an external password manager (Bitwarden).