Riffing off @White_Rabbit's post a few minutes ago, my #securityHygiene toot for the day:
Be careful about what you post on social media and keep in mind what you've posted when sites ask you those "password recovery questions" like "What is your favorite movie?" and "What was the make and model of your first car?"
You start reminiscing about how you miss your childhood dog named "Candy," and an attacker may be able to change your password through those "forgot password" pages.
This is why I have substituted various recovery questions/answers to something completely off-topic:
"What was the name of your first pet" becomes "Were/Why/Who was *******/in ******/at ******."
That way, even if I reminisce or talk about my favorite movies, my comments can't be mined for answers.
@katharsys2012 @White_Rabbit @0x56
Oops... looks like we crossed posts.
@katharsys2012 @White_Rabbit @0x56 I have one, last ditch, ultimate secret password even my ex couldn’t guess. Was a childhood endearment. The few people who did know it are all dead. 😎
@katharsys2012 @White_Rabbit @opie @tyghebright @amarand - but with a good password manager, you don't even need to answer a password recovery question, so just randomly smashing the keyboard would work.
There are sites that force you to answer security questions when you create your account, not optional... can't remember the last one that did that to me, but it's def happened.
@opie @katharsys2012 @White_Rabbit @tyghebright @amarand - hence the randomly smashing keys.
@0x56 @amarand @tyghebright @opie @White_Rabbit @katharsys2012 I’m not trying to be a smart ass, or disrespectful in any way; isn’t a password manager/keeper just asking for it?! “Here’s my goodies”? If you get hacked, nothing is hack proof. I’ve got a list of cryptic hints. Period. Only my ex could really get anywhere with that. His technical prowess is -100, and that’s being generous.
@Kitty62862 @katharsys2012 @White_Rabbit @opie @tyghebright @amarand - unless your master password is discovered, it cannot be "hacked"... well, it could, but it would take thousands of years to do so.
A good password manager is encrypted at such a high level that it's implausible.
Eh... I would put a "it depends" qualifier on that. IIRC there was an issue with that not *that* many years ago where some were vulnerable to attack. LastPass and OneLogin come to mind.
Personally, I use a non-internet-based one, using a 256-bit key that goes through several thousand transforms before unlocking. I sync the DB to my phone about once a week. Trying to (non-quantum) backdoor the DB would take you several thousand years.
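The "several thousand transforms before unlocking" point above is key stretching: the attacker who steals the encrypted database has to run the same key-derivation function for every master-password guess. The following is an added example, not code from the thread or from any password manager, showing the effect with PBKDF2-HMAC-SHA256 from the Python standard library. The attacker throughput and passphrase entropy it is called with are assumptions for illustration, and the timing it prints is whatever this machine happens to do.

```python
# Added example, not from the thread: how a password manager's key-derivation
# iteration count ("several thousand transforms") slows an offline attack on the
# encrypted database. The attacker rate and entropy figures passed in are
# assumptions for illustration, not measurements of any real product.
import hashlib
import math
import os
import time

KEY_LEN = 32  # 256-bit derived key, as in the thread


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 256-bit key with PBKDF2-HMAC-SHA256.

    The same password, salt and iteration count always yield the same key,
    which is what lets the legitimate user unlock the database."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=KEY_LEN)


def measure_seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Time one KDF run on this machine.

    Every guess an attacker makes costs at least this much (per core),
    because they must perform the same transform to test a candidate."""
    salt = os.urandom(16)  # per-database random salt (constructed here)
    best = math.inf
    for _ in range(samples):
        start = time.perf_counter()
        derive_key("not-the-real-password", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def years_to_exhaust(entropy_bits: float, iterations: int,
                     single_iteration_guesses_per_second: float) -> float:
    """Expected years to hit a master password of the given entropy.

    single_iteration_guesses_per_second is the attacker's assumed throughput
    for a one-iteration KDF; stretching divides it by the iteration count.
    On average half the keyspace is searched before the right guess."""
    guesses_per_second = single_iteration_guesses_per_second / iterations
    expected_guesses = 2 ** entropy_bits / 2
    seconds = expected_guesses / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


if __name__ == "__main__":
    # Assumed attacker: 1e9 single-iteration guesses per second (an assumption
    # standing in for a GPU rig) against a 50-bit master passphrase.
    for iters in (1, 1_000, 100_000):
        print(f"{iters:>7} iterations: "
              f"{measure_seconds_per_guess(iters) * 1000:8.3f} ms/guess here, "
              f"{years_to_exhaust(50, iters, 1e9):14.1f} years at 1e9 base guesses/s")
```

Two things the numbers make visible: raising the iteration count multiplies the attacker's cost linearly, while each extra bit of master-password entropy doubles it, so a long passphrase buys more than any iteration setting; and the estimate assumes the attacker really has to brute-force, which is exactly the assumption a guessable master password breaks.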
I forget where I picked up this fun tip, but for sites that force you to pick answers to security questions (not a fan), make up unrelated gibberish answers (which are obv stored in your pwsafe):
Where did you go to elementary school?
The 1985 Chicago Bears
I will say *one* thing I've always done right is to have passwords that are nothing someone could figure out from knowing things like that about me.
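The tip in the thread (both the "Were/Why/Who was ..." substitution and "The 1985 Chicago Bears") amounts to treating recovery answers as a second set of random secrets that live in the password safe. The following is an added example, not code from the thread or from any password manager, of generating such answers and keeping them keyed by site and question. The wordlist, site name and the dict standing in for the safe are constructed for the illustration; in practice the words would come from a large list such as a diceware list and the store would be the manager's encrypted database.

```python
# Added example, not from the thread: generate "security question" answers that
# are unrelated to any real fact about you, and keep them in the password safe
# keyed by site and question. WORDLIST and the example site are constructed for
# this illustration; a real deployment would use a large diceware-style list.
import hmac
import math
import secrets

WORDLIST = [
    "anchor", "bears", "cactus", "dynamo", "ember", "falcon", "granite", "harbor",
    "indigo", "jigsaw", "kestrel", "lantern", "meadow", "nimbus", "orbit", "pelican",
    "quartz", "raven", "saddle", "tundra", "umbra", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "biscuit", "cobalt", "drizzle", "fennel", "glacier", "hollow",
]


def random_answer(n_words: int = 4, wordlist=WORDLIST) -> str:
    """Build an answer from uniformly random words.

    `secrets` rather than `random` so the choice is unpredictable; words rather
    than keyboard mashing so the answer can still be read to a support agent."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(choices: int, picks: int = 1) -> float:
    """Bits of entropy in `picks` independent uniform picks from `choices` options."""
    return picks * math.log2(choices)


class RecoveryAnswerStore:
    """Minimal stand-in for a password safe's per-site notes."""

    def __init__(self):
        self._answers = {}

    @staticmethod
    def _key(site: str, question: str):
        # Normalise the question text so a re-typed prompt still finds the answer.
        return (site.lower(), " ".join(question.lower().split()))

    def enroll(self, site: str, question: str, n_words: int = 4) -> str:
        """Generate and record the answer to give the site; returned so it can
        be typed into the sign-up form."""
        answer = random_answer(n_words)
        self._answers[self._key(site, question)] = answer
        return answer

    def lookup(self, site: str, question: str) -> str:
        return self._answers[self._key(site, question)]

    def verify(self, site: str, question: str, candidate: str) -> bool:
        """Constant-time comparison, as the site ought to do on its side."""
        stored = self._answers.get(self._key(site, question))
        return stored is not None and hmac.compare_digest(
            stored.encode("utf-8"), candidate.encode("utf-8"))


if __name__ == "__main__":
    store = RecoveryAnswerStore()
    q = "What was the name of your first pet?"
    a = store.enroll("example.com", q)
    print(f"{q} -> {a!r}  ({entropy_bits(len(WORDLIST), 4):.1f} bits with this toy list)")
    # A truthful answer comes from a small set an attacker can enumerate or
    # mine from social media; a random one does not.
    print(f"a pet name from ~1000 common names: {entropy_bits(1000):.1f} bits")
    print(f"four words from a 7776-word diceware list: {entropy_bits(7776, 4):.1f} bits")
    print("verify stored answer:", store.verify("example.com", q, store.lookup("example.com", q)))
    print("verify 'Candy':", store.verify("example.com", q, "Candy"))
```

The entropy comparison is the point of the exercise: a real first-pet name is one of at most a few thousand plausible strings, and often zero bits once it has been posted, whereas four random words from a proper list are around fifty bits and nothing on your timeline narrows them down.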
@0x56 @White_Rabbit Any other supergenpass users out there? I went with that way back & have since resisted any of the major services.
I fantasize that this opts me out of the coming breachmageddon when lastpass etc. finally get pierced.
@0x56 @White_Rabbit I never had a car, never drove. I used my grandfather's stalwart favorite. Rotsa ruck.
@0x56 @White_Rabbit
This is a big one I think.