Apparently it's Safer Internet Day.
So, here's my list for the average user:
1. Use a #PasswordManager
2. Use an ad-blocker whenever possible. (lots of malware comes from ads)
3. Turn on 2 Factor Authentication (a.k.a. 2FA, MFA) whenever possible.
4. If you see something outrageous, really think about that link, the source, the probable outcome and if you really need to expose your computer or mental health to that.
5. Backup your devices to non-connected media.
@0x56 Is using iOS/macOS passwords keychains considered a #passwordmanager? I always get a little doubt about relying on an external service to store passwords as they might be compromised without my knowledge. Also, I don't use passwords on important accounts, I use pass phrases with mixed alpha/numerals/symbols. One thing that makes me crazy is when setting up an account, they have specific restrictions on the length and forbid pass phrase creativity.
@magicsoda - I don't have enough experience on iOS to answer this specific question, but perhaps another #CoSoSec contributor can.
But honestly, you should only remember a few passwords - one for each device, one for your work account and one for your primary email (if it's not already covered by the other 2). These should technically be long, strong pass phrases. All others should be randomly generated.
But yes, artificially lowering password strength is infuriating.
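To put numbers on the two points above (random generation for the many, long pass phrases for the few you memorise, and what length or character restrictions cost), here is an added example that is not part of any post in this thread. It uses Python's `secrets` module (the OS CSPRNG) and the textbook entropy formula, length times log2 of the alphabet size, for uniformly random choices. The tiny word list is constructed for the demo; a real pass phrase generator would draw from a list of several thousand words.

```python
import math
import secrets
import string

# Full printable-ASCII alphabet: 52 letters + 10 digits + 32 symbols = 94 characters.
ALPHABET_FULL = string.ascii_letters + string.digits + string.punctuation
# Same alphabet with symbols forbidden, as a site that rejects "too secure" characters would enforce.
ALPHABET_NO_SYMBOLS = string.ascii_letters + string.digits

# Constructed word list for the example only; real generators use thousands of words.
WORDS = ["copper", "lantern", "quiet", "marble", "river", "falcon", "velvet", "orbit"]


def random_password(length: int = 20, alphabet: str = ALPHABET_FULL) -> str:
    """Random password of `length` characters drawn uniformly from `alphabet`."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int = 6, words=WORDS, sep: str = "-") -> str:
    """Pass phrase of `n_words` words drawn uniformly (with replacement) from `words`."""
    if n_words < 1:
        raise ValueError("n_words must be positive")
    return sep.join(secrets.choice(words) for _ in range(n_words))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: each symbol contributes log2(alphabet_size) bits."""
    return length * math.log2(alphabet_size)


def restriction_cost(length: int) -> float:
    """Bits lost at a fixed length when a site forbids symbols (94 -> 62 symbols per position)."""
    return entropy_bits(length, len(ALPHABET_FULL)) - entropy_bits(length, len(ALPHABET_NO_SYMBOLS))


if __name__ == "__main__":
    pw = random_password(20)
    print(f"random password ({len(pw)} chars): {pw}")
    print(f"  entropy: {entropy_bits(20, len(ALPHABET_FULL)):.1f} bits")
    print(f"  same length without symbols: {entropy_bits(20, len(ALPHABET_NO_SYMBOLS)):.1f} bits "
          f"(loses {restriction_cost(20):.1f} bits)")
    print(f"16-char maximum, full alphabet: {entropy_bits(16, len(ALPHABET_FULL)):.1f} bits")
    phrase = random_passphrase(6)
    print(f"pass phrase: {phrase}")
    print(f"  entropy with this {len(WORDS)}-word list: {entropy_bits(6, len(WORDS)):.1f} bits")
    print(f"  entropy with a 7776-word list: {entropy_bits(6, 7776):.1f} bits")
```

The output makes the trade-off concrete: a 20-character random password over the full 94-symbol alphabet is about 131 bits, dropping symbols at the same length costs roughly 12 bits, and capping length at 16 costs another 26. A six-word phrase is only useful with a large list (about 77 bits from a 7776-word list versus 18 bits from the eight-word demo list), which is why memorised pass phrases need many words and random per-site passwords are best left to the manager.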
@john_b @0x56 @magicsoda
I also agree, don't use the browser based password managers, especially if they'll sync between multiple devices. Use a 3rd party app with plugins.
Last year my gmail account got compromised and in my cleanup of that mess I discovered that all of the saved passwords were accessible in Chrome/Google, so I had to do a full password reset on all of my important accounts.
Nothing is more triggering than when special characters are "too secure" and can't be used.