Chris Chesley wrote: Beau, do you advocate for a password 'wallet' type thing like One Password or Last Pass?
You can get very encrypted passwords that are all different. Remembering them all is the challenge. Having iCloud or your browser remember them seems barely secure, or only as secure as your laptop.
I've systematized my password 'rules' so I can almost always kinda 'know' what it is. But this doesn't help when they need to be changed regularly or when my 'system' doesn't quite follow the rules of a website regarding symbols, or a max or min number of entries.
Thoughts?
Chris, this is longer than you may have wanted. The answer to your question is in the first two paragraphs; the rest is just more thoughts on the topic.
What I strongly recommend is a two-factor system. My opinion is that any site worth beans will require that one not only have the laptop but also a phone/pager/second computer that is required to get in. Obviously, this doesn't happen for lots of sites. I've decided that I can live with that for what I keep on the computer, which is very little.
For the initial password, I actually cut and paste my passwords into a file that is then encrypted on my hard disk by me. The passwords are long. It is further encrypted by Apple as a part of its standard security system. If you aren't using an encrypted file system, I'd strongly recommend it. I don't use one of the standard packages for the reason you've all probably thought of: If someone hacks them they have everything. I just don't want to take the risk. The cut-n-paste process leaves things in the OS memory, so I do the obvious, which is to cut-n-paste something else after I've logged in using this technique.
Whenever I walk away from my laptop, I close the lid. To get back in again one has to enter the biometric data or password. When I dealt with really secure stuff, even logging in required two factors. My iPhone is always in my pocket or in my hand (it's a habit), not ever on a tabletop or ever in a briefcase. The trick is to never ever lose both of the two-factor devices at once.
Finally, I really strongly believe in diversifying risk. For our funds, they are in multiple places. It's easy to get to a bank account with a small amount of money in it. It takes a personal phone call to someone I know and who recognizes me to get to any large amount of money. It's really hard to fool a friend. There is no electronic way for me to move funds out of the places that hold a significant amount. I have to call or visit physically. Obviously, this is a pain in the ass, but it is really hard to crack for a bad guy. Frankly, it is so old-school that I doubt many hackers believe it still exists. The bank didn't believe it when I set it up; I had to explain it to their President (who is a friend). He was incredulous many years ago but understands now. We have multiple places like this. We could have a bank take a hit and still be fine, which is the real goal here.
There is no 100% secure system. But given someone needs to have either my fingerprint or face recognition to work to get my portable devices open, and my fingerprint to open my laptop, it's reasonably ok as a first layer. Once in, they can't do anything but look at a few pictures of boats and kids, and read some Board Documents if they can figure out the password. I'm not worried about that stuff.
There appear to be two major holes in security systems online.
The first and most common one is that someone gets phished. They get something that looks as if it's from a place like Apple: "You're Credit Card has failed to go through, please log in here with your iCloud user name and password so you can re-enter..." blah blah blah. We've all seen them. But they remain the most effective way to get someone's credentials. Please don't ever EVER answer one of these emails. If you think that Apple (or anyone else) is asking you by email for this information, call them on the phone at a phone number you look up for yourself and are reasonably certain is really their web site. Tell them about the email and that you'd like to address the issue. They will almost always tell you that email was not from them. A variant of this is exactly how the Russians hacked both the Democratic and Republican party HQ.
The second is that folks will use the same login name and password on multiple sites so they can remember it easily. Once again, it's diversification of risk. You want them all to be unique. Of course, there are some sites, like the ones Rob just mentioned, where you'll be using BigGuyWithMoney as your login name and IGotTheGirl22 as the password.
But I think all of us here know better than that for sites that matter.
If you address these two attacks, you'll cover the vast majority of amateur or lightweight attacks. Sadly, most folks don't bother.
Then there is the issue of an intercept. You really should run a VPN whenever doing things that matter. Seriously, please run a VPN. If you won't, please use your telephone as a hotspot while visiting important sites, as it is a lot harder to work an intercept on a cell phone call, especially if the car is moving.

In many foreign countries, you should simply assume that even cell phone lines are all being intercepted. Everything that is not encrypted is being taken. They probably are in the US too, but we don't have a government corrupt enough (yet) to steal from folks in this way. Whenever you're online banking or anything you really value, your VPN should be on. NordVPN is a good product and only takes seconds to turn on and off. It will slow your internet speed, but there is no free lunch.
If you're interested, we can get into using Signal rather than txt or Apple Messenger etc. Please don't use any of the software vendor messaging services, like Facebook. The problem is not the company stealing your data/info; it is an employee or the crummy security at the company. I can go on and on... ask if you're interested.
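Two points from the thread above lend themselves to a small worked example: Chris's problem of a personal password 'system' that breaks when a site imposes its own symbol or length rules, and Beau's advice that every site gets a unique password. The following Python is an added example, not code from either poster; the site policies and the small "vault" of entries are constructed sample data, and the `SitePolicy` fields are assumptions about what a site might require. It uses only the standard library's `secrets` module for randomness, generates a password that fits a given site's rules, and flags any password shared between sites.

```python
from __future__ import annotations

import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class SitePolicy:
    """Password rules a site imposes (constructed values, not any real site's policy)."""
    name: str
    min_len: int
    max_len: int
    symbols: str = "!@#$%^&*"   # symbols the site accepts; "" means none allowed
    require_symbol: bool = True


def satisfies(policy: SitePolicy, pw: str) -> bool:
    """True if pw meets the site's length, allowed-character and character-class rules."""
    if not policy.min_len <= len(pw) <= policy.max_len:
        return False
    allowed = set(string.ascii_letters + string.digits + policy.symbols)
    if any(c not in allowed for c in pw):
        return False
    has_lower = any(c.islower() for c in pw)
    has_upper = any(c.isupper() for c in pw)
    has_digit = any(c.isdigit() for c in pw)
    has_symbol = any(c in policy.symbols for c in pw)
    if policy.require_symbol and policy.symbols and not has_symbol:
        return False
    return has_lower and has_upper and has_digit


def generate_password(policy: SitePolicy, target_len: int = 24) -> str:
    """Return a random password satisfying `policy`, as long as the site allows (up to target_len)."""
    length = max(policy.min_len, min(policy.max_len, target_len))
    classes_needed = 3 + (1 if policy.require_symbol and policy.symbols else 0)
    if length < classes_needed:
        raise ValueError(f"{policy.name}: max length too short for required character classes")
    alphabet = string.ascii_letters + string.digits + policy.symbols
    # Rejection sampling: draw uniformly, keep the first draw that has every required class.
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if satisfies(policy, pw):
            return pw


def find_reused(vault: dict[str, str]) -> dict[str, list[str]]:
    """Map each password used on more than one site to the list of sites sharing it."""
    by_password: dict[str, list[str]] = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


# Constructed sample vault: hypothetical site names and throwaway values, not real credentials.
SAMPLE_VAULT = {
    "bank.example": "IGotTheGirl22",
    "forum.example": "IGotTheGirl22",
    "mail.example": "zQ7#pL9vX2!mRt4w",
}


if __name__ == "__main__":
    for pw, sites in find_reused(SAMPLE_VAULT).items():
        print(f"reused on {', '.join(sites)}")
    strict = SitePolicy("strict.example", min_len=12, max_len=16, symbols="!@#")
    print("new password for strict.example:", generate_password(strict))
```

`satisfies` is the same check the generator relies on, so a password copied from the encrypted file can be re-validated against a site's rules before the site rejects it; `find_reused` is the audit Beau's "all unique" rule calls for, run over the decrypted entries rather than over anything stored in the clear.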