
The Security Thread

kyuuei

Emperor/Dictator
Joined
Aug 28, 2008
Messages
13,964
MBTI Type
enfp
Enneagram
8
Interesting things I learned from a friend of mine who works as a legal hacker about passwords:

Making them something you can remember is useful. The XKCD guy's comic on it was sort of on point, but the reality is sites limit you on your ability to use spaces, upper/lower cases, and on top of that the password the comic itself invented is so commonly used now that it's in password hacking databases everywhere. So, come up with your own sentence that works in most parameters.. Like using !'s for spaces or something for the sentence.
Start with numbers. Most people don't, and starting with numbers can help thwart the stereotypical format for most password hacking codes.
If you have trouble remembering different passwords for different sites and use the same passwords for everything.. Use a stem sentence and change it up for different sites. For example (this is not a password, recommended password, nor what I use): 1eLOVE!amazon .. 1eLOVE!gmail&google ... 1eLOVE!pinterest . etc.. Now, just change some of the vowels into numbers so that you always remember "if it has an a in it, I use a 4 instead.. if it has an i in it, I use a 9" 1eLOVE!4m4zon .. 1eLOVE!gm49l&google .. Or, you can change the name to one you always use. For example, I call google "the oracle" so I could write 1eLOVE!theor4cle .. Stuff like that will create something you can remember (a strong stem sentence) + different components to make the passwords different but easier to remember.
Change your passwords. I'm always SUPER bad about this because I can't remember what sites I use, if I've used them before, changed them before, and the stupid "I'll remember your password for you!!" things never work for me and end up confusing me and cluttering my system. Instead, I just use a wordpad list and change the main ones I remember, write them down, and when I encounter the lesser used ones I change it over to the new password set up and write it down.. so I know if I'm using the old sentence, or the new sentence. Changing it doesn't have to be difficult... instead of "1eLOVE!" I can write "365DAYSilike"
Longer passwords, in general, are far far better than shorter ones. If there's a maximum password set, simply type as much of your 'sentence' as it will allow and make that the password. That way you don't have to remember changing it up into a whole new sentence.
And if you think 12, 12qw, 1q2w, 12qw!@QW, 1q!Q, 1q2w!Q@W aren't in every password hacking database ever you're wrong. Think of numbers that mean something to you but are out of the ordinary for the flow of typing.
 

highlander

Administrator
Staff member
Joined
Dec 23, 2009
Messages
26,578
MBTI Type
INTJ
Enneagram
6w5
Instinctual Variant
sx/sp
One of the problems is that we use the same password to access multiple sites. Your password is only as secure as the least secure site you have used it on because password databases are regularly exfiltrated and hacked by the bad guys. That's why changing passwords on a regular basis is a good idea. A better option is to use a password manager. They come with a password generator that allows you to create a random password for every site you visit.

On an unrelated note, this is a pretty good article on how Kaspersky Labs was compromised.
 

highlander

Administrator
Staff member
Joined
Dec 23, 2009
Messages
26,578
MBTI Type
INTJ
Enneagram
6w5
Instinctual Variant
sx/sp
I guess the automatic thread bumping feature works :)
 
Joined
May 31, 2015
Messages
181
MBTI Type
ISTP
Enneagram
7w8
Instinctual Variant
sx/sp
On sites where I keep no sensitive data I use one of my "good old", "manual" passwords. When it comes to sensitive stuff like bank accounts, work related accounts then I use keepassx with a 20+ letter sentence as the master password.

Another not so often used technique: I use separate machines for serious things (work, business), and for not so serious things (forums, reading, watching films). For home entertainment you usually want to install much more suspicious stuff than for serious things. I use an old Windows (XP) laptop for "home entertainment" and I have a super-strong MacBook Pro that I use for work and business, and I further separate even these things by using virtualization on the Mac.
 

highlander

Administrator
Staff member
Joined
Dec 23, 2009
Messages
26,578
MBTI Type
INTJ
Enneagram
6w5
Instinctual Variant
sx/sp
Value of our PC being hacked.

HackedPC2012.png
 

Coriolis

Si vis pacem, para bellum
Staff member
Joined
Apr 18, 2010
Messages
27,193
MBTI Type
INTJ
Enneagram
5w6
Instinctual Variant
sp/sx
I have a question. How secure is google drive? I recently learned that some of the local school districts use google docs and google drive, having the students (as young as elementary age) do work in google docs and then post it in their google drive. There is nothing sensitive here in the manner of financial information or industrial secrets. I'm sure, though, that none of these students would want their awful 8th grade essay, or journal account of some personal experience, trotted out later when they are 26 and looking for a job - or a date. The parents are not asked to approve storage of their students' work in the cloud, and sadly the teachers I have spoken with seem to have no understanding at all of what the cloud even is. They had no idea the student work was stored outside the school building, much less outside the school district.

Am I being paranoid, or is there a legitimate concern here?
 

highlander

Administrator
Staff member
Joined
Dec 23, 2009
Messages
26,578
MBTI Type
INTJ
Enneagram
6w5
Instinctual Variant
sx/sp
I would look at Google's terms and ownership of the content that is placed out there.
 

Coriolis

Si vis pacem, para bellum
Staff member
Joined
Apr 18, 2010
Messages
27,193
MBTI Type
INTJ
Enneagram
5w6
Instinctual Variant
sp/sx
I would look at Google's terms and ownership of the content that is placed out there.
I'll take a look, but I wouldn't trust Google (or any cloud provider) to live by them. Once something is out of your hands, especially online, it's out of your hands.

The only material I (knowingly) place in the cloud is photos and accounts of public events, for a volunteer group I work with.
 

sprinkles

Mojibake
Joined
Jul 5, 2012
Messages
2,959
MBTI Type
INFJ
I find it better to use passwords which make no sense and you can remember them BECAUSE they make no sense. e.g. 578Warberdings34Floodelbits
 

Coriolis

Si vis pacem, para bellum
Staff member
Joined
Apr 18, 2010
Messages
27,193
MBTI Type
INTJ
Enneagram
5w6
Instinctual Variant
sp/sx
I find it better to use passwords which make no sense and you can remember them BECAUSE they make no sense. e.g. 578Warberdings34Floodelbits
I use lines from poems, either the first letters with numbers and symbols substituted, or whole words. Mainly, though, I use different passwords for every site. That way if one is compromised, it can access only one site/account.
 

sprinkles

Mojibake
Joined
Jul 5, 2012
Messages
2,959
MBTI Type
INFJ
I use lines from poems, either the first letters with numbers and symbols substituted, or whole words. Mainly, though, I use different passwords for every site. That way if one is compromised, it can access only one site/account.

I suppose that works. Just make sure it's not one you go around saying is your favorite, and isn't something that you usually quote. Social hackers pick up on that stuff.

It's a lot better than using the name of your dog though. NEVER USE THE NAME OF YOUR DOG.
 

Coriolis

Si vis pacem, para bellum
Staff member
Joined
Apr 18, 2010
Messages
27,193
MBTI Type
INTJ
Enneagram
5w6
Instinctual Variant
sp/sx
I suppose that works. Just make sure it's not one you go around saying is your favorite, and isn't something that you usually quote. Social hackers pick up on that stuff.
Are you kidding? I don't go around telling people my favorite anything. Besides, they aren't necessarily favorites, just ones that make good and memorable passwords. Even my SO couldn't guess them, I suspect.
 
Joined
May 31, 2015
Messages
181
MBTI Type
ISTP
Enneagram
7w8
Instinctual Variant
sx/sp
I think using memorable sentences/quotes is very good when a long password is needed. I've always used quotes from my favorite video games and advertisements. Even if they can restrict the scope for guessing, it's difficult to guess because you can play with upper/lowercase letters and special chars/numbers, making the text a bit l337.

For example an old unused password of mine: "Look, I'm your father!"
Here I've just used "Look" instead of "Luke" and I think it makes guessing very difficult.
 

highlander

Administrator
Staff member
Joined
Dec 23, 2009
Messages
26,578
MBTI Type
INTJ
Enneagram
6w5
Instinctual Variant
sx/sp
I recommend that everyone use a password manager. This is a pretty good article on the subject. It improves security and makes your life easier.

Here is what they do:
- They autogenerate really good/strong passwords
- They autofill them when you log in which is faster
- Your password on every system you use will be unique; so if one of your passwords somehow gets compromised, it is limited to only the one system
- They are portable from one device to another - you can get an app for your phone, software on the laptop, etc
- Some of them (like LastPass) have an audit feature where you can assess how good your passwords are across all of the systems you access and they have tools for fixing the bad ones

If you notice #2, #4 and #5 in the Security Experts Top Online Safety Practices (my last post), a password manager does all three of those things.
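The two manager features that matter most in this post, the generator and the audit, are small enough to show in code. The block below is an added example written for this thread, not code from any password manager named here. It builds a constructed sample vault containing the kinds of passwords discussed earlier (the "1eLOVE!" stem-plus-site scheme, the "12qw!@QW" style keyboard walks, a generated one), flags exact reuse, short entries, entries on a constructed stand-in for a leaked-password list, entries that embed the site name, and entries that share a long common stem, then rotates every flagged entry to a fresh random password from the OS CSPRNG. The vault contents, the `KNOWN_WEAK` list, the thresholds and all function names are assumptions made for the example.

```python
import math
import secrets
import string
from collections import defaultdict

# Constructed sample vault (site -> password). Illustrative only, not real credentials.
SAMPLE_VAULT = {
    "amazon": "1eLOVE!4m4zon",
    "gmail": "1eLOVE!gm49l&google",
    "pinterest": "1eLOVE!pinterest",
    "forum": "12qw!@QW",
    "bank": "12qw!@QW",
    "work-vpn": "Xk7$vQ2!pL9#mZ4wRt8b",
}

# Constructed stand-in for a breached-password wordlist (a real audit would use a large one).
KNOWN_WEAK = {"12", "12qw", "1q2w", "12qw!@QW", "1q!Q", "1q2w!Q@W",
              "correcthorsebatterystaple"}

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20) -> str:
    """What a manager's generator does: uniform random symbols from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generator_entropy_bits(length: int = 20) -> float:
    """Search space of a generated password, in bits: length * log2(alphabet size)."""
    return length * math.log2(len(ALPHABET))


def common_prefix_len(a: str, b: str) -> int:
    """Length of the shared leading run of two strings (detects a shared 'stem')."""
    n = 0
    for x, y in zip(a, b):
        if x != y:
            break
        n += 1
    return n


def audit_vault(vault: dict, weak=KNOWN_WEAK, min_len: int = 16, stem_len: int = 6) -> dict:
    """Return {site: [issue, ...]} for every entry that fails a check; clean sites are absent."""
    findings = defaultdict(list)

    # 1. Exact reuse: one compromise opens every site sharing the password.
    by_pw = defaultdict(list)
    for site, pw in vault.items():
        by_pw[pw].append(site)
    for sites in by_pw.values():
        if len(sites) > 1:
            for s in sites:
                findings[s].append("reused")

    # 2. Per-entry checks: too short, on the weak list, or embeds the site name.
    for site, pw in vault.items():
        if len(pw) < min_len:
            findings[site].append("short")
        if pw in weak:
            findings[site].append("known-weak")
        if site.lower() in pw.lower():
            findings[site].append("contains-site-name")

    # 3. Shared stem: distinct passwords that start with the same long prefix.
    sites = list(vault)
    for i in range(len(sites)):
        for j in range(i + 1, len(sites)):
            a, b = vault[sites[i]], vault[sites[j]]
            if a != b and common_prefix_len(a, b) >= stem_len:
                for s in (sites[i], sites[j]):
                    if "shared-stem" not in findings[s]:
                        findings[s].append("shared-stem")
    return dict(findings)


def rotate_flagged(vault: dict, length: int = 20) -> dict:
    """Replace every flagged entry with a freshly generated password; keep clean ones."""
    flagged = audit_vault(vault)
    return {site: (generate_password(length) if site in flagged else pw)
            for site, pw in vault.items()}


if __name__ == "__main__":
    for site, issues in sorted(audit_vault(SAMPLE_VAULT).items()):
        print(f"{site:10s} {', '.join(issues)}")
    print(f"generated 20-char password: ~{generator_entropy_bits(20):.0f} bits")
    print("after rotation:", audit_vault(rotate_flagged(SAMPLE_VAULT)))
```

The "shared-stem" check is the interesting one for this thread: the stem-sentence scheme produces passwords that are all different, so a reuse check passes them, yet they carry the same fixed prefix. Once any one of them leaks, the others are far closer to a single guess than their length suggests, which is the gap a manager's unique generated passwords close.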

 

Coriolis

Si vis pacem, para bellum
Staff member
Joined
Apr 18, 2010
Messages
27,193
MBTI Type
INTJ
Enneagram
5w6
Instinctual Variant
sp/sx
I recommend that everyone use a password manager. This is a pretty good article on the subject. It improves security and makes your life easier.
Where are the passwords stored, and how secure is that server/location? I don't trust anything in the cloud further than I can throw it.

Moreover, unless you enable some form of two-factor authentication, you are back to the case of one password which, if cracked, allows someone to access all your accounts.
 