#password managers

Okay, look, they talk to a Google rep in some of the video clips, but I give it a pass because this FREE course is a good baseline for personal internet safety that so many people just do not seem to have anymore. It's done in short video clip and article format (the videos average about a minute and a half). This is some super basic stuff like "What is PII and why you shouldn't put it on your twitter" and "what is a phishing scam?" Or "what is the difference between HTTP and HTTPS and why do you care?"

It's worrying to me how many people I meet or see online who just do not know even these absolute basic things, who are at constant risk of being scammed or hacked and losing everything. People who barely know how to turn their own computers on because corporations have made everything a proprietary app or exclusive hardware option that you must pay constant fees just to use. Especially young, somewhat isolated people who have never known a different world and don't realize they are being conditioned to be metaphorical prey animals in the digital landscape.

Anyway, this isn't the best internet safety course but it's free and easy to access. Gotta start somewhere.

Here's another short, easy, free online course about personal cyber security (GCFGlobal.org Introduction to Internet Safety)

Bonus videos:

(Jul 13, 2023, runtime 15:29)

"He didn't have anything to hide, he didn't do anything wrong, anything illegal, and yet he was still punished."

(Apr 20, 2023; runtime 9:24 minutes)

"At least 60% use their name or date of birth as a password, and that's something you should never do."

(March 4, 2020, runtime 11:18 minutes)

So it is true that online password managers present a big juicy target, and if you have very stringent security requirements you'd be better off with an offline password manager that is not exposed to attack.

However, for most people the alternative is "reusing the same password/closely related password patterns for everything", the risk that one random site gets compromised is much higher than the risk that a highly security focussed password provider gets compromised.

Which is not to say it can't happen, LastPass gets hacked alarmingly often, but most online password managers do their due diligence. I am more willing to stash my passwords with 1Password or Bitwarden or Dashlane than I am to go through the rigamarole of self-managing an array of unique passwords across multiple devices.

Bitwarden and other password managers try to store only an encrypted copy of your password vault, and they take steps to ensure you never ever send them your decryption key. When you want a password, you ask them for your vault, you decrypt it with your key, and now you have a local decrypted copy without ever sending your key to anyone. If you make changes, you make them locally and send back an encrypted updated vault.

As a result, someone who hacks Bitwarden should in the absolute worst case get a pile of encrypted vaults, but without each individuals' decryption key those vaults are useless. They'd still have to go around decrypting each vault one by one. Combining a good encryption algorithm, robust salting, and a decent key, you can easily get a vault to "taking the full lifetime of the universe" levels on security against modern cryptographic attacks.

Now there can be issues with this. Auto-fill can be attacked if you go onto a malicious website, poorly coded managers can leak information or accidentally include logging of passwords when they shouldn't, and obviously you don't know that 1Password isn't backdoored by the CIA/Mossad/Vatican. If these are concerns then you shouldn't trust online password managers, and you should use something where you remain in control of your vault and only ever manually handle your password.

Bitwarden is open source and fairly regularly audited, so you can be somewhat assured that they're not compromised. If you are worried about that, you can use something like KeePassXC/GNU Pass/Himitsu/ (which all hand you the vault file and it's your job to keep track of it and keep it safe) or use clever cryptographic methods (like instead of storing a password you use a secret key to encrypt and hash a reproducible code and use that as your password, e.g. my netflix password could be hash(crypt("netflixkalium", MySecretKey)), I know a few people who use that method.

It feels like my account got hacked. I shall be taking the necessary steps of precaution. And here I was, thinking 🤔 that the e-mail 📧 message was just a part of an annoying routine. 🙄

Please use free and open source password 🔑 managers like Bitwarden (with EU servers, not US ones, and the choice is clearly given — no thank you, US Cloud Act, EU's GDPR is much more protective), or better still, Proton Pass from Switzerland 🇨🇭 created by (ex?) CERN employees. The one advantage that Bitwarden has is in its easy to use complicated password 🔑 generator.

No longer do I use either Apple's or Google's password managers. It's an entrapment.

I decided to finally go ahead and move over to a dedicated cross-platform password manager from the one built into Firefox.

Sure, sounds fine. It'll do local encrypted database with optional cloud access, it's available off F-Droid and the AUR among other sources, it'll handle autofill on Android, the interface looks fine, transparency seems good, and the dev is answering questions reasonably over on Reddit.

Only problem is it doesn't seem to support importing from other database formats directly (yet?). But, this person kindly has us covered with a simple enough workaround:

!!! NOTE: THIS GUIDE WILL BE UPDATED AND REFINED; CONSIDER THIS A FIRST PASS !!!

Preamble

this is a GUIDE on the basics of security, and how to set up a password manager. i'll run-through of the aims of security practices and include a glossary at the end for some of the more technical terms d:

The point of security

contrary to popular belief, the point of security measures (in cyber- or meatspace) is not to make it impossible to gain access to the Protected Thing; the point is to significantly reduce the chance of unauthorised access to the Protected Thing.

we do this by making it:

harder (think rpg skill check)

more time consuming (people get bored; it's also less profitable)

less appealing (add obstacles)

Security basics

the golden rules of security and privacy:

SHUT THE FUCK UP (for the love of Void, stop sharing your personal info publicly! or privately, for that matter)

sandboxes and containers ! (keep your personal shit separate from your work shit; doubly so for activists)

change passwords regularly

use 2FA/MFA (security layers are important !)

don't sign up for accounts/services you don't need ??

In my research into the matter, it seems that one of the biggest headaches is a basic security measure: creating and maintaining passwords.

Some people are aware of password managers, but they either forget the password manager's password (which is ironic considering that the password manager is supposed to be the ONLY password you actually remember) or think that it's too cumbersome to set it up.

Another pain point is resetting passwords, especially if a website asks you to reset the password, hence why people are locked out of websites, such as... well, Tumblr and ironically, their emails... which is also needed to reset said password.

So, basically, people need to be educated on passwords... which might be a topic worthy of exploring, but here's the kicker...

... the average user don't really care to do proper password maintenance at all.

Which is sad considering the possibilities of losing a lot of data.

So, I guess if I have to give five pieces of good information - it would be the following:

1) Learn to use ONE password manager.

Are passwords annoying? Yes. But it's part of the Internet and the more you use it, the more you are going to forget which sites you visit. Having 5 go-to passwords was great in... say, 2001, but you will easily have to maintain at least 30 websites, which includes email, bank, utility bills, rent, and more. So, stop whining and complaining and learn one.

My personal favorite is Bitwarden. It's free, open sourced, and you can use it with any operating system and browser. So, you can carry it over to your mobile device as well. And if you need advanced features, then it's only $10/year for one account. The core product is more than enough, tho.

2) If there's a breach, change your password ASAP. This isn't a system update.

Data breaches happen all the time. It's going to happen no matter if you like it or not, so if you heard of a breach or if you get prompted to change your password, just do it. Chances are, you took the first advice to heart and let your manager create a new password for you.

Don't let the notification hang! Don't tell yourself "I will do it tomorrow." Just spend a few seconds and do it right then and there.

3) If you have to choose between creating a password or using a Single Sign On (SSO), opt for the creating a password unless you use the site often enough.

You might be thinking "wait, shouldn't I use the SSO? It's one less password to create", and it might be. But what if your account you used gets suspended or worse, you get locked out of it? Then you have to go jump through hoops. Save yourself the trouble... learn the password manager and just do that. If you REALLY want to hook up the SSO, you can do so at a later time.

4) Only use two-factor authentication for anything that will put your identity or finances at risk.

Two-factor authentication is useful as it's like having two house keys. But it's also a headache to use if you are not prepare for it. Do you need to apply it at all websites that offer it? No. But you will need to prepare for it, especially if you have no choice in the manner.

There are a few ways to do it:

Cell phone

Email

Software Key/authenticator

Hardware Key

Device/software

Which one to use? It's up to you to decide, but really the best advice is to know yourself. There is really no "best practice" I can suggest here other than make notes in your password manager.

5) Noticed how EVERYTHING links back to a password manager?

As you can see, every thing circles back to the bloody manager. It's simple: It's the one place where you can safely secure it all and make notes should you really need it.

And no, don't write it in a book. NEVER WRITE YOUR PASSWORDS IN A BOOK OR A FILE!

If you learn your password manager, and you lose your device, you can always recover your manager. But if you lose a book or a file (or you make a typo), then good luck recovering from that.

Hey, just wanted to write up a little advice on security for anyone who may not not know. Post is a little long, but not too hard to read or do. TL;DR version: Use a password manager always, with autogenerated passwords; use 2 factor authentication (2FA) and prefer TOPT (google authenticator/FreeOTP apps) over SMS 2FA (or use a fido U2F dongle, but support is not too widespread yet); disable/don’t use security questions (what was your first car etc) or if you can’t, fill them with a random string and save it with your password manager

Password managers - Some will complain about them being a single point of failure. It is true that that is an issue, however it is enormously outweighed by the security issues created when not using one. The big name password managers are well written, and use data models that minimize risk. Notable even the online ones, that can sync your passwords across devices, are set up in such a way that even if an attacker get into the company database, they can’t effectively get your passwords. And that means the company itself can’t either, even if the government orders them to or they turn evil. Whereas trying to remember reasonably strong passwords for all the site accounts people end up having these days is fools errand, and virtually always leads to weak passwords and/or password reuse. Just use a password manager. The big names to trust are LastPass, Dashlane, 1password and Enpass.io has been coming up lately. If you want an offline/non-synced (though you can manually sync it with some effort) version that is totally free, there is KeePass (it is open source too). LastPass would be my first choice, it could well cover your needs with the free version. $2 per month gets premium, which lets you share logins with friends or family, gives more 2FA options, and lets you set someone as an emergency backup, so they help you get access if locked out, or get access to your accounts if you are incapacitated or die... Dashlane has a free version which allows just one device. If you want multiple devices (computer and phone, or multiple computers, whatever), it is $3.33 per month. Some say it has a little better user experience than LastPass (I haven’t tried). 1password has a 1 month trial, then you have to pay $3 per month. 1password uses other data services you might have, like DropBox, Google Drive, or your Apple account to store and sync your passwords, so you need one of those (the full list of services they support is on the website) Enpass.io also uses 3rd party storage, so again you need that. It gives you full features on as many desktops as you want, and a free client for mobile that only handles 20 sites... to get more on mobile, you pay $10 one time (though separate for Apple vs Android). It hasn’t been around as long as the others and is a bit less known.

For your master password - the one that unlocks the manager, you will need one really strong password, and you will need to memorize it and be able to type it (IDK about anyone else but certain random patterns on the KB I just *cannot* type with any speed even if I remember it perfectly, and I have to pick something else). You will want to write it down and keep it safe. If you live alone, just written down and filed away may be fine. If you live with other people, maybe in a locked jewelry box or similar. Not a bad idea to have a copy in a bank safe deposit box or something with other important papers in case of a fire...

2FA - 2 Factor Authentication -

This can mean a range of things in a security context, here we will talk about the two main ways an average user will encounter it. First to gain wide use was SMS (text message) 2FA. When you turn it on, you give the website your phone number, and when you go to log in, you first enter username and password as normal (from a password manager, right?), and then they text you a (usually) 6 digit number which you then enter to complete the log in. That number is only valid for a few minutes, any later and you will have to have them send you a new one. This was thought to be pretty good for a while, but it ultimately has some drawbacks. If you are login in on mobile, you get the code on the same device you are logging in from, which is a technical violation of the idea of 2FA. Even more important though, it is increasingly possible to intercept cell signals over the air one way or another (stingray devices mainly), and it is possible to spoof various aspects or even take over a phone number altogether (a subject for a whole other post). If a site doesn’t have TOTP 2FA, go ahead and use SMS, it is still much better than none. So the way that is spreading now is TOPT (Time-based One Time Password). Most widely known as “Google authenticator” as Google has made a free and easy to use app for it on all mobile platforms. However the protocol is open, and there is an open source app that is also very good called FreeOTP. It works anywhere “Google authenticator“ does, and in the exact same manner. TOTP is just slightly more complex than entering your phone number to set up, but really not bad. You get the app, then you go to a website that supports TOTP on your computer or a second tablet or phone, and find the option to turn it on. When you do, the site will show you a QR code (those square, 2d barcodes). In the app you press the QR code button and then point the camera at the QR code. This contains all the info needed to set up the algorithm. Then the app will display a button for the site, you press it to get a code and enter it in the site to confirm. After that, every time you go to the site, much like the SMS option, after your username and password, it asks for a 6 digit code. But instead of getting it from a text, you open the app, and tap on the site you want to log into, and it generates one. It also works if you don’t have cell service to your phone at the moment, as it isn’t sending data back and forth. (I am sure there is a way to turn on TOTP for a site when using only your phone (so not able to point the camera at it), but I haven’t tried it) Even if you don’t use 2FA on every site that supports it, at least turn it on for: Your main email (where all those “password reset” emails go) Your main social media site(s) and Facebook (if you use it for the “log in with facebook” feature on other sites, even if you don’t use it much otherwise)(Twitter, Tumblr and Instagram all have 2FA). And of course on any financial or medical sites if they have it - many of them are way behind on that though... If your main email doesn’t have 2FA, get a new one! Outlook.com and gmail both have it and are free... disable/don’t use security questions -