Welcome to Tesla Motors Club
PSA: Don't use third-party apps and services, period.

How do you use Third-Party Apps/Services?

  • I used to use them, and I will continue to do so: 172 votes (41.0%)
  • I used to use them, but now I will probably stop (and change my password!): 34 votes (8.1%)
  • Will use them at some point in the future, despite non-ideal circumstances: 11 votes (2.6%)
  • Never used 'em, won't use them until Tesla supports them better: 95 votes (22.6%)
  • Never used 'em, never will: 108 votes (25.7%)

Total voters: 420
The safest way to use ANY password manager (LastPass, 1Password etc):

-- Choose a password for the password manager itself that you can remember but is VERY strong. DON'T use anything anyone else is ever, ever likely to know. Not anyone. Not birthdays, or SSNs, or your house number etc.
-- NEVER give your password manager password to anyone. Never type it into any dialog box, support page, or anything other than the app itself, and only when you use the app on a machine/browser that you know or own.
-- ALWAYS use the password manager to generate a strong random password for each web site etc. you visit.
-- DON'T use the same strong password for different web sites. EVER.
-- DO use the "manual auto-fill" feature of the password manager, where you have to click a button to ask the manager to fill in credentials.
-- DON'T use the "auto auto-fill" feature, where the password manager anticipates things and just auto-fills a form without asking you first.
-- If you EVER read about or suspect that a site you visit may have been compromised, visit that site AT ONCE and change your password using a new strong password generated by the manager.
-- DO use two-factor authentication (2FA) on any and all sites that support it.
-- DO keep an ENCRYPTED backup of your password database in a SAFE location.
-- DO set a reminder on your phone to update this backup at least once a month. AND DO IT.
The safest way to use ANY password manager (LastPass, 1Password etc):

Can we spell paranoid?
Or better yet, set up a cron job to encrypt the (already encrypted, but why not?) password database and SCP it to a remote location you own. S3 storage is pennies at this scale. Per year. We're talking $0.023 per GB per month.

Of course, but if you understand "cron job" and "S3" then you are already tech savvy enough to know all this. If not, you probably don't have any backups AT ALL (most people still don't).
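A worked version of the cron-plus-scp idea in the exchange above, added here as an example; it is not code posted in the thread. It assumes openssl is installed, that the vault lives at a path like $HOME/Passwords.kdbx, that the backup passphrase sits in a mode-0600 file, and that an scp target on a host you control is set in BACKUP_TARGET. All of those names are placeholders to adjust.

```shell
#!/bin/sh
# Added example, not from the thread: the "cron job that encrypts the vault and
# ships it off-box" idea. File paths, the passphrase file and the scp target
# are assumptions for illustration; only openssl and a POSIX shell are needed
# to run the encrypt/verify/restore functions.
set -eu

ITER=600000   # PBKDF2 iterations; slows offline guessing of the backup passphrase

# encrypt_backup SRC DST PASSFILE : outer encryption layer plus a digest sidecar.
# The vault is already encrypted by the password manager; the outer layer hides
# even the vault's file format from the storage host, and the detached digest
# lets a restore notice bit rot or truncation before you depend on the copy.
encrypt_backup() {
  src=$1; dst=$2; passfile=$3
  # -salt: the same vault encrypts differently every run, so identical backups
  # do not reveal that nothing changed. The passphrase is read from a 0600 file,
  # never passed on the command line where `ps` would show it.
  openssl enc -aes-256-cbc -pbkdf2 -iter "$ITER" -salt \
    -pass "file:$passfile" -in "$src" -out "$dst"
  openssl dgst -sha256 -r "$dst" | cut -d' ' -f1 > "$dst.sha256"
}

# verify_backup FILE : succeed only if FILE still matches its recorded digest.
verify_backup() {
  [ "$(openssl dgst -sha256 -r "$1" | cut -d' ' -f1)" = "$(cat "$1.sha256")" ]
}

# decrypt_backup SRC DST PASSFILE : the restore path. A backup you have never
# restored from is not a backup, so exercise this regularly.
decrypt_backup() {
  openssl enc -d -aes-256-cbc -pbkdf2 -iter "$ITER" \
    -pass "file:$3" -in "$1" -out "$2"
}

# ship_backup FILE TARGET : copy FILE and its digest to a host you control.
# Use key-based auth as a dedicated unprivileged user whose directory is
# append-only (or versioned), so a compromised laptop cannot also erase history.
ship_backup() {
  scp -q "$1" "$1.sha256" "$2"
}

main() {
  vault=${VAULT:-$HOME/Passwords.kdbx}                          # assumed path
  passfile=${BACKUP_PASSFILE:-$HOME/.config/vault-backup.pass}  # assumed, mode 0600
  outdir=${BACKUP_DIR:-$HOME/.cache/vault-backups}
  target=${BACKUP_TARGET:-}      # e.g. backup@nas.example.net:/srv/vault/ (placeholder)
  mkdir -p "$outdir"
  out="$outdir/$(basename "$vault").$(date -u +%Y%m%dT%H%M%SZ).enc"
  encrypt_backup "$vault" "$out" "$passfile"
  verify_backup "$out"
  if [ -n "$target" ]; then ship_backup "$out" "$target"; fi
}

# Install with: crontab -e  ->  15 3 * * * /usr/local/bin/vault-backup.sh
# main only runs when invoked under that name, so the functions can be sourced.
case ${0##*/} in vault-backup.sh) main ;; esac
```

The outer CBC layer carries no authentication of its own: the digest sidecar catches corruption, and deliberate tampering by whoever holds the remote copy yields a vault the password manager itself refuses to open, not a leak. Test the restore on a second machine before trusting the schedule; the functions are sourceable so that check is a one-liner.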
If not, you probably don't have any backups AT ALL (most people still don't)
Watchoo talkin' about? I gots backups! I keep my password database on the Desktop, and I have a backup in My Documents! Sheesh!

And I know I'll never lose my password 'cause it's in a Notepad document that I keep in My Documents, with a backup of it on the Desktop!
 
Can we spell paranoid?

The ecosystem of the current internet is hostile toward regular users. Advertisers want to put MALWARE on your system (and so, I have no ethical problem using adblockers, javascript blockers, etc.). It IS an arms race, and the sooner people realize it the safer they'll be.

Disable all HTML email; insist on just text. If someone sends you HTML email, just view the text version (ignore the tags). Reason: a lot of HTML emails have 'web bugs', and just by viewing an image you cause a hit on their webserver, and you've just confirmed your email, as a real human, to a spammer.

Android is horrible for security. YOU are the product, you are not the customer.

Be very wary of 'apps'. Almost all want to steal info from your contacts list and so on. The ecosystem is broken, and since 'no one' pays for microservices, the idiots^Hwebmasters all think that they have the right to flood you with ads and spam to 'pay' for the web pages you viewed. It's all so broken and such a damned shame we let it all go to hell like that. But we did. ;(

I work in the security group in my company and I see the red team (the guys who try to break in and test security) reports. I track updates to various software products and have to decide if this patch is safe to incorporate or not.

It's NOT being paranoid. Half of the internet people out there just want to have a normal life, but the other half have very bad intentions, and some even have good tech skills (or money to hire those that do).

Oh, one more thing: never use corporate systems (laptops from your company) to do ANY personal banking or email. They all have 'man in the middle' certificates installed by the IT dept, and the lock icon you see on your browser is mostly worthless after that.
The safest way to use ANY password manager (LastPass, 1Password etc):

Can we spell paranoid?

I'm so paranoid that I don't trust password managers. Some will say I'm being reckless because I'm less safe without one. But a password manager means One Password To Rule Them All, and if someone gets your master password, they have access to EVERYTHING.
I still didn't get an answer to how you're securing the keys in your cloud instance where you run your own metrics collector.
For my instance of Teslamate, it is in fact not stored in the cloud; it's on a server that I own and maintain. I would argue that if it were in the cloud it would still be secure, but recent leaks of private data from (former) AWS employees show just how wrong that argument would be.
For my instance of Marcone's teslausb image for the Raspberry Pi, it is also not in the cloud. It is, however, stored on a device in the car; if that walks off, someone has already gotten into my car and I may have more pressing problems.
 
This is mitigated by MFA. But I'd really like passwords (which are something like negative fortieth century technology) to go the way of the dodo. Revocable certificates and keystores, with universal MFA please!

I used to decline 2FA because I was in the habit of going places where there was no cell service. I usually had internet but no phone. Since 2FA (wherever I've seen it) requires the ability to receive a cell signal, I'd have been locked out of my accounts while traveling.

It's a matter of how cautious you want to be, as the more factors needed, the more of a nuisance it is to log into an account.
 
P.S. There also another matter: There's no point in having a solid steel front door with 17 deadbolts if a burglar can just break a window to get into your house. Once your authentication method is two or three times harder to break than an alternative method of burgling your account, there's no point in making it more secure.
I used to decline 2FA because I was in the habit of going places where there was no cell service.
One-time pads sent via SMS are but one form of multifactor authentication (and indeed one of the less secure forms). Rather better are software or hardware that you can obtain (examples of the former might be Google Authenticator or Authy; an example of the latter might be a Yubikey) which you seed once, and continue to generate the OTPs on demand in sync with the far side. No communication side-channel needed at authentication time.
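To make the "seed once, then generate in sync with no channel needed" point concrete, here is the computation an authenticator app or hardware token performs, added as an example rather than anything posted in the thread. It needs only a POSIX shell, openssl and od (plus coreutils base32 for the seed format shown in enrolment QR codes) and uses RFC 6238's published test secret, not a real seed.

```shell
#!/bin/sh
# Added example, not from the thread: the TOTP a phone app or hardware token
# computes locally from its seed and the clock (RFC 4226 HOTP / RFC 6238 TOTP).
# Nothing here touches a network. The only key used in the comments and tests
# is RFC 6238's published test secret "12345678901234567890", never a real one.
set -eu

# Read hex on stdin, write the raw bytes (avoids depending on xxd).
hex_to_bytes() {
  h=$(cat)
  while [ -n "$h" ]; do
    byte=${h%"${h#??}"}; h=${h#??}
    printf "\\$(printf '%03o' "0x$byte")"
  done
}

# base32 seed (the form in enrolment QR codes) -> hex for the functions below.
# Re-pads the string so unpadded seeds, as most providers issue them, decode too.
base32_to_hex() {
  s=$(printf '%s' "$1" | tr 'a-z' 'A-Z' | tr -d ' =')
  while [ $(( ${#s} % 8 )) -ne 0 ]; do s="$s="; done
  printf '%s' "$s" | base32 -d | od -An -v -tx1 | tr -d ' \n'
}

# hotp HEXKEY COUNTER DIGITS -> zero-padded code
hotp() {
  hexkey=$1; counter=$2; digits=$3
  # HMAC-SHA1 over the counter encoded as an 8-byte big-endian integer
  mac=$(printf '%016x' "$counter" | hex_to_bytes |
        openssl dgst -sha1 -mac HMAC -macopt "hexkey:$hexkey" -binary |
        od -An -v -tx1 | tr -d ' \n')
  # Dynamic truncation: the low nibble of the last byte picks a 4-byte window,
  # whose top bit is cleared before reducing to the requested number of digits.
  last=${mac#"${mac%?}"}
  offset=$(( 0x$last ))
  word=$(printf '%s' "$mac" | cut -c"$(( offset * 2 + 1 ))-$(( offset * 2 + 8 ))")
  mod=1; i=0
  while [ "$i" -lt "$digits" ]; do mod=$(( mod * 10 )); i=$(( i + 1 )); done
  printf "%0${digits}d" "$(( (0x$word & 0x7fffffff) % mod ))"
}

# totp HEXKEY DIGITS STEP [UNIX_TIME] : counter = floor(time / step).
# Both the token and the server evaluate this; only the seed and a clock are shared.
totp() {
  hexkey=$1; digits=$2; step=$3; now=${4:-$(date +%s)}
  hotp "$hexkey" "$(( now / step ))" "$digits"
}
```

Both sides run the same function over a shared secret and the current 30-second counter, which is why a phone with no signal and a server on another continent agree on the code. It also means the server's copy of every seed is as sensitive as a password database, and that clock drift beyond the server's small tolerance window locks you out until the clocks agree again.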
 
One-time pads sent via SMS are but one form of multifactor authentication (and indeed one of the less secure forms).

There's a long and very interesting article on MFA on Wikipedia. It seems there are controversies and drawbacks on all the various methods. Because I lack technical knowledge on the subject I cannot easily judge, so I'm probably making poor decisions. I do have unique hard-to-guess passwords for all sites that have critical information about me.
 
The ecosystem of the current internet is hostile toward regular users. Advertisers want to put MALWARE on your system (and so, I have no ethical problem using adblockers, javascript blockers, etc.). It IS an arms race, and the sooner people realize it the safer they'll be.
I will assume you have anti-virus protection for your dog's laptop?
Again, paranoia!
So, GreenT, do you work in the field? Have experience with computer or network security? Programming background? Sysadmin experience? Any/all of that?

I'm a software person who has been doing this (and other related) jobs for over 35 years. I'm not saying this based on things I've read; I have the sysadmin and programming experience to know what I'm talking about.

Do you? If we are to take you seriously, please support your simplistic 'no' vote.