Privacy and Security Discussion

[Axel PC]

What do to protect your identity online? What's your threat model? How did you come up with your threat model? What are your primary concerns with your information being online and the online services and apps you use? How do you protect yourself online? Do you use Gmail or Protonmail? Do you use your bank/credit card or a service like Blur.com/Privacy.com? Do you use a password manager like Keypass/Lastpass or an Excel spreadsheet or "old fashioned" paper and pencil? Have you had to change how you do things online because of the changing times or an incident happening to you? Do you have any great tips to share?

Just thought I'd try getting a good and varied discussion about privacy and security. Mainly looking for an on going discussion, discovering some cool services and new tips. Thanks

 

[Neemobeer]

The short and skinny of it is you can't protect your identity online. Sure you can use long complex passwords generated from KeePass and use different ones on each site you visit, but you are basically putting your security and privacy practices in someone else's hands and even the best of those sites Google, Apple, etc get breached and then your data is flung to four corners of the wind (and criminal dark webs) of the world and you're not getting that data back. You're better off paying for an identity/ financial watch dog such as Life Lock.

 

[Axel PC]

I know that you give up some privacy and security once you start going online using online service. Actually you have no choice. Even if you don't have any social media, don't have a smart phone, and don't "go online." Your bank account information is stored in the cloud, your government information is stored online, etc.

My question was about what you do to mitigate this issue, not if it can be avoided.

 

[Neemobeer]

Well since you have zero control over the data there isn't anything you can do to mitigate the issue.

Well not quite nothing you can do. You can send requests to have your information removed, but there's nothing from stopping these sites (online people search databases, marketing firms etc) from purchasing your data from companies that are willing to sell your data.

 

[Legit Labs]

Glad you asked!

I like to take the Snowden approach to life online.

I couldn't care less (that's could care less in American English I believe) about information online apart from the government and authorities seeing it. I'm not anti-government, I just mean government agents etc. and anyone who could use that information against me in some way.

I don't put any information on social media, and I don't use profile pictures of myself (or anything else that may lead to someone guessing an opinion or view I may have).

As for passwords, I use one password for everything. It's about 30 characters long and involves letters, numbers, and symbols such as $#@ and it's all I will ever need. It's stored in my head. (Your passwords should always be a mixture of letters, numbers, and symbols.)

For other websites, I have a secondary password which is only around 10 characters long, and I use that when I know there is very limited threat of anyone trying to guess it.

I find this approach better than using a different password for everything that I then have to store somewhere.

PS, I don't use profile pictures where my name is involved. Legit Labs gets a pretty one, though.

PPS, I'm always amazed how the average person leaves their Facebook photos on public for me to browse through whenever I please. I still to this day can't believe how well the world took to Facebook. Who would have guessed people liked to show off quite so much?

 

[Neemobeer]

Using a single password for everything isn't a good idea. It gets stolen once and they can get into everything you have online. I've cracked salted 24 character passwords in days on my hashing box. At the least you should use a unique long password for your main email account and unique for financial institutes. I use variations of a different password for non-essential sites I don't care about compromise.

 

[Legit Labs]

Doesn't make much sense.


If you think you can crack any 30 character password, then you can obviously crack a sub 10 character password that is auto-generated as an apparent strong password very quickly and any time you want.

So what would the point be of bothering trying to stop you?

There wouldn't be much time difference between the two options.

 

[Neemobeer]

There is a big difference. Compromising one password doesn't compromise all of them.

 

[Legit Labs]

But you could crack a shorter password much quicker.

So if you can crack any code, then you could just put your software onto each password and they'd be cracked at a similar time.

And that's actually being kind to your ideas.

The difference between a 25 character and 30 character password is apparently years let alone days like you're suggesting.

But let's say it was days, then that's still far longer than it's going to take to crack the other passwords.

To be clear, I'm following your point. But there's no reason for someone to wait until one password is cracked. If they'e confident they can crack codes, then why wait for one?

Neemobeer,

If you can crack my (roughly 30 -- giving the exact number would make it easier --) character password in a week, I'll give you a hundred bucks. Up for the challenge?

Any longer than a week and it would take the interest of the CIA to bother on the one person.

 

[Neemobeer]

While true a shorter password can be cracked quicker it would require each site's database to be dumped which isn't very common. When you use one password for everything any of the sites you use could be compromised and in turn all your accounts are compromised

 

[Legit Labs]

I don't know about the OP, but I'm riveted.

Let's continue a little bit if you've got the time.

If what you say is correct, why do you need database dumps for scenario a) but not a database dump for scenario b)? Even though it's one password, it will still require the database dump for that one password if there needs to be a database dump for multiple passwords, no?

In addition, how does one dump a database that they don't own and that should be secure? If I'm understanding you right, you're referring to a website's database?

 

[Neemobeer]

Yes I am referring to websites. Basically when you enter your password on the web site a hash is produced using the same hashing function used when you set up your account. If the password you entered hashed matches whats in the database, you are allowed access. The how it's hashed isn't that important as it won't help guess the password from the hash. That hash is stored in a database. Different sites may used different hashing algorithms which is also not really important.

Scenario 1 [Using the same password on all or multiple sites] - Bad guy dumps the password hash database of site A. Bad guy does a brute force or rainbow table attack and figures out your password is Password123. Let's say your login is your email address which is also common. Bad guy doesn't need to dump the password hash database from or crack the hash on site B. He enters your password he cracked from Site A. Site B hashes the password on Site B and (even if it hashes the password differently) will match the hash on Site B and now they have access, and Site C and Site D etc.

Scenario 2 [Different password on each site, or important sites] - Same thing up to they crack your hash on Site A as Password123, but your password on Site B is Password234. Password123 won't hash to what Site B has with their hashing algorithm only Password234 will.

In scenario 2 bad guy can't move laterally through your accounts with just one password.


*SIDE NOTES* -- If you don't want to a unique password for every site at least use a unique strong password for your main email account.
WHY THIS IS IMPORTANT - Assume Site A's password is the same as your email account. Site B, C D etc have your email as the email account on it. Bad guy can now log into your email. Bad guy goes to Site B and tries your password he cracked from Site A but it doesn't work. Bad guy logs into your email and does a password reset on Site B. Via email bad guy resets your password for Site B.

 

[Legit Labs]

Good point about email at the end there. My opinions are still butting heads a little bit with that, but even if you had all unique passwords, it's important to protect that main email.

It's also why it's necessary to bother taking the time to have two factory security on that maim email also (aka hooked up to your phone). Most good email clients won't allow people to enter if they're signing in from an unknown location to prevent the bad guy getting in.

I'm straining my brain to think what happens next. I think the email will send another email to your backup email client, i.e. from Gmail to Hotmail, and then you need to confirm it was you.

So also a good reason to have different passwords on each of your emails.

 

[Axel PC]

This is great thanks for participating guys. I was away for a few days. Great points from both of you. I use LastPass right now. I like it the experience is easy. But I've also heard good things about BitWarden that it's great like LastPass but that it's better because it's open source. But I don't know if that makes it better automatically?

I try and use different passwords for almost everything. But even with a password manager it can be a chore. I also have a big family and I'm the de facto IT guy so I keep everyone's login/pass.

A couple questions.

Are you hesitant to try new online services, apps or sign up for email newsletters because of database leaks? Do you have a strategy for doing this?

How do you not get overwhelmed with all the news about database leaks, Google data scraping, Android vs iOS, etc? Did you guys see this today?
Facebook hacker stole login information for 50 million accounts

Thanks!

 

[Axel PC]

This is for Google users. How do you feel about how they scrape emails and Chrome for advertising purposes? I completely understand that having this data allows them to create better services i.e. their search engine being the best. But does it bother you? Do you just accept it? Have you thought about going to another service that doesn’t scrape user data? What’s your take on it? Thanks.

 

[Neemobeer]

Facebook does this too, even reads your text messages on your phone. As the Adage goes "If you're not paying for the product, you're the product"

 

[Axel PC]

Right. So what's your view on my Google question if you don't mind?

 

[Axel PC]

I used to have a Facebook but I dipped out of it a few years back because I didn't like how much time I was spending on it. But I'm sure even back then they were scooping up everyone's information just as they are today.

 

[Neemobeer]

I do use Google, but it's probably the same thing.

 

[Axel PC]

There's no doubt they are. But what are your thoughts on it. You seem to have a pretty good IT security background? How do you feel about it. Like I said in my op I'm not looking to get into a flame war but hear opinions and dissuasions from actual users other than tech journalists and tech "experts." Thanks!