Account Security Reminder 2015

Teddy · 14564

Teddy (topic starter)
on: April 08, 2015, 11:44:00 pm
Hello,

This is another reminder about your account security. This shouldn't apply to just Argonath but in general any form of digital account you own. Today we live in an era where virtually everything about us exists somewhere on the Internet in a database, and to ensure that we aren't the source of that information falling into the wrong hands, or being accessed by someone with malicious intent, we need to protect our accounts and in turn protect our digital footprint.

Here are the same old common password tips:

* Never share your password with anyone.
* Never use a password that is a plain text word (e.g. "password", "cookies", "boobs"), phrase ("Iambred", "Ilovepie"), statement ("thequickbrownfoxjumpedoverthefence"), or personally relatable (pet's name, date of birth, government id, etc.).
* Never use the same password on more than one, or two at most, sites. (note for sensitive accounts like banking; use a unique password per account)
* Never store passwords on a non-airgapped machine (does not connect to Internet/Network at any point), or in plain-text.
* Never write passwords down (on paper (wtf is paper?)) in a place they can be easily accessed.
* Change passwords frequently. For sensitive accounts (e.g. banking), at least every 30 days; for everything else at least every 90 days.
* Never trust anything with absolute certainty, there is no such thing as absolute security.

Generate Secure Passwords
https://www.random.org/passwords/ (use at least 12 characters)
http://passwordsgenerator.net/ (use at least 12, recommends 16 which is also fine, and ensure "generate client side" is selected)
https://identitysafe.norton.com/password-generator/ (right sidebar has generator, use default checkboxes, increase size to at least 12)
https://lastpass.com/generatepassword.php (use 12 length)

Recommended Password Manager: Lastpass

I've been a premium member for over a year now and I use it for everything including my multiple real life bank accounts, credit card sites, and Argonath sites. I generally use randomly generated passwords with at least 20 characters in length. In addition I use Google Authenticator and it requires I authenticate frequently. I've provided below recommended security settings to ensure it's safe. Do note your passwords are stored on the cloud but they are encrypted, and the encryption key is ALWAYS kept on the client side so the server can never decrypt your password. If you don't trust this, don't use it. You must have trust in such a system for it to work.
https://lastpass.com/

Notes: Use 10,000 (45,000 if not planning on using mobile / low end devices) password iterations w/ Google Authenticator. Ensure the setting is enabled requiring authenticated access, require re-two factor authentication to change/view raw passwords, and at least every 7 days on authenticated devices. If you use on a mobile device, ensure it has at least a PIN or password protection; do not use pattern or facial recognition. Change your master password to something incredibly secure that you can remember, and ensure you change the password at least every 30 days, 60 at maximum.

Additional Notes
+ Ensure websites are using SSL (on most browsers you'll see a green lock in the URL). For sites without SSL, ensure it has a unique password.
+ Never enter your password directly from an email. If you get an email from a company, always manually navigate to their site and authenticate.
+ No company, game, or entity will EVER ask you for your password; this includes Argonath and its staff.
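
Added example (not part of the post above, and not LastPass's own code): a minimal Python model of the client-side key derivation the post describes, showing what the "password iterations" setting controls and that the server only ever sees a login hash, never the vault key. The e-mail-as-salt choice, the one-extra-round login hash and all function names are assumptions of this sketch.

```python
import hashlib
import hmac
import time


def derive_vault_key(master_password, account_email, iterations):
    """Client side: stretch the master password into a 256-bit vault key.

    Salting with the account e-mail is an assumption of this sketch.
    """
    salt = account_email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                               iterations, dklen=32)


def login_hash(vault_key, master_password):
    """Value sent to the server instead of the key: one further PBKDF2 round
    over the key (assumed construction), so the key never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(),
                               1, dklen=32)


def server_verify(stored_login_hash, presented_login_hash):
    """Server side: constant-time comparison of login hashes only."""
    return hmac.compare_digest(stored_login_hash, presented_login_hash)


def seconds_per_guess(iterations, trials=3):
    """Best-of-N wall time for one derivation, i.e. the cost of one guess."""
    best = float("inf")
    for _ in range(trials):
        start = time.perf_counter()
        derive_vault_key("constructed guess", "user@example.com", iterations)
        best = min(best, time.perf_counter() - start)
    return best


if __name__ == "__main__":
    # Constructed sample account; nothing here is a real credential.
    email, master = "user@example.com", "constructed master passphrase"
    for n in (10_000, 45_000):
        key = derive_vault_key(master, email, n)
        stored = login_hash(key, master)  # all the server ever holds
        bad_key = derive_vault_key("wrong guess", email, n)
        wrong = login_hash(bad_key, "wrong guess")
        print(n, "iterations:",
              f"{seconds_per_guess(n) * 1000:.1f} ms per guess,",
              "login ok:", server_verify(stored, login_hash(key, master)),
              "wrong password ok:", server_verify(stored, wrong))
```

Because the iteration count is an input to the derivation, changing it yields a different key, so a vault has to be re-encrypted whenever the setting is changed.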



Exterminator
Reply #1 on: April 09, 2015, 12:00:56 pm
> Recommended Password Manager: Lastpass
>
> I've been a premium member for over a year now and I use it for everything including my multiple real life bank accounts, credit card sites, and Argonath sites. I generally use randomly generated passwords with at least 20 characters in length. In addition I use Google Authenticator and it requires I authenticate frequently. I've provided below recommended security settings to ensure it's safe. Do note your passwords are stored on the cloud but they are encrypted, and the encryption key is ALWAYS kept on the client side so the server can never decrypt your password. If you don't trust this, don't use it. You must have trust in such a system for it to work.
> https://lastpass.com/


Password managers are not safe at all. You have bank accounts, credit cards and everything else up there, and your passwords are random so I doubt that you remember every single one of them (If you did, that would defeat the purpose of the password manager anyway).

I'll try to make a formal definition of the assumption here,
So, the assumption made here is that instead of logging onto x different sites from y different devices (Assuming that using another operating system on the same device qualifies as a separate device), you are less at risk by using a password manager rather than using different passwords for different sites.

But here's the thing, this would imply that using your own x passwords instead of a password manager is less safe. Which would then imply that at least one of your x passwords can be compromised. Yet, by using a password manager that password won't be compromised. But how will you authenticate to the password manager?
Afaik, lastpass does not permit you to login without a master password. This means that you still had to enter your master password on that device.

So if the device has a keylogger, instead of getting your password for your bank, it has your master password, with your password for everything instead. If someone looked over your shoulder to see you type in the password to your bank, he has now seen you type in the master password to your password manager.
So on the overall, if you used separate passwords then you would only risk the loss from that single website which is compromised. On the other hand, if you use a password manager, you now have the same risk of getting your password stolen, as getting it stolen is not in any way in the hands of the password manager but owes to external factors (Keylogging, social engineering or just peeping over the shoulder). So all in all, password managers are the most retarded inventions that have managed to stick around. What's more is that people keep using (And recommending) password managers without ever actually thinking of how secure they are. This gives them a false sense of security which might even make them more lenient in their safety, putting them at even more risk.

Please stop recommending password managers. They are just a fancy excuse to have the same password for 30 different sites.

Edit: Not to mention the fact that with password managers you also lose another factor of security. Instead of trying to hack into your password manager the attacker could also try to hack into your email. Using security questions most likely but there are plenty of other ways too. If they did get access to your email they would be able to reset all your passwords but important ones like Banks wouldn't let them reset the password with reset emails. If you can recover the password manager's password (Even if the password manager sends a hint instead of a reset email, you can still use the hint to drastically increase your chances) then you can also get into the target's banks and other things the banks were smart enough to prevent resetting for this very reason. Not to mention the fact that it's much much easier to just get your master password and then your bank accounts directly.


Philip_Ancelotti - Clans & Groups Moderator - Ancelotti Boss


Pandalink
Reply #2 on: April 09, 2015, 12:06:59 pm
Password Managers work on the basis that having a single point of failure (the manager) is better than having multiple points of failure across the internet. If you use the same password for like 10 different things, then they are ALL points of failure for each other.
At the end of the day there is always going to be a single point of failure unless you have a pretty complex system or an extraordinarily good memory, and even then email reset systems introduce a single point of failure that you can't get rid of.

The best method is to have a system only you can understand with a key list of modifiers kept somewhere safe (but in such a way that the list itself isn't useful to anyone but you).

Panda Araatus  -  Sovereign Overseer  -  The Araatus Yakuza


Marcel
Reply #3 on: April 09, 2015, 12:13:51 pm
> Password managers are not safe at all. You have bank accounts, credit cards and everything else up there, and your passwords are random so I doubt that you remember every single one of them (If you did, that would defeat the purpose of the password manager anyway).
>
> I'll try to make a formal definition of the assumption here,
> So, the assumption made here is that instead of logging onto x different sites from y different devices (Assuming that using another operating system on the same device qualifies as a separate device), you are less at risk by using a password manager rather than using different passwords for different sites.
>
> But here's the thing, this would imply that using your own x passwords instead of a password manager is less safe. Which would then imply that at least one of your x passwords can be compromised. Yet, by using a password manager that password won't be compromised. But how will you authenticate to the password manager?
> Afaik, lastpass does not permit you to login without a master password. This means that you still had to enter your master password on that device.
>
> So if the device has a keylogger, instead of getting your password for your bank, it has your master password, with your password for everything instead. If someone looked over your shoulder to see you type in the password to your bank, he has now seen you type in the master password to your password manager.
> So on the overall, if you used separate passwords then you would only risk the loss from that single website which is compromised. On the other hand, if you use a password manager, you now have the same risk of getting your password stolen, as getting it stolen is not in any way in the hands of the password manager but owes to external factors (Keylogging, social engineering or just peeping over the shoulder). So all in all, password managers are the most retarded inventions that have managed to stick around. What's more is that people keep using (And recommending) password managers without ever actually thinking of how secure they are. This gives them a false sense of security which might even make them more lenient in their safety, putting them at even more risk.
>
> Please stop recommending password managers. They are just a fancy excuse to have the same password for 30 different sites.

Use a YubiKey together with LastPass, and you'll be pretty darn safe. https://lastpass.com/yubico/




Exterminator
Reply #4 on: April 09, 2015, 12:19:51 pm
> Use a YubiKey together with LastPass, and you'll be pretty darn safe. https://lastpass.com/yubico/

Irl friend/thief steals yubikey > Now they can steal a lot more than just your speaker and your TV.

Break up with ex > She takes your clothes and your bank balance.

Also, plant a virus on the target's computer > The virus can then steal the yubikey signatures and emulate the key to login wherever the hacker wants. Not to mention the fact that even a kid can easily open an invisible browser and do any transactions from that computer.

No matter how safe you make password managers, they are still less safe than just using your head and using proper passwords on different sites. Not to mention you save 50$. If you know anything about risk economy you'd know that given the risk of your accounts being hacked are nearly zero (And are multiplied a lot by using a password manager) you still save quite a bit of money.


Philip_Ancelotti - Clans & Groups Moderator - Ancelotti Boss


Pandalink
Reply #5 on: April 09, 2015, 12:22:55 pm
Philip, how do you remember ~70 unique passwords?

Panda Araatus  -  Sovereign Overseer  -  The Araatus Yakuza


Marcel
Reply #6 on: April 09, 2015, 12:26:41 pm
> Irl friend/thief steals yubikey > Now they can steal a lot more than just your speaker and your TV.
>
> Break up with ex > She takes your clothes and your bank balance.
>
> Also, plant a virus on the target's computer > The virus can then steal the yubikey signatures and emulate the key to login wherever the hacker wants. Not to mention the fact that even a kid can easily open an invisible browser and do any transactions from that computer.
>
> No matter how safe you make password managers, they are still less safe than just using your head and using proper passwords on different sites. Not to mention you save 50$. If you know anything about risk economy you'd know that given the risk of your accounts being hacked are nearly zero (And are multiplied a lot by using a password manager) you still save quite a bit of money.

Thief steals YubiKey -> deauth YubiKey, passwords safe. Thief steals password -> still needs YubiKey.




Kaze
Reply #7 on: April 09, 2015, 12:47:11 pm
I find the process to use programs very long for stuff like this. I use passwords that are easy to remember that I see every day. An example might be I have a lamp next to me so my password would be something like 1amp1997



Exterminator
Reply #8 on: April 09, 2015, 03:05:55 pm
> Philip, how do you remember ~70 unique passwords?

Simple, keep the passwords in a manner that they can be kept safely.

I like to start with a phrase and just mutate it from there, so a password would become ILoveHorses.jump > IL0v3H0rs3s.pumj > 1L0v3H0r$3$>pUmJ. Now you only have to remember the phrase, which is much easier to remember. In general it's nice to have any two different phrases. Kaze and you both have already pointed towards the idea.

> Thief steals YubiKey -> deauth YubiKey, passwords safe. Thief steals password -> still needs YubiKey.

You're asleep/Went out/Whatever > Thief broke in, took the yubikey and already wiped your bank balance a long time before you even found out.


Philip_Ancelotti - Clans & Groups Moderator - Ancelotti Boss
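
Added example (not part of any post in this thread): a small Python password-policy check of the kind a site or an audit script can run on passwords built like the ones in replies #7 and #8, undoing common character substitutions and reporting how much of the password is dictionary words or a year. The word list, the substitution table and the function names are constructed for illustration; a real check would load a full dictionary.

```python
import itertools
import re

# Constructed mini word list; a real check would load a full dictionary.
WORDS = {"love", "horses", "jump", "lamp", "password", "cookies"}

# Assumed table of common look-alike substitutions, mapped back to letters.
# "1" is ambiguous (i or l), so an entry lists every candidate letter.
LEET = {"0": "o", "1": "il", "3": "e", "4": "a", "5": "s",
        "7": "t", "$": "s", "@": "a", "!": "i"}

YEAR = re.compile(r"(19|20)\d\d")
MIN_WORD, MAX_WORD = 3, 12


def plain_variants(chunk):
    """Yield every way of undoing the substitutions in chunk."""
    options = [LEET.get(ch, ch) for ch in chunk]
    for combo in itertools.product(*options):
        yield "".join(combo)


def audit(password):
    """Return (findings, coverage): the recognisable parts and the fraction
    of the password's characters they account for."""
    s = password.lower()
    findings, covered, i = [], 0, 0
    while i < len(s):
        hit = None
        # Longest dictionary word starting at i, after undoing substitutions.
        for j in range(min(len(s), i + MAX_WORD), i + MIN_WORD - 1, -1):
            word = next((v for v in plain_variants(s[i:j]) if v in WORDS), None)
            if word:
                hit = (word, j - i)
                break
        if hit is None:
            m = YEAR.match(s, i)  # a four-digit year is as guessable as a word
            if m:
                hit = ("year:" + m.group(), 4)
        if hit:
            findings.append(hit[0])
            covered += hit[1]
            i += hit[1]
        else:
            i += 1
    return findings, (covered / len(s) if s else 0.0)


if __name__ == "__main__":
    # The first two samples are quoted from the thread; the last is constructed.
    for sample in ("1amp1997", "1L0v3H0r$3$>pUmJ", "x7#Qm2!vRp9z"):
        print(sample, audit(sample))
```

A coverage close to 1.0 means almost nothing in the password is left once the substitutions are undone; the scrambled suffix `pUmJ` is the only part of the second sample this simple check does not recognise.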


Brian
Reply #9 on: April 09, 2015, 03:13:00 pm
> You're asleep/Went out/Whatever > Thief broke in, took the yubikey and already wiped your bank balance a long time before you even found out.

One will not simply break in to a house of an Argonath player, steal his yubikey, crack his master password and then clean his bank account.



Exterminator
Reply #10 on: April 09, 2015, 03:27:14 pm
> One will not simply break in to a house of an Argonath player, steal his yubikey, crack his master password and then clean his bank account.

What's so special about Argonath players?

Also stealing his yubikey is pretty straightforward. There is no reason whatsoever that a thief wouldn't try to take a giant pot of gold if he has the option to do it pretty safely. Except this time instead of a heavy pot of gold, it's a tiny pendrive/sd card.


Philip_Ancelotti - Clans & Groups Moderator - Ancelotti Boss


Brian
Reply #11 on: April 09, 2015, 03:29:32 pm
> What's so special about Argonath players?
>
> Also stealing his yubikey is pretty straightforward. There is no reason whatsoever that a thief wouldn't try to take a giant pot of gold if he has the option to do it pretty safely. Except this time instead of a heavy pot of gold, it's a tiny pendrive/sd card.

If someone would even know how this would work, I doubt he'll break in to someone's house to steal that, as he would also know he'd need his master key and needs to do this fast enough to not get caught. Most banks do not allow transactions over a certain amount, so you should be rather safe.
I am not saying that I find the lastpass stuff a smart idea, but I rather think that your ideology of 'stealing it' has a few flaws in it.



Exterminator
Reply #12 on: April 09, 2015, 03:40:34 pm
> If someone would even know how this would work, I doubt he'll break in to someone's house to steal that, as he would also know he'd need his master key and needs to do this fast enough to not get caught. Most banks do not allow transactions over a certain amount, so you should be rather safe.
> I am not saying that I find the lastpass stuff a smart idea, but I rather think that your ideology of 'stealing it' has a few flaws in it.

Stealing it was just an example. I was just gonna post the part about jacking the signature (Or if you fail to do that, you can just use the virus you already have on the victim's computer to fire up an invisible browser on it and do your transactions from the victim's computer itself) but I figured that I should give a few more examples. Either way though, a friend could easily peep over your shoulders as you enter your master password and then steal your key.

Similarly, your girlfriend could easily find out your master password and take the yubikey with her when she leaves you. You can call your bank and a few other sites to have your account blocked but I doubt that you can just call them and they'll block it within seconds. By the time that you're done getting even one of your accounts blocked she has had more than enough time to swipe your bank and cards for the maximum limit.

These are just a few examples. I can think of many more where it still wouldn't be safe. Not to mention the fact that no matter the software you're running, just being smart about your passwords still beats it.


Philip_Ancelotti - Clans & Groups Moderator - Ancelotti Boss


Nexxt
Reply #13 on: April 09, 2015, 03:49:51 pm
> I find the process to use programs very long for stuff like this. I use passwords that are easy to remember that I see every day. An example might be I have a lamp next to me so my password would be something like 1amp1997

b4rb13leg1995



NexxtThePenguin


Teddy (topic starter)
Reply #14 on: April 09, 2015, 10:03:31 pm
Password managers are actually fairly secure; mainly one like LastPass where the encryption key is never uploaded nor stored on the client. If you understand the fundamentals of public key cryptography then it'd make more sense. Breaking the encryptions, mainly with 10,000 password iterations would take at least a year of work for even the most advanced of mainframes. NSA broke the keyspace in partnership with a University as a demonstration; it took two datacenters along with a supercomputer 4 months to do it. So if you change the master password at least once a month; you're golden and change all other passwords at least every 30/90 days (1 month/ 3 months). Granted you follow all other precautions such as a two factor authentication, re-authentication strategy, etc. As with two factor authentication; even if the key is broken you'd still need another origin to break and since as I recommended Google Authenticator; it isn't subject-able to common attacks that could bypass the TFA method.

If you use the manager just as is; without additional security measures then sure it'll only protect against site-specific targeting of passwords but not really a broad scale. But if you use it logically and with the additional security measures in place then you have a fairly trustworthy system.



 

