
by Rafe
Mon Dec 13, 2021 7:13 pm
Forum: Off-Topic
Topic: How Safe Is Your Password?
Replies: 23
Views: 6364

Re: How Safe Is Your Password?

The Annoyed Man wrote: Mon Dec 13, 2021 11:15 am Mine is so secure, I don’t mind sharing it publicly. It is: ************

:mrgreen:
Hey! Wait a minute! That... That looks just like mine!!

Whenever feasible, for sensitive accounts I always opt to use two-factor authentication. Bit of a pain, but worth it. We even used it as a product from RSA over 15 years ago at a company I worked for. That particular method never caught on widely, though. We were issued a little key fob manufactured by RSA (in case Andy is reading, not that RSA; RSA Security LLC, now owned by Dell). Each key fob was unique, and every three minutes (I think that was the duration) the fob would display a new numeric code. The code was synched with the RSA servers, so we had to enter our password plus the code to log in; impossible to log in without the key fob.

Today the most common two-factor auth method is to send you a numeric code via an SMS text message to your cell number on file and have that code expire in a few minutes. You're still hosed if you need to log on but have lost your phone...or dropped it in the bay that time you lost all your firearms while boating off Galveston.

I had one two-factor account that drove me crazy because they used email to send you the code. And the code expired similarly in just a couple of minutes. But my email of record was a Gmail account that I had set to forward to an email server that I managed, and then I handled the emails from that account in Outlook. So the email had to chain through a series of forwarders. By the time I got the code in Outlook, most of the time it was already expired. They eventually enabled SMS messaging for the code, finally.
by Rafe
Mon Dec 06, 2021 12:14 pm

Re: How Safe Is Your Password?

RoyGBiv wrote: Mon Dec 06, 2021 11:56 am
Lots and lots of creative criminals on the internet.
Yep; and we didn't mention another local-computer favorite: Trojan key-loggers. The popular anti-virus/anti-malware programs do a good job of catching these, but load-in-RAM Trojan apps exist that will record your every keystroke and then send the data over the internet to the hacker's repository. There are even ways, if your WiFi network isn't secured, for hackers to be able to mirror your screen to a device not too far away...say a nondescript white van parked near your house. They can watch what you do and simultaneously capture the data being sent, including usernames and passwords. Always use strong encryption on your WiFi router. For example, WEP 64 and WEP 128 are deprecated and really shouldn't be used any longer. WPA and WPA1 are also outdated and shouldn't be used if you can avoid it. WPA2 is the way to go right now, but there are two flavors: TKIP and AES. TKIP is an older encryption carryover and really should only be used if you have older devices that can't use AES. On newer routers, you'll often just see "WPA2" or "WPA2-PSK."
by Rafe
Mon Dec 06, 2021 11:50 am

Re: How Safe Is Your Password?

03Lightningrocks wrote: Mon Dec 06, 2021 11:29 am Time for amateur hour folks. How does someone go about "hacking" a password? Is this something they do by using your user name or do they have to get access to your computer?
Here's one of the better explanations I've seen. It's a couple of years old, though, and I'm sure there are more sophisticated options today.
by Rafe
Mon Dec 06, 2021 11:43 am

Re: How Safe Is Your Password?

:thumbs2: I use a unique password for every website and registration and email account I have...that's like a lot of passwords. I use the free Dashlane password generator (it's recently been tweaked with some improvements, BTW). The only passwords I set that are fewer than 30 characters are ones I know I'll have to type in on my cell phone for app access; those are still at least 15 mixed characters, and it takes me forever to get some of them typed correctly...I'm not good at tiny touch screens; they're made for people with pianist fingers.

I'm old-school and get the jeebies at the notion of a password management application taking care of that for me. If the application fails or the data gets corrupted, I'm in a world of hurt. I keep all my account information in MS Word documents that are 256-bit AES encrypted; separate documents for clients' websites I manage. On the first of each month I copy the previous month's document and rename it to indicate the current month and year. Then I use an app called AxCrypt to encrypt the already encrypted prior month's document. Then I archive the double-encrypted file to local storage as well as the cloud: one year of files locally, 24 months in the cloud. Stupidly complex, I know. But the whole two is one, one is none thing. Several times I've needed to go back and see the state of things for a client in previous months and those encrypted archives are lifesavers.

For the majority of website registrations I also use unique email addresses. I really don't want a password compromised, but I also don't want an email address siphoned off. For that purpose I use 33mail.com. It isn't a disposable email service (technically I guess it's an email masking service), and to use it effectively you really need one of the tiers of paid accounts. You get an unlimited number of email addresses (at last count I was using over 140), and inbound email will forward to a single account that you specify. You choose a subdomain name that isn't in use--say, "acme" as a Wile E. Coyote example--and then on the fly you just use any name in front of "@acme.33mail.com"; don't have to create the alias, just use it and it creates automatically. Works like a charm. Then if spammers get hold of that email from a website whose security is too lax, you can just turn off that particular alias name. Easy and painless. To stay anonymous, you can even reply to an email and it will be sent as if under whatever 33mail alias was used for the inbound message. I seldom use that, but it's a handy feature.

Yeah, the internet has become a more treacherous place over the last couple of decades. Be careful out there. ;-)
