Current Computer Security Ruminations

Current Computer Security Ruminations

Written: September 4th, 2023, last updated September 5th, 2023

My current musings on Computer Security….

Password Manager – I recommend bitwarden ( Bitwarden is an open source software that is really, really well supported.  At a basic level, you pick a passphrase, and bitwarden uses the passphrase as a key to encrypt all your data, passwords, websites, notes etc.  This decryption happens locally on the local device (computer, phone, etc).  If someone were to steal your vault from bitwarden it would simply be an encrypted mess of a file.

    1. Choosing a passphrase – a long string of words and/or numbers. It helps if you make it funny.  ‘MyDogatemysiddurin2bites’, ‘MandyLewistellsfunnystories’, ‘My2ndgradeteacherwaspoopy’. It should not contain anything biographical about your family, or house numbers, street names, old school names etc.
    2. Use the family plan. For $40/year you can use bitwarden for up to 6 people in a family plan.  You can create a family ‘organization’ and have separate sharing space for you and your spouse and you and your whole family.  So, I have my ‘private’ vault which are only visible to me, my wife and I have a shared vault which has all of the passwords we share, like Amazon or many of the bank and credit card passwords, we have a ‘shared’ family folder for subscriptions, Netflix etc.
    3. Install it everywhere – Download the mac or PC app to your computer – download the IOS or Android app – on your computer there are extensions for each browser that you can install, you can configure you iphone to use it for passwords by default. Also works for any ipads.
    4. To make like easier enable biometrics – on the iphone you can use either your thumb or your face, on a portable mac your thumb to verify that it’s actually you, using bitwarden. IF YOU DO THIS PUT YOUR PASSPHASE INTO BITWARDEN because you’ll forget it.
    5. There is a recovery option that you can explicitly grant someone access, you should configure this for each other and maybe a kid.

In a perfect world you wouldn’t need a password manager, but in my universe it’s better than any of the alternatives.  Other people disagree, but I can’t keep more than 5 or so passwords in my head and for me this is the best solution I’ve found.

Securing your password life – Now that you have a way to store passwords, the next step is making sure that all your passwords are unique and secure. Bitwarden has a generate function which will create passwords.  I have the default set to length of 24 characters and including special symbols.  Some sites don’t like special symbols, so I go into the generator and turn those off for a specific site.   Using the generator I create a password, copy it, change the password, make sure the password is correctly in bitwarden before I move to the next password.  Then I use bitwarden to login to the account to test it.  If I fail I reset the password and start over.

    1. NEVER reuse a password for any account you’d like to keep.
    2. Be cautious about how you share passwords.  SMS, iMessage, Whatsapp and Signal messages tend to stick around forever, so we like to avoid transmitting passwords in the clear.  You can ‘share’ a password on bitwarden, but someone would have to join.
    3. The number 1 password which should be secure is your email password. This is the key to someone hacking you.  It should be very strong, since it holds the key to resetting all your passwords.
    4. As a rule, my wife and I also put our recovery questions in to bitwarden for sites that ask for 3 questions. In general, it’s a good idea to not answer the question they are asking, ‘What town was your mother born in?’ this tends to be biographical which may be searchable.  We create nonsense answers and document it in the secure notes section of bitwarden.
    5. Next passwords to secure are bank passwords and credit card passwords.
    6. Secure your apple account if you use apple. Keep your icloud photos private.
    7. Last secure any social media – it’s a pain the the ass to have your friends get spammed because you used an insecure password.
    8. Beyond that we’ve just gotten into password habits of using a generator for everything and stuffing it into bitwarden.

You should assume that every institution you use will lose all your data once every few years.  We have such weak privacy laws that currently corporations are not required to tell you what they’ve lost.

Securing Financial institutions – If you have the option, you should always use 2 factor authentication if it’s available. For us it’s available for many of our brokerage accounts.  It’s best practices to use an app and not a text message for 2 factor authentication since hackers can call your cell phone company and impersonate you and get the company to issue a new sim card which has the effect of giving the hacker your phone without your knowledge.  If you use an app like google authenticator or the like the hacker would need your physical phone.  Even if they stole your sim and downloaded the app, the google authorization app would need to be reset to work, so you are protected.

Phishing and Pig Butchering – As you’ve noticed, we all get lots of spammy email, texts, social media spam, etc. You should assume everything is spam.  Phishing is where someone wants you to think they are someone they are not: “Your bank account has been compromised! Click here!”.  Pig butchering is new and it’s an innocent ‘hi’ text from a cute girl or guy which usually leads to someone pitching a ‘can’t lose’ investment which you are sure to lose.  As Articifial Intelligence gets better, these schemes will be better.  They rely primarily on fear and urgency: So, if you get an email from your kid saying they are in desperate trouble click here, find another method, pick up the phone and call them, etc.  I have fallen for phishing in the past, bought something fake then had to go through my credit card to cancel; I received email threats after cancelling.  We use gmail primarily because it’s good at sorting out spam and phishing and putting it in the trash before you see it.  In 2005, we used a password like ‘XYZ3467’ everywhere.  This was the year that yahoo was hacked and it stored all it’s passwords in the clear.  I currently get spam emails with the subject ‘XYZ3467′ which tell me that the spammers have connected to my camera and recorded me doing nasty things, please send bitcoin to this address’. LOL.

Securing Credit Agencies – these agencies offer free credit freezes because the government force them to. TRW, Equifax, and Experian allow you to create a free account which EACH of you should do.  One for each person.  You can then put a freeze on your credit account.  When you go to apply for a new credit card, open a bank account, need to get new phone service, or move and need new utilities, you can unfreeze your account.  If I’m lazy I unfreeze all of them for 3 days, then apply. If you forget your application will be rejected and you can usually call and customer service for the credit card will answer what agency they used, and while on the phone I have been able to unlock my credit and have the credit card company process it, right then.  The reason to do this is people who have your social security number, and some biographical info can open a credit card in your name which they control.  If you credit is frozen, they cannot do this.

Securing your SSN online. If you haven’t yet each of you should take control of your online social security account.

Use antivirus software – We’ve used free antivirus software in the past, but it’s too damned annoying with free ads. On our Mac we currently use bitdefender which we pay $120 a year for the equivalent of a family plan which allow us to secure 15 devices.  We send invitations for our kid’s computers.  Unless you travel internationally a lot you don’t also need to spend extra money on Virtual Private Networks (VPNS).

Have a backup strategy: One looming risk is downloading a nasty application, which hopefully your antivirus software will catch. This is how people get their data encrypted and forced to pay ransom.  We have a 2-pronged approach to this: first we each pay dropbox for 2TB of dropbox and put our whole computer on the cloud it’s $120 a year each.  Our second strategy is we backup at home every day to a network connected device.  This is too nerdy for most.  What I’ve encouraged my kids to do is use a 2TB disk drive which they plug in when they remember.  (LOL).

Use Airtags or equivalent: If you’re an Apple person or even just a iphone person, we have found airtags to be interesting peace of mind. We purchased enough air tags to put one in each of our checked and carryon suitcases.  So, when we are on the plane, we can visually see that our checked bags are onboard.  We have had lost luggage on an Israel trip that took the airline several weeks to find; airtags would have been very helpful in recovering those.  The latest trend is to bury an airtag in your car, so if it’s stolen you can tell the police where the stolen car is.

Risks:  I’ve feel like my risk of compromise is not only for me and my wife, but extends to my children.  So helping my kids secure their universe as much as I can is as important as securing our risk.

Summary: You can’t stop a hacker who has enough money/ time to hack you.  You can however make it not worth their time.  Which if you do everything above, make it less likely you’ll get hacked.

Access to all the blog