Security

Scammers are taking advantage of people downloading authentication apps after #ElonMusk made SMS two-factor identification a #Twitter blue premium feature.

I suggest using #Authy or the #Google Authenticator app. - [email protected]

So one could have replace a JS file with one fetched from attacker controlled server for any site behind Akamai like LastPass or PayPal. That JS could have exfiltrated all the secrets from these sites on the client side (post decryption) or replace account numbers with their own on behalf of the user.

Users of the Signal messaging app got hit by a hacker attack. We analyze what happened and why the attack demonstrates that Signal is reliable.

First question right off the bat for anyone concerned: Lastpass claims that master passwords and encrypted user data was never compromised. See: https://blog.lastpass.com/2022/08/notice-of-recent-security-incident/

I find people who agree with me for the wrong reasons to be more problematic than people who simply disagree with me. After writing a lot about why free software is important, I needed to clarify that there are good and bad reasons for supporting it.

You can audit the security of proprietary software quite thoroughly; source code isn't a necessary or sufficient precondition for a particular software implementation to be considered secure.

“Norton is pretty much amplifying energy consumption worldwide, costing their customers more in electricity use than the customer makes on the mining, yet allowing Norton to make a ton of profit,” tweeted security researcher Chris Vickery. “It’s disgusting, gross, and brand-suicide.”

Ok, so, I'm no expert, but there's a real lack of pragmatic guidance regarding password managers and their use. Over time I realized that some of what I was doing was essentially a self-imposed version of security theater, and I think I found a good balance on usability and security. Here's my advice:

1. Randomly generated strings are better than passphrases for your master password.

This might seem counterintuitive, since passphrases can get a similar amount of entropy, while being more memorable. Here's the thing though: they are much, MUCH, longer to type. Your master password is (ideally) the only password you'll be typing, so optimizing for typeability is best. And regarding ease of memorization? It doesn't really matter, you'll only need to memorize the password once, while you'll type it many, many times.

2. 60 bits of entropy is all you need, realistically.

AFAIK, there's never been a demonstration of a 60 bit password being cracked by brute force. It's just not financially smart. If you have that much hashing power, you'll probably be better off mining Bitcoin or something. There's a reason why criminals get most of their passwords through phishing: it's cost effective.

3. Longer > Complex

This comes back to typeability, adding one or 2 characters often results in higher entropy than adding an entire character class, and the result is much, MUCH more typeable. Uppercase letters, in particular, take 2 taps to write in a mobile phone. A 14 character lowercase + digits password has a little bit more entropy than a 12 character uppercase + lowercase + digits password, at the same time, the 14 character password will likely need less taps in a smartphone, be easier to type with one hand, and be easier to copy.

4. Don't go overboard with your key derivation function.

If your smartphone password manage takes forever to unlock your database, it's likely that your password manager is setup to do way too many iterations. Remember than a doubling in the number of iterations is equivalent to a bit of entropy in your password. Going from 0.1 to unlock your database to about a second gains you 3ish bits of entropy: it's just not worth it

5. The passwords in the database should be typeable too

It's tempting to assume that, since you're no longer typing these passwords regularly, having infinite passwords with large character sets is the way to go, but it's not. The safest way to log into an account in a non-trusted device is to just look up the password in your phone and type it up. Those situations will come up, I promise.

On the other hand, having 70 bits and 120 bits of entropy in your passwords is functionally equivalent, since no-one's cracking them anyway

Alright, so that's all. What do you think? I'm no infosec expert, but I like to think that I do my research. Pretty much all the advice regarding password managers I've read emphasizes security above all else, sometimes to the point of irrationality, and I felt like a guide like this was needed.

Court documents obtained by Forbes indicate the FBI has a way of accessing Signal texts even if they’re behind the lock screen of an iPhone…