
Best Practices for Online Security

colonel_mortis

When a website has a security breach, the effects of the password leak can affect not only your account on that site, but also your account on other sites. While it's not possible to guarantee perfect security, by following these best practices you can dramatically reduce the risk of losing multiple accounts as a result of a breach, whether that is due to a site that has been hacked or malware on your computer.
 
Key Points

  • Use a password manager. I personally use LastPass to manage my passwords, which means that my passwords are stored securely, but also accessible from all my devices (though LastPass premium is required to be able to do that). There are lots of other great password managers out there with different strengths, so pick one that has the features that you need.
    The main argument that I have seen against password managers is that they become a large target, and if they are hacked then you are completely screwed. However, without a password manager, most people will use the same password or collection of passwords across all their accounts. This means that if one of those sites (which are unlikely to put as much effort into security as a dedicated password storage site) is compromised, your password for several/every site has now been leaked. By using a password manager, you reduce the number of weak points from every site that you have an account on to just a single potential weakness. It's not perfect, but it's a massive improvement.
  • Use a unique password for every site that you visit. I cannot emphasise how important this is. This is why password managers are so important - it's impractical to remember loads of passwords, and if you're able to do so then your passwords probably aren't secure enough. A unique password means that if one site gets compromised, you don't need to change your passwords on the other sites, and they will still be secure.
  • Make your passwords long and random, with a combination of letters, numbers and special characters. That way, assuming that the site stores your passwords correctly, even if a database breach does occur, your password is unlikely to be converted back into plain text (because when passwords are stored correctly, the only way to access the plain text is to brute force it, and most people don't have time to leave each password for days when they can just crack the easy ones in minutes). That doesn't mean that you should assume that the password is safe, but it means that you don't have to panic and change the password immediately.
  • Enable two-factor authentication where possible to ensure that even if an attacker does get access to your password, for example via a keylogger, they still can't access your account because they don't have access to your phone or hardware authentication device. 2FA is a really important tool for protecting your account.

Additional Points

  • Change your password regularly. That way, if an attacker does manage to obtain it, they will only be able to use it for a limited time.
  • Regularly audit the security of your account where supported by the site. For example, Google's Security Checkup lets you check all recent logins, all your connected apps, and lets you review your security options. You can also review your security and recent logins on Facebook and Twitter, among other sites.

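The OP's points about long random passwords, unique per-site passwords, and sites storing passwords "correctly" can be made concrete in code. The following Python is an added example, not part of the original thread or of any product mentioned in it: it generates a password with a CSPRNG the way a password manager does, estimates its entropy and expected brute-force time at an assumed guess rate, and shows the salted, deliberately slow hashing a site should use so that a leaked database yields hashes rather than plaintext. The function names, the 1e10 guesses/second figure and the PBKDF2 iteration count are the example's own constructed, illustrative choices.

```python
import hashlib
import hmac
import math
import os
import secrets
import string
from typing import Optional

# Character set for generated passwords (letters, digits, punctuation),
# matching the OP's "letters, numbers and special characters" advice.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Generate a password with a CSPRNG, the way a password manager does."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy for a uniformly random password of this length and alphabet.
    A human-chosen password of the same length has far less."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to guess a password with `bits` of entropy at a given guess rate.
    On average an attacker tries half the space before hitting the right one."""
    return (2 ** bits) / 2 / guesses_per_second


# Server side: what "storing passwords correctly" means here, namely a random
# per-user salt and a deliberately slow hash (PBKDF2-HMAC-SHA256 from the
# standard library). The iteration count is a constructed sample value.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return 'pbkdf2_sha256$iterations$salt_hex$hash_hex' for storage in the database."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False  # malformed record: never accept it
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), hash_hex)


if __name__ == "__main__":
    pw = generate_password(20)
    bits = entropy_bits(len(pw), len(ALPHABET))
    # Constructed guess rate for one fast-hash cracking rig, purely illustrative.
    years = expected_crack_seconds(bits, 1e10) / (365 * 24 * 3600)
    print(f"generated: {pw!r} ({bits:.1f} bits, ~{years:.3g} years at 1e10 guesses/s)")
    stored = hash_password(pw)
    print("stored:", stored)
    print("verify correct:", verify_password(pw, stored))
    print("verify wrong:  ", verify_password(pw + "x", stored))
```

Run it with `python3`. The crack-time estimate only holds for a uniformly random password at the assumed guess rate; that is why the OP's advice says "random" and not just "long". Note also that a slow hash raises the per-guess cost for everyone, attacker included, which is what buys the time to change a password after a breach rather than having to panic.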

I have way too many accounts and passwords to go to all of them and change; it would take hours xD. Maybe when I have a day with nothing to do I'll change all my passwords.


The Ninja (current gaming pc)  Case- h440 red/black cpu- i5-4690k@ 4.3ghz cooler- coolermaster hyper 212 evo moboGigabyte z97x-sli ram- adata xpg v.1 2x4gb 1600mhz gpu- asus strix gtx 970 hdd- wd blue 1tb ssd- kingston hyperx savage 240gb psu- evga 600b peripherals: mouse- razer death adder 2013 keyboard- corsair k70 with chery mx-reds headset- HyperX Cloud 2

my laptop- toshiba satelite p850, cpu- i7-3630qm ram- 8gb 1600mhz hdd- 1tb 5400rpm gpu- Nvidia gt630m 2gb

did you know we have a gun thread ? well we do 

 

and a car thread ! 

 


125ho1i2h5o1i2j4oi1j4oih12oihfowiajfoiwafoiawnofa is my password

 

don't hack me pls

 

(I can't use different passwords, I'll either lose the list or forget them all :()

lol I have like 8 different passwords, so I look like an idiot when I forget which one I used and I'm sitting there trying them all xD


125ho1i2h5o1i2j4oi1j4oih12oihfowiajfoiwafoiawnofa is my password

 

don't hack me pls

 

(I can't use different passwords, I'll either lose the list or forget them all :()

That's why you should use a password manager - you use the one massive password that you can remember, then it generates and stores unique passwords for each site.


That's why you should use a password manager - you use the one massive password that you can remember, then it generates and stores unique passwords for each site.

Huh... I'll take it into consideration, but even if I do get hacked I don't really have anything valuable lol


Eh, I don't use a password manager. I have a more secure method of writing them down and putting them in a safe and generally memorizing them, though a manager is more convenient. As for changing passwords, I don't bother (unless a breach happens, like LTT), as I have no credit card info connected to any site via an account. I do the other things though.

https://linustechtips.com/main/topic/631048-psu-tier-list-updated/ Tier Breakdown (My understanding)--1 Godly, 2 Great, 3 Good, 4 Average, 5 Meh, 6 Bad, 7 Awful

 


Best is to unplug your device, build yourself a faraday cage and lie in the corner.

But then you can't watch kitten videos :'(


Make your passwords long and random

 

Most services I use don't even allow me to add special characters to my passwords... not even talking about the 16 character limit on passwords...

 

Change your password regularly

 

That is not such a good idea actually. Changing passwords frequently (especially difficult ones) makes you start writing them down, which increases the risk of someone getting to them.

I don't trust password managers either... everything is in my head.


I've used the same 6 letter, 2 number password for 15 years and never had an issue.

Some game accounts have a 5 letter password, never an issue either.

 

It falls down to don't put your info everywhere.

X-10 - 7980XE - Gigabyte Aorous Gaming 9 - 128GB GSkill TridentZ RGB - SLI Asus GTX 1080 TI Strix
Easy Desk Guide - Malware Removal Guide - New mobo, Same OS Guide

 

 


Best is to unplug your device, build yourself a faraday cage and lie in the corner.

Or you could be like my granny - she doesn't own a PC, iPad etc, just a 1990s brick Nokia with a green screen

 

Or my great aunt, who didn't even have a landline. No chance of anyone stealing your passwords then.

How to create a strong password

Size does not matter; it's how you use it


Yeah.. Bad habit of making similar passwords. They aren't exactly the same but pretty close.

 

 

i7-6700k  Cooling: Deepcool Captain 240EX White GPU: GTX 1080Ti EVGA FTW3 Mobo: AsRock Z170 Extreme4 Case: Phanteks P400s TG Special Black/White PSU: EVGA 850w GQ Ram: 64GB (3200Mhz 16x4 Corsair Vengeance RGB) Storage 1x 1TB Seagate Barracuda 240GBSandisk SSDPlus, 480GB OCZ Trion 150, 1TB Crucial NVMe
(Rest of Specs on Profile)


But then you can't watch kitten videos :'(

And funny car crashes, featuring a Russian.

 

 


I've used the same 6 letter, 2 number password for 15 years and never had an issue.

Some game accounts have a 5 letter password, never an issue either.

 

It falls down to don't put your info everywhere.

But then when a site is compromised (just as this site was last week), an attacker now has access to your password for all sites, and that is really not what you want to happen.

I strongly advise that you change your passwords because it is quite possible that your credentials were included in the recent breach, and if they were, your password is now known to the attacker.


I just use unique passwords for the sites I care about, like my gmail or youtube accounts

pretty much everything else wouldn't make much of a difference to me if it got hacked

NEW PC build: Blank Heaven   minimalist white and black PC     Old S340 build log "White Heaven"        The "LIGHTCANON" flashlight build log        Project AntiRoll (prototype)        Custom speaker project


Ryzen 3950X | AMD Vega Frontier Edition | ASUS X570 Pro WS | Corsair Vengeance LPX 64GB | NZXT H500 | Seasonic Prime Fanless TX-700 | Custom loop | Coolermaster SK630 White | Logitech MX Master 2S | Samsung 980 Pro 1TB + 970 Pro 512GB | Samsung 58" 4k TV | Scarlett 2i4 | 2x AT2020

 


I still don't trust my passwords to be saved online; I'd rather have them in plain text and manage them locally. Yes, I spent a whole day changing them to all different passwords, but I'd rather save them locally in a notepad than manage them online. That's just me.

 


AMD 5000 Series Ryzen 7 5800X| MSI MAG X570 Tomahawk WiFi | G.SKILL Trident Z RGB 32GB (2 * 16GB) DDR4 3200MHz CL16-18-18-38 | Asus GeForce GTX 3080Ti STRIX | SAMSUNG 980 PRO 500GB PCIe NVMe Gen4 SSD M.2 + Samsung 970 EVO Plus 1TB PCIe NVMe M.2 (2280) Gen3 | Cooler Master V850 Gold V2 Modular | Corsair iCUE H115i RGB Pro XT | Cooler Master Box MB511 | ASUS TUF Gaming VG259Q Gaming Monitor 144Hz, 1ms, IPS, G-Sync | Logitech G 304 Lightspeed | Logitech G213 Gaming Keyboard |

PCPartPicker 


I've been using LastPass chrome extension. It's working real great.

Intel Core i3 2100 @ 3.10GHz - Intel Stock Cooler - Zotac Geforce GT 610 2GB Synergy Edition

Intel DH61WW - Corsair® Value Select 4GBx1 DDR3 1600 MHz - Antec BP-300P PSU

WD Green 1TB - Seagate 2.5" HDD 1TB - Seagate Barracuda 500GB - Antec X1 E.


I still don't trust my passwords to be saved online; I'd rather have them in plain text and manage them locally. Yes, I spent a whole day changing them to all different passwords, but I'd rather save them locally in a notepad than manage them online. That's just me.

 

I understand that. (I trust LastPass and its encryption/multi factor auth, but, I do understand where you come from)

 

But for you and anyone else who doesn't trust online... at the very least, use a program like KeePass, which is 100% offline, but will also add some needed functionality (generating passwords, encrypted password list, etc.). http://keepass.info/features.html

 

All it would take is a malicious virus, leaving your PC unlocked, PC stolen, keylogger, and there you go. 

D3SL91 | Ethan | Gaming+Work System | NAS System | Photo: Nikon D750 + D5200


This is an interesting site too: https://howsecureismypassword.net/

 

Turns out it would take a desktop a number I didn't even know existed to brute force my passwords.... 

 

On a serious note, my way is KeePass and KeePass portable on my USB (only ever need to access my accounts from my PC and at college). 

 

As someone that had about two passwords used on god knows how many accounts, I thank the lord I adopted the above approach a month before the breach (was always hesitant due to the practicality of it); otherwise pretty much everything, including my PayPal, would be deaded. 


I still don't trust my passwords to be saved online; I'd rather have them in plain text and manage them locally. Yes, I spent a whole day changing them to all different passwords, but I'd rather save them locally in a notepad than manage them online. That's just me.

Then use KeePass. It stores your crypt locally, and you can even produce a key file to authenticate with alongside your password.


I personally use KeePass. I'd rather have some inconvenience than have another part that could go wrong (browser support of LastPass). See article here.

ROG X570-F Strix AMD R9 5900X | EK Elite 360 | EVGA 3080 FTW3 Ultra | G.Skill Trident Z Neo 64gb | Samsung 980 PRO 
ROG Strix XG349C Corsair 4000 | Bose C5 | ROG Swift PG279Q

Logitech G810 Orion Sennheiser HD 518 |  Logitech 502 Hero

 


As a student in an InfoSec program, I initially used KeePass 2.0 to handle my passwords, but soon I realized KeePass became unreliable as its password database would always corrupt. Twice that happened, and my peer-to-peer sync program kept an archive version in case something went wrong. Many of the InfoSec seniors and graduates made the move to LastPass even after the breach because it was still more secure than any other option and guaranteed that your data's integrity is safe. LastPass might have faced a breach, but it was more up to date in security procedures than you think a newer ("We haven't been hacked so we are secure") competitor might have been. The hackers were able to get away with hashed passwords and encrypted password vaults, where the hash or vault alone will take hundreds of billions of years to crack per person.

These companies never see your data, just that you handed them a garbled mess of data that is your passwords.

And if you think it's not enough, then use two-factor authentication, as then the hackers would have to kidnap you for whatever you used to verify those.

Information Security is my thing.

Running a entry/mid-range pc, upgrading it slowly.
