Computer security and Malware

I'm asking here because uk.comp.misc seems pretty much moribund, and there are people here who will know.

Security of home computers seems to be much in the news lately, with hackers getting more adept at doing what they do. Two questions:

I have seen a reference to Microsoft's Enhanced Mitigation Experience Toolkit (EMET). Does anyone here have experience of it? Is it any better than MS's Security Essentials, which doesn't seem to rate very highly any more? Is EMET an anti-malware system in itself or just an adjunct to other anti-malware systems?

I have also seen reference to Password Safe, for storing and auto-filling user names and passwords securely. Is this any more secure than the system available with browsers such as Firefox etc, that store user names and passwords and require a master password for access?

Reply to
Chris Hogg

I have always considered anything that allows access to all your passwords with the knowledge of one a risk in itself, so I keep well away from them. But that's just me. The best way of staying clear of any Microsoft problem is to keep away from anything that uses Windows. I have one application that needs Windows to work, but my time there is minimal, and if possible, while disconnected from the Internet.

Reply to
Davey

Exactly

I have windows to run 2-3 apps only. And to test websites with. MY websites with.

It never goes near the Internet beyond that.

And I shut down the virtual machine as soon as I have finished with it.

With Mint 17 released, there is now no reason to use Windows for general purpose work at all.

And for security reasons, every reason not to.

Reply to
The Natural Philosopher

Chris Hogg put finger to keyboard:

uk.comp.homebuilt is an active group with helpful posters.

Reply to
Scion

I used to have that view too. But with the variable nature of other people's security being a key factor in driving unique high-security passwords, you need to weigh the relative risks up.

I use "Lastpass"[1] which seems as secure as you can get without getting stupid. It has some nice features to help you lock down as much/little as you wish. For myself I have configured my vault to only be accessible from the UK, and from my machines, with a requirement to re-enter the master password when any site which could spend money is accessed. It's also got a password generator which generates high security passwords.

My thinking is to make myself high-hanging fruit.

[1]Other password managers are available.
Reply to
Jethro_uk

EMET is not a replacement for AV solutions so much as a "hardening" tool that sets out to make life harder for malware that *does* get through the AV detection and is allowed to run. So it's a second line of defence.

From what I have seen it's not perfect (main problem being that it runs in user space rather than kernel space), but still worth having. It also backports some of the enhanced security technologies that are available in Win 7 and later to older OSs.

No idea...

Reply to
John Rumm

Would you please explain that, it means nothing to me.

Reply to
Davey

It means that as long as there is no enforceable ISO regulation on the nature and operation of web-based password authentication, then whenever you sign up for anything, you need to assume it's the worst code and security you have ever seen. Starting with plaintext passwords stored together with usernames (usually email addys) in a database open to all, and moving up from there.

Therefore, as a user, you need to (a) use as complex a password as the site will let you, [ideally a random collection of letters, cases, symbols and numbers] and (b) never use the same password twice.

If you want to be extra vigilant, you should also change them regularly.

Looking in my password vault, I have 124 username/password combinations. Writing them down would be the worst form of security.

By far and away the biggest risk when you hear of website hacks, is to people who use the same password for everything.

Reply to
Jethro_uk

Nonsense.

Reply to
Huge

On 06 Jun 2014, Chris Hogg grunted:

I use Keepass, which seems to be very well thought of, and is open-source. No idea how it stacks up against Password Safe.

Personally, I certainly feel more comfortable with a method of storing passwords that is independent of my web browser.

Reply to
Lobster

On 06 Jun 2014, Jethro_uk grunted:

Just checked mine - OMG I've got 450 in there! Though I'm afraid not all unique combos.

I agree with all you're saying. I must admit I still have a few with less than optimal password security; but those certainly don't include any linked to anything money/bank/credit card related. And to be honest, I do have one particular username/password combo which I use on a lot of websites, but only ever on stuff like web forums or other anonymous entities, where it really wouldn't serve anyone any purpose to hack into, and really wouldn't worry me particularly if they did. But it's convenient for me not having to do a lookup for every damned site I look at.

Reply to
Lobster
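An added example, my own code rather than anything posted by Jethro_uk or Lobster, that puts the two points above into running form: the "worst code you have ever seen" site that stores plaintext credentials beside a salted PBKDF2-HMAC-SHA256 version, a per-site random password generator of the kind a manager provides, and a credential-stuffing loop showing why a forum password shared across "anonymous" sites is the first thing tried against every other account once one forum table leaks. The usernames, passwords and the two in-memory "sites" are constructed sample data, not real accounts.

```python
import hashlib
import hmac
import secrets
import string

# --- 1. "Plaintext passwords stored together with usernames": the worst case ---
def register_plaintext(table, username, password):
    # Whoever can read this table (SQL injection, stolen backup, rogue admin)
    # walks away with every password, ready to try on every other site.
    table[username] = password

def login_plaintext(table, username, password):
    return table.get(username) == password

# --- 2. Hardened storage: per-user random salt + PBKDF2-HMAC-SHA256 ---
# A leaked table now yields only salts and slow-to-crack digests, and a strong,
# unique password (section 3) stays out of reach even then.
def register_hashed(table, username, password, iterations=200_000):
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    table[username] = (salt, iterations, digest)

def login_hashed(table, username, password):
    record = table.get(username)
    if record is None:
        # Burn the same work for an unknown user so response time does not
        # reveal which usernames exist.
        hashlib.pbkdf2_hmac("sha256", password.encode(), b"\0" * 16, 200_000)
        return False
    salt, iterations, digest = record
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)  # constant-time comparison

# --- 3. One random password per site (what a manager's generator does) ---
ALPHABET = string.ascii_letters + string.digits + string.punctuation

def generate_password(length=20, alphabet=ALPHABET):
    if length < 12:
        raise ValueError("too short to survive an offline crack of a leaked hash")
    # secrets, not random: the latter is predictable from its seed.
    return "".join(secrets.choice(alphabet) for _ in range(length))

# --- 4. Credential stuffing: replaying a leaked plaintext table elsewhere ---
def credential_stuffing(leaked_table, target_table, target_login):
    """Return the usernames whose leaked password also opens the target site."""
    return [user for user, pw in leaked_table.items()
            if target_login(target_table, user, pw)]

if __name__ == "__main__":
    forum, bank = {}, {}            # constructed sample "sites"
    # alice reuses one password everywhere; bob lets a manager generate them.
    bob_bank_pw = generate_password()
    register_plaintext(forum, "alice", "Summer2014!")
    register_plaintext(forum, "bob", generate_password())
    register_hashed(bank, "alice", "Summer2014!")
    register_hashed(bank, "bob", bob_bank_pw)
    # The forum is breached and its table leaks verbatim...
    print("bank accounts opened with the forum leak:",
          credential_stuffing(forum, bank, login_hashed))   # ['alice']
```

The bank here does everything right and still loses alice's account, because the weakness was the forum's storage plus her reuse, which is the point made above: unique passwords are the only defence the user controls against other people's code.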

This is oft quoted, but I feel misleading advice in the current age...

Making all the passwords the same, easy to guess dictionary words, and sticking them on the post-it note on the side of the screen would obviously not be good.

However, passwords of adequate security need to be recorded these days.

A written list has a number of security advantages over a machine accessible list (and some disadvantages!) - it severely curtails any remote access vulnerability for starters.

We have also learnt over the years that we are remarkably good at keeping track of bits of paper and storing them safely (in a wallet, a safe, secreted at home etc).

Yup.

Reply to
John Rumm

I don't do that, but it actually wouldn't matter much if I did for most of my accounts.

I recommend that people identify the handful of accounts that really matter, take great care over them, then do whatever's convenient for the rest. After all, who's going to bother hacking into my EasyJet account? My bank account is a different matter altogether.

Reply to
Mike Barnes

TBH, for a home user where nobody's likely to see the list, I can't get excited about it. Especially if _lightly_ disguised against any nosy visitors.

The threat isn't local, it's remote.

Reply to
Adrian

My bank issues a reader which generates a code off my debit card. Even if I pasted the password on Facebook, it's [theoretically] safe.

Of course this assumes/trusts that the coding behind it was done to the requisite standard. Which I don't.

Reply to
Jethro_uk

Generally this is a fair point, although it is worth keeping in mind that a compromised account can be used as a stepping stone to another in some cases.

It's also usually safe to assume that if an attacker gains physical access to your computer, then it's game over unless you are hyper careful and diligent with security.

Reply to
John Rumm

Surely you also take account of whether you *care* if someone guesses or works out your password.

I use a trivial algorithm to generate passwords for the dozens (hundreds?) of sites that ask me to create an 'account' so I can buy tuppence worth of something. I make sure that I *don't* store any credit card or similar details and don't worry about security. My E-Mail address is common knowledge anyway (there's a perfectly valid one to reply to here for that matter).

Reply to
cl

Not always a good plan alas:

formatting link

Reply to
John Rumm

Barclays uses that system too - a right PITA. But you can still log in using your old password. But can't pay a bill or transfer money to a new account but can to one you've used before.

Reply to
Dave Plowman (News)

Thanks for the replies, especially JR for his comment on EMET. I'll investigate further.

A question for those using Lastpass, Roboform, Keepass etc: do these programmes store your password information on your computer, or out in some 'cloud' somewhere? (I think I would be nervous if it were the latter). Is it possible to use any of these programmes with, say, a USB memory stick to store the password information, that you could plug in when necessary and unplug when not in use?

Reply to
Chris Hogg
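An added example, my own code and not KeePass's, Password Safe's or LastPass's, of what an offline manager's single vault file amounts to, so the local-versus-cloud question above can be reasoned about: wherever the file sits (hard disk, USB stick, someone's cloud), it is protected only by what can be derived from the master password. The master key comes from PBKDF2-HMAC-SHA256 with a random salt, the entries are encrypted with ChaCha20 (RFC 7539, written out in pure Python so nothing beyond the standard library is needed), and an HMAC-SHA256 tag over the whole file detects both tampering and a wrong password. The file layout (salt, iteration count, nonce, ciphertext, tag) and the function names are my own for illustration, not any real manager's format, and the entries are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets
import struct

_MASK = 0xFFFFFFFF
_HEADER_LEN = 16 + 4 + 12          # salt | iteration count | nonce
_TAG_LEN = 32                      # HMAC-SHA256

# --- ChaCha20 keystream (RFC 7539), pure Python: no third-party dependency ---
def _rotl(x, n):
    return ((x << n) | (x >> (32 - n))) & _MASK

def _quarter_round(s, a, b, c, d):
    s[a] = (s[a] + s[b]) & _MASK; s[d] = _rotl(s[d] ^ s[a], 16)
    s[c] = (s[c] + s[d]) & _MASK; s[b] = _rotl(s[b] ^ s[c], 12)
    s[a] = (s[a] + s[b]) & _MASK; s[d] = _rotl(s[d] ^ s[a], 8)
    s[c] = (s[c] + s[d]) & _MASK; s[b] = _rotl(s[b] ^ s[c], 7)

def _chacha20_block(key, counter, nonce):
    state = [0x61707865, 0x3320646E, 0x79622D32, 0x6B206574]   # "expand 32-byte k"
    state += list(struct.unpack("<8I", key)) + [counter] + list(struct.unpack("<3I", nonce))
    w = state[:]
    for _ in range(10):                       # 20 rounds = 10 double rounds
        _quarter_round(w, 0, 4, 8, 12); _quarter_round(w, 1, 5, 9, 13)
        _quarter_round(w, 2, 6, 10, 14); _quarter_round(w, 3, 7, 11, 15)
        _quarter_round(w, 0, 5, 10, 15); _quarter_round(w, 1, 6, 11, 12)
        _quarter_round(w, 2, 7, 8, 13); _quarter_round(w, 3, 4, 9, 14)
    return struct.pack("<16I", *((w[i] + state[i]) & _MASK for i in range(16)))

def _chacha20_xor(key, nonce, data):
    # Encryption and decryption are the same XOR; block counter starts at 1.
    out = bytearray()
    for i in range(0, len(data), 64):
        keystream = _chacha20_block(key, 1 + i // 64, nonce)
        out += bytes(x ^ k for x, k in zip(data[i:i + 64], keystream))
    return bytes(out)

# --- Master password -> two keys. Everything in the file hangs off this. ---
def _derive_keys(master_password, salt, iterations):
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=64)
    return km[:32], km[32:]        # encryption key, MAC key

def seal_vault(entries, master_password, iterations=200_000):
    """Serialise entries ({site: {"user": ..., "password": ...}}) to an encrypted, authenticated blob."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(12)
    enc_key, mac_key = _derive_keys(master_password, salt, iterations)
    body = salt + struct.pack("<I", iterations) + nonce
    body += _chacha20_xor(enc_key, nonce, json.dumps(entries).encode())
    tag = hmac.new(mac_key, body, hashlib.sha256).digest()   # encrypt-then-MAC
    return body + tag

def open_vault(blob, master_password):
    """Inverse of seal_vault; raises ValueError on a wrong password or any modification."""
    if len(blob) < _HEADER_LEN + _TAG_LEN:
        raise ValueError("truncated vault file")
    body, tag = blob[:-_TAG_LEN], blob[-_TAG_LEN:]
    salt, nonce = body[:16], body[20:_HEADER_LEN]
    iterations = struct.unpack("<I", body[16:20])[0]
    enc_key, mac_key = _derive_keys(master_password, salt, iterations)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):   # verify before touching the ciphertext
        raise ValueError("wrong master password, or the vault has been altered")
    return json.loads(_chacha20_xor(enc_key, nonce, body[_HEADER_LEN:]))

def save_vault(path, entries, master_password):
    with open(path, "wb") as f:
        f.write(seal_vault(entries, master_password))

def load_vault(path, master_password):
    with open(path, "rb") as f:
        return open_vault(f.read(), master_password)

if __name__ == "__main__":
    import os, tempfile
    entries = {"example.org": {"user": "chris", "password": "Yk7$pQ2!vL9#rT4w"}}  # constructed
    path = os.path.join(tempfile.mkdtemp(), "vault.bin")   # substitute a USB-stick path here
    save_vault(path, entries, "correct horse battery staple")
    assert load_vault(path, "correct horse battery staple") == entries
    try:
        load_vault(path, "wrong password")
    except ValueError as e:
        print("refused:", e)
```

Two things follow for the question asked. First, a copy of the file on a USB stick (or in a cloud sync folder) is exactly as safe as the master password and iteration count make it, no more, so the "one password unlocks everything" objection raised earlier in the thread is really an objection to a weak master password. Second, the tag is checked before any decryption, so a wrong password or a modified file is rejected outright rather than yielding garbage. The ChaCha20 core can be checked against the block test vector in RFC 7539 section 2.3.2 (key 00..1f, nonce 00:00:00:09:00:00:00:4a:00:00:00:00, counter 1).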
