Because I think this one is undershared.
@jfml unique = a different password for each service
strong = a totally complex password, but the same one everywhere...
[Image: "Online safety practices" chart comparing the top five practices named by security non-experts and by security experts]
Security non-experts' top online safety practices: 1. Use antivirus software; 2. Use strong passwords; 3. Change passwords frequently; 4. Only visit websites they know; 5. Don't share personal information
Security experts' top online safety practices: 1. Install software updates; 2. Use unique passwords; 3. Use two-factor authentication; 4. Use strong passwords; 5. Use a password manager
That's also why the ANSSI (French gov security experts) recommends:
- using unique passwords
- making them hard to remember, by using lower case, upper case, numbers, and special characters
- making them even harder to remember, with frequent rotation
Of course usage of any kind of software to store your passwords (web browser or password manager) is forbidden: otherwise it would be no fun.
> Configure your software, including your web browser, so that it does not "remember" the passwords you have chosen.
Well, I don't know… The link I gave recommends *choosing* passwords that follow mnemonic techniques. Basically, generated by a human.
Password managers, whether integrated into the web browser or dedicated (like Keepass), will be of limited use to you if you don't use them to remember the password in question…
1. Yes they do, in the pdf given before (direct link here), they suggest a password above 12 chars matching this rule will be strong. Page 7 of 10, "comment créer un bon mot de passe ?" ("how to create a good password?"). Also, this is their first recommendation towards small businesses.
And this is the kind of shit chief security officers enforce in French administrations. Just because they believe ANSSI says so.
@xpac Most non-experts use weak passwords… And change them only if forced to. Even though it is not a good idea to change them regularly as it leads to bad habits (choosing easy to remember/predictable passwords, written and kept on the screen/under the keyboard…), they should at least be changed when a compromise is either suspected or confirmed. But most people don't want to change them even when they are compromised…
@xpac "change passwords frequently" is pretty terrible advice unless you're constantly publishing your passwords in some kind of newsletter
@xpac "Use strong passwords" is the only one to make both lists, I noticed. Does running an OS incompatible with most viruses count as antivirus software? I would hope it does.
@xpac security ultra-experts' top online safety practices:
use public key authentication
you're now more protected than anyone using 2-factor authentication, without the spying that comes with 2-factor auth.
check for known exploits before compiling software updates
@karmanyaahm @xpac Because you can’t set it up without giving the authority your phone number. Or your email address. Or your gene sequence. Or whatever they call the second “factor.” It lets them profile you more easily, which helps them with behavioral analysis, which they can use to throw elections or suppress protest.
Technically public key authentication is 2fa without any surveillance. The first factor is the private key, which you have. The second factor is your private password encrypting your private key, which you know. But otherwise, 2fa is just an excuse to exploit people, far as I can tell.
@karmanyaahm @xpac Far as I know, TOTP (“Time based One Time Password”) is just the method that your authority uses to generate a verification code. They’ll want it to expire right away, so that they can prove you’re currently carrying your cell phone, or whatever telemetry they’re after. Thus, TOTP.
Perhaps I'm no "security expert" but I value "don't share personal information", possibly over MFA.
We can mock the "nonexperts" list, but those practices are what "security experts" used to preach, roughly in that order; it's not something "nonexperts" came up with themselves.
chaos.social – a Fediverse instance for & by the Chaos community