@xpac
This has been taped to the outside of my office door for some years now.

@xpac ‘6. Include a word none of your friends would expect you to use in a password.’

@xpac What's the difference between "unique" and "strong" passwords?

@jfml @xpac if you use the same strong password everywhere, a data breach on one service might make the same password weak on other services

@jfml unique = a different password for every service
strong = a totally complex password, but the same one everywhere...

@xpac

Number 6:

Don’t use the same nickname for everything.

@zigg

Text of the image (OCR):

SECURITY NONEXPERTS' TOP ONLINE SAFETY PRACTICES
1. USE ANTIVIRUS SOFTWARE
2. USE STRONG PASSWORDS
3. CHANGE PASSWORDS FREQUENTLY
4. ONLY VISIT WEBSITES THEY KNOW
5. DON'T SHARE PERSONAL INFORMATION

SECURITY EXPERTS' TOP ONLINE SAFETY PRACTICES
1. INSTALL SOFTWARE UPDATES
2. USE UNIQUE PASSWORDS
3. USE TWO-FACTOR AUTHENTICATION
4. USE STRONG PASSWORDS
5. USE A PASSWORD MANAGER

@xpac @bortzmeyer changing password regularly is often considered as a bad practice because it tends to make passwords predictable

@bortzmeyer @Matlink exactly. That's also why all IT departments still do it 😑

@bortzmeyer

That's also why the ANSSI (French government security experts) recommends:
- using unique passwords
- making them hard to remember, by using lower case, upper case, numbers, and special characters
- making them even harder to remember, with frequent rotation

Of course, using any kind of software to store your passwords (web browser or password manager) is forbidden: otherwise it would be no fun.

ssi.gouv.fr/guide/mot-de-passe

@Matlink @xpac

@tham @bortzmeyer @Matlink @xpac they don't say not to use software to store your passwords... just not to store them in a plain file on an exposed machine. They also certified a version of KeePass, if I remember correctly.

@Freeben

> Configure your software, including your web browser, so that it does not "remember" the passwords you chose.

Well, I don't know… The link I gave recommends *choosing* passwords that follow mnemonic techniques. Basically, generated by a human.

Password managers, whether built into the web browser or dedicated (like KeePass): if you don't use them to remember the password in question, you'll get limited use out of them…

@bortzmeyer @Matlink @xpac

@tham @Matlink @xpac Bullshit. There are no such recommendations ssi.gouv.fr/guide/mot-de-passe

1) They don't mention the stupid rule "lowercase, uppercase, digits, special[sic]" and for good reasons
2) They don't forbid password managers.

@bortzmeyer

1. Yes they do, in the pdf given before (direct link here[1]), they suggest a password above 12 chars matching this rule will be strong. Page 7 of 10, "comment créer un bon mot de passe ?" ("how to create a good password?"). Also, this is their first recommendation towards small businesses [2].
And this is the kind of shit chief security officers enforce in French administrations. Just because they believe ANSSI says so.

[1]: ssi.gouv.fr/uploads/IMG/pdf/NP
[2]: ssi.gouv.fr/uploads/2017/01/gu

@Matlink @xpac

@bortzmeyer

2. Yes they do. To be accurate, they do not forbid password managers, they forbid using any kind of software to store user-defined passwords. This is the 8th of their "minimal recommendations that must be applied in any context". Again, first link.

@Matlink @xpac

@bortzmeyer @xpac then I don't really understand what the header means.

@xpac Most non-experts use weak passwords… And change them only if forced to. Even though it's not a good idea to change them regularly, as it leads to bad habits (choosing easy-to-remember/predictable passwords, written down and kept on the screen/under the keyboard…), they should at least be changed when compromise is either suspected or confirmed. But most people don't want to change them even when they are compromised…

@xpac Don't agree with the ordering of the second column. Without a password manager you can't really have unique and strong passwords, so it's gotta be #2.
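The "unique" versus "strong" distinction drawn earlier in the thread, and the point that a breach of one reused password exposes every service sharing it, can be made concrete in code. The block below is an added example, not code from any poster or from the image: it generates per-service passwords from the OS CSPRNG, scores strength as bits of entropy, and shows which services a single leaked password would open. The guess rate used for the time estimate is an assumed round number, not a measurement.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniformly random password drawn from the CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Strength of a uniformly random password: log2 of the number of possibilities."""
    return length * math.log2(alphabet_size)


def years_to_guess(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to hit the password by brute force (half the keyspace).

    The 1e10 guesses/s rate is an assumed figure for an offline attack on a
    fast hash; it is only meant to put the entropy number in perspective.
    """
    expected_guesses = (2 ** bits) / 2
    return expected_guesses / guesses_per_second / (365.25 * 86400)


def build_vault(services, length: int = 20) -> dict:
    """'Unique': one independently generated password per service, as a
    password manager would store them. Each call to generate_password is
    independent, so no two services share a password."""
    return {service: generate_password(length) for service in services}


def services_exposed_by_leak(vault: dict, leaked_password: str) -> list:
    """'Reuse': given a password leaked from one breach, list every service in
    the vault that would accept it. With unique passwords this is at most one."""
    return sorted(s for s, pw in vault.items() if pw == leaked_password)


if __name__ == "__main__":
    # Constructed sample: a user who reused one 'strong' password on two sites.
    reused_vault = {"mail": "Tr0ub4dor&3!", "bank": "Tr0ub4dor&3!", "forum": "xkcd936"}
    print("leak of the mail password exposes:",
          services_exposed_by_leak(reused_vault, reused_vault["mail"]))

    unique_vault = build_vault(["mail", "bank", "forum"])
    print("leak of the mail password exposes:",
          services_exposed_by_leak(unique_vault, unique_vault["mail"]))

    bits = entropy_bits(20, len(ALPHABET))
    print(f"20 chars from {len(ALPHABET)} symbols: {bits:.1f} bits, "
          f"~{years_to_guess(bits):.2e} years at 1e10 guesses/s")
```

Strength is a property of how the password was generated (bits of entropy), uniqueness is a property of the whole vault; a generator that does one without the other still leaves the cascade shown in the first `services_exposed_by_leak` call.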

@xpac I avoid sharing personal information, but I guess that's not a common practice. :blobthinking:

@xpac "change passwords frequently" is pretty terrible advice unless you're constantly publishing your passwords in some kind of newsletter

@xpac I'd like to be able to boost this regularly. Thanks for tooting :)

@rabbit @ruemaleficent

hey, we recently talked about computer security; the picture above might be relevant/interesting in this area

@xpac

@xpac the quintessential difference between "looking secure" and "being secure"...

@xpac "Use strong passwords" is the only one to make both lists, I noticed. Does running an OS incompatible with most viruses count as antivirus software? I would hope it does.

@xpac security ultraexperts top online safety practices:

use public key authentication
you're now more protected than anyone using 2-factor authentication, without the spying that comes with 2-factor auth
check for known exploits before compiling software updates

@cy
Sorry if this is an obvious question but how does 2fa increase spying?
@xpac

@karmanyaahm @xpac Because you can’t set it up without giving the authority your phone number. Or your email address. Or your gene sequence. Or whatever they call the second “factor.” It lets them profile you more easily, which helps them with behavioral analysis, which they can use to throw elections or suppress protest.

Technically public key authentication is 2fa without any surveillance. The first factor is the private key, which you have. The second factor is your private password encrypting your private key, which you know. But otherwise, 2fa is just an excuse to exploit people, far as I can tell.

@karmanyaahm @xpac Far as I know, TOTP (“Time based One Time Password”) is just the method that your authority uses to generate a verification code. They’ll want it to expire right away, so that they can prove you’re currently carrying your cell phone, or whatever telemetry they’re after. Thus, TOTP.

@xpac
Perhaps I'm no "security expert" but I value "don't share personal information", possibly over MFA.

We can mock the "nonexperts" list, but those practices are what "security experts" used to preach, roughly in that order; it's not something "nonexperts" came up with themselves.

@xpac
if you use a password manager with strong passwords, why would you need to change your password?

@xpac I do miss the mention of "tested backup" (Would be my number 1 or 2.)
