App and website developers: please do not disable paste on your login forms.
Let people use password managers so they can keep a unique password for your site that’s resistant to both password-guessing and password-sharing attacks.
Thank you.
Category: Computer Security
Taking the Safety Off
Purism’s explanations for removing various safety features from Librem One’s social network sound like someone explaining why they removed the mirrors, brakes, horns, seat belts, airbags and signals from the cars they’re reselling, because they know those cars are only ever going to be driven on a track where they’ll never have to change lanes or negotiate with other drivers.
Even though there’s a bunch of driveways on that track, connecting to the public road system.
If a collision does happen, we can call in the tow trucks and ambulances. But giving drivers tools to avoid collisions or reduce injuries? That would be interfering with their freedom!
Treat Passwords Like Driving: Separate Your Hazards.
The last time I set up a new computer, I was surprised to find that installing a password manager has become a critical part of getting the system ready to use.
It used to be that you could pick a few unique passwords for critical services like your primary email and banking sites, and reuse some passwords for less important sites, and maybe remember them all. But when so much of what we do happens online in so many places with so many different levels of security (and visibility), the attack surface is huge. Add in how many criminals and others are trying to break into those sites, and it’s no longer safe to reuse passwords.
Why?
If one site gets hacked, and you use the same password at another site, someone will try it just to see if it works.
The only way to protect against that is to use a different password on every site. And unless your online activity is very narrow, chances are you can only memorize a few of them. You can stretch it out with mnemonics like XKCD’s passphrase scheme, but eventually you’re going to have to record them somewhere. Putting it in a text file or spreadsheet is bad, because anything that gets onto your system can read it, but password managers are designed to encrypt them.
You still have to protect the master password on that file, but now you don’t need to worry that when someone finds your old MySpace password, they’ll start buying stuff on one of your shopping accounts, or hijack your Twitter as part of a harassment campaign, or use your email account to send malware to all your friends.
LastPass is a popular one. It’s cloud-based, which makes it convenient to use on multiple devices, but you do have to trust them. If you’d rather not trust your passwords to someone else’s computer, you can go with an offline manager like KeePass, which stores everything locally on your system in an encrypted file.
It’s amazing more email accounts weren’t hacked back in the 2000s
At a tech training session, I wanted to get access to some of my class-related email on the training computer. But I didn’t want to log into my primary email on an open network, or on someone else’s computer at all. I have no idea what they’re logging, whether they’re doing SSL inspection, whether there’s a keylogger on it — probably not, but who knows?
Heck, I didn’t even want to use my own device on the hotel Wi-Fi without a VPN, and that was at least secured by WPA2! (then again…)
I ended up forwarding the extra class materials to a disposable email account and logging into that one. No risk to other accounts if it got sniffed, at any level.
But I remembered how we all used to get at email when traveling back in the early 2000s, before smartphones, and before every laptop and every Starbucks had Wi-Fi:
Internet Cafes.
We’d walk into a storefront and rent time on one of their computers. Then we’d go to our webmail site and type in our primary email login and password over plain, unsecured HTTP without TLS.
I’d never do that today. Admittedly, I wouldn’t need to in most cases — I can access my email wirelessly from a device I own that I carry in my pocket. (Whether that’s a good thing remains up for debate.)
But more importantly, we know how easy it is for someone to break into that sort of setup. Even if your own devices are clean, someone else’s computer might have malware or keyloggers or a bogus SSL cert authority on their browser to let them intercept HTTPS traffic. An HTTP website is wide open, no matter whose device you use. And an open network is easy to spoof.
So these days it’s defense in depth: If it needs a password, it had better be running on HTTPS. If I don’t trust the network, I use a VPN. And I really don’t want to enter my login info on somebody else’s device.
Rogue One (Star Wars) and Imperial IT (SPOILERS!)
I liked Rogue One: A Star Wars Story quite a bit. Despite having a very different tone from either the original trilogy or the prequels, it’s still recognizable as a Star Wars film, and successfully weaves in and out of the events leading up to A New Hope.
There’s a somewhat odd setup for where they actually find the Death Star plans, though. SPOILERS after the cut: