If you are talking to someone who is not currently using:

* A password manager
* MFA on most or all accounts that allow it
* An up to date operating system on all of their devices

Please stop yourself from recommending:

* A VPN
* Tor
* Tails (or any variations/equivalents)

Just… rewind a bit and help with the first items first.

It often feels like tech geeks love to recommend solutions to the avant-garde horrors of Pringles cans (ht James Mickens), ICANN, and ISPs (who hate retaining data unless forced to do so) while ignoring the threats posed by password reuse, depending on passwords for security in the first place, or keeping your system patched.

It's like telling someone whose last oil change was five years ago all of the user-accessible parts they can swap out to make their car run better.

@hrefna
Ugh, I *almost* got my dad to start using a password manager, and then he read about the LastPass hack. I've personally since switched to Bitwarden, but he went back to his file of passwords made from variations on a theme.

They're not the worst passwords, and that's a big step up from using the exact same password everywhere, but I'd really like to get him on something more secure. I'll try again on hardware keys for email and the financial accounts.

@smolwaffle @hrefna if one is compromised, others can be inferred? @haveibeenpwned can help to convince him.

@hrefna The other day I was at the grocery store and the checkout person was chatting to me about work. When I mentioned what I do she was like "wow I bet you never get hacked!"

It was great when I told her "actually, somebody tried to access my amazon account the other day. I learned about it because I set up text notifications and MFA. I recommend it!"

So many people think that to have good security you need to be super smart or have niche knowledge, when the best answers are so often the simplest.

(and yes I know SMS MFA isn't perfect, but I'm really not in a high enough position to be at risk of SIM spoofing)

@hrefna VPNs or Tor are not particularly useful to protect users either! Are people really jumping at recommending those? Sheesh.

Also an updated browser is hugeeeee and probably the biggest difference other than you know, not running random executables.

@nsa @hrefna YES, VPNs are all over YouTuber ads as THE way to protect yourself from hackers, trackers, and geo-gating. That's one of the few things a lot of people know about.

@cromulentkeebs @nsa @hrefna I really like streamers who don't go with that and just say "It's good for when you want streaming service content that isn't accessible in your country", because yes, a VPN is fine for that.

@shine @nsa @hrefna Which is funny because it's not too difficult for services to figure out which IPs the VPNs are using and block them.

@hrefna

"Buh-buh-duh-dum-dum! Bah-dum!"

That's the sound of my XP machine proudly announcing it is ready for the day!

@hrefna the VPN market is booming for something that - afaict - does a little less than nothing for security 😬

I don’t think we’re supposed to believe the security claims. But when Google put “hackers, solved” in their *phone ads* because it has an integrated VPN… I *wince*

@hrefna also, do not acknowledge the existence of PGP. Too many ways to shoot yourself in the foot.

@hrefna @paul_ipv6
I did a guest lecture for the non-major programming class at Berkeley the other day.

I think the students were impressed by how password manager + security key made the login flow they have to deal with so much easier AND more secure at the same time.

@hrefna
Or ask them (and listen) why some of the first items possibly are really bad ideas.

@flexi @hrefna
Not a bad idea per se: MFA with the phone number is a security advantage, but with anti-privacy consequences, since it allows tracking users across multiple accounts/services.
TOTP or email are great, but not so many offer this choice.

@hrefna I appreciate you and what you have to say. It's like you've read r/privacy and see the inanity.

@hrefna I would also put backup in the first list!

@hrefna @publicvoit One more addition that's easy to walk people through, and they actually reap tangible benefits and use it (faster web page loads, less spam and junk): use Firefox + uBlock Origin.

@hrefna *stares in every small business and startup out there*

@hrefna I'd add to this an ad blocker in the browser, because in my experience it helps if they are not getting bombarded with fake play buttons, fake articles on news websites which are actually ads, shitty ads for health and diet, and fake security/antivirus popups.

My big two are

1. Password manager
2. Ad blocker

@hrefna True when it comes to digital safety, and digital safety only; however, a VPN or Tor is also very useful to circumvent censorship.

@hrefna
Sorry but I do not like password managers.

I don't understand why the industry doesn't move to something like ssh keys that git uses. Much more secure than passwords, hence why those who develop software prefer it.

As far as 2FA goes, have you ever not been able to pay a bill because your phone died?

Happened to my mom.

Frack that.

@SocialJusticeHeals Why? Most major services have multiple methods.

@bryan
She couldn't log into her bank account with 2FA because her phone was dead and couldn't authenticate her login.

Many people may have multiple 2FA methods set up but not everyone does, nor can everyone afford to just immediately replace their phone when it dies (or is stolen).

I like 2FA but for many people, it can become a single point of failure. You know, the exact thing intelligent engineers try to avoid.

Passwords are bad technology anyway, authentication keys are better and it +

@bryan
literally boggles my mind that the industry still doesn't use authentication keys for secure logins. It's not exactly new technology.
@hrefna Well the YouTubers don’t get paid unless they get you to sign up for NordVPN. And frankly, why wouldn’t you sign up? Did you know that if you use public wifi you will literally DIE? Use code SRSBIZ23 for 25% off your first month of NordVPN w/ Symantec Email Vault!
@hrefna

Got my 76yo mom set up with a password manager and TOTP app a few years ago. If I can do that for her, helping younger olds has to be easier.
@hrefna thank god for passkeys.