Following the news of the Yahoo hack of half a billion users (noted as the biggest data breach in history), you may be interested in some more tips regarding online security.
In their latest issue, Consumer Reports has a 10-minute digital privacy tune-up. Here are highlights and direct links for your convenience:
- Turn on automatic software updates wherever available.
- Use screen locks wherever available.
- Check where else you’ve been hacked at haveibeenpwned.com. You’ve probably been pwned. Adobe and Dropbox for me.
- Use temporary e-mail addresses. I tested their recommendation 10minutemail.com and I will definitely use it in the future for those “Give me your e-mail and get XXX” offers.
- Cover up your laptop webcam.
- Use the HTTPS Everywhere Browser Extension (available on Chrome, Firefox, Firefox for Android, and Opera). It helps you use encrypted HTTPS whenever possible.
- Turn off location tracking in apps.
I would also add a reminder about free and/or cheap password managers. All of my accounts now have their own unique, complex passwords. I can’t imagine not using one anymore. I still use 1Password mostly because it was the first one I tried, but if they force me into a monthly subscription I will likely bail. I’ve heard positive things about LastPass, KeePass, Dashlane, and RoboForm.
Some things in life are worth paying a fee for….things like Netflix, YouTube, Amazon Prime…and now LastPass which is just like $9 for the entire year. Nothing is hacker-proof…password managers still have a central point of entry (master password to get into its web interface) and it has already been hacked once (2015) but whatever…it’s the new normal. If you want privacy you need to get offline.
I don’t mind paying for software, I just don’t want to pay for it multiple times. I think paying ~$50 for a one-time download is appropriate, and if I choose not to upgrade any further then I shouldn’t have to pay any more. I don’t like how all software is being moved to a subscription-based model like Microsoft Office. For now, 1Password still sells one-time licenses:
https://1password.com/extlink/purchase-license/
I also don’t keep my passwords in someone else’s cloud. 1Password lets you manage your database however you like. Locally, on a thumb drive, on your own Dropbox/Amazon S3, or in your own private server. If LastPass has everyone’s password database in one place… that sounds like a perfect place to hack.
I think some services are switching to a subscription model due to pressure from investors/board members. They would rather have a product that is a $10/year subscription compared to a $100 one-time purchase because it provides a more reliable and continuous revenue stream.
The key is subscription models give you continuous updates — and this means security (in most cases). Like how you keep Windows updated. But, you pay for a new Windows every 5 years …so in a sense, it’s like a subscription model at the end of the day. Everything in life is subscription…it may not be labeled that way. You buy a car every decade or so…that’s a subscription. Doubt you will use 1Password for more than 5 years. Something better comes along, you pay up.
I don’t agree. When you start turning one-time use products into subscriptions, you lose control and usually money. Is leasing a car better than owning it and holding it as long as I want? Is going on the iPhone-every-year rental plan better than buying upfront and selling whenever I want? The last time I bought MS Office was 2009-ish and I have no plans to ever buy a new copy again. I use Google Docs primarily and fire up my old version when I need it. If I want to, I am free to use my old copy as long as I want. It doesn’t stop working when I stop wanting to pay them $10 a month forever.
I think software vendors often move to a subscription model because, well, like all of us, they need to pay their bills too. Developers have to pay mortgages, eat, raise their children.
The problem is the cost of living keeps going up, but the price of software keeps going down. How many people would pay $50 for an app on their phone or tablet? Most wouldn’t pay more than a few bucks. Yet it takes just as much development effort to make a good phone app as it does a desktop PC app.
It’s great when companies can keep charging an upfront cost – but remember, there has to be enough of us that are willing to pay that upfront cost to keep them in business.
If they have a good security model, concerns about the cloud provider being hacked are largely unfounded. Other sites that get hacked do one of two things:
1. They do not encrypt the data, leaving it in the clear for the hacker to read.
2. They do encrypt the data, but they store the keys online so the hacker gets the keys too. Sites that need to process your data must do this. A password manager only needs to store it; they have no reason to store the keys online.
Any good online password manager will use good encryption methods and the keys will not be stored with them. They’re usually stored with the customer in the form of your one password, or other key.
So even if the server of an online password manager gets hacked, all they’ll get is unreadable encrypted blobs. Without your password (assuming you use a good one), they won’t be able to decrypt your data – not for hundreds or thousands of years, at least.
Accessing a password manager’s data online is a bit different from another site. People’s view of hacking is quite distorted, likely from watching bad depictions of hacking. A hacker can access a password manager’s site in two ways.
1. Guessing your password. Choose a good one and a hacker won’t be able to guess it.
2. Exploiting a bug in the server. I believe this is what you are concerned about. However, a good password manager will encrypt all of your data with your master password, and possibly another key. The thing is, unlike Netflix, YouTube, or Amazon, a password manager vendor doesn’t need, and shouldn’t want, to be able to read your data, so they don’t store the password to decrypt the data. Other sites need to process your movie-watching habits, uploaded video, and orders for products so they need to be able to read the data. So they either don’t encrypt the data, or store the keys online, where the hacker can get them. But without the key, a hacker will only get encrypted blobs of data. They still won’t be able to read your passwords.
I use KeePass because it’s free, though I made a donation to the developer. KeePass has plugins, one of which allows you to connect to your password database from a cloud provider. I found KeeAnywhere to be the best one. Also, there’s an Android app on the Google Play Store called Keepass2Android Password Safe that allows you to connect to your password database from your cloud provider, too.
http://keepass.info/plugins.html#keeanywhere
https://play.google.com/store/apps/details?id=keepass2android.keepass2android
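The model the comment above describes, as an added example (not code from this post or from any of the password managers named): the client derives an encryption key and a separate authentication token from the master password, so the record a server holds (salt, KDF parameters, token, ciphertext) cannot be decrypted without the password, and the KDF work factor is what makes guessing slow. The stream cipher is a labelled stand-in built from HMAC-SHA256 because the Python standard library has no AES-GCM; a real client would use an AEAD.

```python
"""Client-side vault encryption as a password manager does it (illustration).

Encryption below is a stand-in: HMAC-SHA256 keystream plus an HMAC tag
(encrypt-then-MAC), used only because the stdlib has no AES-GCM.
"""
import hashlib, hmac, os
from dataclasses import dataclass

ITERATIONS = 600_000  # PBKDF2 work factor: the only brake on password guessing

@dataclass
class VaultRecord:           # exactly what the server stores; no key is in here
    salt: bytes
    iterations: int
    auth_token: bytes        # proves you know the password; cannot decrypt the blob
    nonce: bytes
    ciphertext: bytes
    tag: bytes

def derive_keys(master_password: str, salt: bytes, iterations: int):
    """One password, two independent secrets; enc/mac keys never leave the client."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, 64)
    enc_key, mac_key = root[:32], root[32:]
    # The login token is one more one-way step from the root, so a breached
    # server holding it still cannot recover enc_key or mac_key.
    auth_token = hashlib.pbkdf2_hmac("sha256", root, salt, 1, 32)
    return enc_key, mac_key, auth_token

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    for counter in range((length + 31) // 32):      # CTR-style PRF keystream
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
    return out[:length]

def seal_vault(master_password: str, plaintext: bytes, iterations: int = ITERATIONS) -> VaultRecord:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key, auth_token = derive_keys(master_password, salt, iterations)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return VaultRecord(salt, iterations, auth_token, nonce, ciphertext, tag)

def open_vault(record: VaultRecord, master_password: str):
    """Return the plaintext, or None when the password is wrong (tag mismatch)."""
    enc_key, mac_key, _ = derive_keys(master_password, record.salt, record.iterations)
    expected = hmac.new(mac_key, record.nonce + record.ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record.tag):
        return None
    stream = _keystream(enc_key, record.nonce, len(record.ciphertext))
    return bytes(c ^ k for c, k in zip(record.ciphertext, stream))
```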
I use 1password as well.
Another piece of good advice is to set up 2-step authentication when available.
For disposable email, I use a service called Throttle (https://throttlehq.com)
They provide the basic service of disposable emails but take it a step further by:
* Generating new disposable emails for each service/promotion you sign up for and associate those emails with your account.
* Above ability also allows you to find out which site shared/sold your email without your explicit consent since you’ll start seeing new emails received through that address.
* You can deactivate the email address to stop receiving email to that address.
* You can get instant notification or a daily digest of all the emails you’ve received. Or, no notification at all.
* Browser extension that detects an email field and places a button in the field to generate a new disposable email to use. Or, generate one from the extension button in the toolbar.
Why is 1Password crossed out?
I have a link checker plugin that automatically looks for broken links on my behalf, but it has problems with https links (somewhat ironic for this post). I’ll remove the s and it should be fine.