11 votes

So how do I know my passwords are safe?

11 comments

  1. gowestyoungman

    Saw this article about 184 million passwords being stolen from Apple, Facebook, Snapchat and it's something I've been thinking about lately.

    If they're stored on my computer and automatically entered when I go back to a site, they're obviously stored in a file on my machine. What keeps anyone, including Microsoft, from copying that file?

    At least I use a unique password for every site, but that doesn't give me much assurance. I know that my email was hacked last year when I signed up on an art evaluator site that turned out to just be a scam. I've had tons of scam emails since then. Fortunately I never put my phone number online, otherwise I'm sure I'd be getting scam texts too.

    Lots of people store everything they have on the cloud. How in the world do you know that any of your financial information is safe once it's on the cloud? It's just someone else's computer.

    2 votes
    1. ShroudedScribe

      These are some good questions. I've been wanting to author some materials on basic cybersecurity practices to benefit small businesses, so I'll share some of the highlights that have been on my mind, in relation to your concerns. (Some of this is more detail than I would give an average small business that doesn't work in the tech space.)

      If they're stored on my computer and automatically entered when I go back to a site, they're obviously stored in a file on my machine. What keeps anyone, including Microsoft, from copying that file?

      This is entirely dependent on the password storage method you are using. At one point in time, some browsers (like Internet Explorer) stored saved passwords insecurely enough that other browsers (like Chrome) could import them if you switched browsers. Those days are behind us, and any password manager built into a browser should use local encryption, preventing access to the passwords unless your "master password" is provided. While some of the information is a bit technical, Microsoft's article on the Edge password manager provides a good overview of the pros and cons of a password manager.

      I do highly recommend using a cross-platform password manager. Personally, I recommend Bitwarden, but there are other options. While your password database, sometimes called a "vault file," is transferred to other servers during save and sync operations, the encryption makes it unreadable to anyone who does not have that master password. So, by design, your password database is copied! But without your master password, it's useless.

      How encryption works (abstract explanation)

      The details of how this encryption works on a technical level are fairly complex, but it can be loosely compared to a cipher. Before computers, people would encode messages that needed to be transferred securely. Going very far back, encoding and decoding these messages would be done by hand. In this case, consider a message to simply be a paragraph of text.

      An easy-to-understand cipher is the Caesar cipher, which uses a basic rule: shift each letter by 3.

      Obviously, if it is this simple, and the rule(s) become known, your cipher is no longer beneficial as anyone can decode it. With modern encryption, this works quite differently, and there are entire college courses and books on how it works! But you can compare it to a cipher that has hundreds of rules on how to shift characters, and is considered secure due to the massive amounts of computational power that would be required to "crack" the encryption (years of very powerful computers trying to break it).

      (This isn't a completely accurate comparison, but I believe it gets the point across.)

      I've had tons of scam emails since then.

      One technique you can use when signing up for specific sites: Most email providers (Gmail and several others) allow you to append characters to the first part of your email address if you use the '+' character. So if your email address is john@gmail.com, you can sign up for a website with the email address john+something@gmail.com. Some people will do this from a category level (john+social@gmail.com) while others will do it for every site (john+facebook@gmail.com). Note that this isn't foolproof - some websites will strip these extra characters from your email address, and others may not allow you to sign up for them with a '+' character in the email address field.

      The benefit of this method is you can create rules for handling these emails. Maybe you don't care about any emails from Facebook, so you create a rule to move anything addressed to john+facebook@gmail.com directly into trash.

      Lots of people store everything they have on the cloud. How in the world do you know that any of your financial information is safe once it's on the cloud? It's just someone else's computer.

      If you are referring to banking websites and such: encryption is the answer for this one as well. But there's no way to be sure your information is safe in the hands of others. There are regulations and requirements for data handling in various industries, including finance and healthcare, but nothing is foolproof, as it may only take one weak link in the chain for a data breach. And even if a company's cybersecurity posture is exceptional, there's always a risk of an insider (disgruntled employee) retrieving this information and then selling it illegally.

      If you're thinking about documents, such as tax statements and budgeting spreadsheets that you maintain on your own computer, but transfer to the cloud with a provider like OneDrive or Dropbox: These also use encryption, but I would recommend using your own encryption on top of it, if possible. This can be done in a variety of ways, and I would recommend different methods depending on the specifics of the information and the tech savvy level of the people involved.

      I do have to disagree with @stu2b50 on this statement:

      if an attacker has complete access to your disk you’re cooked anyway.

      If you are using full-disk encryption, if a person was to steal your physical computer and try to look through your files, they would be unable to without your password. Microsoft allows you to do this on Windows with BitLocker (but the requirements vary). If you are exceptionally concerned about privacy, there are tools like VeraCrypt that will prompt you for a password before Windows even begins to load.

      Some of this may be more detail than you wanted, but hopefully that helps! I'm happy to explain more - sometimes I find it difficult to balance general topic knowledge with the appropriate amount of technical information.

      12 votes
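      Added example, not code from ShroudedScribe's comment or from Bitwarden or any other product: the Caesar cipher from the comparison above, broken by trying all 26 shifts, next to a toy "vault file" sealed with a key derived from a master password, showing why a copied vault is useless without that password. The vault construction (scrypt key derivation, HMAC-SHA256 keystream, HMAC tag) is chosen so it runs on Python's standard library alone; it illustrates the structure (salt, slow KDF, authenticated encryption), not the actual cipher suite any real manager uses.

```python
import hashlib, hmac, os

# --- The Caesar cipher from the comparison: one rule, 26 possible keys --------
def caesar(text, shift):
    """Shift each letter by `shift` positions; other characters pass through."""
    out = []
    for ch in text:
        if ch.isalpha():
            base = ord("A") if ch.isupper() else ord("a")
            out.append(chr(base + (ord(ch) - base + shift) % 26))
        else:
            out.append(ch)
    return "".join(out)

def caesar_break(ciphertext, known_word):
    """Once the rule is known, recovering the key is a 26-guess search."""
    for shift in range(26):
        if known_word in caesar(ciphertext, -shift):
            return shift
    raise ValueError("no shift recovered")

# --- A toy "vault file": the blob may be copied freely, the password may not --
def _derive_keys(master_password, salt):
    # scrypt is deliberately slow and memory-hungry, so every guess at the
    # master password costs real work (illustrative parameters, not a recommendation).
    km = hashlib.scrypt(master_password.encode(), salt=salt, n=2**14, r=8, p=1, dklen=64)
    return km[:32], km[32:]  # encryption key, authentication key

def _keystream(key, nonce, length):
    # HMAC-SHA256 in counter mode used as a PRF; real vaults use AES-GCM or similar.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def seal_vault(master_password, plaintext):
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive_keys(master_password, salt)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag  # this blob is what gets copied and synced to servers

def open_vault(master_password, blob):
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None  # wrong master password or tampered blob: nothing is revealed
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
```

      With the Caesar half, a known word recovers the key in at most 26 tries; with the vault half, a wrong master password yields `None` rather than partial plaintext, and the synced blob never contains the stored secret in the clear.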
      1. stu2b50

        If you are using full-disk encryption, if a person was to steal your physical computer and try to look through your files, they would be unable to without your password.

        They don't have full access to your disk, then. I meant the scenario OP presented, where the attacker has unrestricted read access to every file on your disk.

        3 votes
      2. vord

        Windows with BitLocker

        Few things prove to me Microsoft's evilness more than pay-gating basic security features from the cheapest tier.

        They do this all the time.

        3 votes
    2. stu2b50

      If they're stored on my computer and automatically entered when I go back to a site, they're obviously stored in a file on my machine. What keeps anyone, including Microsoft, from copying that file?

      They’re not. Some kind of session token is stored which is how you’re able to login again without typing your password. The password itself is never persisted anywhere in memory.

      Either way, though, if an attacker has complete access to your disk you’re cooked anyway.

      10 votes
      1. DistractionRectangle

        I think they're talking about browser auto fill, which absolutely stores them to disk. I've used NirSoft's tools in the past to recover passwords from borked Windows installs. In particular, WebBrowserPassView:

        https://www.nirsoft.net/password_recovery_tools.html

        7 votes
    3. thecakeisalime

      What keeps anyone, including Microsoft, from copying that file?

      Reputation, mostly.

      You have to trust the operating system you use. There's simply no way around that. No matter what method of storing and retrieving passwords you use, everything still has to pass through your operating system, and if they're a malicious actor, they can steal your passwords.

      There are people who audit operating systems, but now you have to trust that the auditor did their job properly. There are people who test operating systems for security flaws and built-in malware, but again, you have to trust that they're doing their job properly. Somewhere along the line, you just have to trust a number of different companies and/or people.

      8 votes
    4. rodrigo

      What keeps anyone, including Microsoft, from copying that file?

      Strong encryption. I mean, they (anyone) could copy your vault, but it would be useless without the master password.

      How in the world do you know that any of your financial information is safe once it's on the cloud?

      End-to-end encryption is a guarantee that your files hosted on the cloud are for your eyes only. You only need to trust the provider of your cloud storage and/or encryption tool that they are doing what they are supposed to do.

      6 votes
    5. mild_takes

      automatically entered when I go back to a site

      Sounds like you're having your browser store them? That's not ideal. When the browser asks if you want it to save a password, hit no/never ask and store it somewhere else.

      I switched to KeePassXC a few years back. No cloud or any of that BS. Everything is stored locally in an encrypted file; I just manually share that file to separate devices. I do keep one or two sites' passwords stored in the browser but that's just for stuff I don't care about.

      3 votes
    6. SteeeveTheSteve (edited)

      No, there's nothing stopping an OS from stealing passwords. At any moment a programmer could slip in some code capable of collecting login info from keystrokes or video from everyone into an OS update. It's one of the reasons Microsoft Recall wasn't received too well. Even a browser could secretly record keystrokes; I would not be surprised if Chrome already does that. So it's best just to assume your password will be hacked.

      This is why authentication was invented, always activate it if given the option. Authenticator apps and key files were invented because anyone rich enough to afford the hardware can reroute your texts, and emails are too often hacked. I suppose Android could hack my phone and with that get into anything.

      I had my passwords on LastPass; I wasn't even alarmed when I heard they'd been hacked because anything of value has authentication attached and I'm not rich or famous enough for someone to go thru the effort of rerouting phone numbers or hacking my phone to get into my accounts. I did change the passwords of a lot of stuff though, and I use Bitwarden now, for the convenience of in-browser and in-phone access. Password managers do the typing for you, so it's harder to record that way. My brother uses KeePass on his phone; he's a bit more paranoid than me and doesn't want his info in the cloud.

      Edit: Oh and "the cloud" is usually in a highly protected environment, at least using encrypted communication with far more security than the average home or small business computer. Your data is less secure on your home computer. The main issue with it being in the cloud is that the bigger the trove of data and the popularity a company has, the more of a target it will become.

      2 votes