“Stealing” is a stretch here but alright. That’s basically why I still use Apple Mail / Thunderbird on all my devices. All the swanky 3rd party clients are too keen on “enabling push notifications” by sending my credentials off to far shores.
ddnomad
joined 1 year ago
For MFA apps, Google Authenticator seems to be the norm.
I personally use OTPAuth with sync disabled and regular backups. Mostly because it is easier to organise and back up.
Regarding hardware security keys as part of MFA, you can either get yourself dual USB-C / Lightning or USB-C / USB-A keys from Yubikey. Then just buy a USB-A to USB-C dongle (or vice versa) and keep it on your key chain. That’s mostly what I do, not ideal but does the job.
I also use OnlyKey for some passwords, especially encryption passphrases on some servers and laptops. I usually need to enter them on boot, and it just takes too long to do that manually and I’m lazy.
I agree with you on most of the points. Some security is better than nothing. More security is better than less, layers and all.
Regarding data breaches and malware, and threat models in general. We should not forget phishing too. People voluntarily entering their credentials on a website masquerading as their bank etc.
With all of that, having your credentials split over multiple applications and devices actually saves you from an endpoint compromise and evil maid attacks, at least in a sense of limiting the fallout.
Regarding VeraCrypt and “FREE”. While it is, again, better than nothing, VeraCrypt is fiddly, not always works consistently on all operating systems (I look at you, MacOS), and is susceptible to key logging. I prefer actual certified hardware with physical keypads instead. It is not free and has its own downsides, but it is just something I find more appealing.
As a rule of thumb, do not put all your eggs into one basket. No software is infallible and vulnerabilities can be uncovered and exploited in both open and closed sourced applications.
That’s being said, as long as you don’t store all information necessary for a successful login in your password manager, you should be fine.
So storing credentials for your bank account is fine, as long as it is also protected by MFA and you do not use the same password manager for handling that.
You can store PIN codes from your debit cards in the password manager as long as you do not store card number / expiration / CVV2 there too.
Personally, I keep passwords in a password manager, MFA tokens in a separate authenticator, MFA recovery codes go to FIPS 140-2 certified encrypted USB sticks (3 separate copies). I do store debit card PIN codes in my password manager, but only alongside the last 4 digits of the card number.
Mullvad is trusted. They are pretty open with their policies, exist for a long time already, not involved in any privacy scandals (to my best knowledge), charge flat and fair fee without 60% sales and other dubious marketing practices. It is one of the better VPN providers, not in 5/9 eyes (they are in 14 eyes though), you can buy a subscription with crypto, which (assuming crypto was acquired anonymously too) is a good start for some privacy guarantees.
Pretty much every cyber security professional I know uses Mullvad in one way or another, usually as part of a more complex solution.
But all in all, please bear in mind that VPN is not some magic silver bullet to preserve your privacy and anonymity. With VPNs you basically shift your trust from your ISP to the VPN provider. That trust you put into the provider, it is still a requirement. Not to mention that a good chunk of tracking is happening on a lower level nowadays, so if you use Mullvad on Windows / any Apple device etc. do not expect to become untraceable :)
Fiercely agree. I have Samsung “smart” TV that I use as a dumb screen for my Apple TV and PS5.
Samsung’s software manages to bug out even without using it. The TV remote would randomly disconnect, screen would respring, randomly adjust contrast etc. It’s like “the printer of TVs”.
Books, online courses. Education in depth, ideally.
Books, online courses. Education in depth, ideally.
view more: next ›
There are two camps. People will constantly try to drag you into one. They will get mad if you resist. They will call you a filthy centrist if you resist.
It doesn’t not matter what’s your political view, if it is not radical enough, if it does not align unquestionably with one of the camps, people will get mad.
This is just how it is nowadays.