Guide | How To Don’t Get Pwned: A Guide to Safer Logins


spaceoctopus

Jul 13, 2014
Mozilla Blog: Password and login security tips that anyone can use

More and more of the sensitive, valuable things in our life are guarded through password-protected online accounts — love letters, medical records, bank accounts and more. Web sites use login procedures to protect those valuable things. As long as someone can’t log into your account, they can’t read your email or transfer money out of your bank account. As we live our lives online, how should we protect our logins?
  • Use random passwords, and use a different password for every site
  • Use a password manager to make creating and remembering passwords easier
  • Make your answers to security questions just as strong as your passwords
  • Use “two-factor authentication” wherever you can
  • Pay attention to the browser’s security signals, and be suspicious
(link above for full article)
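As an added illustration of the first two bullets (random, per-site passwords kept in a manager), not code from the Mozilla post or this thread: the generator below draws passwords from the OS CSPRNG, computes how much entropy they carry, and checks that no password in a small constructed vault is reused across sites. The 1e10 guesses/second cracking rate is an assumption for illustration only.

```python
import math
import secrets
import string

# Alphabet for generated secrets: letters, digits and a few symbols (74 symbols).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return a string drawn uniformly at random using the OS CSPRNG.

    The same routine serves for answers to security questions, which the
    Mozilla post says should be as strong as a password."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy in bits of a uniformly random string of this length/alphabet."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case years to try every candidate at the given guess rate.

    1e10 guesses/s is an assumed offline-cracking rate, not a measurement."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def build_vault(sites, length: int = 20) -> dict:
    """Constructed example of a manager vault: one fresh random password per site."""
    return {site: generate_password(length) for site in sites}


def unique_per_site(vault: dict) -> bool:
    """True when no password is shared between two sites, so one breach stays local."""
    passwords = list(vault.values())
    return len(passwords) == len(set(passwords))


if __name__ == "__main__":
    vault = build_vault(["mail.example", "bank.example", "shop.example"])
    bits = entropy_bits(20, len(ALPHABET))
    print(f"20-char random password: {bits:.1f} bits, "
          f"{years_to_exhaust(bits):.2e} years to exhaust")
    print("8-digit PIN-style secret:",
          f"{years_to_exhaust(entropy_bits(8, 10)):.2e} years to exhaust")
    print("vault has unique passwords:", unique_per_site(vault))
```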
 

Wave

> Use a password manager to make creating and remembering passwords easier
This won't really make your logins safer at all, but just reduces the chances of staying safe (even though you'll be safe and the chances of someone hacking you might seem slim, it still causes a chance reduction).

Since if a program/extension has access to your passwords, it means someone else can gain access to them too - maybe you will leave your system on and someone else will gain access in the time that you're away, or you will become infected with a Trojan backdoor and the attacker will see the passwords on the application storing the passwords for you.

However, it's good to improve management skills and to help push you to use different and more complex passwords for each individual website you sign up to, which does in turn outweigh the negatives IMO (since if you get hacked on one account from a network, let's say they have a network breach, then it won't affect other sites you use).

> Pay attention to the browser’s security signals, and be suspicious

Speaking of this one, use HTTPSEverywhere if it's supported by your browser. When you use HTTPS, the information transmitted from the browser client to the server is actually encrypted, meaning if you ever use public WiFi networks or someone in your house/a stranger with access to your WiFi attempts to sniff the network, they won't be able to filter out the login credentials you've typed in for your sign-in attempts. ;)
 

509322

> Since if a program/extension has access to your passwords, it means someone else can gain access to them too - maybe you will leave your system on and someone else will gain access in the time that you're away, or you will become infected with a Trojan backdoor and the attacker will see the passwords on the application storing the passwords for you.

There's a lot of misunderstanding of the general topic of data stealing. A lot of people mistakenly think that all that is required to completely pwn their browser session and system is simply to navigate to a malicious webpage - even when everything sits there and does nothing. In reality it involves more factors than that. This misunderstanding that merely visiting a webpage can result in instant man-in-the-browser fuels a lot of the flames of ultra-paranoia.
 

Wave

> There's a lot of misunderstanding of the general topic of data stealing. A lot of people mistakenly think that all that is required to completely pwn their browser session and system is simply to navigate to a malicious webpage - even when everything sits there and does nothing. In reality it involves more factors than that. This misunderstanding that merely visiting a webpage can result in instant man-in-the-browser fuels a lot of the flames of ultra-paranoia.

I'm not really sure if that was a quote to correct me on something, but just in case: I wasn't referring to an infection from a webpage in a scenario like that (exploit). I was just talking about if someone had access to your system when you were away from keyboard, or if the system already had malware present and installed (like a backdoor), and you had a password manager, then it could potentially access it and steal credentials, depending on other factors also :)
 

509322

> I'm not really sure if that was a quote to correct me on something, but just in case: I wasn't referring to an infection from a webpage in a scenario like that (exploit). I was just talking about if someone had access to your system when you were away from keyboard, or if the system already had malware present and installed (like a backdoor), and you had a password manager, then it could potentially access it and steal credentials, depending on other factors also :)

Not meant to correct you.

I'm just relating that many people don't understand that, generally, man-in-the-browser/boy-in-the-browser requires a Trojan, an exploit that results in a Trojan being surreptitiously installed, or a malicious browser extension being installed on the system.

If you research this topic online, you will find explanations that do not explicitly state the above; it has to be inferred, and sometimes, given the way the explanations are written, a lot of intelligent, reasonable people almost certainly will not infer it.
 

Wave

> If you research this topic online, you will find explanations that do not explicitly state the above; it has to be inferred, and sometimes, given the way the explanations are written, a lot of intelligent, reasonable people almost certainly will not infer it.

Thanks :) Do you happen to know of any good books about this sort of stuff you could recommend to me? My skill-set is kind of revolving around Windows Internals, but I want to expand to network-related things also (like MITM, etc). Any advice is useful :)
 

509322

> Thanks :) Do you happen to know of any good books about this sort of stuff you could recommend to me? My skill-set is kind of revolving around Windows Internals, but I want to expand to network-related things also (like MITM, etc). Any advice is useful :)

Your best bet is online info. The trick is to use carefully chosen keywords in your searches: "financial malware, web-based attacks, browser attacks, MitM|BitB|MitB, etc." Searching for the good stuff, like all technical searches, can be tedious.
 
