% qna.tex
\chapter*{Security questions}
\label{ch:qna}
\subsubsection{Shouldn't I avoid writing my password down?}
In today's world, major corporations are hacked every week, and distributed cracking networks can break complex passwords in record time. It's safest to use a strong, unique password for each account you hold, but this makes memorization impractical.
Once, people were told not to write passwords down, ever, but the consensus among security professionals has evolved. You're better at protecting this book than corporations are at securing their password databases.
\subsubsection{Can I just pick my own words from the list?}
No. Humans are terrible at being unpredictable, and hackers are great at exploiting predictability. The primary reason that Diceware creates secure passwords is that you have no agency in the process.
\subsubsection{Should I leave spaces between the words?}
Yes. It makes your passphrase more secure, and easier to type.
\subsubsection{How many words should I use in my passphrase?}
The most important accounts, such as email, e-commerce and financial sites, should use at least five words.
Encrypted drives storing sensitive personal and financial documents should use seven words.
Less critical accounts, like social media, can use three words provided the passwords are unique.
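The two answers above rest on one fact: the strength of a Diceware passphrase comes from the dice, not from the words, and each independently rolled word adds $\log_2 N$ bits for a list of $N$ words. The following Python is an added example, not code from this book or from the EFF; it assumes the four-dice, 1296-word layout of the EFF short wordlist (one word per roll) and uses a constructed stand-in list, since the real word list is not reproduced here. It shows the dice-key to index mapping, the entropy for three, five and seven words, and a rough cracking-time estimate.

```python
import math
import secrets

# Assumption: the simplified EFF scheme uses four dice, so the list has
# 6**4 = 1296 entries, one per dice key '1111'..'6666'.
WORDLIST_SIZE = 6 ** 4


def roll_dice_key(n_dice=4, rng=secrets.randbelow):
    """Roll n_dice fair dice and return the key as a string such as '3152'.

    secrets.randbelow is a CSPRNG; physical dice, as in this book, are just
    as good. The point is that no human chooses the digits.
    """
    return "".join(str(rng(6) + 1) for _ in range(n_dice))


def key_to_index(key):
    """Map a dice key (digits 1-6) to a 0-based list index.

    '1111' -> 0, '1112' -> 1, ..., '6666' -> 1295 (base-6 positional value).
    """
    index = 0
    for ch in key:
        digit = int(ch)
        if not 1 <= digit <= 6:
            raise ValueError(f"dice key must use digits 1-6, got {key!r}")
        index = index * 6 + (digit - 1)
    return index


def passphrase_bits(n_words, list_size=WORDLIST_SIZE):
    """Entropy of n_words independently rolled words: n * log2(list_size)."""
    return n_words * math.log2(list_size)


def expected_years_to_crack(bits, guesses_per_second):
    """Expected time for an attacker guessing at a fixed rate.

    On average half of the 2**bits keyspace is searched before the hit.
    """
    seconds = (2.0 ** bits / 2) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def generate_passphrase(n_words, wordlist, rng=secrets.randbelow):
    """Space-separated passphrase of n_words, one dice roll per word."""
    if len(wordlist) != WORDLIST_SIZE:
        raise ValueError("wordlist must have exactly one word per dice key")
    return " ".join(
        wordlist[key_to_index(roll_dice_key(rng=rng))] for _ in range(n_words)
    )


if __name__ == "__main__":
    # Constructed stand-in list: entry i is simply labelled w<i>.
    demo_list = [f"w{i}" for i in range(WORDLIST_SIZE)]
    for n in (3, 5, 7):
        bits = passphrase_bits(n)
        years = expected_years_to_crack(bits, guesses_per_second=1e12)
        print(f"{n} words: {bits:5.1f} bits, ~{years:.3g} years at 1e12 guesses/s")
    print("example:", generate_passphrase(5, demo_list))
```

The guess rate is a knob, not a prediction: at $10^{12}$ guesses per second, five words (about 52 bits) hold for decades while three words (about 31 bits) fall in seconds, which is why the book reserves three-word passphrases for accounts that are both unique and unimportant.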
\subsubsection{My passphrase was rejected because it is too long, or because it lacks capitalization and numbers.}
You may shorten words to no less than three letters without affecting the security of your passphrase. You may also replace words with their associated four-digit number. You may \textit{not} choose different words.
Capitalization adds a very small amount of security; if required, pick a memorable word to capitalize.
\subsubsection{What if I lose this book?}
The real purpose of this book is to provide you with the tools to generate strong, memorable passwords that are unbreakable by the world's most powerful computers. It need not be the only place that you record them.
\subsubsection{Are password managers like 1Password safe?}
Yes, as long as the master password is strong \& secure. For example, if Google Chrome is configured to store your password, make sure that you have a strong Google password, and don't leave your account logged in on computers or mobile devices that are not physically secure. The same is true of Safari and iCloud, Internet Explorer and Windows Live, etc.
\subsubsection{Who invented Diceware?}
Diceware was invented by Arnold G. Reinhold, a computer scientist in Cambridge, MA. It was first published to Usenet's \textit{sci.crypt.research} on August \ordinalnum{1}, 1995. For lots more information, visit
\url{https://goo.gl/xobzeV}.
%\url{http://world.std.com/~reinhold/diceware.html}.
This book implements a simplified version developed by the Electronic Frontier Foundation (EFF) in 2016.
\subsubsection{What is the danger in reusing a password?}
Imagine that you used the same password for an online clothing store and your email provider. Months later, the clothing store is hacked and your password is stolen. The hackers log in to your email and find correspondence from your bank. They use the bank website to reset your online banking password, and intercept the confirmation email. Next, they use the bank website to order checks in your name, initiate transfers, etc.
This story illustrates why the security of your email ranks above others in importance: for hackers, it is the gateway to all your accounts.
\subsubsection{How can I find out if my password has been stolen?}
Visit \url{haveibeenpwned.com}, and type in your email address. This helpful site tracks the data leaks released by hackers, and maintains a database of which email addresses appeared in each breach and what kind of data was stolen.
If your email tests positive, immediately change the password for the sites listed \textit{and} any sites that might have shared the same password.
\subsubsection{What is two-factor authentication?}
Two-factor authentication enhances your password by sending a code to your phone or another device, which you must supply in order to be authorized. This ensures that even if someone has your password, they also need to have your phone.
It's a good idea to set up two-factor authentication on any account linked to your bank account or credit cards.
The US Government no longer recommends SMS for two-factor authentication, due to the ease with which text messages can be intercepted. Mobile apps like Google Authenticator are more secure.
\subsubsection{What is phishing?}
Phishing is when a hacker sends you an email message which appears to be from an organization you have a relationship with, but is actually a trap to make you give up your password.
Phishing emails typically warn you that something is wrong with your account, a delivery, or another kind of transaction, and urge you to open a document or log in via a link. They can be very realistic and insidious.
Always check the URL in any emailed links you click, and be sure that they take you to the site you expect.
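Checking a link means looking at the host the browser will actually connect to, which is easy to get wrong by eye. The Python below is an added example, not code from this book; it shows the check a mail filter or a careful reader would apply, using constructed sample links with the reserved names \texttt{bank.example} and \texttt{evil.test}. It handles the cases a substring match gets wrong: the expected name used as a subdomain of another host, a lookalike prefix, a user\@host prefix, and Unicode lookalike labels (compared after IDNA encoding).

```python
from urllib.parse import urlsplit


def link_host(url: str) -> str:
    """Return the host the browser would connect to, normalised.

    urlsplit().hostname drops any 'user@' prefix and the port, so
    'https://bank.example@evil.test/' yields 'evil.test'. IDNA encoding turns
    Unicode lookalike labels into their xn-- form so they cannot match ASCII.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError(f"not a web link: {url!r}")
    host = parts.hostname.lower().rstrip(".")
    return host.encode("idna").decode("ascii")


def belongs_to(host: str, expected_domain: str) -> bool:
    """True only if host is expected_domain or a subdomain of it.

    The dotted suffix test rejects 'bank.example.evil.test' and 'notbank.example',
    both of which a naive 'bank.example' in url test would accept.
    """
    expected = expected_domain.lower().rstrip(".").encode("idna").decode("ascii")
    return host == expected or host.endswith("." + expected)


def link_goes_to(url: str, expected_domain: str) -> bool:
    """Single yes/no answer for a link found in an email."""
    try:
        return belongs_to(link_host(url), expected_domain)
    except ValueError:  # includes UnicodeError from a malformed host
        return False


# Constructed sample links, as they might appear in a message about bank.example.
SAMPLE_LINKS = [
    "https://www.bank.example/login",          # genuine
    "http://bank.example:8080/statements",     # genuine, explicit port
    "https://bank.example.evil.test/login",    # expected name as a subdomain
    "https://notbank.example/login",           # lookalike prefix
    "https://bank.example@evil.test/login",    # user@host trick
    "https://b\u0430nk.example/login",         # Cyrillic 'a' lookalike
]


def audit(links=SAMPLE_LINKS, expected_domain="bank.example"):
    """Map each link to whether it really leads to expected_domain."""
    return {url: link_goes_to(url, expected_domain) for url in links}


if __name__ == "__main__":
    for url, ok in audit().items():
        print("OK  " if ok else "BAD ", url)
```

This check answers only "is it the site I expect"; it says nothing about whether the page behind a genuine link is safe, so the book's advice to navigate to important sites directly rather than through emailed links still stands.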
\subsubsection{What is social engineering?}
Social engineering is when a hacker contacts a company you do business with and pretends to be you. Often this means telling customer service that you have lost your password, and trying to convince the representative to change it or otherwise unlock your account.
The best protection against social engineering is to avoid easily guessed security questions, such as your mother's maiden name. When asked for such information, generate a Diceware password instead.
\subsubsection{How can I stay safe online?}
Above all, practice good operational security (\textit{opsec}). Be suspicious and careful online.
Minimize the number of accounts you open, and always choose the best account security available. Keep track of the accounts you open, close unused accounts, and change passwords on active accounts regularly. Prefer to shop with businesses that have strong online safeguards, and take advantage of identity protection and online shopping protection services offered by reputable financial institutions.
\subsubsection{What should I do if I've been hacked?}
The resources at \url{crashoverridenetwork.com} and at \\ \url{staysafeonline.org} are a good starting point. They provide tools to help determine whether you have been hacked and can help you to regain control over your online accounts.