Great work funkyworms!

I added a couple of things i didnt use earlier and tomorrow im adding untangle and will use truecrypt and then i have everything from your list.

Im doing some things different from you

...my important passwords im not saving in firefox.

...my poker and internet banking passwords are made up of two parts, the first being strong from Keepass and the second weaker and not saved in Keepass.

...I use several secure email-accounts.

...Also, im not using AIM, MSN or similar, but maybe you mentioned this in online behaviour, i dont remember.

...And im using the full version of Avast...and run some other scanners on a regular basis.


I have a question. Keeping a majority of your passwords on Keepass and all your poker accounts on the same email, is that safe?

If they get to your Keepass or your email they basically get access to all your online money except for the sites where you have a security token.

Also thinking about downloading GnuPG.
Is this good if i want to encrypt my other emails.
Like windows mail and yahoo?

The easiest way to implement OpenPGP encryption for your email is with Thunderbird + Enigmail + GnuPG.

You should note that in order to send/receive encrypted emails, both sender and recipient must have some OpenPGP compatible client installed. So while installing and configuring OpenPGP might be fun for you, the actual benefits of doing so will be pretty limited unless you convince all of your friends to install it too.

Ok, didnt know that, thx for saving me an hour of unnecessary work.

Is a windows mail (i.e non-webmail) account more secure than a gmail account if it is set up in the same way as you recommend for the gmail?

No more. No less.

Are you serious? Thats alot of stuff to implement isn't it? Isn't there some SIMPLE way to protect yourself from would be attackers?

Yes
Is it?

• Install a proper Anti-virus (5 minutes to install Avira)
• Use strong and unique passwords (5 minutes to install Keepass)
• Use Firefox with NoScript (2 minutes to install)
• Secure your network (10 minutes to configure router)
• Don't install junk software (8 minutes to watch video and learn what is junk)
• Keep all software updated (5 minutes to install Secunia)
• *Optional* Encrypt your hard drive if you're concerned about personal data (30 minutes to install and learn about Truecrypt)

I'll be generous and assume it takes you twice as long as I quoted above. I'll also assume that you watch all the videos. That's a one-time commitment of 2 hours for a secure computer and a better understanding of computer security. How much simpler do you want? Plus you have a video guide showing you exactly how to do it.

Are you serious?

I encrypted my hard drive with truecrypt but I just realized I probaly dont need it. How do I turn my hard drive back to the way it was before truecrypt?

Truecrypt > System > Permanently decrypt system partition/drive.

About password security, still a bit unclear on some items:

1) In case I get infected by a keylogger, is Keepass going to help me at all? I still have to enter the password for that and after that, everything stored in the database is open for invaders?
2) Assuming that I have password that are not found by dictionary attacks but I can remember, does Keepass offer me anything other than the ease of copy pasting the stuff on poker clients?
3) If I keep passwords stored on poker clients or my browser, I evade the risk of keyloggers but there are other risks involved. I assume the Keepass route is still considered more safe?
4) If I use an unsafe PC to log in to my email/poker client, is there any way of making that secure, other than right away changing the password from a safe computer (kind of redundant idea... if I had the safe computer at hand, I'd use it in the first place)?

A bonus question: I suppose it's more likely that someone grabs my password from my PC and uses it elsewhere, rather than somehow making use of my data at my PC directly, while I'm happily browsing away at 2+2?

I want to preface my response by saying that this is all dealing in the hypothetical. If you follow the advice in the videos you won't get a keylogger. You just won't. I can't put it more plainly. You have a better chance of getting struck by lightning.

1) No, but nothing will. If you get a keylogger and continue using your computer, nothing is safe. Once malware is active on your system your entire system should be considered compromised. Nothing can protect you regardless of their claims. Simply having malware on your system won't allow a would-be attacker to crack your keepass database. However, they would probably have your master password. They would need a keylogger and some sort of access to your computer to have open reign on your keepass database. The important step is not getting a keylogger.

2) Every account should have a unique password. Are you capable of remembering all of your passwords and password recovery questions? If so, I guess you don't need Keepass.

3) Storing passwords in clients doesn't protect you from keyloggers. I store passwords in my poker clients and Firefox.

4) Don't do it.

Bonus: I don't know what you're asking, but someone doesn't just "grab your password" and if they do they almost certainly don't have remote access to your machine. This is a far-fetched situation that simply won't happen if you follow the videos.

funkyworms, first of all, thanks for all the info in the thread. I don't want to appear stubborn, just needed to get some things cleared in my head.

As for 3) I was a bit surprised... if you keep passwords stored in poker client, what is Keepass actually needed for? Generating a strong password? Actually I was under the impression that the client is not the safest place to store the password in the first place. I assume different sites use different (proprietary) ways of securing the data. Do you know about those?

Sometimes sites will ask you for your password even if you have them remember it. Sometimes sites will forget that you have told them to remember your password. So you may need to re-enter the password even if it is saved. You may have password you don't use very often that you don't want to have to remember. Also, the sites always know what your password is, even if you don't remember it. If you are going to be afraid of trusting the site with a password to that site you may be a bit too paranoid.

I would have though they only know the hash of my password? Although there's one site where online support always asks for 2 first letters of my password before they answer anything, and the password is only a couple of letters and always autogenerated... I don't keep money on that site any more.

Trusting a site with my credentials and money is still different from trusting my password to the client software, as it's somehow stored on my computer (I assume). Unfortunately I don't know how it's stored.

Thanks for all your work on this funky. I might have to give that Yubico key a shot!

Thanks a lot for producing these videos funkyworms, they really are so informative! I was pleased to see that I already take some of the precautions you recommend, but there are a few things I'm not clear on:

No-Script

I don't have a clue about how scripts work, but I'd like to understand this better. You mentioned that if one were to use Firefox with No-Script it would be pretty much impossible to get infected from browsing YouTube. But then you allowed (white-listed) the youtube & ytimg domains. Does this mean that if a dangerous script were on that page, it would be listed as something other than those two?

Also, since I installed No-Script, I have only been to a handful of sites but have had to allow scripts at most of them. Right here for example, when typing this post, I had to white-list 2+2 before I could use the bold/italics buttons in the editor. As I'm not an expert on these things and, if I need to keep 'allowing' all the sites I want to visit then isn't it just like a novice who uses a personal firewall and clicks 'allow allow allow'?

I don't mean this to sound like an argument haha. It's just that if I have to allow scripts at every forum, every site that has embedded videos, every site that uses flash etc, then it basically comes down to 'allow everything, but don't visit suspicious sites' which is just like saying 'don't install trash and you won't need to use something like Comodo'. Hopefully I have misunderstood how this works, and will be tutored shortly! I mentioned the firewall thing here because, for some time, I was doing exactly what you said - using Comodo and after deciding that I will install something, then just clicking 'allow allow allow' which is pretty damn pointless lol.

Installing Software

Until I read your advice about osalt & sourceforge my usual procedure for finding new software was to select something and then upload it to Virus Total. If it came back clean I would trust it. Was this a really poor system?

Torrents & Rapidshare etc

Kerowo says "don't use 'em" and don't talk about them.


And one final query was about checking the 'remember my username/password' box in the PokerStars client. Does it mean my details are saved into the user.ini file? Is this not recommended?

Thanks again for all the advice you've given here!!

good work with the videos funky, ur voice soothes my soul

I'm basically a computer illiterate and I am very interested in your thread. I tried firefox as my browser with no script and found them really slow. A tech from some site I can't recall recommended Google Chrome which I'm using as my browser now. I haven't even seen this in the few threads I've read so far. Is Google Chrome an option if I want to follow your thread? TKS nytim
PS I'm going to follow your advise.

funkyworms,
For a laptop user that travels a great deal, would you recommend getting some sort of LoJack program? If so, which one?

What is the best way to backup Windows? I'm looking for something that I can use to boot from an external drive in the event that my primary hard drive somehow became damaged or corrupted.

Thanks.

funky,

matousec.com says Avira is among the worst performing security suites. I know you don't care too much about software firewalls and antivirus programs, but do you have any thoughts on that site or their test results?

Matousec tests firewalls. Avira firewall sucks, their AV is very good.

Hey this might be a really stupid question, but I can't find an answer on here or on google. If your computer crashes and you have to reformat or buy a new one can you still access KeePass passwords or are you screwed? Thanks.

You should keep your Keepass database stored on multiple drives. I also recommend keeping it stored online. You can use Dropbox to keep store it online and keep it synced with all of your computers.

I made this post in HSNL but I believe it belongs here too.

I don't believe this problem has much to do with the AIM client, weak passwords, or weak password recovery questions. The problem is that someone can change your AOL credentials without much information at all. All they have to know is your:

1. username
2. birth date
3. gender
4. zip code

With this information they can reset your password recovery question and answer. This means they can access your account without any prior knowledge of your email address, password, or password recovery info. Using such public information as an authentication mechanism is a major security failure on AOL's part.

If you insist on using AIM you should either (1) Log on to your account at AOL's website and change your zip code or (2) Create a new AIM account with a fake zip code and birthday. In both cases you should also make sure that your password and password recovery questions are strong. Use Keepass to remember your passwords, recovery questions, fake zip code and birthday.

If you'd like to move away from AOL products completely, I recommend using the open-source XMPP protocol for chat. This is what gChat uses so you already have an XMPP account if you have a Google account. There are many other free XMPP servers if you'd rather not create a Google account (all XMPP accounts can chat with other XMPP accounts so it's possible to talk to gChat people without a Google account). I also recommend using Pidgin for your chat client combined with OTR encryption.

This is what AOL requires if you don't know your password or password recovery question.



For comparison, this is what Google requires.