
What you need to know to keep your online accounts safe - lexz0r
http://www.stavros.io/tutorials/online-security/?
======
300bps
Didn't see a lot of practical advice. For example: they say there aren't
really defenses against keyloggers but that is not true. One defense to
protect a web password is to inject characters into the key logger that are
ignored by the browser. One method of doing this is to click in the password
text box, type one character of your password then click on the background of
the page and type a bunch of gibberish then repeat. The keylogger will be
filled with random gibberish instead of your password.

~~~
StavrosK
Most keyloggers include the window title (and the really advanced ones take
screenshots as well), so this countermeasure is easily defeated.

~~~
300bps
I'm not sure if you understood what I was saying because the window title
would remain the same (i.e. the browser). You would just be clicking inside
and outside of a textbox within the same browser.

As for taking a screenshot - that wouldn't help either with something
meaningful like a password. Not to mention that doing screenshots totally
changes the dynamic of a "key logger" and exponentially raises the amount of
storage needed and makes it even more difficult to glean useful data from it.

I think you're trying to stretch to make this countermeasure "easily defeated"
when it really isn't.
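The exchange above, as an added illustration that is not part of the thread and not code any commenter posted: a constructed keystroke stream shows what the "type one password character, then gibberish outside the box" countermeasure looks like to a logger that records only keys, versus one that also records which control had keyboard focus for each key. The focus labels `input#password` and `body` and the function names are assumptions made for the example; a real logger running with the same privileges as the browser can usually ask the OS which window or control currently has focus.

```python
# Added example, not code from the thread: a simulated keystroke stream
# showing what the "type gibberish outside the password box" countermeasure
# looks like to a keystroke-only logger versus a logger that also records
# which control had keyboard focus for each key. All events are constructed.
from dataclasses import dataclass
from typing import Dict, List


@dataclass
class KeyEvent:
    key: str    # the character typed
    focus: str  # hypothetical name of the control that had focus at the time


PASSWORD_FIELD = "input#password"   # assumed focus label for the password box
PAGE_BACKGROUND = "body"            # assumed focus label for the page background


def simulate_countermeasure(password: str, decoy: str, chunk: int = 3) -> List[KeyEvent]:
    """Build the keystroke stream the countermeasure produces: one password
    character typed into the password box, then `chunk` decoy characters typed
    with the page background focused, repeated for every password character."""
    events: List[KeyEvent] = []
    pos = 0
    for ch in password:
        events.append(KeyEvent(ch, PASSWORD_FIELD))
        for _ in range(chunk):
            events.append(KeyEvent(decoy[pos % len(decoy)], PAGE_BACKGROUND))
            pos += 1
    return events


def keystroke_only_log(events: List[KeyEvent]) -> str:
    """A logger that records keys in order and nothing else: it sees the
    password interleaved with decoys and cannot tell them apart."""
    return "".join(e.key for e in events)


def focus_aware_log(events: List[KeyEvent]) -> Dict[str, str]:
    """A logger that also records the focused control per keystroke and
    groups keys by control; the password field's entry is the password."""
    grouped: Dict[str, List[str]] = {}
    for e in events:
        grouped.setdefault(e.focus, []).append(e.key)
    return {control: "".join(keys) for control, keys in grouped.items()}


if __name__ == "__main__":
    # Constructed sample input: a short password and a fixed decoy alphabet.
    ev = simulate_countermeasure("hunter2", "qwertyuiopasdfghjkl")
    print("keystroke-only logger saw:", keystroke_only_log(ev))
    print("focus-aware logger saw:   ", focus_aware_log(ev))
```

The keystroke-only log is a 28-character string with the password scattered through it, while the focus-aware log separates the seven password characters from the decoys with no guesswork; the window title never changes in either case, so the distinguishing information is the focused control, not the title.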

------
txutxu
Well, all the _best practices_ in the article are OK, in 2006.

Nowadays there are many more threats, entry points (hint: browser setup and
plugins), and more authentication methods than "passwords".

We even have evidence of major upstream compromises.

In summary: for me, the article is a little bit short in scope.

~~~
StavrosK
This is meant for casual users. For power users, the advice would be "never
use a computer again because you can trust NOTHING EVER".

~~~
txutxu
OK.

But the fact that you cannot defend yourself against the NSA, unless you're in
an enemy country or something like that, does not mean that you cannot protect
yourself against all the rest of the world.

Using a master password implies using the clipboard (on average). Does anybody
trust desktop browsing on Linux, assuming that clipboard usage on Xorg is in
some way _safe_? It's convenient, but not safe.

If I try to tell best practices to a user of mine, I try to gather all my
experience and knowledge before compiling it into user slang.

Even if it's for casual users, it's short in scope (for my personal taste).

And maybe too much prose; a more direct style might be better to stamp a list
of best practices on the user's mind.

~~~
StavrosK
What are your best practices?

~~~
txutxu
0) Do not publish your best practices

1) ...

:-)

If you want a more serious response: at least talk to the user about the
attacks that remain exposed, and give keywords for the solution, if I'm
summarizing too much.

~~~
StavrosK
Well, that certainly is better advice than mine! :P

------
vinceguidry
Yeah, those 20-character long random strings are great until you have to type
them into your iPhone. And type them again. And again. And again. With your
browser window open on your desktop/laptop so you can read them from
LastPass/1Password/Keepass.

~~~
matthewdavis
That's why I use QR codes. And offline QR code generation.

------
sfsdsdfsdfsdf
Silent Circle's website is full of grammar errors and typos. The how-it-works
videos don't tell you how it works and the videos are awfully cheesy.

