Hacker News
Defensive Computing Checklist (defensivecomputingchecklist.com)
30 points by jrvarela56 on Aug 17, 2022 | 3 comments



Preferring a formula over a password manager is advice of dubious quality. Yes, a password manager may be a hassle to set up, but it offers protection under a wider variety of threat models.

E.g. using the BaseballRules!<word> formula for your passwords gives you decent protection from completely automated attacks with no feedback loop. But if a human intercepts just one of these passwords, then they can easily brute-force their way to any of your accounts that don't have some sort of 2FA. Not nice. And good luck remembering the special <word> for more than a handful of web sites.

Plus, xeroxing/printing your password list is also not as benign as it sounds. Any professional copying machine or printer typically includes some sort of non-volatile memory that could be used to recover recent printouts.
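As an added illustration of the point above (example code written for this edit, not from the thread or the linked site): a small audit that measures how much of a set of passwords is one shared fixed template, run over a constructed sample vault built with the BaseballRules!<word> formula; the function names and the threshold are my own choices.

```python
import secrets
import string

# Constructed sample data (not from the thread): a vault built with the
# "BaseballRules!<word>" formula, one password per site.
FORMULA_VAULT = {
    "bank": "BaseballRules!bank",
    "mail": "BaseballRules!mail",
    "shop": "BaseballRules!shop",
}


def _common_prefix_len(words):
    # Length of the prefix that every word shares.
    n = 0
    for chars in zip(*words):
        if len(set(chars)) != 1:
            break
        n += 1
    return n


def shared_template_length(passwords):
    """Characters every password has in common as a fixed prefix plus a fixed suffix."""
    pw = list(passwords)
    if len(pw) < 2:
        return 0
    prefix = _common_prefix_len(pw)
    suffix = _common_prefix_len([p[::-1] for p in pw])
    # Never count more shared characters than the shortest password has.
    return min(prefix + suffix, min(len(p) for p in pw))


def audit_vault(vault, threshold=0.5):
    """Return the sites whose password is mostly the shared template.

    A high ratio means one intercepted password reveals most of every other
    password, which is the weakness of a formula; such a vault should be
    rebuilt with independent, randomly generated passwords."""
    shared = shared_template_length(vault.values())
    return sorted(site for site, p in vault.items() if shared / len(p) >= threshold)


def random_vault(sites, length=20):
    """Independent random passwords, the way a password manager generates them."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return {s: "".join(secrets.choice(alphabet) for _ in range(length)) for s in sites}


if __name__ == "__main__":
    print(audit_vault(FORMULA_VAULT))                # ['bank', 'mail', 'shop']
    print(audit_vault(random_vault(FORMULA_VAULT)))  # [] (no shared template)
```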


The detailed blog on passwords is quite clear that very often people need more than one approach to dealing with passwords because all passwords are not the same.

https://michaelhorowitz.com/BestPasswordAdvice.php

A formula is one approach that people should consider and it is often overlooked. The blog also makes a clear distinction between hard and soft formulas (my terms). A soft formula cannot be cracked, even if many of the passwords leak. Michael Horowitz


https://defensivecomputingchecklist.com/rulesoftheroad.php

- When you get a text message, you have no idea who sent it

- When you get an email message, you have no idea who sent it

- When you get a phone call, you have no idea who the caller is



