Why do we keep coming to these here ERE forums?

Questions and comments
George the original one
Posts: 5369
Joined: Wed Jul 28, 2010 3:28 am
Location: Wettest corner of Orygun

Re: Why do we keep coming to these here ERE forums?

Post by George the original one »

Devil's Advocate wrote:George : How is my bank login etc dependent on goodwill for privacy? They claim to use encryption that masks these even from their employees.
Yes, the encryption & hashing work to hide it from employees. However, they have the ability to change your password (or delete your account!) and masquerade as you. They can also look up your balances and other info, to determine if you're a target worth pursuing.

Look into how simple check fraud is. Do you really believe banks protect your internet information any better than they protect the checking system?

George the original one
Posts: 5369
Joined: Wed Jul 28, 2010 3:28 am
Location: Wettest corner of Orygun

Re: Why do we keep coming to these here ERE forums?

Post by George the original one »

Devil's Advocate wrote:Using separate passwords for every account ... Hmm, as you say, additional hassle does seem to be the cost of additional safety.

Do people really do this, or is that just the theory?

If you tech-savvy folks tell me that's the only way to be safe, in practice not just theory, I'll take your advice. At least for sites involving money transactions.

And if I'm writing down my passwords, as opposed to memorizing them, I suppose I can throw in some @%& characters as well.
Yes, we really do this. With throw-away sites, such as ERE forums, you can be less rigourous. Banking and brokerage and work accounts... yes, I change those passwords frequently and they're not the same.

Devil's Advocate
Posts: 187
Joined: Wed Apr 09, 2014 8:25 am

Re: Why do we keep coming to these here ERE forums?

Post by Devil's Advocate »

George : You're right, if banks can reset my login for me, crooked employees can reset it (my login) for their own purposes too!

You know what I'm seriously thinking? Keep just one credit card and one bank account for online transactions, and deal with the rest the old-fashioned way. That way the risk will be limited. But yes, the hassle component will shoot up.

jacob
Site Admin
Posts: 12860
Joined: Fri Jun 28, 2013 8:38 pm
Location: USA, Zone 5b, Koppen Dfa, Elev. 620ft, Walkscore 73
Contact:

Re: Why do we keep coming to these here ERE forums?

Post by jacob »

Yeah, they do. You're probably more the exception than the rule. And even this doesn't make you safe, it just makes you safer(*). It means that if one of your accounts get compromised (e.g. like when linkedin was hacked), the hackers can't use the same password to access your bank, your other email accounts (gmail? yahoo? aol?), paypal, amazon, netflix, facebook, etc. accounts with the info they already have.

It's the same reason that you don't have all the locks in your house/car/boat/safe keyed exactly the same as your front door. What if you lost your front door key? Now whoever finds it has access to everything you own.

(*) There really is no such thing as theoretical safety. Basically you just want to make the cost of an attack higher than your cost of defence, in practice.

Devil's Advocate
Posts: 187
Joined: Wed Apr 09, 2014 8:25 am

Re: Why do we keep coming to these here ERE forums?

Post by Devil's Advocate »

Jacob : If you say so. Walking around with your pocket stuffed with passwords scribbled on pieces of paper sounds silly, but I'm sure being swindled of real money will feel far more silly.

Very glad I had this conversation. Jacob, Henrik, George : thanks!

jacob
Site Admin
Posts: 12860
Joined: Fri Jun 28, 2013 8:38 pm
Location: USA, Zone 5b, Koppen Dfa, Elev. 620ft, Walkscore 73
Contact:

Re: Why do we keep coming to these here ERE forums?

Post by jacob »

If you're going to write them down and actually walk around with them (ever had your wallet stolen or lost?) I'd suggest adding a master password to each of them, e.g.

amazon: p8JJJa#!!l45537y1
linkedin: p8JJJa459098qhb1
facebook: p8JJJaK!$J!O$J!o4j

Do not write down the p8JJJa part. This ensures that if you lose the paper you're not compromised.

Devil's Advocate
Posts: 187
Joined: Wed Apr 09, 2014 8:25 am

Re: Why do we keep coming to these here ERE forums?

Post by Devil's Advocate »

No no, I meant that figuratively. Even I wouldn't actually keep all of them on me at all times! (*Smile*)

but hey, that master password idea sounds really great! Easy enough to start them all with a @% and end with a %@, or something similar. Great idea : may be common practice I suppose, but I hadn't heard of this strategy before.

God I actually miss work at times like these! You work crazyy hours, true, but most real world issues they take care of for you. We used to have really wonderful tech and admin/hr deptts. They'd go out of their way to help you with everything, actually do most things for you! And you have people to help even with purely personal stuff.

Sigh (*smile*) -- never thought i'd miss work, but I do ... just a little bit!

Scrubby
Posts: 153
Joined: Wed Mar 05, 2014 4:46 pm

Re: Why do we keep coming to these here ERE forums?

Post by Scrubby »

I use http://keepass.info/, which stores your passwords in an encrypted file on your computer. It's open source and very popular among nerds, so I supposed it's about as safe as you can get. There are plugins for browsers which fills in the password for you, and apps for Android and Apple. Basically you make a hard random password for each site, and a master password which gives access to them. The file can be very strongly encrypted, so you don't need an extremely hard master password. It shouldn't be a simple word, though.

GandK
Posts: 2018
Joined: Mon Sep 19, 2011 1:00 pm

Re: Why do we keep coming to these here ERE forums?

Post by GandK »

I really feel like a nerd:

Years ago I was working on a fantasy novel, and as part of that process I created a language (even wrote a font for it). The story got away from me and is resting on a shelf, waiting for eventual resurrection, but the language I use: it's the basis for all my passwords now. Example: Facebook = the word for face + the word for book. I then add symbols in a specific order between the words.

lilacorchid
Posts: 476
Joined: Sun Oct 16, 2011 3:20 pm
Location: Canada

Re: Why do we keep coming to these here ERE forums?

Post by lilacorchid »

To butt in at the end of the conversation: As an IT person, yes, I can delete your password at work and put in my own and pretend to be you. But everything I do is logged on a server, so I would not get far. So if I were a banker and wanted to steal all a rich person's money, there would be logs of me looking at the accounts (if I were even authorized to do that), and another log of me taking all your money. I better have a plane waiting for me... :P

Your money is not worth me risking my job and freedom.

P.S. Devil's Advocate: I hope you thanked your HR/IT people!

jacob
Site Admin
Posts: 12860
Joined: Fri Jun 28, 2013 8:38 pm
Location: USA, Zone 5b, Koppen Dfa, Elev. 620ft, Walkscore 73
Contact:

Re: Why do we keep coming to these here ERE forums?

Post by jacob »

And as an admin you could always delete/rewrite the logs. It's a good thing that 'nerds' have above and beyond ethics when it comes to these things. I suspect what differentiates banks is that they have an above-average number of white-hats working for them. As a user, the advice is similar to investing: either diversify so you won't get compromised by a single failure point or watch your account closely! Both is better.

lilacorchid
Posts: 476
Joined: Sun Oct 16, 2011 3:20 pm
Location: Canada

Re: Why do we keep coming to these here ERE forums?

Post by lilacorchid »

jacob wrote:And as an admin you could always delete/rewrite the logs. It's a good thing that 'nerds' have above and beyond ethics when it comes to these things. I suspect what differentiates banks is that they have an above-average number of white-hats working for them.
Tis true, though then you have a bunch of missing or odd logs... There always someone willing to figure out why one of these things is not like the other. We can be like hungry dogs with a piece of meat about a puzzle. Not to mention the prestige of figuring it out before all the others!

Scrubby
Posts: 153
Joined: Wed Mar 05, 2014 4:46 pm

Re: Why do we keep coming to these here ERE forums?

Post by Scrubby »

jacob wrote:And as an admin you could always delete/rewrite the logs.
This is easy on a server you've set up yourself, but unlikely to be possible in banking software unless you've added a security hole nobody else knows about.

George the original one
Posts: 5369
Joined: Wed Jul 28, 2010 3:28 am
Location: Wettest corner of Orygun

Re: Why do we keep coming to these here ERE forums?

Post by George the original one »

If you shoulder-surfed another admin's password, you can do things in their name rather than your own & subsequently avoid the inquiry...

Did
Posts: 667
Joined: Mon Apr 01, 2013 7:50 am

Re: Why do we keep coming to these here ERE forums?

Post by Did »

I keep coming back here too. Lurking for years. Angry at first, I think, but deep down knew the appeal of the culture. Now I'm out (of the workplace), I think I come here for like minded people, fun ideas, and if I am honest, reassurance. The old me and all of my peers would think I am insane doing what I'm doing. Sure, quit a job with a mindblowingly massive income just as you reach the top at 38, and consider yourself retired. Mad. But not here. .

Devil's Advocate
Posts: 187
Joined: Wed Apr 09, 2014 8:25 am

Re: Why do we keep coming to these here ERE forums?

Post by Devil's Advocate »

Scrubby wrote:I use http://keepass.info/, which stores your passwords in an encrypted file on your computer. It's open source and very popular among nerds, so I supposed it's about as safe as you can get. There are plugins for browsers which fills in the password for you, and apps for Android and Apple. Basically you make a hard random password for each site, and a master password which gives access to them. The file can be very strongly encrypted, so you don't need an extremely hard master password. It shouldn't be a simple word, though.
Thanks, Scrubby. I checked out their website and that tutorial they have there. Sounds good, except for one thought : What about the integrity of that particular website? Might that itself not be a loophole?

I mean, there’s the question of how reliable these people are. And if we take their individual integrity as a given, even then, surely this site also can be hacked, the same as any other? And if some hacker got hold of your whole password database, as opposed to one single password, they’ll be able to do so much more damage then, isn’t it?

Since you yourself use this service, I’m sure there are safety features here that I do not know of or realize. Can you talk about them?

Also, in case this (hacking) loophole that I mentioned you consider a non-issue, then would you say using Keeppass is safer than my (new) system of using a plain old Word file (see below)? In what way? Would you recommend I change to Keeppass?

- - - - - - -

What I myself have already done, in this last week, is this. Changed every important password (banks, credit cards, email) and put in “hard” passwords. I made up these passwords myself, quite at random, like so : @7hotdog8$. (That is a hard password, and difficult to break and all that, right? All of my new passwords look something like that, with random characters, numbers and words.) And I entered all of these passwords in an MSWord document, again password protected, in my stand-alone computer.

So the only way anyone can get at my passwords is (1) Get to know my “master password”, which I used on the Word file ; (2) Somehow discover what my computer log-in password is ; and (3) Enter into my house and start my stand-alone computer, open the file, and get at the passwords. I don’t think there’s any chance anyone will for a minute contemplate doing that to get at my piddling little pile. I mean, the computer’s offline, so it’s safe, right? Unless I’m overlooking something, or am ignorant of some risk here.

Which reminds me : In case I ever re-connect this home computer of mine (an old desktop) to the Internet—probably won’t, we use the wife’s laptop—but still, suppose I do, then is there any way someone can get at what’s stored in the computer by some means? (I remember back at work, since we needed to work across multiple locations, and discuss fairly large and complex spreadsheets across these locations, we had some software using which I could actually take control of someone else’s computer, located in a different city or even in a different continent. We’d do this all the time during discussions, so that we could examine one another’s spreadsheets in full detail and also, when called for, I would make some changes in their spreadsheet. This, of course, was done with the knowledge of the user and only when they were actually present at their machine : but can a hacker do this somehow just by using my Internet connection? If there is a possibility of this, then I definitely WILL keep this machine offline.)

One related question : How safe are password-protected MSWord files? I’ve heard it said that no one (include Bill Gates and his minions) can open an MSWord or XLS file without knowing the password. That is, Word and Excel files cannot be forced open, not unless someone actually cracks the password. At least that is my impression. Would you guys have an opinion on this?

I see one flaw myself in my Word-file password database. What if my computer crashes? It is not subject to Internet use at this time, and that I understand minimizes the risk of a crash, but still. So I’ll have to keep some back-up someplace, only I haven’t yet decided how or where. Somehow a sheet of paper in my locker does not seem safe, and a sheet of paper in my bank locker is too elaborate and inconvenient. If password-protected Word files are indeed hacker-proof (except by cracking the password itself somehow), then one option may to keep a back-up of this Word file in my email.)
GandK wrote:Years ago I was working on a fantasy novel, and as part of that process I created a language (even wrote a font for it). The story got away from me and is resting on a shelf, waiting for eventual resurrection
That’s so cool, and so Tolkien-esque! Sounds like a book you'll enjoy writing, when you finally get to it again.
lilacorchid wrote:P.S. Devil's Advocate: I hope you thanked your HR/IT people!
Actually I didn’t! Oh, one mouthed the usual thank-yous and so-kind-of-yous, but one didn’t really mean it. I was generally much too busy to really give it any thought, and when I did think about it, it was a usually a cynical “they’re paid to do it”, followed by “the company does this so it can keep you slaving away all day”, and finally “this job and the crazy hours, it’s killing me!”. Just the opposite of gratitude, despite the thank-you mouthed.

You know how when you greet someone with a casual “How are you doing?”, and they sometimes come out with a litany of their latest diagnoses and treatments? If you wouldn’t very much mind my doing something similar with your question, let me say this :

It’s only now, after having “retired”, after having had my life slow down to its present level (as opposed to a constant inhuman frenzy of crises, deadlines and endless activity) that I’ve come to truly understand things like appreciation and gratitude. There is so MUCH to be grateful for! Not just in theory but really. Our loved ones, our very bodies, the very breath we take, the people we meet and talk with, my garden, … well, EVERYthing!

Your question just made me realize that I truly never did feel grateful to those people (as, indeed, to so many other people who had touched my life in so many ways). In this case, these people who’d take care of your personal appointments, even child care arrangements at times, dentist appointments, people who’d generally let you forget so many of the daily necessities of life, even at the personal level. I do keep in touch with some of my colleagues, and sometimes visit the old office during those events and get-togethers they sometimes host, and I will make it a point to talk about this particular interaction of ours, and go out and thank them!

- - - - - - -

Okay, it seems I’ve derailed this thread way off track, first with the posts on the Moderators and their access to personal information, and now this cyber-security theme. Perhaps I ought to have started separate threads. Anyway, to get back to the original topic, here then is another reason to look in on these ERE forums : The very practical and useful advice you sometimes end up getting, at times quite by chance. My password-change exercise for key passwords, which I did this past week basis what people have said here, may well have saved me a great deal of trouble going forward! Once again, thanks everyone!

Dragline
Posts: 4448
Joined: Wed Aug 24, 2011 1:50 am

Re: Why do we keep coming to these here ERE forums?

Post by Dragline »

In going back to the original topic, it struck me over the weekend that this fora functions as what is described in the self-help literature (going back to Napoleon Hill) as a "Mastermind Group", albeit not with formal scheduled meetings but with continuous interactions.

"The basic philosophy of a mastermind group is that more can be achieved in less time when people work together. A mastermind group is made up of people who come together on a regular basis— weekly, biweekly, or monthly— to share ideas, thoughts, information, feedback, and resources. By getting the perspective, knowledge, experience, and resources of the others in the group, not only can you move beyond your own limited view of the world but you can also advance your own goals and projects more quickly. A mastermind group can be composed of people from your own industry or profession or people from a variety of walks of life. It can focus on business issues, personal issues, or both. But for a mastermind group to be powerfully effective, people must be comfortable enough with each other to tell the truth. Some of the most valuable feedback I have ever received has come from members of my mastermind group confronting me about overcommitting, selling my services too cheaply, focusing on the trivial, not delegating enough, thinking too small, and playing it safe."

Canfield, Jack; Switzer, Janet (2009-10-13). The Success Principles(TM) (p. 308). HarperCollins. Kindle Edition.

User avatar
jennypenny
Posts: 6636
Joined: Sun Jul 03, 2011 2:20 pm
Location: Stepford USA

Re: Why do we keep coming to these here ERE forums?

Post by jennypenny »

Dragline wrote:In going back to the original topic, it struck me over the weekend that this fora functions as what is described in the self-help literature (going back to Napoleon Hill) as a "Mastermind Group", albeit not with formal scheduled meetings but with continuous interactions.
Why do you think that is? My experience has been that most groups I've participated in have either been a waste of time or focused too much on the negative stuff and were nothing more than gripe sessions. Granted, we do our share of venting*, but the interactions are overwhelmingly positive and informative.

I'm not disagreeing with you. I'm just wondering what makes this group different.

*I admit I'm more guilty of that than most here.

Scrubby
Posts: 153
Joined: Wed Mar 05, 2014 4:46 pm

Re: Why do we keep coming to these here ERE forums?

Post by Scrubby »

Devil's Advocate wrote:Thanks, Scrubby. I checked out their website and that tutorial they have there. Sounds good, except for one thought : What about the integrity of that particular website? Might that itself not be a loophole?
Yes, there are always holes, and to be honest I don't store my all my most valuable passwords in it. Regarding the integrity of the source the biggest risk is probably the author turning rogue. The download web site is Sourceforge, which is very well protected. It's much more likely that somebody installs a keylogger on your internet connected computer than that somebody breaks into Sourceforge and changes files unnoticed.
Devil's Advocate wrote:Since you yourself use this service, I’m sure there are safety features here that I do not know of or realize. Can you talk about them?
It's hard to detect if the author turns rogue, but the files are served through https, and they use all kinds of check sums to detect if anyone tries to modify them. This makes it very certain that the file you download is the same as the one the author created.
Devil's Advocate wrote:Also, in case this (hacking) loophole that I mentioned you consider a non-issue, then would you say using Keeppass is safer than my (new) system of using a plain old Word file (see below)? In what way? Would you recommend I change to Keeppass?
Generally I think your system is probably safer. You need a stronger master password than you would with Keepass to protect the file, but of course if it's offline then it's unlikely that anyone will get it. The main risk is probably if somebody breaks into your house and steals the computer. Then it would only be a matter of booting with a USB stick or connecting the hard drive to a different computer to get the password file (unless the hard drive is encrypted). If you call it something boring instead of something obvious like passwordlist.doc it's unlikely that the thieves will even try to crack it.

If they do the level of security will depend on how long and hard your password is, and which version of Word you use. Never versions use stronger encryption than older. For instance, it's 10-15 times harder to crack Office 2013 files than Office 2010.

The main reason for using Keepass over your system is convenience. It's much easier when the log in form for a site is already filled in than having to open a separate computer and type the log in info manually.
Devil's Advocate wrote:We’d do this all the time during discussions, so that we could examine one another’s spreadsheets in full detail and also, when called for, I would make some changes in their spreadsheet. This, of course, was done with the knowledge of the user and only when they were actually present at their machine : but can a hacker do this somehow just by using my Internet connection? If there is a possibility of this, then I definitely WILL keep this machine offline.)
Yes, this is one of the most common ways to break into computers. All software is riddled with security holes which are constantly discovered and patched. This goes for Microsoft, Firefox, Adobe and everybody else. To minimize the chance of being infected you need to always have the most updated browser. Anything that is not being maintained will have known errors. I have also configured all the plugins to ask me before they start if they are needed by a site.

If your browser uses a plugin for PDF I recommend using the Foxit reader instead of Adobe, as Adobe targeted much more and very frequently has new security errors. It's also a good idea to put a router with updated firmware which doesn't forward any ports in front of the PCs. That will make it harder for attackers even if they are able to infect you.

If there is a security hole in any of the software (particularly in Windows, the browser and the plugins) then all you need to do is open a page which contains malware, and you will be infected. When infected it will usually be some kind of software which lets the attacker control your computer just like you did with the Excel files, or which logs all the keys you press and send the information somewhere.
Devil's Advocate wrote:I see one flaw myself in my Word-file password database. What if my computer crashes?
Put lots of copies of it on a CD-R or USB stick which you don't use in any other computers, and hide it well. It would still be a problem if there is a fire, though. If you put it on an email server then anyone who gets the email password will have access to it. Also you need to make sure you remember the email password.

Dragline
Posts: 4448
Joined: Wed Aug 24, 2011 1:50 am

Re: Why do we keep coming to these here ERE forums?

Post by Dragline »

jennypenny wrote:
Dragline wrote:In going back to the original topic, it struck me over the weekend that this fora functions as what is described in the self-help literature (going back to Napoleon Hill) as a "Mastermind Group", albeit not with formal scheduled meetings but with continuous interactions.
Why do you think that is? My experience has been that most groups I've participated in have either been a waste of time or focused too much on the negative stuff and were nothing more than gripe sessions. Granted, we do our share of venting*, but the interactions are overwhelmingly positive and informative.

I'm not disagreeing with you. I'm just wondering what makes this group different.

*I admit I'm more guilty of that than most here.
Well, I'm not quite sure why this seems to "work" here better than most other internet places. But here's a few educated guesses:

1. I think the journals set a tone that people are here for a serious purpose with particular personal goals in mind. In any given week, most topics seem to be journal posts. And they are detailed and honest.

2. I think the relatively small size contributes to better -- or at least more collegial -- discussions. Compare the MMM site and forums, which are quite useful, but a little too large in my view to facilitate good interactive conversations. Popularity has its disadvantages. That most people are here are introverts probably helps, too, as it decreases the "white noise" level.

3. I think the quality of collective experience and skill sets and, correspondingly, answers to specific practical queries, is high. Chances are if you have any kind of practical question about dealing with people, money, real estate, computers, fixing things or growing things, someone here has a pretty good answer or prior experience to relate, or can at least point you in the right direction. It really IS like having a bunch of experts hanging around waiting to answer a question in their area.

Post Reply