Pseudoanonymity and/or exiting cyberspace

[Ego]

Two factor authentication goes to my Android phone or my email. At this time, I could not opt out of the Android system if I wanted to. I used to dislike 2fa but now I accept the inconvenience as higher level of security for me.

In general authenticators are more secure than email or sms 2fa. You could use Authy, Google Authenticator or (better) Yubico Authenticator. The best option is a physical security key. Buy two.

My current username/password list is on paper. I may make a spreadsheet with website url - username - password information to print out, then delete the password column. I don't want a list of username/passwords in digital format, but writing them on paper is not as efficient as using a spreadsheet.

You might consider changing this asap. A keylogger is probably your biggest vulnerability, especially if you are not using antivirus/antimalware as you said above. If you are typing in your password you are vulnerable. One of the great things about password managers is the fact that key loggers are useless, except for the password to get into the manager. That's why you want a physical security key on it. Also, you can generate nonsensical answers to challenge questions (Mother's Maiden Name: vYaL89Q%4UFqWk1ya0E) for each account and save them as well.

Also good info on sim swapping here: https://youtu.be/SNpphMz-w5w

[sky]

Thanks

I don't know much about authenticators, I will study it a bit.

[Scott 2]

Looking at your setup, there's an aspect of resilience to change to consider.

1. Will you stay current with security updates?
2. What if product X is no longer supported. Are you prepared? Are you watching for it?
3. Will the complexity be sustainable as other demands on your time increase?
4. What about as your cognitive abilities decline with age or sickness?
5. What about a partner / spouse, if you are no longer around?

I use an encrypted online backup tool. For some reason the software stopped updating, which meant the automatic uploads had stopped working. I was thinking of it as a "set it and forget it" type thing. By the time I checked, my backups were 2 years out of date.

Similar, with the same vendor, I got a last minute notice. Less than a month before my annual bill was due, they unilaterally changed terms. Because I was fully counting on them, I had to scramble to get a secondary solution in place. They got enough customer pushback to reverse the terms change, but it highlighted fragility in my system.

Now I run the ongoing encrypted online backups. But I also check them at a recurring interval, taking a manual backup at that same time.

Accessibility in the event of cognitive decline or death is a strong consideration in all my strategies. It heavily favors accepting the risk of managed solutions.


Looking in the totally opposite direction - there are encrypted password vaults you can self-manage. I personally would hate the hassle, but it might be in the spirit of where you are heading.

[sky]

Good questions

I am using unattended-upgrades, so the raspberry pi system should be automatically up to date. If not, most of the time that I install something new I start with sudo apt update, sudo apt upgrade, as a check. I manually create backups, and have about 5 backup drives with duplicate data, some older than others. I don't zip my backups, so they are readily usable by anyone. Most of my data is not crucial, and to be honest, I should go through and delete the unneeded stuff to save Gb's. If I lost the combination to my safe, that would be a problem.

My goal is to have a backup sd card and usb drive which can be plugged into any raspberry pi, and will recreate my online presence. That and a paper copy of url's/usernames/passwords should allow someone access to my online activities. It is true that not everyone can run a linux system. If my VPN breaks, or I fail to pay the service, that could cause problems, but connecting to wifi would overcome the ethernet disconnection.

My spouse should be able to access important websites on her own computer, solely from the paper url/username/password document, if necessary. The two factor authentication protocol could cause problems, but I intend to use a physical Y key to reduce the need for an Android phone. That may be easier, or may cause problems if the key is lost, or someone does not know how to use it. I don't have one yet, so for now my spouse needs to be able to open my phone.

I don't like the idea of putting passwords in digital format online or in the hands of others. Probably old school thinking. To be honest, I don't like having my financial institutions open to the internet, I would rather deal face to face with cash and checks (despite the convenience of online banking). But those times are long gone.

I have not encrypted my drives but that is a consideration.

[Scott 2]

A good password vault will never transmit or store the raw password. The only place the decrypted value exists is on your personal device, when you are using the password. If you lose the master password, the data is gone forever. For me, these gains were worth accepting the risk:

1. Ease of using a different, complex password for every site
2. Confidence my password list is current and available should something happen to me

Paper gets out of date. Using unique passwords over dozens of sites is unrealistic. I have similar thinking in using an encrypted online backup solution.

From what I understand, it's possible for a loved one to get through the password wall with a death certificate. But, it is much harder. And it assumes they know where to go.


Personally, I trust a modern website far more than a bank teller or cashier. I've seen the work that goes into both securing data and auditing that security. While any company or person can be breached, I think protections are generally in proportion to the risk/impact of a breach.