Mathematical

Introduction
Hey there, CF.

As you know, we've recently had an outage. But don't worry, it was just @Master Yoda in the process of doing some changes to the infrastructure (more changes will be done in the next few days, so expect to have issues accessing the site again). However, one user was recently worried about their account, as they had to reset their password. As a result, I am making this thread to give some tips to help secure your account on CF and help keep you as safe as possible while browsing.

Also, feel free to chime in with other security-tips that I may not have covered and I'll add them to this post, along with whoever shared that tip. I welcome all contributions.

If at any point during your stay here on CF, you encounter content or even a technical-issue that may threaten the security or privacy of others, please immediately report it to CF staff so we can get it fixed.

1. Don't Share Personal-Information
You've been taught it many times before and I'll teach you it again: don't share your personal-information with others, regardless of how well you know them (unless, of course, they're your friend). What counts as personal-information is:
  • Real name
  • Age/Date of Birth
  • Location/Nationality
  • Any ID cards you have (passport, driver's license, etc.)
  • Phone number
  • Personal email-address (more on email-addresses later)
  • IP Address (this can be traced back to your real location)

This is a list of what you really shouldn't share. Here at CF, we actually recommend you do not share any of the information listed above, but you're free to do so, provided you take precautions to ensure the safety of this information when you share it.

The only time it is really suitable to give out personal-information is when you've been offered a job or if somebody wants to contact you later about something, outside of CF.

2. Watch What You Click
Nowadays on the web, just one wrong click can land you in trouble. The site you enter may be full of ads which contain a plethora of trackers, or it may contain some kind of illegal content which can land you in trouble with the authorities in your country. So, watch what you click on, please.

To see what website you are just about to head to, look down at either the bottom-left or bottom-right corner of your screen. You should see the link there. If the URL kind of looks off (e.g. freecoolmoviesite.net), then ignore it, and report the post containing the link to CF so that we can remove it and either warn or ban the user who shared that link. If it's a link to a site such as The Verge or Wikipedia, then you know it's safe.

3. Use A Burner-Email
There is a good reason to use a burner-email, and that is to ensure that, in the case that CF gets hacked, your real email does not get involved in that breach. A burner-email will essentially be your email for CF until you delete it. I have two tips for managing your burner-email:
  1. Only use the burner-email for CF.
  2. Delete the burner-email immediately as soon as CF has notified users of a security-breach.

By following the tips above, you minimize the risk of your CF account getting hacked and even minimize the risk of the email itself getting hacked. Do not use an email-alias, as this is just a name that disguises the original address of your personal-email. If a hacker gets hold of the email-alias belonging to your original email and the password to it too, they'll still be able to break into the account.

Go with any provider you want for this burner-email: Gmail, Outlook, Yahoo! Mail, Tutanota, Protonmail, any of them. It doesn't matter which one you use, just make sure you follow the tips for managing the burner-email that I gave above.

4. Enable 2FA (Two-Factor Authentication)
2FA is a way to make it harder for people to break into your account. What will happen is you will connect your account to either an email, phone-number, or an app. Once you log in, you will either be asked for a code (if you're using either an email or a phone-number), or you will have to scan a QR code using the device linked to your account - this is to ensure it really is you logging in.

As long as nobody has access to your phone, email, or phone-number, it is nearly impossible to break into your account. CF has support for both apps and an email account for verifying that you're the one logging into the account. To be on the safer side of life, set up 2FA for your email too (if you're using an email for 2FA, that is) - this will make it near impossible to break in now. CF also allows you to have back-up codes, in case you lose access to your device or email - save these in a safe place as they will come in handy at some point.

For any accounts linked to your CF account (email, Discord, Facebook, etc.), please do not use a phone-number for 2FA via SMS. Yes, it's quite easy to use a number and get a text-message for verifying yourself, but your phone-number is tied to your smartphone, which has its own set of security issues. Plus, it's possible for phone-numbers to be hijacked and it is possible for an SMS message to be intercepted (refer to this CNet article, which also offers a bunch of other tips: Google signs up 150 million people for two-factor authentication: What it is, how it works).

If you did follow my advice for using a burner-email for your CF account and you're using that email as a way to verify yourself via 2FA, please do not delete that burner-email. If you do delete that burner-email, it will become impossible to verify yourself unless you have stored your back-up codes somewhere (side-note: do not store these back-ups on any cloud-services either, as these services are quite vulnerable to attacks). And if you did not save the back-up codes offered, then you've essentially lost access to your CF account. At that point, you can contact the staff-team to see if it's possible to recover the account, or you can just start over with a new account and have the old one deleted.

5. Use A Good Password
This is pretty self-explanatory. If you don't use a good password, other measures such as 2FA practically become useless. Here's a good idea of what should be in your password:
  • Between 16-25+ characters and contain a bunch of different numbers, symbols, and letters - This can be done using a generator in your password-manager.
  • Contain about one or two special-characters - This includes underscores, hyphens, ampersands, etc.
  • Contain random words that do not tie-in together - Use a dictionary for some good words that will be hard to guess and make sure the words do not relate to one another. (Contribution by @Tealk): Using a dictionary and a special tool to crack passwords, a "dictionary-attack" can be performed if you use this method. This method can still be freely used but it's advised that you don't do this as these kinds of passwords can easily be cracked.
  • Must not contain any words or phrases that relate to any part of your personal-life - Please refer to the previous point about dictionary-attacks.
  • (Contribution by @Tealk): Use a password-manager to generate and manage passwords for your accounts. You are able to generate extremely random passwords using a manager, which will take an extremely long time to crack - Of course, you won't remember these random passwords, which is why you have a manager for them in the first place. Take advantage of the generator in your manager and make sure you generate the most random and complicated password that you can for every account.

By following the above list of rules for a password, you will be making your account(s) much harder to password-guess, and if the password is encrypted in the site's database using a secure algorithm - Much harder to decrypt.

And of course, do not share these passwords with anyone, including friends and family. By sharing these passwords, you are asking to lose access to your accounts and all content associated with those accounts. Never share your passwords with anyone.

Again as well, use a password-manager. Although, do not use a cloud-based manager or the manager built into your browser, as these are vulnerable to attacks - use a manager that stays only on your computer instead (if you have an encrypted hard-drive, then that's a big plus. If it's not, make sure you do encrypt your hard-drive the next time you install your OS. The only issue is that if you lose the hard-drive, you lose your passwords with it).

Note: Don't forget to share your tips. Some other sections that I need to write, will be written later. Keep an eye out.
 
  • Contain random words that do not tie-in together - Use a dictionary for some good words that will be hard to guess and make sure the words do not relate to one another
  • Must not contain any words or phrases that relate to any part of your personal-life
No! You must never make up a good password yourself.

We humans are not able to create secure passwords. Every password we think up would not be random - we always associate something with it in our minds. For example, let's take the password "Coneyisland9/," from a leak and test its "strength" on one of the various pages: How Secure Is My Password?. The result:
[Image: "Passwort Sicherheit" (password security) - the checker's result for this password]

The password consists of a total of 14 characters, includes special characters and also numbers. Based on the length of the password alone, most people would assume that the password is secure - the Password Checker also confirms this assumption. Unfortunately this is a fallacy. Armed with dictionaries and a tool like Hashcat, such passwords can be cracked. The problem: It is not random. Coney+island consists of a total of 11 characters, which in principle cannot withstand a dictionary attack. Character strings from cracking tools are combined by permutations and then supplemented by brute force attacks. This leaves the three characters "9/," which a computer must crack by brute force - an easy task.

Secure passwords are one thing above all: random. For humans, however, this is a problem. We can't remember random passwords that are 16 or more characters long - especially not if they are made up. But we don't have to, because that's what password managers were invented for. They do two important things for us:
  • They are able to generate secure and random passwords
  • and unlike us, they can also remember them
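Putting numbers on the point above, as an added example that is not part of the original post: the script below estimates the search space of a password built from dictionary words plus a short random tail, and compares it with a uniformly random password of the same length (what a manager's generator produces). The dictionary size (100,000 words) and the 94-character alphabet are assumptions chosen for the estimate, and the function names are mine, not from any tool mentioned in the thread.

```python
import math
import secrets
import string

# Added example: keyspace estimates for human-built versus random passwords.
# Assumptions (constructed for this illustration): a cracking dictionary of
# 100,000 words, and an alphabet of 94 printable ASCII characters (letters,
# digits, punctuation) for any genuinely random part of a password.
DICTIONARY_SIZE = 100_000
ALPHABET = string.ascii_letters + string.digits + string.punctuation
ALPHABET_SIZE = len(ALPHABET)   # 94


def bits_random(length: int, alphabet_size: int = ALPHABET_SIZE) -> float:
    """Search space in bits for a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def bits_structured(word_count: int, tail_chars: int,
                    dictionary_size: int = DICTIONARY_SIZE) -> float:
    """Search space in bits for '<dictionary word>...<short random tail>'.

    Each whole word costs an attacker only log2(dictionary_size) bits of work,
    however many letters it has; only the leftover tail characters have to be
    searched character by character.
    """
    return (word_count * math.log2(dictionary_size)
            + tail_chars * math.log2(ALPHABET_SIZE))


def analyse(password: str, known_words: list) -> dict:
    """Split a password into the dictionary words it contains and the leftover
    tail, then compare the structured estimate with the naive 'random' figure
    that a length-only strength meter would report."""
    lowered = password.lower()
    # words found, in the order they appear in the password
    words = sorted((w for w in known_words if w in lowered), key=lowered.find)
    tail_chars = len(password) - sum(len(w) for w in words)
    return {
        "words": words,
        "tail_chars": tail_chars,
        "structured_bits": bits_structured(len(words), tail_chars),
        "random_bits": bits_random(len(password)),
    }


def generate_random_password(length: int = 16) -> str:
    """What a password manager does: every character from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # The leaked password discussed in the thread, with the two words it is built from.
    report = analyse("Coneyisland9/,", ["coney", "island"])
    print(f"words={report['words']} tail={report['tail_chars']} chars")
    print(f"looks like {report['random_bits']:.1f} bits, "
          f"effectively ~{report['structured_bits']:.1f} bits")
    pw = generate_random_password(16)
    print(f"manager-generated {pw!r}: {bits_random(len(pw)):.1f} bits")
```

Run as-is it reports the thread's example as roughly 92 bits by length alone but only about 53 bits once the two words are treated as single guesses; the structured figure is deliberately generous to the password (case variations and the choice of separator are ignored), and the gap is exactly why a length-based meter misleads.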
 
Hey, @Tealk.

Thank you for your contribution - I have credited you for it, so give yourself a pat on the back. I have added a notice to my statements for using a dictionary to make a password, now discouraging the user from doing so. I have also added the recommendation of using a password-manager, that stores the passwords on the user's device and not the cloud.

Regarding the passwords, I actually forgot about dictionary-attacks when writing this. Hell, I've actually forgotten about them for quite a while until today when I saw your post, so I thank you for reminding me about their existence. Your example was also pretty good too, so good job on that for showing why these kinds of passwords that I accidentally recommended are bad.

About password-managers, I do actually have KeepassXC - But I don't use it. The reason for that is, I actually don't seem to trust password-managers - Local to the device or not, I just don't trust them. I did install BitWarden for a relative of mine the other day, hours before you made your reply, but that was because this relative used the same password for nearly, nearly all of their accounts(Except for accounts such as their bank), but they would have trouble remembering too many different passwords. Sure, I may have trust issues with managers, but I still downloaded it for them anyway.

After reading your post though, I might actually give generating extremely long and random passwords and using KeepassXC to keep these passwords stored a try. So @Tealk, give yourself another pat on the back as you might have actually made me do something greatly beneficial to myself and any other relative I download a manager for. I'll look into ways I can keep my manager secure too, so if you have anything on that, feel free to share it and I might add it in.

And again, thanks for your contribution. I greatly welcome it, especially since I was so wrong.

Update: I've now begun the process of randomizing the passwords for all of my accounts and it's going well so far. I've still got a couple left to do but after that, that should be me. But one question I have is about the master password. Should I keep a copy of it on my computer or keep a copy of it on a piece of paper? Thanks.
 
Let's start with the updates:
Between 50-85+ characters and contain a bunch of different numbers, symbols, and letters - This can be done using a generator in your password-manager.
Totally exaggerated; 15+ is currently enough. I myself currently use 30 because it is a nice number, I think. The problem with such long passwords is that the error potential is extremely high. Some websites have a cap in the database and only there. This means that you get an error when logging in because there are more characters than are stored in the database.

If you have an encrypted hard-drive, then that's a big plus
Irrelevant; I don't know any password manager that doesn't encrypt its file itself, and this is more than enough if you choose a strong password.

Sure, I may have trust issues with managers, but I still downloaded it for them anyway.
I also installed a cloud-based password manager for my mother; of course it's a question of trust, but it's better than these crap passwords.


KeePassXC is a convenient tool for managing passwords, PINs and other sensitive information. However, some users lack a function to synchronize the stored data between multiple systems. Solutions such as NextCloud, WebDAV, Syncthing and comparable applications or service providers can help here. However, if you absolutely want to synchronize your password database between different devices, you should use a key file for more security.

Such a keyfile can be created either when creating a new password database or later in KeePassXC. This keyfile remains locally on those devices that are allowed to open the password database and is not stored in a "cloud". If an attacker should somehow get to your password database, he not only needs to know the correct master password to view all your passwords, but he would also need to get hold of the key file. Only the combination of the correct master password and the matching key file will ultimately allow him to access your passwords.

You can store this file e.g. on a USB stick, if you like even in a safe deposit box.
And you have to remember the password; it is similar to 2FA: password = remember, keyfile = own.


Whoever chooses a master password should be aware of the following: The encryption is only as good as the password used. The same applies to the use of the password manager where you have stored your passwords. A password manager is usually unlocked with a master password - afterwards all other passwords can be viewed. Again, the encryption or protection is only as good as the password you use.
We are therefore faced with the following challenge: For our online accounts we now use secure passwords. But these 32-digit, randomly generated character strings have a catch: They are impossible to remember. So they are not very practical for unlocking an encrypted computer or the password manager.

With the Diceware process there is a solution for the problem just described. For the password manager or the hard disk encryption we need a password that meets the following criteria:
  • Random
  • Easy to remember
  • Long enough to withstand brute force or Combinator attacks
Strictly speaking, it is no longer a password but a passphrase - a password that consists of several words. This is also crucial for the Diceware method: The password MUST be random. You are not allowed to choose the words yourself or to re-roll the dice if you don't like parts of the passphrase.

The EFF has also published a Diceware word list, which also consists of 7776 English words. However, the list has the following advantages:
The words in our list are longer (7.0 characters) on average, than Reinhold’s Diceware list (4.3 characters). This is a result of banning words under 3 characters as well as prioritizing familiar words over short but unusual words.
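The two mechanisms from this post, Diceware for the master passphrase and a keyfile as a second unlock factor, as one added example that is neither KeePassXC's code nor part of the original post. The 7776-entry word list is a constructed placeholder (load the EFF list in practice), and the composite-key and unlock-check functions are a simplified illustration of the idea, not the KeePass file format; all function names are mine.

```python
import hashlib
import hmac
import math
import secrets
from typing import Optional

DICE_PER_WORD = 5
LIST_SIZE = 6 ** DICE_PER_WORD   # 7776 entries, the size of the Reinhold and EFF lists

# Constructed stand-in for a Diceware word list. A real list (e.g. the EFF
# large list) maps each five-dice roll to a word; here the words are placeholders.
WORDLIST = [f"word{i:04d}" for i in range(LIST_SIZE)]


def dice_to_index(rolls: str) -> int:
    """Map five dice digits ('1'-'6') to a 0-based list index: '11111' -> 0, '66666' -> 7775."""
    if len(rolls) != DICE_PER_WORD or any(ch not in "123456" for ch in rolls):
        raise ValueError(f"expected {DICE_PER_WORD} dice digits 1-6, got {rolls!r}")
    index = 0
    for ch in rolls:
        index = index * 6 + (int(ch) - 1)
    return index


def roll_dice() -> str:
    """Five fair dice from the OS CSPRNG; secrets.randbelow has no modulo bias."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(DICE_PER_WORD))


def diceware_passphrase(n_words: int = 6, wordlist=WORDLIST, sep: str = " ") -> str:
    """Every word comes from a fresh roll and is kept as rolled; hand-picking or
    re-rolling words you dislike is what would invalidate the entropy figure."""
    return sep.join(wordlist[dice_to_index(roll_dice())] for _ in range(n_words))


def passphrase_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Entropy in bits: each word adds log2(list_size), about 12.9 bits for 7776."""
    return n_words * math.log2(list_size)


def composite_key(master_password: str, keyfile: Optional[bytes]) -> bytes:
    """Fold both factors into one key (simplified KeePass-style composite key:
    hash each factor, then hash the concatenation). Without the keyfile the
    result is a different key, so the password alone cannot open the vault."""
    factors = hashlib.sha256(master_password.encode("utf-8")).digest()
    if keyfile is not None:
        factors += hashlib.sha256(keyfile).digest()
    return hashlib.sha256(factors).digest()


def seal(master_password: str, keyfile: Optional[bytes], iterations: int = 100_000) -> dict:
    """Constructed vault header: a salt, the KDF cost and an HMAC unlock check.
    (A real database would also hold the encrypted entries; omitted here.)"""
    salt = secrets.token_bytes(16)
    key = hashlib.pbkdf2_hmac("sha256", composite_key(master_password, keyfile), salt, iterations)
    return {"salt": salt, "iterations": iterations,
            "check": hmac.new(key, b"unlock-check", "sha256").digest()}


def try_unlock(header: dict, master_password: str, keyfile: Optional[bytes]) -> bool:
    """True only when password AND keyfile reproduce the key the vault was sealed with."""
    key = hashlib.pbkdf2_hmac("sha256", composite_key(master_password, keyfile),
                              header["salt"], header["iterations"])
    expected = hmac.new(key, b"unlock-check", "sha256").digest()
    return hmac.compare_digest(expected, header["check"])


if __name__ == "__main__":
    phrase = diceware_passphrase(6)
    print(f"master passphrase: {phrase!r} ({passphrase_bits(6):.1f} bits)")
    keyfile = secrets.token_bytes(32)        # stays on the trusted device or USB stick
    header = seal(phrase, keyfile)
    print("passphrase + keyfile:", try_unlock(header, phrase, keyfile))   # True
    print("passphrase only:     ", try_unlock(header, phrase, None))      # False
    print("keyfile, wrong phrase:", try_unlock(header, "guess", keyfile))  # False
```

A six-word passphrase from a 7776-word list is about 77.5 bits before any KDF stretching, and the unlock check fails whenever either factor is missing or wrong, which is the property that makes syncing the database file less risky than syncing it alone would be.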
 
Just in time, BlueKai, a subsidiary of Oracle, had a data leak in June 2020; it's a German site, but I think it shows quite nicely where often and which data gets lost.

At the bottom is a nice list of prices (it's German but I think that's understandable):
 
Totally exaggerated; 15+ is currently enough. I myself currently use 30 because it is a nice number, I think. The problem with such long passwords is that the error potential is extremely high. Some websites have a cap in the database and only there. This means that you get an error when logging in because there are more characters than are stored in the database.
Damn it. I'm making so many mistakes at this point that I believe I might have to pass control of the thread over to you. But again, I welcome your contribution. I've lowered it back down to nearly what it was (it's 16-25+ now), which should be more than enough for most people.

I never actually thought about the password-cap, but I do know it exists and I hate it. As with the relative that I installed BitWarden for, some of the sites they use have a cap of around 16 or somewhere near that amount. Some sites also don't allow special-characters, unfortunately, which in my opinion does not set a good standard for security. I understand you want people to have simple passwords that can easily be remembered, but what about people like you and me who value security greatly?

Irrelevant; I don't know any password manager that doesn't encrypt its file itself, and this is more than enough if you choose a strong password.
Could you re-phrase that for me please? I didn't quite understand it.

Whoever chooses a master password should be aware of the following: The encryption is only as good as the password used. The same applies to the use of the password manager where you have stored your passwords. A password manager is usually unlocked with a master password - afterwards all other passwords can be viewed
Regarding that, going back to the relative that I installed BitWarden for again, they use the basic 1-2-3-4 PIN on their iPhone, along with TouchID. That PIN is so extremely common nowadays that one could easily put it in as the first guess, alongside 0-0-0-0. But if somebody does get into their phone, there is a possibility for them to get into the manager too, albeit they'll need the master-password to get into it of course. Unfortunately, this relative does not like trying to remember a billion different passwords, so I unfortunately had to make their master-password the same as their AppleID password - so if somebody guesses that, they can get into the manager too, or vice-versa.

With the Diceware process there is a solution for the problem just described. For the password manager or the hard disk encryption we need a password that meets the following criteria:
  • Random
  • Easy to remember
  • Long enough to withstand brute force or Combinator attacks
Strictly speaking, it is no longer a password but a passphrase - a password that consists of several words. This is also crucial for the Diceware method: The password MUST be random. You are not allowed to choose the words yourself or to re-roll the dice if you don't like parts of the passphrase.
I've never actually heard of Diceware before. I have heard of a passphrase but never for Diceware. But it does seem like an interesting method of generating a passphrase.

Unfortunately for passphrases though, they have spaces in them, which if I'm correct, a lot of sites do not allow. So you need to insert underscores into them instead, which if you forget to insert, could cause a headache with the passphrase. And again, the character-cap on some sites can also prevent a good, long passphrase from being used.

Just in time, BlueKai, a subsidiary of Oracle, had a data leak in June 2020; it's a German site, but I think it shows quite nicely where often and which data gets lost.

At the bottom is a nice list of prices (it's German but I think that's understandable):
I managed to translate some of those words myself (I think, at least - correct me if I'm wrong or anything), in particular:
  • realen Namen - Real Name
  • E-Mail Adressen - E-Mail Address
  • Telefonnummern - Telephone-Number
  • Kreditkarten - Credit-Card numbers
  • Historie - Browsing-History

Looking at some of the other data-breaches on that list (particularly for Match Group), it's quite shocking to see just how much data can be leaked, all because both the users/customers and even the corporations themselves aren't taking proper safety-measures to ensure that things like these don't happen. They will happen of course, even if precautions are taken, and I'm sure BlueKai themselves do routine check-ups on their security to make sure everything that they're storing is safe.

On an un-related note: Do you know any good translation-services that respect user-privacy? Or is there no such thing as a privacy-respecting translation-service? I'm asking as some of the articles you share are interesting, but it does bother me that I can't read the whole article due to it being in German, and the fact that I can only translate certain words due to those words being near-identical to their English counter-parts. Thanks.
 
I never actually thought about the password-cap, but I do know it exists and I hate it.
So the bank Consorsbank only allows 5 characters, numbers and letters; this is simply laziness of developers. When I raised the point that the passwords are so insecure, I got the answer that it is more than enough. They did not want to listen at all.

Could you re-phrase that for me please? I didn't quite understand it.
Password managers encrypt their file in which they store the passwords. So it makes no difference if the disk is encrypted or if you put the file in the cloud (provided the unlock has a secure password and preferably a keyfile)

Regarding that, going back to the relative that I installed BitWarden for again...
But that is the laziness of the users; the programs and the system can't help that.
I have a 10-digit PIN (numbers, letters, special characters) + FaceID (yes, it's questionable, but I am sometimes lazy) on my iPhone.

Unfortunately for passphrases though, they have spaces in them, which if I'm correct, a lot of sites do not allow.
The Diceware procedure is also only intended for the master password, not for each individual website; that's what the password manager is for. You don't have the problem with spaces.

They will happen of course, even if precautions are taken and I'm sure BlueKai themselves do routine check-ups on their security to make sure everything that they're storing is safe.
Do not overestimate the companies; many only do what is necessary because it is cheaper.
The advantage is, if you are already a clean user, the hackers can't do so much with your data, at least not with your email and password.
I use a separate email and password for each website, so I make it very difficult for hackers.

I use https://www.deepl.com; it has also been rated by many as the best translation tool.
As you can see, it is very clean: https://webbkoll.dataskydd.net/en/results?url=http://www.deepl.com
 
So the bank Consorsbank only allows 5 characters, numbers and letters; this is simply laziness of developers. When I raised the point that the passwords are so insecure, I got the answer that it is more than enough. They did not want to listen at all.
My bank also has a limit and that it must be between 16 and 20 characters (I can't actually recall if there was a limit or if that was a recommendation, but I do believe it was a limit); that the password contain a capital; and that there must be no special-characters. So, they have some idea of a somewhat okay password, but when you limit how many characters there are and don't allow for special-characters, you prevent even more secure passwords from being used.

It just kills me when there is both a character-cap and that you're not allowed to use special-characters. It's like websites have no idea on what a good password is or there is something in their system that prevents them from having long passwords with special-characters in them. In the case of Consorsbank, it's the former; in the case of my bank and many other websites and services, it's the latter.

Password managers encrypt their file in which they store the passwords. So it makes no difference if the disk is encrypted or if you put the file in the cloud (provided the unlock has a secure password and preferably a keyfile)
Right, I believe I get it now. Thanks.

But that is the laziness of the users; the programs and the system can't help that.
I have a 10-digit PIN (numbers, letters, special characters) + FaceID (yes, it's questionable, but I am sometimes lazy) on my iPhone.
You are right. But this is a relative who still has a long time to go before retirement age (I should actually mention this is my mother that we're talking about) and of course, as you'd expect, she isn't so good with technology. I encourage her to use good passwords and even a good PIN to prevent somebody from gaining access to her phone, but she just says that she doesn't want something so complicated to remember. For some people, it can be hard to argue with that assessment, especially when their relative is getting older by the minute, and of course, as the body gets older, the mind gets frailer for many. But the reason I installed the manager in the first place was for you to keep track of more complicated passwords, and you really don't want to use it that way? Fine by me, but just remember to change your passwords every so often, and update them in the manager.

On my 3a, I currently just use a 6-digit PIN (numbers only) - I did use the fingerprint-scanner on it before, but I swear I recall reading somewhere that it's not a good idea to use any biometric-technology. Of course, I cannot remember as that was a while ago. And yeah, I know, my 6-digit PIN consisting of only numbers isn't a good security set-up and, as of writing, I am actually considering changing it to a password instead, consisting of, of course: numbers, letters, and special-characters.

The Diceware procedure is also only intended for the master password, not for each individual website; that's what the password manager is for. You don't have the problem with spaces.
Ah, I wasn't aware of that. Thanks for clearing that up for me.

Do not overestimate the companies; many only do what is necessary because it is cheaper.
The advantage is, if you are already a clean user, the hackers can't do so much with your data, at least not with your email and password.
You are right in saying that. Considering that when running a business, you need to be very strategic with your money, and there is no doubt in saying that a lot of that will go into marketing your product and also development/manufacturing of the product itself. Then there are other sectors, which the company will spend less on.

This really shouldn't be the case for any tech-company, regardless of what kind of service they're providing (cloud or local). A lot of security-breaches are happening nowadays and while the conglomerates can throw as much money as they want at security, the smaller ones have to pay the price, unfortunately.

You are right as well about the hackers. If you keep an extremely low profile on the Internet and don't share too much data with the companies themselves either, then you wouldn't have to worry about too much data being lost (unless it's a cloud-service hosting your personal-files or it's a social-media site that's already harvesting too much about you). As you said, you really only have the email, password, and perhaps a couple of other pieces to worry about too, but those aren't too significant.

I use a separate email and password for each website, so I make it very difficult for hackers.
I'm kind of different in my approach, which I've been doing for way too long unfortunately. Any personal-services are registered under a personal-email of mine. Then I do what you and many others do for different sites, like CF for example, and that is using a different email and password for each one.

Unfortunately for my personal-email, that's also tied to gaming-services that I use too, such as PlayStation and even Minecraft - So I need to look into getting them changed.

I use https://www.deepl.com; it has also been rated by many as the best translation tool.
As you can see, it is very clean: https://webbkoll.dataskydd.net/en/results?url=http://www.deepl.com
Thanks for sharing that with me. I've bookmarked it now, so now I don't need to go off wandering into some sketchy translation-site run by a sketchy conglomerate.

Also, I quite liked that site that you used to prove that it's a safe site. Do you use it often for any new site/service you come across? I might bookmark that too as it could come in handy at some point for me. Thanks.
 
Fine by me, but just remember to change your passwords every so often, and update them in the manager.
Changing passwords regularly does not improve security. It only makes sense after I know it's leaked.


did use the fingerprint-scanner on it before, but I swear I recall reading somewhere that it's not a good idea to use any biometric-technology. Of course, I cannot remember as that was a while ago.
As far as I know, it is possible in the USA to force the user to unlock biometric locks; PINs/passwords may not be required.


Do you use it often for any new site/service you come across?
Not just this one, there's a whole series.
Look at this addon: https://addons.mozilla.org/en-US/firefox/addon/qualys-ssl-server-test/
 
Changing passwords regularly does not improve security. It only makes sense after I know it's leaked.
You are right on that one. I also don't change my passwords, unless it's necessary in the case of a security-breach or I happen to forget them.

It makes me curious as to why this is even recommended when you don't need to do it unless something like a breach happens.

As far as I know, it is possible in the USA to force the user to unlock biometric locks; PINs/passwords may not be required.
Yeah, I think I did read up on that somewhere (might've been Reddit). I'm not sure how it is in other countries though. Aside from the USA, I do believe it's possible to do so in other countries that are a part of the Five-Eyes alliance (Nine-Eyes and Fourteen-Eyes alliances included).

Not just this one, there's a whole series.
Look at this addon: https://addons.mozilla.org/en-US/firefox/addon/qualys-ssl-server-test/
Thank you. I might actually start using these tools, as again, they might come in handy for any new site I come across, and also to do check-ups on existing sites that I know of.
 
I don't know of any organization that still recommends it.
Neither do I, although I'm sure there probably is like one or two out there that recommend doing such a thing. Although, if there is anyone who recommends this approach rather than changing the password periodically, even if it doesn't provide any benefits, then I have no clue on why they're recommending it. The only reason I can see an organization/company recommending to change it only after a breach or if you've forgotten is simply because they don't want people complaining about forgetting or losing their passwords. That is the only reason I see fit.

I only knew it from the USA, so I did not want to name another country; surely there are several.
Unfortunately, I haven't found anything out so far about the laws in other countries after a couple of quick-searches. I've really only found out about the USA and not any other country. I might continue looking into it later.
 
