topic Re: Any good security practices? in Personal Finance

Any good security practices?

FicoMike0 — Thu, 25 Apr 2024 18:40:59 GMT

I read a thread about a potential security breach attempt and wonder what ideas we can collect from the mythic brain trust. A few things I do are:

I use a dedicated eMail for bank, credit union and brokerage contact. E.g. Ficomiko@protonmail.com. Picked protonmail since they're reason for existing is security. I never give that address to anyone else for any reason. I don't even use it with myfico, creditkarma, etc.
I not only use a strong password for each account, I use a hard to guess username, including letters, numbers and special characters, when that's supported. E.g. Fast&99racecar!.

Anyone else have some ideas to contribute?

Re: Any good security practices?

Horseshoez — Thu, 25 Apr 2024 19:01:19 GMT

@FicoMike0 wrote:
I read a thread about a potential security breach attempt and wonder what ideas we can collect from the mythic brain trust. A few things I do are:
I use a dedicated eMail for bank, credit union and brokerage contact. E.g. Ficomiko@protonmail.com. Picked protonmail since they're reason for existing is security. I never give that address to anyone else for any reason. I don't even use it with myfico, creditkarma, etc.
I not only use a strong password for each account, I use a hard to guess username, including letters, numbers and special characters, when that's supported. E.g. Fast&99racecar!.
Anyone else have some ideas to contribute?

My thoughts are as follows:

Always enable 2FA where you can, and if a financial institution doesn't have that option, I'd be looking for a different one.
I avoid email services like Proton because many sites block then due to a high (and I mean REALLY HIGH) percentage of users are scammers, hackers, and ne'er-do-wells.

Re: Any good security practices?

Anonymalous — Thu, 25 Apr 2024 19:10:26 GMT

Your email should be your most secure account, followed by financials. That's because email can be used to unlock other accounts.

If a site still follows bad practices and asks you to enter security questions, lie. Don't tell them the first street you lived in, the city where you got married, or any of that. Too much of that can be culled from public sources. Instead, make something up.

Never, ever, under any circumstances, use a service that uses Plaid.

Re: Any good security practices?

FicoMike0 — Fri, 26 Apr 2024 02:47:36 GMT

I like the one about making up security questions, I do that. If they ask my mother's maiden name, it's not even a name, it's a color.

I've never had a problem with protonmail.

what's the problem with plaid? I have used it.

Re: Any good security practices?

Anonymalous — Fri, 26 Apr 2024 02:26:30 GMT

@FicoMike0 wrote:
what's the problem with plaid? I have used it.

The #1 security rule is don't share your password. Plaid violates that by requiring your userid/password to sign in as you, and as a result has full access to everything.

Re: Any good security practices?

FicoMike0 — Fri, 26 Apr 2024 02:46:26 GMT

Good point. I'll go back to routing and account numbers.

Re: Any good security practices?

TyrannicalDuncery3 — Wed, 01 May 2024 05:23:36 GMT

Great point, I didn't think of this. Now that I've Plaided a lot of stuff, is there a way to become safe again? If I change my credentials, am I good?

I assume that this may apply to other instant verification thingies as well. I had always (naively) assumed that Plaid didn't retain your credentials and maybe never even saw them, just got some digested version. Quick google suggests that I was wrong about that.

Re: Any good security practices?

Anonymalous — Wed, 01 May 2024 07:55:49 GMT

@TyrannicalDuncery3 wrote:
Great point, I didn't think of this. Now that I've Plaided a lot of stuff, is there a way to become safe again? If I change my credentials, am I good?

I assume that this may apply to other instant verification thingies as well. I had always (naively) assumed that Plaid didn't retain your credentials and maybe never even saw them, just got some digested version. Quick google suggests that I was wrong about that.

There are two issues, security and privacy. If you change your credentials and don't let Plaid know, you've taken care of the first. Privacy is a bit trickier, because while they claim to be good custodians, there are reports they basically scrape everything they can from your account. They do supposedly have a portal where you can delete the information they have on you, though like all good companies that treat you as a product not a customer, they may have shared it with the ecosystem of information trackers. There isn't a lot you can do about that.

Re: Any good security practices?

TyrannicalDuncery3 — Wed, 01 May 2024 08:29:44 GMT

Thanks @Anonymalous! Makes sense. I assume the deletion is a lost cause. I'll try that portal once I've "de-Plaided" everything.

You said "If you change you credentials and don't let Plaid know." Is there anything special that you think I need to do in order to not let Plaid know?

Or is it sufficient to just not explicitly type anything else into Plaid? Is it okay if it's still linked in Plaid when I change the credentials?

Seems like yes but IDK.

Re: Any good security practices?

Anonymalous — Wed, 01 May 2024 08:33:14 GMT

Changing the password for each linked institution may be sufficient, but I left it a little vague because I don't know if Plaid is doing anything tricky behind the scenes like automatically updating passwords once an account is linked. Googling suggests it's possible to revoke access to specific accounts within the Plaid portal, so it's probably a good idea to do that, and then change passwords after.

Re: Any good security practices?

TyrannicalDuncery3 — Wed, 01 May 2024 10:08:18 GMT

Thanks!

I went and deleted stuff in the Plaid portal. In order to find everything, I had to add some accounts. In doing that, I added a few accounts that didn't have anything. So I guess now Plaid has that information too

But they did say that they were deleting the data associated with those accounts. If that means they are deleting my credentials from their side and not tracking my password updates anymore, then great. But I don't really believe a word they say so....

Re: Any good security practices?

kremonis — Fri, 03 May 2024 18:22:59 GMT

On thing I do is when offered security questions, I use ones that don't apply to me. For example, if single I would answer the question "Where did you spend your honeymoon". It cannot be guested or found in public records because it does not apply to me. Then make the answer an long, random, alphanumeric string.

Re: Any good security practices?

Anonymalous — Fri, 03 May 2024 19:55:19 GMT

@kremonis wrote:
On thing I do is when offered security questions, I use ones that don't apply to me. For example, if single I would answer the question "Where did you spend your honeymoon". It cannot be guested or found in public records because it does not apply to me. Then make the answer an long, random, alphanumeric string.

That brings up an interesting issue, which is there's been a seismic change in the last few years in the thinking about passwords. The National Institute of Standards and Technology (NIST) did a lot of research on human behavior, and it turns out requiring complexity (upper/lowercase, symbols, numbers) makes passwords easier to crack. One reason is people follow very predictable patterns when forced to add a number and a symbol to their passwords. Hackers already have dictionaries of all the common passwords, and it requires relatively small additional amount of effort and computing power to account for simple variants like adding a 1 and a ! at the end. Complexity also means people write down their passwords, which is another giant security vulnerability.

And it turns out the additional complexity of a random string of all possible letters, numbers, symbols, and cases isn't really that important, because you can reach equivalent password strength just by making the password a few characters longer. That's because each additional character geometrically increases the time required to guess the password.

That's why the NIST recommended increasing the length of passwords, and getting rid of complexity requirements (among other things, like strongly pushing toward multi-factor authentication). If you don't know, the NIST guidelines are the gold standard. They're not just required for a government systems, but widely adopted in the private sector. Here's the full document:

https://pages.nist.gov/800-63-3/sp800-63b.html

The old XKCD comic has one technique for picking a long but easily memorable password:

https://xkcd.com/936/

Just don't pick anything that's searchable. Every line of text and lyric has probably been scanned, so even the refrain from an obscure song is a bad idea.

Re: Any good security practices?

Horseshoez — Fri, 03 May 2024 20:01:13 GMT

@Anonymalous wrote:
@kremonis wrote:
On thing I do is when offered security questions, I use ones that don't apply to me. For example, if single I would answer the question "Where did you spend your honeymoon". It cannot be guested or found in public records because it does not apply to me. Then make the answer an long, random, alphanumeric string.
That brings up an interesting issue, which is there's been a seismic change in the last few years in the thinking about passwords. The National Institute of Standards and Technology (NIST) did a lot of research on human behavior, and it turns out requiring complexity (upper/lowercase, symbols, numbers) makes passwords easier to crack. One reason is people follow very predictable patterns when forced to add a number and a symbol to their passwords. Hackers already have dictionaries of all the common passwords, and it requires relatively small additional amount of effort and computing power to account for simple variants like adding a 1 and a ! at the end. Complexity also means people write down their passwords, which is another giant security vulnerability.

And it turns out the additional complexity of a random string of all possible letters, numbers, symbols, and cases isn't really that important, because you can reach equivalent password strength just by making the password a few characters longer. That's because each additional character geometrically increases the time required to guess the password.

That's why the NIST recommended increasing the length of passwords, and getting rid of complexity requirements (among other things, like strongly pushing toward multi-factor authentication). If you don't know, the NIST guidelines are the gold standard. They're not just required for a government systems, but widely adopted in the private sector. Here's the full document:
https://pages.nist.gov/800-63-3/sp800-63b.html

The old XKCD comic has one technique for picking a long but easily memorable password:
https://xkcd.com/936/
Just don't pick anything that's searchable. Every line of text and lyric has probably been scanned, so even the refrain from an obscure song is a bad idea.

I agree with everything you wrote except one small hair to split; you wrote, "That's because each additional character geometrically increases the time required to guess the password."

I would argue the sentence should have said, "That's because each additional character exponentially increases the time required to guess the password."

Re: Any good security practices?

Anonymalous — Fri, 03 May 2024 21:10:35 GMT

@Horseshoez wrote:
I agree with everything you wrote except one small hair to split; you wrote, "That's because each additional character geometrically increases the time required to guess the password."

I would argue the sentence should have said, "That's because each additional character exponentially increases the time required to guess the password."

Geometric is correct. A geometric series is one where values are multipled by a fixed amount at discrete intervals, which is how password strength works. You can't increase the number of characters in a password by 0.25 or 3.71, after all.

You could use exponential, because a geometric series is just a exponential function sampled at periodic intervals. But geometric is a more precise term.

Re: Any good security practices?

FicoMike0 — Fri, 03 May 2024 23:30:02 GMT

I agree, it is geometric. Each additional character increases the number of combinations by a factor equal to the total number of possible characters. Uppercase + lowercase+numbers = 26+26+10=62. Special characters tend to be harder to count, do you include ~, |, <, >, ^,? Some don't even allow blank.

I remember back in pre- pc times we used dumb terminals. An associate came up with trick passwords. They looked simple, like his name, but there was a space at the end. The real trick was, the space wasn't a blank, it was a different non-printable character.

Re: Any good security practices?

Snook_on_the_Line — Mon, 06 May 2024 18:46:03 GMT

@Anonymalous wrote:
Your email should be your most secure account, followed by financials. That's because email can be used to unlock other accounts.

If a site still follows bad practices and asks you to enter security questions, lie. Don't tell them the first street you lived in, the city where you got married, or any of that. Too much of that can be culled from public sources. Instead, make something up.

Never, ever, under any circumstances, use a service that uses Plaid.

This^^^^^^^
i had an email hacked and they had a field day spending up my suntrust checking and savings thru PayPal.
the was this you? , password recently changed, And 2fa emails were going to the crook because they had access to the email.

and yea the time I used plaid for verification I immediately changed my login info because it just left me feeling dirty providing it to plaid. I don't understand why ANY bank uses it. EWS will give them all the info they need with just name and DOB

Re: Any good security practices?

Snook_on_the_Line — Mon, 06 May 2024 18:55:06 GMT

I also use a private browser for everything financially related.

current FOTM is DuckDuckGo

it deletes all cookies, downloaded email attachments, browsing history, open tabs, ect. every time I close the app.
Also have it set up so if I put my phone down for a few minutes with it open or in the background it auto clears everything.
Or you just click the little 🔥 button at the bottom and *poof* everything gone.

in the settings you can set it up to Never remember passwords or autofill data.

working pretty good for me so far