{"items": [
{"author": "Dustin", "source_link": "https://www.facebook.com/jefftk/posts/616303558396418?comment_id=616304291729678", "anchor": "fb-616304291729678", "service": "fb", "text": "I agree about the password requirements thing. Whenever I see them it helps me remember what stupid thing I used for that particular site.", "timestamp": "1362449515"},
{"author": "Hollis", "source_link": "https://www.facebook.com/jefftk/posts/616303558396418?comment_id=616306281729479", "anchor": "fb-616306281729479", "service": "fb", "text": "The one that drives me nuts is that So. Many. Things require the last four digits of one's Social Security Number as a crosscheck. As if that's hard to find out given that everything requires it and it's a password-surrogate that you are forbidden to change.", "timestamp": "1362449617"},
{"author": "David Chudzicki", "source_link": "https://www.facebook.com/jefftk/posts/616303558396418?comment_id=616310965062344", "anchor": "fb-616310965062344", "service": "fb", "text": "And turn on two factor auth.", "timestamp": "1362450332"},
{"author": "Jeff Kaufman", "source_link": "https://www.facebook.com/jefftk/posts/616303558396418?comment_id=616314065062034", "anchor": "fb-616314065062034", "service": "fb", "text": "\"turn on two factor auth\"<br><br>http://support.google.com/accounts/bin/answer.py?hl=en...", "timestamp": "1362450774"},
{"author": "Arthur", "source_link": "https://www.facebook.com/jefftk/posts/616303558396418?comment_id=616319768394797", "anchor": "fb-616319768394797", "service": "fb", "text": "Don't share passwords between sites. It's that simple. Use a password manager like LastPass or 1Password or Keepass, whatever floats your boat.<br><br>I use LastPass because it's cheap and it's convenient; there's a tad less security using their cloud-based password management than there would be if I used Keepass and only transferred passwords across computers using a USB stick -- but literally any solution you use will be safer than the typical situation of people reusing the same password over and over again, thus making their entire online presence exactly as insecure as the weakest website they happen to entrust their password to.<br><br>I also support the idea of having a specific, separate \"recovery\" e-mail address that is never used for anything but security requests to reset passwords in the event of an emergency, making it extremely unlikely for it to ever get attacked, as opposed to your everyday e-mail that you use for everything else. (Google, AppleID, and a few other major services support the use of a dedicated, secret recovery e-mail address -- this is after the lack of a separate secret recovery e-mail for Google and AppleID was one of the critical weak links that famously allowed 4chan to destroy Wired reporter Mat Honan's entire online life.)", "timestamp": "1362451113"},
{"author": "Hollis", "source_link": "https://www.facebook.com/jefftk/posts/616303558396418?comment_id=616324888394285", "anchor": "fb-616324888394285", "service": "fb", "text": "The problem with part two is that most websites don't allow that level of granularity: I can't tell, e.g., Amazon or various other retailers that I want password-change requests to go to pwfix@valorous.com but I want all their other email (like order confirmations, problems, etc.) to come to scambait@valorous.com .", "timestamp": "1362452093"},
{"author": "David Chudzicki", "source_link": "https://www.facebook.com/jefftk/posts/616303558396418?comment_id=616333791726728", "anchor": "fb-616333791726728", "service": "fb", "text": "Yeah, LastPass is great. Note that they can't decrypt your passwords without the master password, which is great.", "timestamp": "1362453561"},
{"author": "Arthur", "source_link": "https://www.facebook.com/jefftk/posts/616303558396418?comment_id=616339725059468", "anchor": "fb-616339725059468", "service": "fb", "text": "Hollis: Yeah, but it's a great thing that two of the biggest, juiciest targets for hackers -- your Google account and your AppleID account -- have begun supporting a hidden recovery email. I have a hidden recovery email that I use for just those two services and as my recovery email for LastPass itself, because it puts one more layer between an identity thief and access to all my shit.", "timestamp": "1362454619"},
{"author": "Arthur", "source_link": "https://www.facebook.com/jefftk/posts/616303558396418?comment_id=616341095059331", "anchor": "fb-616341095059331", "service": "fb", "text": "And don't get me wrong, I'm not really that much of a security buff and I'm not paranoid about the NSA being out to get me. But after the fourth or fifth high-profile leak of a huge archive of stolen passwords from a high-profile website -- after LinkedIn let all their passwords out, after Twitter did it, after the second or third time Facebook did it -- it came to be pretty obvious to me that using a short list of passwords that I recycled for pretty much every site I registered for was idiotic in the extreme. I think I realized just how stupid I was being when I used my then-\"standard\" password to sign up for some crappy RPG forum that then suddenly vanished due to lack of funding to keep the server up, and I realized there was absolutely zero guarantee that the owner of said forum hadn't immediately sold all the passwords he'd gathered to a spammer/identity thief/con artist ring on the black market to cover his gambling debts.", "timestamp": "1362454837"},
{"author": "Ken", "source_link": "https://www.facebook.com/jefftk/posts/616303558396418?comment_id=616343671725740", "anchor": "fb-616343671725740", "service": "fb", "text": "Two-step authentication FTW!", "timestamp": "1362455305"},
{"author": "Daniel", "source_link": "https://www.facebook.com/jefftk/posts/616303558396418?comment_id=616366008390173", "anchor": "fb-616366008390173", "service": "fb", "text": "So, forgive my ignorance, but how exactly do password managers make your online presence more secure? It allows you to use more different passwords because you don't have to remember them all, but someone still only has to gain access to one password before they can get into all your accounts. I suppose it means it has to be the password manager account that has the leak, but are they necessarily that much more secure than any other place on the internet that ought to be secure, but ultimately turns out not to be?<br><br>I do reuse passwords -- if you have to remember them all it's basically impossible not to -- but I use a different password for higher security items like banks than for all those near-meaningless accounts I create to do one thing and rarely if ever need to access again.", "timestamp": "1362459369"},
{"author": "BDan", "source_link": "https://www.facebook.com/jefftk/posts/616303558396418?comment_id=616367101723397", "anchor": "fb-616367101723397", "service": "fb", "text": "Daniel: my password manager (1Password) is offline, meaning that they would have to first gain access to my computer to get to it. Something cloud-based is potentially less secure, but hopefully a company whose entire point is security will be more secure than most other sites.", "timestamp": "1362459676"},
{"author": "James", "source_link": "https://plus.google.com/106345404829653994850", "anchor": "gp-1362460194694", "service": "gp", "text": "The only reason for sharing passwords between sites is if you haven't set up a password manager, and not using a password manager is Emphatically Not Okay.\n<br>\n<br>\nThe importance of the email password in particular is worth emphasizing, though. Since email is important, it is bad to check your email on a computer that isn't yours, it is very bad to give your email site to a third party that wants to copy your address book, and it is very, very bad to log in to your email account on a public computer.", "timestamp": 1362460194},
{"author": "Daniel", "source_link": "https://www.facebook.com/jefftk/posts/616303558396418?comment_id=616573761702731", "anchor": "fb-616573761702731", "service": "fb", "text": "BDan, that's considerably more secure, but also much less flexible. Sometimes I need to log in to my accounts from other computers, and it would be problematic if I didn't remember any of them and couldn't access the password manager. I could partially get around that by putting it on my iPod as well, but my iPod is much more likely to get lost and picked up by someone else, or stolen, than my computer is since it's so small and portable.", "timestamp": "1362491523"},
{"author": "Jeff Kaufman", "source_link": "https://www.facebook.com/jefftk/posts/616303558396418?comment_id=616859378340836", "anchor": "fb-616859378340836", "service": "fb", "text": "@Daniel: \"I suppose it means it has to be the password manager account that has the leak, but are they necessarily that much more secure than any other place on the internet that ought to be secure, but ultimately turns out not to be?\"<br><br>I have Chrome remember my passwords. If someone gets into my Google account they can already get into anything else because of password resets, and I do think Google's password security is better than most places that want me to make a password. Also Google supports 2-factor auth (which I'd been meaning to turn on for a while but only got around to it after David reminded me upthread).", "timestamp": "1362534715"}
]}