Peppering Your Passwords

Podcast: Play in new window | Download (Duration: 58:02 — 40.8MB) | Embed

Subscribe: Google Podcasts | Spotify | Podcast Index | TuneIn | RSS | More

I preach about using password managers constantly – because they really are a fantastic tool for increasing your security. Humans suck at creating memorable passwords that are not also easy to guess. But the idea of putting all your juicy secrets into a digital vault that is controlled by a third party and synchronizing through the cloud may not sit well with you. And I totally get that. It’s a very valid concern. But what if there were a way to have your cake and eat it, too? (I never understood that expression… what good is having cake if you can’t eat it, right?) I’ll explain a simple technique using cryptographic “pepper” that will allow you to use a password manager, even if you don’t trust it.

In other news: US water utilities are woefully unprepared for cyberattacks; paper ballots are essential for secure elections, but not sufficient; PDFs are being used to cleverly hide keylogging malware; Chinese hackers have infiltrated many global telecom companies for years; Australia’s new “secure” digital driver’s license is anything but; the FBI manages to recover half of the Colonial Pipeline ransom; a new facial search engine is on the scene, with even less protections than Clearview AI; and the Tim Horton’s app stole a heck of a lot of user location data from its customers.

Article Links

1. U.S. Water Utilities Prime Cyberattack Target, Experts | Threatpost https://threatpost.com/water-cyberattack-target/179935/
2. Do Ballot Barcodes Threaten Election Security? https://cdt.org/insights/do-ballot-barcodes-threaten-election-security/
3. [BleepingComputer] PDF smuggles Microsoft Word doc to drop Snake Keylogger malware https://www.bleepingcomputer.com/news/security/pdf-smuggles-microsoft-word-doc-to-drop-snake-keylogger-malware/
4. [MIT Technology Review] Chinese hackers exploited years-old software flaws to break into telecom giants https://www.technologyreview.com/2022/06/08/1053375/chinese-hackers-exploited-years-old-software-flaws-to-break-into-telecom-giants/
5. [Ars Technica] “Tough to forge” digital driver’s license is… easy to forge https://arstechnica.com/information-technology/2022/05/digital-drivers-license-used-by-4m-australians-is-a-snap-to-forge/
6. FBI Recovers $2.3 Million of Colonial Pipeline Ransomware Payment; Some Que https://www.cpomagazine.com/cyber-security/fbi-recovers-2-3-million-of-colonial-pipeline-ransomware-payment-some-questions-about-the-attack-answered/
7. [The Mercury News] A face search engine anyone can use is alarmingly accurate https://www.mercurynews.com/2022/05/28/a-face-search-engine-anyone-can-use-is-alarmingly-accurate-2
8. [CTV News] Tim Hortons app collected vast amounts of sensitive data: privacy watchdogs https://www.ctvnews.ca/business/tim-hortons-app-collected-vast-amounts-of-sensitive-data-privacy-watchdogs-1.5927716
9. Pepper Your Passwords: https://firewallsdontstopdragons.com/password-manager-paranoia/ 

Further Info

• Only FIVE DAYS LEFT to get your dragon coin! https://firewallsdontstopdragons.com/return-of-the-dragon-coins/ 
• Techlore interview: https://youtu.be/-GubGbuWBfk 
• Exploits of a Mom (XKCD “Bobby Tables” cartoon): https://xkcd.com/327/
• Bobby Tables explanation: https://www.explainxkcd.com/wiki/index.php/Little_Bobby_Tables 
• Generate secure passphrases! https://d20key.com/#/
• Subscribe to the newsletter: https://firewallsdontstopdragons.com/newsletter/new-newsletter/
• Would you like me to speak to your group about security and/privacy? http://bit.ly/Firewalls-Speaker