C:/
- Apr 10, 2023
This is a comprehensive guide to online privacy, written to promote a safer internet while also protecting this site's users. This place is an OPSEC nightmare according to some posts. This is part one of a series of OPSEC strategies. On a second note, this is my first post here, so please be kind. Included in this post are the following topics:
- Passwords
- 2FA
- Other Tips
As you know, the number one vulnerability of a system is the end-user. This means that YOU and only YOU are responsible for the security and privacy of your system. You could have the most secure system in the world and it will still be vulnerable because you are a fuck up. We can change that though with this comprehensive guide.
Your System
The first layer of security is common sense. This means don't click random links, download random files, or do anything that goes against your gut feeling. Being paranoid is a good thing (to an extent) and due diligence is your friend, so use it to your advantage along with the vast amount of resources available. First, let's talk about passwords.
Stage 1: Passwords
You should treat your passwords like your car keys: each one should be unique and impractical to crack. The minimum requirements for each password are:
- At least 16 characters
- Upper and lowercase letters
- Multiple numbers
- Symbols
A password should NOT be or contain:
- A string of letters followed directly by a string of numbers (EX: fuhEIS12472)
- Any of the most common passwords
- Any password that has appeared in a data breach or paste (check it against a breach-lookup site before use; see Definitions)
- Any password you have previously used or are currently using elsewhere
- Any information that can be guessed, such as site names, usernames, or personal info
- Dictionary words (cheese, mouse, etc.)
- Common substitutions of dictionary words (ch33se, m0use, etc.)
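To make the rules above concrete, here is an added example (not code from the original post) of a checker that applies them to a candidate password. The common-password list, dictionary and leetspeak map it uses are tiny constructed samples; a real check would load a full wordlist and a breach corpus instead. Note how the substitution rule is enforced: the password is normalised (leetspeak undone) before dictionary matching, so `ch33se` is caught just like `cheese`.

```python
import re
import string

# Constructed sample data for this example (assumption: a real deployment would
# load a full common-password list, a dictionary and a breach corpus instead).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou"}
DICTIONARY_WORDS = {"cheese", "mouse", "dragon", "monkey", "summer"}

# Typical leetspeak substitutions, undone before matching so that
# "ch33se" and "m0use" are caught as well as "cheese" and "mouse".
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def normalize(password):
    """Lower-case the password and undo common character substitutions."""
    return password.lower().translate(LEET_MAP)


def check_password(password, context=()):
    """Return the list of rules the password violates (empty list = passes).

    `context` holds guessable strings tied to the account (site name, username,
    birth year, ...) that must not appear in the password.
    """
    problems = []
    raw = password.lower()
    norm = normalize(password)

    # Composition rules from the "minimum requirements" list
    if len(password) < 16:
        problems.append("shorter than 16 characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lowercase letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no uppercase letter")
    if len(re.findall(r"\d", password)) < 2:
        problems.append("fewer than two digits")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")

    # Pattern rule: letters followed by a block of digits (e.g. fuhEIS12472)
    if re.fullmatch(r"[A-Za-z]+\d+", password):
        problems.append("a block of letters followed by a block of digits")

    # Content rules: common passwords, dictionary words (incl. leet variants),
    # guessable account information. Both raw and normalised forms are checked
    # because normalisation deliberately rewrites digits.
    for common in sorted(COMMON_PASSWORDS):
        if common in raw or common in norm:
            problems.append(f"contains a common password '{common}'")
    for word in sorted(DICTIONARY_WORDS):
        if word in raw or word in norm:
            problems.append(f"contains dictionary word (or leet variant) '{word}'")
    for item in context:
        item = item.lower()
        if len(item) >= 3 and (item in raw or item in norm):
            problems.append(f"contains guessable account info '{item}'")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates
    for candidate in ("fuhEIS12472", "Ch33se&M0use!2024Go",
                      "P@ssw0rd2024!!!!!", "Xq7#vLp2@Rn9!wTz4&Hb"):
        result = check_password(candidate, context=("alice", "examplesite"))
        print(candidate, "->", result or "OK")
```

The checker is deliberately a blocklist plus composition rules, which is all the post's list describes; it cannot tell you whether a password was used on another site or appears in a breach, so those two rules still need a breach-lookup service and your own password history.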
How long it will take for a brute force attack to work:
| Number of characters | Numbers only | Lowercase only | Upper and lowercase | Numbers, upper and lowercase | Numbers, upper/lowercase, and symbols |
|---|---|---|---|---|---|
| 4 | Instantly | Instantly | Instantly | Instantly | Instantly |
| 6 | Instantly | Instantly | Instantly | 1 sec | 5 sec |
| 8 | Instantly | 5 sec | 22 min | 1 hr | 8 hrs |
| 10 | Instantly | 58 min | 1 month | 7 months | 5 years |
| 12 | 25 sec | 3 weeks | 300 years | 2k years | 34k years |
| 14 | 41 min | 51 years | 800k years | 9m years | 200m years |
| 16 | 2 days | 34k years | 2bn years | 37bn years | 1tn years |
As you can see, every extra character and every extra character class multiplies the work an attacker has to do, so length plus variety pays off quickly. Keep in mind that these figures assume an offline attack against a fast, unsalted hash on GPU hardware; against a slow, salted KDF (bcrypt, scrypt, Argon2) the same hardware manages orders of magnitude fewer guesses per second, and a rate-limited online login far fewer still. Your password is stage 1.
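The table above is just charset size to the power of length, divided by a guess rate. The following added example (mine, not the post's) rebuilds it from that formula so you can see how much the assumed guess rate matters. The rates are assumptions: the "fast hash" rate is calibrated so the 16-character mixed-case-plus-digits cell lands near 37 billion years, which corresponds to a GPU rig against a fast unsalted hash; the "slow KDF" and "online" rates are rough illustrative figures for an iterated KDF and a rate-limited login form respectively. The post's symbol column also appears to use a smaller symbol set than the 95 printable ASCII characters used here, so that column will not match it exactly.

```python
import math

YEAR = 365.25 * 24 * 3600

# Character-set sizes for the columns of the table (95 = all printable ASCII).
CHARSETS = {
    "digits": 10,
    "lowercase": 26,
    "mixed case": 52,
    "mixed case + digits": 62,
    "mixed case + digits + symbols": 95,
}

# Assumed guesses per second (illustrative, not figures from the post):
#  - "fast hash": GPU rig vs. an unsalted fast hash, calibrated to the table
#  - "slow KDF":  the same rig vs. an iterated/memory-hard KDF
#  - "online":    a rate-limited login form
RATES = {
    "fast hash (offline)": 4.1e10,
    "slow KDF (offline)": 1e5,
    "online, rate-limited": 10,
}


def search_space(charset_size, length):
    """Number of candidate passwords an exhaustive attacker must consider."""
    return charset_size ** length


def entropy_bits(charset_size, length):
    """Bits of entropy for a uniformly random password of this shape."""
    return length * math.log2(charset_size)


def crack_seconds(charset_size, length, guesses_per_second):
    """Worst-case time to exhaust the space (expected time is half of this)."""
    return search_space(charset_size, length) / guesses_per_second


def humanize(seconds):
    """Render a duration the way the table does ('Instantly', '5 years', ...)."""
    units = [("years", YEAR), ("months", YEAR / 12), ("weeks", 7 * 86400),
             ("days", 86400), ("hours", 3600), ("minutes", 60), ("seconds", 1)]
    if seconds < 1:
        return "instantly"
    for name, size in units:
        if seconds >= size:
            value = seconds / size
            label = name if round(value) != 1 else name[:-1]
            return f"{value:,.0f} {label}"


def build_table(guesses_per_second, lengths=(4, 6, 8, 10, 12, 14, 16)):
    """Return rows of [length, cell, cell, ...] matching the CHARSETS columns."""
    rows = []
    for length in lengths:
        row = [length]
        for size in CHARSETS.values():
            row.append(humanize(crack_seconds(size, length, guesses_per_second)))
        rows.append(row)
    return rows


if __name__ == "__main__":
    for rate_name, rate in RATES.items():
        print(f"\n== {rate_name}: {rate:,.0f} guesses/s ==")
        print("len | " + " | ".join(CHARSETS))
        for row in build_table(rate):
            print(" | ".join(str(c) for c in row))
    print(f"\n16 chars, 95-symbol alphabet: {entropy_bits(95, 16):.1f} bits")
```

Running it shows the practical point: an 8-character mixed-case-plus-digits password falls in about an hour and a half at the fast-hash rate but takes decades at the slow-KDF rate. You do not control which hash a site uses, which is why the post's advice is to assume the worst and go long.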
Stage 2: 2FA
Stage 2 is Two-Factor Authentication, also known as 2FA. If you take a single thing away from this guide, it is to USE 2FA. Most services offer at least a basic level of 2FA, such as a code sent to the associated email on login. If a service offers 2FA, turn it on, no questions asked. Below are the most widely available methods of 2FA, from strongest to weakest:
- App Based - Very Secure (the code is generated on your own device; it can still be phished if you type it into a fake login page, so check the URL before entering it)
- Phone Number Based - Vaguely Secure
- Email Based - Extremely Insecure
Notes on the weaker two:
- Phone number based is mostly secure, but you are vulnerable to attacks such as SIM hijacking.
- Email based is the most insecure of the bunch and should be avoided wherever a stronger option exists, since anyone who controls your inbox controls the second factor too.
Most 2FA setups also issue backup codes in case you lose your 2FA method. Secure these codes thoroughly and keep backups of them using the 3-2-1-1 backup strategy, and never store them next to the password they protect!
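As an added example (not code from the original post) of what "app based" 2FA actually is, here is a minimal RFC 4226/6238 HOTP/TOTP implementation plus a backup-code scheme of the kind the paragraph above describes. The authenticator app and the server share a secret; both derive a 6-digit code from HMAC(secret, time // 30 s), so nothing crosses the phone network. The base32 secret, the time values and the backup-code format are constructed for the example; the RFC test secret `12345678901234567890` is the one from the standards. The verification window of one step on either side and the 64-bit backup codes are design choices of mine, not requirements the post states.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def secret_from_base32(b32):
    """Decode the base32 secret shown in an authenticator app's setup QR code."""
    s = b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226: HMAC the 8-byte counter, dynamically truncate, keep `digits`."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret, at=None, step=30, digits=6, algo=hashlib.sha1):
    """RFC 6238: HOTP with counter = Unix time // step (default 30 s)."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits, algo)


def verify_totp(secret, code, at=None, step=30, digits=6, window=1):
    """Server side: accept codes from +/- `window` steps to absorb clock drift.

    Uses a constant-time compare so timing does not leak how many digits matched.
    """
    if at is None:
        at = time.time()
    counter = int(at) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


def new_backup_codes(count=10):
    """One-time backup codes: 64 bits each from the OS CSPRNG, shown as xxxx-xxxx-xxxx-xxxx."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(8)
        codes.append("-".join(raw[i:i + 4] for i in range(0, 16, 4)))
    return codes


def hash_backup_code(code):
    """Store only a hash; the codes are high-entropy, so an unsalted SHA-256 suffices."""
    return hashlib.sha256(code.replace("-", "").lower().encode()).hexdigest()


def redeem_backup_code(stored_hashes, code):
    """Consume a backup code on use so it cannot be replayed. Returns True if accepted."""
    h = hash_backup_code(code)
    for stored in stored_hashes:
        if hmac.compare_digest(stored, h):
            stored_hashes.remove(stored)
            return True
    return False


if __name__ == "__main__":
    # Constructed setup secret, as an app would scan it from a QR code
    secret = secret_from_base32("JBSWY3DPEHPK3PXP")
    now = time.time()
    code = totp(secret, now)
    print("current code:", code, "accepted:", verify_totp(secret, code, now))
    backups = new_backup_codes(3)
    vault = {hash_backup_code(c) for c in backups}
    print("backup code", backups[0], "redeemed:", redeem_backup_code(vault, backups[0]),
          "again:", redeem_backup_code(vault, backups[0]))
```

Two things worth noticing: the server never stores the backup codes themselves, only their hashes, and each code is removed when used. That is exactly why losing the printed codes is a real risk (they are the only plaintext copy) and why the post tells you to back them up carefully.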
Login Managers
I will not be including recommendations for specific password managers, but below are some tips for choosing the right one:
- Consider Open Source managers first
- Do your due-diligence, don't fall for marketing propaganda
- Avoid Browser Password Managers
- Consider pricing, some are meant for enterprise and some for personal use
- Memorize one extremely complex master password; it's hard at first, but with use it gets easier and easier.
- USE 2FA!!!!!!!!!!11!!!!1!!1!
- Secure backup details using the 3-2-1-1 backup strategy
- Don't save your passwords in clear text or in a text file dumbass
Suggested password lengths by account type:
Email & Login Manager -> 26 character password & 2FA
Banking/Sensitive Logins -> ~20 characters & 2FA
Social Media/Service Provider Logins -> ~20 characters & 2FA
Non-important Logins -> ~16 characters & 2FA if available
Burner Logins -> 12-16 characters
Don't blindly trust password managers backed by large companies, as they are not invincible. In December 2022 LastPass, which claims more than 33 million users, disclosed that attackers had accessed its cloud-based storage and copied backups of customer vault data. Encrypted vaults are only as strong as the master password and key-derivation settings protecting them, which is why the master-password advice above matters. Read more here.
[End of part 1, more coming soon]
Definitions (In order of appearance)
OPSEC - Operations Security
Data Breach - An unauthorized or malicious user breaking into a network and releasing its internal files. This can include source code, usernames/passwords, etc.
Paste - In the context of a data breach, a paste is information (usually logins or personal data) that is posted publicly in plain text, not encrypted.
Brute Force Attack - A method of password cracking where a program tries every possible character combination until it finds the password.
Two-Factor Authentication or 2FA - An identity and access management security method that requires two forms of identification to access resources and data.
3-2-1-1 backup strategy - Keep at least three (3) copies of your data. Store two (2) backup copies on different storage media. Store one (1) copy offsite. Keep one (1) copy offline or otherwise immutable.
SIM Hijacking - When an attacker persuades your cell phone carrier to move your phone number over to their device instead of yours, so they receive your calls and SMS codes.