CCATP #732 for June 11, 2022, and I’m your host, Allison Sheridan. This week our guest is Bart Busschots. This week we’re going to do something a little different; we’re doing an “Ask Me Anything (About Security)”. I sent out the request for questions to our Slack community (https://podfeet.com/slack), to Twitter, to a few user groups of which I am a member, and Steve posted it to our Facebook group.
With the exception of one question which I sent to him ahead of time, Bart answered all of these on the fly while we were recording. For that reason, only the questions are available. In order to know his answers, you’ll need to listen to the show. If you’re hearing-impaired, and one of the questions is of particular interest to you, send me an email at allison@podfeet.com and I’ll try to reproduce Bart’s answer for you.
Questions:
BJ from Pennsylvania asks:
Why is multi-factor authentication more secure than just using a password? Or, in other words, why would someone want to use multi-factor authentication protocols to make themselves more secure?
Steve in Los Angeles asked:
Is the new FIDO standard for passkeys actually more secure than a password with second-factor authentication from an app? If so, why?
Mr. Ed from the chatroom, also known as Ed Tobias asks:
I use Synology Quick Connect via the DS File app on my iPhone. I can see all the files on my NAS from anywhere. How does this work when I don’t have any port forwarding for this on my router, and is it safe?
James Carroll from THORLaser.com asks:
Can I share usernames and passwords with my wife or work colleague safely via Apple Messages (previously iMessage) with no risk of interception (unless the baddies somehow get their hands on our unlocked Apple devices or iCloud account)? Assume we all have Apple devices logged into iCloud (not messaging via SMS).
Also, on that basis, are Apple Messages any more or less secure than WhatsApp, Telegram, Signal, or Teams for messaging? I have no urge to hide my location or anything else, but I draw the line at giving away usernames and passwords.
Lynda from Silicon Valley is concerned about doxxing – where trolls publish private information about you because of something you said online, say on Twitter. She asks:
Are there any ‘anti-doxxing’ tutorials or advice you can give to protect oneself, other than just keeping one’s mouth shut?
Allison Sheridan from Los Angeles asks in regards to FIDO and the new Passkey method of passwordless login:
If I have an existing password-based account on a website, and I switch to a passkey, will the website remember the old password? Because if so, it would then still be possible for a bad actor to log in using that old password. In the same vein, what happens if you click on “I forgot my password”? Will every website have to know you’ve switched to passkeys and know to securely erase just your password?
Happy Windows User asks:
Hello Allison and Bart. Thank you for your show and your enthusiasm.
As an exclusive Windows desktop user, I noticed within Internet Explorer’s History tab, it keeps logs of all my personal files I access on my PC. I realize Microsoft will end Internet Explorer this year, however, tracking my accessed files also shows up in the AppData folder, the file path is ThisPC/Windows (C:)/User/name/AppData/Local/Microsoft/Internet Explorer.
Dumb questions: Is this part of the telemetry Microsoft collects on its users? If so, how can I prevent it? Typically, I don’t use my PC with a Windows Account but as User Account. I haven’t upgraded to Windows 11 yet however I know Microsoft will require a Windows account for PC use, so how can I block Microsoft from knowing which files I access on my PC?
NASAnut asks:
I have some questions regarding a VPN. I have a Synology NAS which offers the ability to set up a VPN on it. Assuming my goals for using a VPN are more privacy-related, does setting up the VPN on my NAS provide any privacy/anonymity from my ISP, or, since the NAS is on my network and my ISP knows my IP, will my ISP still be able to see locations that I am connecting to? Are there any pros/cons regarding using a VPN on my NAS located within my home network?
Allison in Los Angeles asks another question (because she can):
Is it too soon to start telling our non-technical friends and family about our passwordless future? I’m not worried about getting them overly excited, I’m worried that they’ll hear about it and think it’s a scam so I was thinking of just starting to mention it so they get used to the idea. But maybe it’s not mainstream enough yet in the Muggle news?
Enjoyed the episode. Want to share what I think is a slightly stronger method of conveying a password. As you discussed, use an E2E encrypted messaging system, but with a twist: leave off the last three or four characters. Then call the person and give them the remaining characters over the phone (“like a caveman”). This uses out-of-band communication that is (more or less) ethereal (as compared with a text message). The only way the bad guy gets the whole password is if both communication channels are compromised.
That said, I will have to experiment with the 1Password method you described.
If I have an existing password-based account on a website, and I switch to a passkey, will the website remember the old password?
Drift Boss – yes, they will remember the password, and don’t think of it as “old”. It is still your CURRENT password. Before we reach the nirvana of a passwordless future, we’re going to live in a world where we have passkeys for ease of logging in, and passwords just in case. That means your passwords must continue to be long and complex, and must be unique for every login.