I stumbled across this gem from a forgotten era of YouTube. I thought it would be fun to take the main idea of each point in the video and critique the advice through the lens of somebody in 2023, with everything I've learned about security over the past five years, adding more information or correcting some things.
Use a spare phone for two-step verification.
SMS is completely unencrypted and shouldn't be trusted for 2FA on anything important. In some cases an attacker doesn't even need access to your phone: they can request a code themselves, and if they know the length and character set of the code they can try to brute force it. This isn't the worst advice for 2016; the YubiKey had only come out 2 years prior, and even today it isn't supported by every service. But support for these devices has expanded dramatically and I can wholeheartedly recommend them these days. Get two and, at the very least, secure your Gmail account. Keep one on your keys and hide the other somewhere in your house in case the primary one gets lost or damaged. You can often use a Google account to sign in or sign up for other services, so if your email gets compromised attackers have a treasure trove of access to your accounts.
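The brute-force point above cuts both ways: a six-digit code has only a million possibilities, so the thing that actually protects it is the server refusing unlimited guesses. The following is an added example (not code from the original post or from any product it mentions) of how a verifying server should treat a numeric one-time code: fixed length, short lifetime, single use, a small attempt budget, and a constant-time comparison. The attempt limit, lifetime and code length are constructed policy values, not anything the post specifies.

```python
import secrets

OTP_DIGITS = 6                 # assumed code format: six decimal digits
MAX_ATTEMPTS = 5               # assumed policy: lock the code after five wrong guesses
OTP_LIFETIME_SECONDS = 300     # assumed policy: a code is good for five minutes


def issue_code(now: float) -> dict:
    """Issue a fresh numeric one-time code of the kind an SMS would carry.

    `now` is passed in (seconds) so the behaviour is reproducible in tests."""
    code = "".join(secrets.choice("0123456789") for _ in range(OTP_DIGITS))
    return {"code": code, "issued": now, "attempts": 0, "used": False}


def verify_code(record: dict, guess: str, now: float) -> str:
    """Check a guess against an issued code.

    Returns one of 'ok', 'bad', 'locked', 'expired' or 'used'.
    Every wrong guess burns one attempt; once the budget is gone the code is dead
    even if the next guess would have been right."""
    if record["used"]:
        return "used"
    if now - record["issued"] > OTP_LIFETIME_SECONDS:
        return "expired"
    if record["attempts"] >= MAX_ATTEMPTS:
        return "locked"
    record["attempts"] += 1
    # compare_digest keeps the comparison time independent of how many
    # leading digits happen to match, so timing leaks nothing about the code
    if len(guess) == OTP_DIGITS and secrets.compare_digest(guess, record["code"]):
        record["used"] = True
        return "ok"
    return "bad"


def guess_success_probability(digits: int = OTP_DIGITS, attempts: int = MAX_ATTEMPTS) -> float:
    """Chance that someone who knows only the code format gets in within the attempt budget.

    With no limit at all the same attacker would simply try every value, which is the
    scenario the post warns about; with the limit the odds are attempts / 10**digits."""
    return attempts / (10 ** digits)
```

With the constructed policy above the odds of guessing a fresh code are 5 in 1,000,000; without a limit the only thing standing between an attacker and the account is the lifetime of the code.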
Credit where credit is due: SIM swapping and social engineering attacks against your phone provider are genuine threats, and he is right that providers don't have enough security checks to protect against someone who is determined. I would also add that if attackers know your name they could attempt to modify your account by finding the answers to your security questions. The street you grew up on, your favorite pet's name, your best friend's name, your first car and your favorite sports team are all things an attacker could potentially find out about you by doing some open-source intelligence gathering, a.k.a. looking at your social media and googling you.
Password database leak
It's true that password databases get leaked all the time. But just because your password is in a leak doesn't necessarily mean you're done for. If the organization is following proper procedures your password should be hashed, not stored in plain text. If the password is hashed, the attacker has to take the hash and spend a lot of time and resources cracking it.
Password cracking
The type of password cracker mentioned in the video is an offline password cracker; a very commonly used one is John the Ripper. As mentioned previously, the attacker needs the password hash. But there's one other thing that's even more important: a quality wordlist. A wordlist is a long list of known or potential passwords. The software takes each word from the list, hashes it and compares the result against the hashes the attacker has collected.
You can test this for yourself: run Command Prompt as administrator and type commands like these, replacing the password and the hash algorithm as needed.
rem certutil -hashfile reads a file, not standard input, so write the password to a file first;
rem "set /p" is used instead of echo to avoid the trailing space and newline echo would add to the hashed text
<nul set /p dummy=HelloWorld>plain.txt
certutil -hashfile plain.txt SHA256 > hash.txt
hash.txt will contain the hex hash between two lines of certutil status output; keep just the hash line. Next create a second text file to act as the wordlist, with the plaintext version of your password inside, point the cracker at the hash file and the wordlist, and it will be able to crack it.
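Here is the same experiment in code, covering both the "hashed, not plain text" point from the database-leak section and the wordlist cracking described just above. This is an added example, not code from the original post or from John the Ripper: the wordlist, the "leaked" user table and the PBKDF2 iteration count are all constructed here. It shows why an unsalted fast hash like the SHA-256 produced by the certutil command is cracked with one hash per word for the whole table, while a per-user salt and a slow key-derivation function force one expensive computation per user per guess.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny wordlist and a "leaked" table of unsalted SHA-256 hashes.
WORDLIST = ["password", "letmein", "HelloWorld", "qwerty123", "correct horse battery staple"]


def sha256_hex(text: str) -> str:
    """Plain unsalted SHA-256, the same thing the certutil command above computes."""
    return hashlib.sha256(text.encode()).hexdigest()


LEAKED_UNSALTED = {
    "alice": sha256_hex("HelloWorld"),
    "bob": sha256_hex("qwerty123"),
    "carol": sha256_hex("not-in-any-wordlist-7f3k"),
}


def dictionary_attack(leaked: dict, wordlist: list) -> dict:
    """The post's description in code: hash every word once, look each leaked hash up.

    Because nothing is salted, one hash per word tests every user in the table at once,
    which is exactly why unsalted fast hashes crack so cheaply."""
    lookup = {sha256_hex(w): w for w in wordlist}
    return {user: lookup[h] for user, h in leaked.items() if h in lookup}


# "Proper procedures": a random per-user salt plus a deliberately slow KDF.
PBKDF2_ROUNDS = 600_000  # assumed production iteration count; tests below use far fewer


def store_password(password: str, rounds: int = PBKDF2_ROUNDS) -> dict:
    """What a server should keep instead of a bare hash."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return {"salt": salt.hex(), "rounds": rounds, "hash": digest.hex()}


def verify_password(record: dict, password: str) -> bool:
    """Recompute the KDF with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(record["salt"]), record["rounds"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def dictionary_attack_salted(records: dict, wordlist: list) -> tuple:
    """Same wordlist against salted records.

    The salt stops work being shared between users, so every (user, word) pair needs
    its own KDF run; returns (found, kdf_calls) so the extra cost is visible."""
    found, calls = {}, 0
    for user, rec in records.items():
        for word in wordlist:
            calls += 1
            if verify_password(rec, word):
                found[user] = word
                break
    return found, calls


if __name__ == "__main__":
    print("unsalted SHA-256:", dictionary_attack(LEAKED_UNSALTED, WORDLIST))
    salted = {u: store_password(p, rounds=1000) for u, p in
              [("alice", "HelloWorld"), ("bob", "qwerty123"), ("carol", "zzz-not-listed")]}
    print("salted PBKDF2:", dictionary_attack_salted(salted, WORDLIST))
```

Against the unsalted table five hash computations settle all three users; against the salted one the same wordlist costs one full KDF run per user per word, and each of those runs is hundreds of thousands of times slower than a single SHA-256. That multiplier, not the secrecy of the algorithm, is what buys you time after a leak.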
CPUs can be used to crack passwords, but GPUs are much more efficient. A proper cracking rig would have a handful of GPUs mounted in a rack.
Password managers
Everybody should have a separate password for every site. But I disagree with keeping a plaintext file of all your credentials. At the very least you should encrypt the file; then it can hide in plain sight. VeraCrypt is one piece of encryption software I've used, and I made a post about it. LastPass is good software and I've used it for a few years, but it is closed source and has data breaches all the time. Additionally, you have to pay for premium features; for example, you can't access your vault on multiple devices at once. Recently I've been testing Bitwarden. I appreciate that the premium features I previously had to pay for are free.
Both LastPass and Bitwarden are online password managers, which allow you to access your passwords from anywhere across multiple devices. But having your database online paints a massive target on you, because your credentials are pooled together with those of thousands of other users on a server you don't control. There are options for local password managers like KeePassXC, which is also good software, but remember it's purely a local database with no cloud functionality out of the box. This means the devices you have the database on are the only devices that can access your credentials, but it also means that if you forget your master password there's no way to reset it. Whichever solution you choose is better than the plaintext document. Every service I've tested lets you export your database to a file; keep secure backups of that file and use a strong master password.
I hope this helps