Yubikey.Support for 2-Factor Verification | Yubikey Support

Check out YubiKey's strong support for 2-factor verification. Use hardware-based authentication to increase your online security. YubiKey Support offers dependable setup and troubleshooting support. Your route to better online safety. With YubiKey's capability for 2-factor verification, security is enhanced. Use this reliable hardware-based solution to protect your internet presence. Get timely support for installation and troubleshooting to guarantee a secure digital experience. Your ideal ally in security.

How To Wipe Out All The Data On An YubiKey In One Gesture

What happens when I touch my YubiKey?

When you touch your YubiKey, it sends a very weak 5v signal to your computer. The signal is only strong enough to trigger a response from the YubiKey. You can think of this like an electric doorbell: A doorbell sends out a short burst of high-voltage AC power when it's pressed; when the low-voltage AC voltage hits the contacts of the receiver (which may be an electromagnet), it causes them to momentarily close and send out DC power that pushes through wires back to your house's main circuit breaker box which then turns on an LED lamp as part of an interlock system that prevents any power from coming through unless someone presses the doorbell button first.

Does YubiKey work without the Internet?

Yes, YubiKey Support can be used without any internet connection. The YubiKey has all the data that you need to be stored on the device in an encrypted manner. Only when you want to login into a site or service will it ask for the data from your key and then it decrypts it using a password or PIN which you entered earlier.

What is the difference between YubiKey and the security key?

YubiKey does not use public-key cryptography. Instead, it creates a challenge-response code that is unique to the device and thus cannot be spoofed. YubiKey is more effective than standard passwords and PINs at mitigating phishing, man-in-the-middle attacks, replay attacks, and other situations where a thief can intercept or steal your credentials.

How many passwords can YubiKey hold?

Yubico's YubiKey can hold up to 32 unique credentials, in addition to a single PIN. If you use Yubico apps and services that require more than 32 credentials, your master password can be used as an override to let you switch between them.

How do I use YubiKey for personal use?

YubiKey for personal use is designed for the everyday user that wants to protect and secure their online accounts. YubiKey can be used to replace passwords, 2FA codes, or other secrets to help prevent unauthorized access. YubiKey is a security key that protects you against phishing and hijacking. With FIDO standards-based strong authentication, it can be used to securely login to your favorite websites, computers, and applications.

[Media] ​​YubiKey

​​YubiKey The Yubico Security Key is a heavy-duty, tamper-resistant USB and NFC security key designed to protect online accounts against unauthorized access. It supports FIDO2, FIDO U2F, and other protocols, works with a wide range of online services, and is water and shock-resistant. With touch-based authentication, it provides an easy and secure way to protect your online accounts from phishing and account takeovers. Buy online: 🛒 https://amzn.to/3L0xdJL 🛒 https://ali.ski/qAF720 #security #key #usb

Multi-factor authentication (MFA)

Multi-factor authentication (MFA) must be enabled on each University member's account.

An additional layer of security for online accounts is multi-factor authentication (MFA).

Also Read:Click here

MFA aids in safeguarding your financial and personal data. Using MFA lowers the chance that someone will access your account even if they learn your login and password, for instance through a scam or cyberattack.

According to Microsoft research, MFA can cut down on these assaults by up to 99.9%.

MFA is a requirement of the rules you accepted when you signed your student agreement (if you are a student) or your work contract, generally speaking (staff).

Set up MFA using an authenticator app (recommended)

We advise you to utilise the Microsoft Authenticator app for the best results. Even if you transfer SIM cards or do not have data roaming enabled, you can use the Microsoft Authenticator app when travelling.

You are free to use another authenticator software if you'd prefer, but be aware that IT Services might not be able to support it.

You will need: 

Your smartphone (connected to a strong data signal, wifi, or eduoram if you're on campus), a computer or tablet with internet access. You must use the laptop or computer provided by the university if you are a staff member or postgraduate research student. A single smartphone with a wifi or data connection can be used to set up MFA if you are an undergraduate or postgraduate taught student.

Set up MFA without a smartphone

computer or tablet. Please log out first if your Microsoft account with the university is not your default account. Make sure to link it to your university username and password on your Microsoft account at the University of Bristol. Use the syntax [email protected] to access your University of Bristol account. your password, too. The security information page for "my sign ins" will now appear. After logging in, select "add method." Pick "phone" from the drop-down menu, then click "add." Enter your phone number after choosing your country code. Choose either "call me" or "text me a code." Please don't input your phone number with the beginning "0" (for example, enter 7912345678 for a UK number). To confirm your MFA setup, enter the code that was texted to your phone number. You can then choose to make a phone call or send a text as the default authentication method on the security page (SMS). You will now be required to validate your login across a number of University services during the next 24 hours. During this time, you ought should still be able to sign in. You may see an example of MS MFA enrollment in action in this Microsoft video: Video: Configure Microsoft's multi-factor authentication with a mobile device

Set up MFA without a mobile phone

A USB security key can be used to configure MFA and authenticate if you are unable to do so using a mobile device (YubiKey).

The Arts and Social Sciences Library's IT Services Counter is where students can pick up their USB security keys. From Monday through Friday, from 9 am to 11.30 am and 2 pm to 3.30 pm, the counter is open. To obtain a security key, you must present your student identification card. If you require a security key after these hours and are unable to access your university account, please call IT Services at (available 24 hours a day at) 0117 428 2100 or submit a ticket through the IT self-service site (requires log-in).

You can also purchase a USB security key on your own. This FIDO2 YubiKey security key must be blue.

Employees can request a security key by getting in touch with IT Services.

Note:We suggest you to set up a backup authentication mechanism in case you misplace your security key if you use one as your primary login method.

By doing this, you'll be able to keep working while a new key is being ordered.

Set up a second MFA method

Some University services could be temporarily unavailable to you if you:

Never use your MFA phone or device again. You misplace or damage your phone or other gadget. Purchase a new phone (or other device) and improperly configure MFA on the new device Have SMS or phone call authentication configured as your primary authentication method before leaving the UK. Text messages are often unreliable, especially when you're on the go.

Never use your MFA phone or device again. You misplace or damage your phone or other gadget. Purchase a new phone (or other device) and improperly configure MFA on the new device Have SMS or phone call authentication configured as your primary authentication method before leaving the UK. Text messages are often unreliable, especially when you're on the go.

If you have more than one device

We advise you to install the Microsoft Authenticator software on your second device if you have more than one (for instance, a smartphone and a tablet or laptop). To set up the second device, log into the Microsoft Security Information page on your primary device, click "Add sign-in method," and then follow the on-screen instructions.

If you do not have a second device

We advise adding a second authentication method even if you don't have a second device. Click "Add sign-in method" after logging in to the Microsoft Security Information page, then follow the on-screen instructions.

If you need to travel

Please utilise an authenticator app as your default sign-in method if you need to access University services while travelling. Make sure the authenticator app is selected as the "Default sign-in method" when accessing the Microsoft Security Information page.

You can get a one-time code in the app if you don't have data while travelling. To view the one-time code, simply open the app and select "University of Bristol."

Help and support

Multi-factor authentication (MFA) tips are available, including how to sign in with MFA and set up MFA on a new phone.

Please call IT Services at 0117 428 2100 (available 24 hours a day), or submit a ticket through the IT self-service site, if you require additional assistance (requires log-in).

On weekdays from 8 am to 5 pm, more technical questions, such as how to reset MFA if you've misplaced your phone or authentication device, can be addressed (apart from on University closure days).

Please use the IT self-service website to raise a ticket if it occurs after business hours.

Updates for firefox for mac

UPDATES FOR FIREFOX FOR MAC UPDATE

UPDATES FOR FIREFOX FOR MAC FOR ANDROID

UPDATES FOR FIREFOX FOR MAC PASSWORD

Navigations between XML documents may have led to a use-after-free and potentially exploitable crash.ĬVE-2022-34468: CSP sandbox header without 'allow-scripts' can be bypassed via retargeted javascript: URI. If after freeing a memory location, a program does not clear the pointer to that memory, an attacker can use the error to manipulate the program. Use after free (UAF) is a vulnerability caused by incorrect use of dynamic memory during a program's operation. It does not apply to other operating systems.ĬVE-2022-34470: Use-after-free in nsSHistory. These are the CVEs we think you should know: HighĬVE-2022-34479: A malicious website that could create a popup could have resized the popup to overlay the address bar with its own content, resulting in potential user confusion or spoofing attacks. Its goal is to make it easier to share data across separate vulnerability capabilities (tools, databases, and services). Publicly disclosed computer security flaws are listed in the Common Vulnerabilities and Exposures (CVE) database. The new version also comes with a new privacy feature that strips parameters from URLs that track you around the web. The new version fixes 20 security vulnerabilities, five of which are classified as “High”. On Twitter, Facebook, Google News, and Instagram.Mozilla released version 102.0 of the Firefox browser to Release channel users on June 28, 2022. Users can access this menu from the Firefox browser by tapping on the lock icon.įollow HT Tech for the latest tech news and reviews, also keep up with us Users who care about their privacy will also benefit from improvements to the Enhanced Tracking Protection (ETP) menu, which will now show more details about the security of websites that are visited. It also adds a new Home button to the toolbar, for quick home page access. The app will also give you a Clean Start if you haven't used the browser for four hours or longer, by showing you the home page instead of your old tabs.

UPDATES FOR FIREFOX FOR MAC PASSWORD

Users of Firefox for iOS will now be able to add new accounts to the password manager manually, after updating to the latest version 37. Apart from various security fixes, users will also gain accessibility improvements. Similarly, the JavaScript engine has been improved for better performance. Mozilla has also updated the bookmark toolbar menu on macOS and redesigned certificate error pages. Full-range colour levels are also supported while playing videos and ICC v4 colour profiles for images on macOS is now enabled. Meanwhile, macOS users can use the native sharing menu from the Firefox File menu. This improves the security of the browser while navigating the web.

UPDATES FOR FIREFOX FOR MAC UPDATE

The update also includes several security fixes for Firefox for Android.įirefox for desktops is now getting more powerful HTTPS features to protect users while browsing, with the version 92 update. Users will also benefit from fixes for crashes when a user disconnects from their Mozilla account, and when navigating to the settings after disabling “Mozilla Studies”. Other browsers like Chrome have supported this for a while now, but it is good to see the browser add support for this feature.

UPDATES FOR FIREFOX FOR MAC FOR ANDROID

If you use security keys like YubiKeys or other USB/Bluetooth based security tokens for your smartphone, the Firefox browser for Android will now support these thanks to newly added support for the WebAuthentication API.

Keepassxc browser chrome

#Keepassxc browser chrome for android#

#Keepassxc browser chrome Offline#

#Keepassxc browser chrome free#

There are 2 new light and dark themes, new compact mode, and new icons throughout the application along with new monochrome tray icons, and more. The latest KeePassXC 2.6.0 comes with an overhaul of the user interface. KeePassXC 2.6.0 dark theme and compact mode There's also a command line interface available.

#Keepassxc browser chrome for android#

There's no KeePassXC mobile client either, but there are various applications compatible with the KeePass 2.x (.kdbx) password database format, with KeePass2Android for Android and Strongbox for iOS being recommended by the KeePassXC developers.īesides basic features like a password generator, the ability to auto-type passwords into applications, and so on, KeePassXC also comes with some advanced features like database export to CSV and HTML formats, TOTP storage and generation, entry history and data restoration, YubiKey/OnlyKey challenge-response support, SSH Agent, and more. This can still be easily achieved though, using a third-party cloud storage and synchronization service like Nextcloud, Dropbox, Google Drive, OneDrive, and so on, by simply storing the KeePassXC database in the shared cloud folder. One feature that's missing is build-in password cloud synchronization. kbdx file as a one-way process.įor easily entering passwords in a web browser, KeePassXC comes with browser extensions for Mozilla Firefox and Chrome-based web browsers (Google Chrome, Chromium, Vivaldi). The application uses the KeePass 2.x (.kdbx) password database format as its native file format in versions 3.1 and 4 using AES encryption with a 256 bit key version 2 of the database can be opened, but it's upgraded to a newer format when opened, while KeePass 1.x (.kdb) databases can be imported into a. The application is built using Qt and runs on Linux, Windows and macOS.

#Keepassxc browser chrome free#

KeePassXC is a free and open-source password manager started as a community fork of KeePassX (which itself is a fork of KeePass), which is not actively maintained.

#Keepassxc browser chrome Offline#

The new release can be downloaded from the downloads page, Ubuntu PPA, and Snapcraft.KeePassXC 2.6.0 was released recently with improvements like an overhauled user interface with new light and dark themes, new offline password health check, check passwords against the Have I Been Pwned online service, and more.

Additional encryption choices: Twofish and ChaCha20.

Secret Service (replace Gnome keyring, etc.).

KeeShare shared databases (import, export, and synchronize).

YubiKey/OnlyKey challenge-response support.

Database export to CSV and HTML formats.

Database reports (password health, HIBP, and statistics).

Import databases from CSV, 1Password, and KeePass1 formats.

Browser integration with Google Chrome, Mozilla Firefox, Microsoft Edge, Chromium, Vivaldi, Brave, and Tor-Browser.

Store sensitive information in entries that are organized by groups.

Create, open, and save databases in the KDBX format (KeePass compatible to KDBX4 and KDBX3).

Our goal is to create an application that can be used by anyone while still offering advanced features to those that need them. KeePassXC has numerous features for novice and power users alike.

Gunbot Permanent Tournaments - Gate.io added in August

Gunbot Permanent Tournaments - Gate.io added in August 2022

Are you ready for the Gunbot Permanent Tournaments? Find out how you can trade to win on Gate.io Ei yo wazzup?. This month for our gunthy tournaments we add Gate.io one of the best exchanges to find that special gem that it's not yet a known coin but could do a 4000% in the next months.

About Gate.io

Founded in 2013, Gate.io is a worldwide digital asset platform that supports 1400+ cryptocurrencies and 2500+ trading pairs. It offers a variety of trading, lending, and staking features such as spot, NFTs, margin, copy trading, leverage, derivatives, API trading, and more. Additionally, Gate.io provides trading incentives and discounts through its native exchange token GateToken. Gate.io's mission is 'to serve the blockchain industry by providing secure and reliable products & services to consumers and companies around the world.' In 2020, its reserves were audited by Armanino LLP, proving 100% margin verification for its users. Gate.io has integrated fiat on-ramp services such as MoonPay, Simplex, BANXA, coinify, mercury, and advcash. The platform provides 24/7 online customer support and engages directly with its community through social platforms such as Telegram and Discord. Gate.io takes a multi-layered approach to account security implemented through multi-factor authentication, withdrawal whitelists, UKey/Yubikey support, anti-phishing codes, suspicious activity monitoring, and security logs that protect user accounts from unauthorized access. Platform funds are secured by institutional-level online and offline security measures and protected behind physical and encrypted safeguards, eliminating single points of failure. Source: coinmarketcap.com The tournament will start on 15 August 2022, so get your weapons ready. Gunbot Permanent Tournaments are the most fantastic opportunity to improve yourself as a trader, share profitable strategies with the biggest traders in our community, and earn some great money if you can beat the best traders.

Gate.io Trading Competition Rules

– This month, Gunbot users can join any of the sponsored exchanges or all of them and grab from the jackpot of 10,000 USD and a massive 100,000 GUNTHY tokens pot. - The tournament for the Gate.io will start at midnight on 15 August 2022. - Each participant must complete 5000 USD on spot markets (Gate.io). - The total prize is 10,000 USD and 100,0000 GUNTHY distributed as follows: - From 50 to 100 qualified participants at any market: the unlocked prize is 1000$ and 10,000 GUNTHY. - From 101 to 150 qualified participants: the unlocked prize is 3,000$ and 30,000 GUNTHY. - From 151 to 200 qualified participants: the unlocked prize is 5,000$ and 50,000 GUNTHY. - Over 200 qualified participants: the unlocked prize is 10,000$ and 100,0000 GUNTHY. The unlocked prize will be distributed to qualified users that will reach the highest PNL % at spot markets, as follows: - From 1st to 10th highest PNL%: share equal percentual of 50% of the unlocked prize. - From 11th to 50th highest pnl%: share equal percentual of 30% of the unlocked prize. - From 51th to 100th highest pnl%: share equal percentual of 20% of the unlocked prize.

How to join the Gate.io Trading Competition in August 2022

  - You must be an active gate.io spot user, if you're not already a user create a gate.io account here. - Open a chart and click on the dashboard - PNL button. - Select a pair from a participating exchange in the tournament, and stay on the page for 60 seconds. - After you can check in our tournament portal if your nickname has been added and the classification. TIP: Do this from time to time in order to refresh your stats.

Gunbot Permanent Tournaments Updated

- Gate.io. - Binance.com exchange. - Gunthy Mex exchange and Gunthy futures. - Huobi Global exchange. - Mexc Global exchange. - okgunbot.com exchange. - FTX exchange.  

How to opt-in for the Gunbot Permanent Tournaments Crypto Trading Competition – Configuring your Gunbot

- Click the Profile icon. - Click on the Tournament Tab. - Toggle on Tournament Opt-in. - Set your nickname, and click apply at the bottom of the page. - Click on the top Menu  - Save Changes button.

“Make sure to give your bot a unique nickname, which will be shown on the tournament leader board.” If you run multiple bot instances and want all of them to participate in a tournament, number your instance nicknames like this: TraderNickname_1, TraderNickname_2, TraderNickname_3. They will automatically get aggregated to a single leaderboard entry at the end of the tournament. Don’t forget to Grab your Gunbot License if you don’t have one. That’s all folks, happy bot tradin' Read the full article

6 Best Free Password Managers: A blog on the best free password managers available.

Working remotely has become regular for many of us, which means that it's more necessary than ever to safeguard your online accounts with strong passwords. But it may be challenging to learn dozens and dozens of passwords, and it's plain hazardous to use the same old password over and over. Suppose you find yourself regularly getting locked out of one online account or another because you're drawing a blank when you try to log in. In that case, it's time to consider a password manager, which can help you effortlessly supervise and handle all your login credentials. They're also helpful for auto-filling forms and synchronizing your data across Windows PCs and Macs, iPhones, iPads, Android phones and more. A password manager is simply an encrypted digital vault that saves safe password login information. You need to access applications and accounts on your mobile device, websites and other services. In addition to keeping your identity, credentials and sensitive data safe, the best password manager also features a password generator to create strong, unique passwords and guarantee you aren't using the same password in numerous locations. With all the recent security breaches and identity theft headlines, having a unique password for each place can go a long way to ensure that if one site is hacked, your stolen password can't be used on other sites. You're constructing your security feature. Plus, you don't have to remember the numerous bits of login information with a manager, such as shipping addresses and payment card information. With just one master password, or in certain circumstances a PIN or your fingerprint, you may autofill a form or password field. Some additionally include online storage and a secured vault for keeping data. All our top password manager selections come in free editions, which generally enable you securely save credentials for one device — but we can presently use our pick for the best free manager for syncing across many devices — and all support hardware authentication using YubiKey. Our top password manager selections also include subscription options that enable you to sync your safe password login information across devices, exchange credentials with trusted family and friends, and receive access to secure online storage. And if transparency is essential to you, some of our selections are open-source projects. We also look at what a password manager is and the basics of how to use one. Note that our editors separately pick these password management services. We'll be updating this story frequently as more choices become available. In light of our preferred choice's recent pricing adjustment, we may be rethinking the order soon and will update this post appropriately.

Bitwarden: Best free password manager

- Open-source, secure and transparent - Bitwarden may use the free version across unlimited devices. - Premium memberships start at $10 per year. - Works with: Windows, macOS, Linux, Android, iPhone and iPad. Browser extensions for Chrome, Firefox, Safari, Edge, Opera, Vivaldi, Brave and Tor. Bitwarden leads the list of the best password managers for 2021 owing to its open-source roots and its unmatched — and limitless — free version. This lean encryption program can generate, save and automatically fill your passwords across all of your devices and popular browsers — including Brave and Tor — with comparative security strength. Its free version lacks some of the bells and whistles of our other selections, but its premium editions are just as feature-rich. Like its closest rivals, a Bitwarden premium subscription lets you exchange passwords, logins, memberships, and other stuff with trusted family and friends, utilize multifactor authentication with YubiKey and get 1 GB of encrypted storage. Although it has fewer capabilities than the premium version, Bitwarden's free edition also provides a one-to-one messaging function called Bitwarden Send, allowing you to securely communicate login credentials with another person. Suppose you're searching for a user-friendly free service with a good security record. In that case, it's hard to pass up Bitwarden, which made it into CNET's Cheapskate Hall of Fame as the best free password manager. Plus, it includes a password-sharing option so you may share all your login details with another individual. For $10 a year, you may add 1GB of secured file storage. And for $12 a year, five family members or friends may share login information. Both membership packages come with a 30-day money-back guarantee.

LastPass: Best paid password manager

- Offers free version - Base pricing beyond free: $36 per year - Works with: Windows, macOS, Linux, Android, iPhone and iPad. Browser extensions for Chrome, Firefox, Safari, Internet Explorer, Edge and Opera. The free version of LastPass once made it stand out as the most exemplary password manager in this category by offering you the opportunity to save passwords, user login details and credentials and sync all of it anywhere you want across both your mobile devices or your browsers. And although you can now see and manage passwords across mobile and desktop devices, starting on March 16, you'll have to choose to utilize the free version for either mobile or desktop. That means if you pick mobile, you'll be able to access your LastPass account across your phones, tablets or smartwatches, but not on your laptop — until you upgrade to Premium, for $36 a year, or Families, for $48 a year. The Premium Edition of the password manager also allows you to share passwords, logins, memberships and other stuff with trusted family and friends, employ multifactor authentication with YubiKey and get 1 GB of secured storage. Meanwhile, the Families plan provides you with six individual accounts, shared folders and a dashboard for managing the family accounts and keeping an eye on your account's security. No, LastPass isn't flawless: A vulnerability privately revealed in September 2019 was a frightening issue that might expose credentials. But the business corrected it before it was found to be exploited in the wild. It was one of the numerous vulnerabilities that have been identified in LastPass over the years. More recently, though, privacy issues surfaced regarding LastPass's Android app when a privacy advocacy organization identified seven web trackers within the mobile app. In light of these privacy issues and LastPass's new limits on its free-tier service, we're now in the process of reevaluating LastPass's rating in our list of best password managers.

1Password: Best paid password manager for multiple platforms

Offers trial version Base price: $35.88 per year Works with: Windows, macOS, Linux, Chrome OS, Android, iPhone and iPad. Browser extensions for Chrome, Firefox, Safari, Edge and Opera. Suppose you're searching for a reliable password manager tool to keep your login information private and safe. In that case, 1Password is the most exemplary password manager for the purpose, enabling you to access your accounts and services with one master password. It's accessible for all leading gadget platforms. This attractively designed password manager lacks a free version, but you may check it out for 14 days before joining up. (Alas, that's down from the initial 30-day trial term.) Individual membership is $36 a year. It comes with 1GB of document storage and optional two-factor authentication using Yubikey for added protection. A trip mode allows you to remove your 1Password sensitive data from your device when you travel and then restore it with one easy click when you return. Hence, it's not subject to border inspections. On Macs, you can use Touch ID to unlock 1Password, and on iOS devices, you can use Face ID. For $60 a year, you can cover a family of five, sharing passwords, credit cards and everything else among the group using a single password management app. Each individual gets their vault, and it's easy to manage who you share information with and what they can do with it. You may also establish separate guest accounts for password sharing to exchange Wi-Fi connection credentials, for example, or home alarm codes with guests.

Other free and paid alternatives worth considering

Bitwarden, LastPass and 1Password are excellent, cheap (or free) password managers. In a straw poll of CNET employees, they were about neck-and-neck in usage. But suppose you discover none of our three suggested password managers works precisely as you desire. In that case, several additional applications are worth trying. These all have free versions available.

Dashlane

- Offers limited free version (50 passwords on one device) (50 passwords on one machine) - Base pricing beyond free: $59.88 per year - Works with: Windows, macOS, Android, iPhone and iPad.  - Browser extensions for Chrome, Firefox, Safari, Internet Explorer, Edge and Opera. Dashlane offers an easy and safe method to manage your passwords and keep other login information saved. Just for organizing passwords, we like it as much as our choices. However, the free Dashlane app restricts you to one device and 50 passwords. The $60 Premium membership is comparable to options from 1Password and LastPass. The $120 Premium Plus yearly membership includes credit and ID-theft monitoring.

Keeper

- Offers limited free version (unlimited passwords on one device) (unlimited passwords on one machine) - Base pricing beyond free: $35 - Works with: Windows, macOS, Linux, Android, iPhone and iPad.  - Browser extensions for Chrome, Firefox, Safari, Internet Explorer, Edge and Opera. Keeper is another safe password organizer that lets you manage login data on Windows, macOS, Android and iOS devices. A free version offers you unlimited password storage on one device. The step-up version costs $35 a year and allows you to sync passwords across numerous device choices. For about $45 a year, you can obtain 10GB of safe file storage.

KeePassXC

- It's free  - Donations welcomed - Works with: Windows, macOS, Linux, Chrome OS, Android, iPhone & iPad, BlackBerry, Windows Phone and Palm OS.  Access through the web plus standard browser addons. (Except for the official Windows version, KeePass for other platforms are unofficial versions.) KeePass, another open-source software password organizer, began on Windows and has been adapted using the same code base to various platforms, including macOS, Android and iOS. On the positive side, it's completely free and supported by the Electronic Frontier Foundation. On the other hand, it's valid for sophisticated users only: Its user interface requires a little tweaking to make all the separately developed versions of KeePass function together.

Password manager fundamentals

Still, need more knowledge on what password managers are and why they're better than the alternatives? Read on.

How does a password manager work?

To begin started, a password manager will record the login and password you use when you first check in to a website or service. Then the next time you visit the website, it will autofill forms with your stored password login information. For those websites and services that don't enable automated filling, a password manager allows you to copy the password to paste into the password box. Suppose you're difficulty choosing a decent password. In that case, a manager may create a strong password for you and monitor that you aren't repeating it across different sites. And suppose you use more than one device. In that case, you want a manager that is accessible across all your devices and browsers so that you can access your passwords and login information — including credit card and shipping information — from anywhere via the manager app or its browser extension. Some offer safe storage so that you may keep other things too, such as papers or an electronic copy of your passport or will. Take note: Many password managers store the master password. It would help if you opened the manager locally and not on a distant server. Or, if it's on a server, it's encrypted and not readable by the business. This guarantees your account remains safe in case of a data breach. It also implies that if you forget your master password, there may not be a method to retrieve your account via the business. Because of it, a few password managers provide DIY kits to let you restore your account on your own. Worst-case scenario, you start over with a new password manager account and then reset and store passwords for all your accounts and applications.

What makes for a safe password?

When attempting to prevent a weak password, a decent password should be a lengthy string of capital and lowercase letters, numbers, punctuation and other nonalphanumeric characters — something that's tough for others to guess but a breeze for a password manager to keep track of. And to what you may have heard, if you choose a solid password or passphrase, you don't need to update it regularly. Can I use a web browser to handle my passwords and login information? You may use Chrome, Safari or Firefox to manage your passwords, addresses and other login info. You can even set up a master password to access your credentials inside a browser. And although utilizing an internet browser's password tool is better than not using a password keeper at all, you can't quickly access your passwords and other login data outside of the browser or share login knowledge with people you trust.

What about iCloud Keychain?

Through iCloud Keychain, you can access your Safari website usernames and passwords, credit card details and Wi-Fi network information from your Mac and iOS devices. It's lovely if you live in Apple's universe. But if you go outdoors and use a Windows or Android device or use the Google Chrome or Firefox browser, iCloud Keychain comes up short. Read the full article

Why is it that the less important the service, the more likely it is to support strong security and vice versa. Like, I can use a Yubikey to protect my fucking Reddit account, but not my bank or 401(k). PayPal didn’t even support 2FA over TOTP until relatively recently; you had to get a text message.

Yubikey.Support for 2-Factor Verification | Yubikey Support

Experience heightened security with YubiKey's 2-factor verification support. Safeguard your online presence using this robust hardware-based solution. Receive prompt assistance for setup and troubleshooting, ensuring a secure digital journey. Your ultimate security companion.

Discover the power of YubiKey support for seamless 2-factor verification. Enhance your online security with this hardware-based authentication solution. Get quick and reliable assistance for setup and troubleshooting. Your key to a safer digital experience.

Why You Should Sign In With Google, Facebook, or Apple Nopparat Khokthong/Shutterstock.com Are you still creating user accounts everywhere? Maybe you should stop and sign in with your Google, Facebook, or Apple account instead. It might just be more secure—and it’s definitely more secure if you’re not currently using a password manager. One Strong Password With No Password Reuse If you’re creating user accounts for each service you use, there’s a good chance you’re reusing passwords or using simpler passwords that are easy to remember. Then, when a website is breached and leaks your password, an attacker could use those email and password combinations to get access to your accounts. DoorDash losing 5 million logins was just the most recent example, but such breaches happen frequently. That’s why we recommend using a password manager: You can create strong, unique passwords for each service you use and store them in your password manager’s secure vault. But, unfortunately, most people don’t use password managers. If you sign in with Google, Facebook, or Apple, you can create a strong, unique password and remember it. You just have to remember that one password for your main account. It’s kind of like using a password manager, but it’s a little easier for the average person to get started with. There’s another significant advantage to signing in with Google, Facebook, or Apple, too: Two-factory security. Physical Security Keys and Other Two-Factor Tricks Cameron Summerson You have many more options for locking down your Google, Facebook, and Apple accounts. For example, you can require a YubiKey or a Google Titan Security Key when signing into your Google or Facebook account. Other options like a code-generator app, app-based authentication, and SMS-based authentication are also available. If you sign into other services with a Google or Facebook account, your two-factor authentication method is effectively securing that other account, too. Other services don’t generally have such a wide variety of two-factor options and support for hardware security keys—in fact, they may not offer two-factor authentication options at all. Apple doesn’t offer support for physical security keys like this. But, when you use Sign in With Apple and sign in on another device, you’ll be prompted to enter a verification code sent to your trusted Apple device or phone number. Your Apple account and its two-factor authentication becomes the security key to your other accounts. What About Privacy? You might be concerned about this because of privacy. Do you really want Facebook or Google knowing about every other site you have an account with? And do you really want every app you’re using seeing all your Facebook information? Read the remaining 9 paragraphs https://buff.ly/2oyL9me

Staying Safe Online

With all the data breaches in the news lately one thing is clear, staying safe online isn’t easy! It’s probably good practice to assume you will be the subject of a data breach at one point in your life, so how can you stay protected even if the worst happens? This guide was written to help users of Kinmunity stay safe online, but the guide applies to everyone and can be shared and reproduced under a Creative Commons BY-SA licence.

1. Use a different password on every site / app.

This tip is now given out in almost every online security guide I’ve seen, and it’s often the tip that is most ignored by users because it is difficult to do. The more sites and apps you’re on, the more passwords you have to remember, right? Password reuse is AWFUL for security’s sake. Let’s say you use the same password on Kinmunity as another website you use, say an online game. Let’s say you also use that password for your PayPal. The game site gets compromised and your password leaks, guess where else the attackers can login -- your PayPal and Kinmunity accounts. But how can you use a different password everywhere safely? That brings us to the next point...

2. Use a secure password manager.

We at Kinmunity recommend Bitwarden. A password manager allows you to remember one (hopefully secure!) password, which is used to decrypt a database containing your other passwords. Bitwarden allows you to generate a secure and random password for each site or application you use, and then stores it for you so you don’t have to remember it either. It supports syncing across multiple devices, and is open source. If you’re a nerd, even the server is open source so that you know your passwords are secure!

3. Use two-factor authentication where it is available.

Two-factor authentication combines something you know (your password) with something you have (your mobile phone, or hardware security token) before granting access to a service. This makes it much harder for an attacker to gain access to your accounts, even if they have your password. The most secure form of 2FA is the hardware token - we recommend the Yubikey Security Key for this purpose. You can also use your phone to generate time-based tokens - we recommend the Authy App for this!

4. Look before you type.

Never enter your username and password anywhere without verifying that you’re where you are supposed to be. Most modern services use SSL (you’ll notice the lock icon on your browser) - ensure the lock is there. Then, check the URL itself as it appears in the address bar of your browser to ensure you’re on the correct site. https://www.kinmunity.com/login is our site, for example. https://www.kinmunity.com.fr/login, http://kinmunity.com.login.us, and https://login.kinmunity.com.nz aren’t.

5. Change your passwords frequently.

We recommend that you change your passwords on the various sites you are on once every three months. You can use your Password Manager to help you! This helps so that if there is a breach, the time that they can use the passwords they’ve stolen is limited.

6. Never share passwords, for any reason, ever.

That customer service person on the phone does not need your password. Your boss at work does not need your password. Site administrators do not need your password. Your friends and significant other do not need your password. Period. Sharing passwords is a bad habit to get into, and it strongly increases the chance of you getting compromised. You cannot control information and who receives it once you give it to another person -- and it’s all too easy to become a victim of phishing. 

A good example from an administrative side; I do not need somebody’s password to login to their Kinmunity account (nor their 2FA token if they use two-factor). I simply need their permission and I can do it from the admin panel. Most sites and services are setup like this. DO NOT SHARE YOUR PASSWORD.

7. Put security first, your identity depends on it.

No, it really does. Identity theft is the fastest growing crime in America, as I’m sure you’ve heard quoted over and over again by various news stations. A lot of reasons the general public does not implement basic security measures that would strongly reduce the chances of them becoming victims is because it is convenient not to. Reusing the same password over and over is simple, and it means you don’t have to download a password manager and remember a master password, for example. However, it also means that it is convenient and simple for an attacker to steal your identity. Security is a digital lifestyle, and it’s time for a lifestyle change if you’re not living it!

8. Evaluate the sites and services you use.

Do you care about your identity and privacy? Great - the message is sinking in! Unfortunately, many services do not. In 2019, there are still websites and apps that are storing user passwords on their servers in plain text, fully in view to anyone who manages to gain access to that server. If you use a site listed on https://plaintextoffenders.com, you may wish to discontinue its use. Google around about a site for its reputation, and the reputation of those operating it. You might save yourself a headache later if you don’t sign up for that popular virtual pet game being ran by sketchy operators.

9. Protect your devices.

A lot of application developers and service operators DO put a lot of thought in security. This makes it more attractive to malicious actors to create spyware & malware for home computers and mobile phones. Use a reputable anti-virus solution -- Yes, Mac & Linux users, that includes you too! You -CAN- get viruses.

10. Seriously, follow the guide.

Don’t read this guide and follow the three easiest tips to implement. Don’t read this guide and follow all but one tip. Follow each and every one, because the moment you pick and choose what you feel is important, is the moment you open yourself up to needless vulnerability. Kinmunity is one of the most secure communities on the internet, and it didn’t become that from carelessness. The moment you become complacent is the moment you become wide open.

Authorship

This guide was developed by Naia Ōkami. She is a reputable security consultant specializing in offensive operations and penetration testing. The purpose of this guide is to give Kinmunity users simple tips to better help them protect their digital identity, but the majority of the document could apply to all internet users in general. For this reason, it is available under a Creative Commons BY-SA license for all to reproduce and use!

TrickBot’s new tricks. Poisoning the ad supply chain. Clouds get schooled. Novel phishing tackle, but stale bait. Cyberwar powers. Election interference. FaceApp fears. Bad macro suspect arrested.

TrickBot gets some new tricks, and they’re being called Trickbooster. Poisoning the advertising supply chain. Hessian schools will shy away from American cloud services. A novel phishing campaign is technically savvy but gives itself away with broken English phishbait. Congress would like to see Presidential cyberwar instructions. Microsoft warns of foreign attacks on elections. FaceApp looks suspicious. And a suspect is collared in a malicious macro case. Jonathan Katz from UMD on random number issues in YubiKeys. Carole Theriault speaks with Michael Madon from MimeCast on email imposter scams.

For links to all of today's stories check our our CyberWire daily news brief:

https://thecyberwire.com/issues/issues2019/July/CyberWire_2019_07_18.html 

<a href="https://www.patreon.com/thecyberwire" rel="payment">Support our show</a>

Check out this episode!

Avoid the dangerous conclusions of Google's basic account hygiene study

Google recently published the results of a study to get actual data on how to keep accounts secure. They conclude that phone number verification (e.g.: SMS 2FA) works and is effective in a large number of cases. 

Our research shows that simply adding a recovery phone number to your Google Account can block up to 100% of automated bots, 99% of bulk phishing attacks, and 66% of targeted attacks that occurred during our investigation.

While it’s true that this will stop _most_ attacks, the important thing is the ones that it doesn’t. If you’re specifically targeted, and specifically if you’re targeted by SIM hijacking, SMS 2FA will not only do nothing to protect you, it may even provide an easier attack surface for someone to compromise your accounts. Every day seems to bring another story of someone who was targeted for a crypto wallet or their instagram or twitter account, and their SMS 2FA was bypassed by SIM hijacking.

The conclusions of this study are interesting, but primarily in an academic way. If you’re _only_ at risk for automated compromise, SMS 2FA will help you. But if you’re at any risk of targeted account compromise which is getting easier every day and who knows what you have that’s valuable to someone, SMS 2FA will do you more harm than good. The only excuse for using SMS 2FA is that it’s convenient. We should deprecate it entirely in favor of TOTP with site verification (which 1Password does with their browser extensions) or hardware keys (yubikeys are the most common, but until they’re wirelessly supported on iOS, this is a non-starter for a lot of folks). Apple should stop making it easy for users to use by populating codes from Messages, and support TOTP seeds in keychain. Web application creators should stop pushing SMS verification on people and switch to TOTP. If you have that option instead of SMS 2FA, use it. If you don’t have that option, ask for it. Companies won’t know they should change unless you tell them. I’ve had several services I use switch after I expressed concern.

If you’re forced to use SMS 2FA, and probably even if you don’t, you should have a transfer PIN on your wireless account. Here’s a guide to get started with the common wireless carriers: https://clark.com/scams-rip-offs/sim-hijacking-how-to-add-pin-mobile-phone/