by user49598 5061 days ago
Passwords: Don't try to remember them. Use a service like passpack to generate and store random ones for every account. Two pass authenticate into it.

Data: Back it up. Back up your backups. Stop fucking around. If you don't get hacked, your storage will fail.

Software: Don't install shit you don't trust. Don't trust shit you can't verify.

Passwords: Don't try to remember them!!

It's 2012, not following these simple rules is inexcusable.


Unfortunately, my AppleID password is one I _do_ need to remember - I need to use it often, and in places that 1Password won't auto fill. At least: the iCloud website login, various iDevices when using app store, and iTunes on several machines (all on the home sharing network). The alternative seems to be to have all those devices "remember" my AppleID password, which seems like a security lose.

Unfortunately, my AppleID password is one I _do_ need to remember - I need to use it often, and in places that 1Password won't auto fill.

Write it down on a piece of paper (or use a password manager that will show your password).

Back in the 1990s "writing down passwords" was considered a huge security hole.

Nowadays attack vectors have changed and it is probably more safe than using a memorable password.

The alternative seems to be to have all those devices "remember" my AppleID password, which seems like a security lose.

If your devices are physically safe, and iCloud has remote log-out (does it?) then this may be more safe too.

Not disagreeing with you but think of all the times you need your appleID on the go. Carrying around a piece of paper may not be feasible or ideal

The strong password has value. Credit cards and cash have value.

Write the strong password on a credit card sized bit of paper, and keep it in your wallet.

People tend to keep their wallets safe.

Most people can learn complicated passwords after a few days or weeks of use, so you can keep the paper in a safe place at home once you've learnt it.

Worst advice ever. Now you only need to lose your wallet and you're in the same situation as the article's. The old advice is still sound.

A random string of characters in a wallet doesn't have a lot of value. Of course, don't write down what that string is for, and make sure you have another copy at home. If you are really concerned, leave off the first character of your password and remember that.

The truth is that 2-factor authentication is the real solution. But one has to make do with imperfect solutions

No.

Writing your password / passphrase down allows you to choose a good, strong password. You do not give anything that links that password to a particular service.

Most people will only need to refer to the written password for a week or so, and then they will remember it.

You put the piece of paper in the wallet because you want people to treat it like a 50 dollar bill. People leave bits of paper anywhere, but they don't leave 50 dollar bills everywhere.

Not writing down the password? Yeah, we see how well that works. (https://www.google.co.uk/search?q=most+popular+passwords)

It is baffling to me that authenticating to computers, software, and services is still so weirdly broken. Especially since there is now billions of dollars involved in it.

If you label the passwords you're probably doing it wrong. If someone pulls out a piece of paper that says "QWhXnLv0qzi1h1m" out of my wallet, how are they going to use it?

If you're worried about someone stealing it, just shift the password over, so it's now "mQWhXnLv0qzi1h1 > 1" on paper.

There are strong/long passwords that are easy to remember:

%Thisspasswordd1s1nhonor..ofmy246catSS!!

http://xkcd.com/936/

Having a 20-30 character long password is fairly easy. It may not be 100% random, but (correct me if I'm wrong) a password that long with just a handful of random extra letters and numbers is going to be rather easy to remember and probably going to be just as hard to brute-force.

You have to be careful when adding some random characters, because most cracking software includes dictionary mangling options.

Thus, option, 0ption, opt1on etc. all get mangled into a wordlist, while )*&HD@IHU doesn't. Yes, it still increases difficulty, and they are much easier to remember, but people need to be careful.

Software: Don't install shit you don't trust. Don't trust shit you can't verify.

This one is pretty tricky. There's a lot of little tools out there that I find invaluable, and haven't screwed me over yet (as far as I know), but fall firmly in the "downloaded it off someone's little personal website" category.

I'd say we need better fine-grained permission systems for software, so people can install programs without needing to trust them, safe in the knowledge that they'll get the opportunity to deny any malicious behaviour before it actually happens.

That's what the Mac App Store is starting to do, but unfortunately, it's "completely sandboxed in the store" or "not in the store". I'd like a model that started completely sandboxed but let me choose if I want to let it out of the sandbox in certain, well-monitored cases.

let me choose if I want to let it out of the sandbox in certain, well-monitored cases

That's exactly what I mean. I envisage something kinda like Windows 7's UAC dialogs, but more specific than "this program wants root! [allow] [deny]" -- more along the lines of "this program wants to install a driver / write to such-and-such protected files (its own program folder/anywhere in Program Files/the Windows folder/...) / low-level disk access / to run at startup / etcetc [allow] [deny]".

Actually, I'd specifically forbid "all permissions" as an option; an enumeration of every permission a program wants would make the user more likely to notice unreasonable requests than a single item would, even if that single item's actually "everything". I get the impression, from seeing ordinary users dealing with UAC, that they don't usually appreciate quite how much power they're giving programs when they hit "allow".

I believe that's similar to what SELinux does, although I've never used it beyond observing its presence on university-owned computers.

That's what Apple's shooting for with the App Store's sandboxing requirements, but I'm sure the typical HNer will continue to have a few programs that need to operate outside the limited entitlements that the App Store allows. Still, it'll be better to have a single digit count of those on your computer instead of anything being able to erase your home folder without asking.