{"id":930,"date":"2013-08-08T20:35:38","date_gmt":"2013-08-09T01:35:38","guid":{"rendered":"http:\/\/www.nathanhunstad.com\/blog\/?p=930"},"modified":"2013-08-08T20:39:24","modified_gmt":"2013-08-09T01:39:24","slug":"chrome-security-and-best-practices","status":"publish","type":"post","link":"https:\/\/www.nathanhunstad.com\/blog\/2013\/08\/chrome-security-and-best-practices\/","title":{"rendered":"Chrome security and best practices"},"content":{"rendered":"<p>Many in the security community are all atwitter about the Chrome browser not encrypting passwords. They call this bad security; a lot of people <a href=\"http:\/\/www.wired.com\/threatlevel\/2013\/08\/chrome-password-manager\/\" target=\"_blank\">disagree<\/a>. I tend to agree with the latter group: putting a master password or otherwise putting some kind of encryption in Chrome\u2019s password store wouldn\u2019t materially increase security, and would give users false comfort. Many other software manufacturers feel the same way (see, for example, <a href=\"https:\/\/developer.pidgin.im\/wiki\/PlainTextPasswords\" target=\"_blank\">Pidgin<\/a>).<\/p>\n<p><!--more--><\/p>\n<p>If your browser auto-fills passwords for you without requiring a master password, then you can get at them, <a href=\"http:\/\/www.labnol.org\/internet\/reveal-hidden-password\/25600\/\" target=\"_blank\">asterisks or not<\/a>. The simple answer is to not store passwords for sensitive accounts in your browser and assume that people can get to them. The longer answer is that you need multiple layers of security. Here are some of the few I use:<\/p>\n<p>1. <strong>Use a <\/strong><a href=\"http:\/\/www.nathanhunstad.com\/blog\/2011\/02\/useful-computer-utilities-keepass\/\" target=\"_blank\"><strong>password manager<\/strong><\/a>. This is important, not necessarily because it gets your passwords out of the browser, but because it allows you to <strong>stop reusing passwords<\/strong>. 
This mainly matters if your password is stolen from the server side, but that\u2019s a constant threat. My Zappos password was breached but <a href=\"http:\/\/www.nathanhunstad.com\/blog\/2012\/01\/zappos-data-breach\/\" target=\"_blank\">I didn\u2019t care<\/a> because I didn\u2019t reuse that password. Do you need to use a unique password for everything? Of course not: that web forum you go on that has no personal or financial data can use a silly little password, and you can even store it in your browser if you want. But for anything tied to money or your online identity, keep it safe.<\/p>\n<p align=\"left\">Let\u2019s be honest, though: just because I use a password manager doesn\u2019t mean my passwords are safe. Malware like keyloggers could grab information. So what else do I do? Lots.<\/p>\n<p>2. <strong>Monitor your accounts<\/strong>. My most sensitive accounts are my financial accounts, and I\u2019m sure that\u2019s the case for most people. Every day, I download all of my account data into Quicken (you can use Mint too). Why? First, because I\u2019m super-analytical and need to know the data. But in addition to my irrational desire to analyze, this lets me see if anything weird is going on in my accounts. Waiting a month to get your statement is too late.<\/p>\n<p>3. <strong>Don\u2019t use an account with Local Admin Rights for your day-to-day stuff<\/strong>. In Windows, it\u2019s a lot easier to set yourself up with LAR to go about your business. Don\u2019t do it. Set up a separate Admin account (and don\u2019t use the default Admin account, create your own) and use an account with limited rights for normal activities. Of course, put strong passwords on all your accounts.<\/p>\n<p>4. <strong>Use malware protection<\/strong>. <a href=\"http:\/\/windows.microsoft.com\/en-us\/windows7\/products\/features\/windows-defender\" target=\"_blank\">Windows Defender<\/a> is good and free. 
So is <a href=\"https:\/\/www.google.com\/url?sa=t&amp;rct=j&amp;q=&amp;esrc=s&amp;source=web&amp;cd=1&amp;cad=rja&amp;ved=0CC8QFjAA&amp;url=http%3A%2F%2Fwww.safer-networking.org%2F&amp;ei=j0MEUqP6MMOkyQGikIGQDQ&amp;usg=AFQjCNEoZlwXzxW0n_IBJJ-jLRPkt1Ypzw&amp;sig2=bw0dC00GSIaTv6uL43V1mA&amp;bvm=bv.50500085,d.aWc\" target=\"_blank\">Spybot<\/a>. So are a lot of others. Pick something and use it.<\/p>\n<p>5. <strong>Get Acrobat Reader off your computer<\/strong>. Seriously. There\u2019s no reason to have it: plenty of <a href=\"https:\/\/www.google.com\/url?sa=t&amp;rct=j&amp;q=&amp;esrc=s&amp;source=web&amp;cd=1&amp;cad=rja&amp;ved=0CC8QFjAA&amp;url=http%3A%2F%2Fwww.tracker-software.com%2Fproduct%2Fpdf-xchange-viewer&amp;ei=0UMEUtvxDIPyyAH_yICoDg&amp;usg=AFQjCNHzgDlpKnamRtd9NENSIZ-8GxAwzw&amp;sig2=uPn0Oa0Fpvv0vkrZwBTVvQ&amp;bvm=bv.50500085,d.aWc\" target=\"_blank\">good alternatives<\/a> exist. It may not be the biggest vector for vulnerabilities, but it\u2019s bad enough.<\/p>\n<p>6. <strong>Update your software<\/strong>. Set Windows Update to automatic, and use something like <a href=\"http:\/\/secunia.com\/vulnerability_scanning\/personal\/\" target=\"_blank\">Secunia<\/a> for your other applications. Java and Flash are particularly important.<\/p>\n<p>This may sound like a lot, but most of this stuff is 100% automated. You just have to spend a few minutes a day looking things over, maybe a bit more for updates. Spending too much time updating apps? Ask yourself if you really need them.<\/p>\n<p>Some people go overboard and claim that you should only access your bank site from a Linux Live CD, etc. Is this more secure? Sure it is. Is it as easy as what I do? Not at all, and I don\u2019t think the delta in terms of extra security is worth the hassle.<\/p>\n<p>Because here\u2019s the ugly truth: even if you do <em>everything<\/em>, you are going to be compromised. One of my credit card numbers was stolen and used a few weeks ago. I have no idea how it happened. 
My guess is that it was captured in the recent outbreak of <a href=\"http:\/\/kstp.com\/article\/stories\/s3026297.shtml\" target=\"_blank\">credit card skimmer use<\/a>. Short of not using cards at all, or inspecting every pump with a close eye before use, there is nothing I could have done to prevent this. Which leads to my last mitigating control:<\/p>\n<p>7. <strong>Document everything, and back it up<\/strong>. Document your credit cards, banking info, all of it. Know what accounts are used for what (I have created a handy Visio-like flowchart for mapping out my account flows). Keep phone numbers for customer service. When you are compromised, it will make the cleanup much easier.<\/p>\n<p>This is a long list, true. But in our connected world, we honestly have no choice. Given everything that you need to keep on top of if you engage in interweb work, do you really think that a master password for your Chrome saved passwords is going to cut it?<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Many in the security community are all atwitter about the Chrome browser not encrypting passwords. They call this bad security; a lot of people disagree. 
I tend to agree with the latter group: putting a master password or otherwise putting some kind of encryption in Chrome\u2019s password store wouldn\u2019t materially increase security, and would give&hellip; <a class=\"more-link\" href=\"https:\/\/www.nathanhunstad.com\/blog\/2013\/08\/chrome-security-and-best-practices\/\">Continue reading <span class=\"screen-reader-text\">Chrome security and best practices<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"om_disable_all_campaigns":false,"_monsterinsights_skip_tracking":false,"_monsterinsights_sitenote_active":false,"_monsterinsights_sitenote_note":"","_monsterinsights_sitenote_category":0,"footnotes":""},"categories":[127],"tags":[155,76],"class_list":["post-930","post","type-post","status-publish","format-standard","hentry","category-security","tag-encryption","tag-password","entry"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/930","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/comments?post=930"}],"version-history":[{"count":2,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/930\/revisions"}],"predecessor-version":[{"id":933,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/posts\/930\/revisions\/933"}],"wp:attachment":[{"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/media?parent=930"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/categories?pos
t=930"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.nathanhunstad.com\/blog\/wp-json\/wp\/v2\/tags?post=930"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}