Fixing C's Biggest Mistake

Don Allen donaldcallen at gmail.com
Wed Jan 11 13:35:39 UTC 2023


On Wednesday, 11 January 2023 at 04:32:41 UTC, Don Allen wrote:
> On Wednesday, 11 January 2023 at 04:03:02 UTC, Walter Bright 
> wrote:
>> On 1/10/2023 7:39 PM, Don Allen wrote:
>>> I'm not looking for zero risk, which is impossible. I'm 
>>> looking for the most reasonable operating point. Again, 
>>> cost/risk vs. benefit.
>>
>> I don't know your situation, but losing all my passwords would 
>> be a disaster for me. I've had my checking account 
>> compromised, credit cards compromised several times. Multiply 
>> that by a hundred.
>>
>> I've seen sob stories on HackerNews where some victim had his 
>> Mac compromised, and the hacker then took over all his 
>> accounts, changed the passwords, and started impersonating the 
>> victim.
>
> I think it's a pretty safe bet that the "victim" did something 
> dumb. If you use your wife's maiden name as the password of 
> your Google account, don't enable 2FA, and your account gets 
> hacked, are you a victim? I don't think so. Information for how 
> to protect yourself online is everywhere. People ignore it, 
> just as they ignore warnings about smoking.
>
>>
>> Apple won't fix it for you, Google won't fix it for you, 
>> Amazon won't fix it for you.
>>
>> You're borked.
>>
>> No thanks.
>
> Well, you and I just have a different set of weighting factors.
>
> Do you carry a cellphone? There are risks, as I'm sure you well 
> know. I have friends at MIT who won't use them who, I'm quite 
> sure, would agree with you about password managers. Use credit 
> cards? See what Richard Stallman has to say about that. Write 
> checks? Risks.
>
> I think this is just like getting on an airplane or driving a 
> car. Most of us accept the risks in return for the benefits. 
> But not all.

I forgot to mention a couple of things about password managers. I 
won't convince you, but for the benefit of anyone reading this 
who may be considering their use:

1. Any password manager worth using provides 2FA for the main 
password. So in the very unlikely event that a hacker got your 
password (key logger or whatever), they are not going to get past 
the need for a time-dependent code. 1Password has this, of 
course, and requires codes generated by a phone-based 
authenticator.

2. 1Password gives you a long "secret key", which you must 
produce to set up 1Password on a new device. They provide that 
key in a .pdf file, which you can store offline, or encrypted (I 
encrypt sensitive files with AES256 using a 32-character key that 
is stored offline).

So for someone to get into your 1Password account from a device 
other than yours, they need to

1. Steal your password
2. Produce the "secret key", which they won't be able to
3. Get past 2FA, which they won't be able to
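As an added example (not code from the post, the thread, or 1Password), the following Python models the three layers the post describes: a master password fed to a slow KDF, a high-entropy "secret key" fed to a fast KDF, the two combined by XOR into the vault key, and a time-based one-time code (RFC 6238 TOTP) checked with a small clock-skew window. The salt, e-mail address, secret-key string and TOTP secret are constructed for the demo; the KDF parameters, the XOR combination and the `derive_vault_key`, `totp` and `verify_totp` names are assumptions of this sketch, not 1Password's real protocol (which also involves SRP and different parameters). The property it shows is the one the post relies on: with the password alone, an attacker still derives the wrong vault key, and a captured one-time code stops working once its time step has passed.

```python
"""Toy model of password + secret key + TOTP (stdlib only; not 1Password's protocol)."""
import hashlib
import hmac
import struct

# Assumed parameters for this sketch, not the real product's.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32          # 256-bit vault key
TOTP_STEP = 30        # seconds per RFC 6238 time step


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = KEY_LEN) -> bytes:
    """RFC 5869 HKDF (extract, then expand) with HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_vault_key(master_password: str, secret_key: str, email: str, salt: bytes) -> bytes:
    """Two-secret key derivation.

    The low-entropy password goes through a deliberately slow KDF; the
    high-entropy secret key only needs a fast one. XORing the two outputs
    means that knowing either input alone tells you nothing about the
    vault key, so a keylogged password is not enough on a new device.
    """
    pw_part = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, KEY_LEN
    )
    sk_part = hkdf_sha256(secret_key.encode(), email.lower().encode(), b"vault-key")
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def totp(secret: bytes, at_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP (RFC 4226, HMAC-SHA1) over the current time step."""
    counter = struct.pack(">Q", at_time // TOTP_STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1) -> bool:
    """Accept the current step and +/- `window` neighbouring steps (clock skew).

    Uses a constant-time comparison so the check does not leak how many
    leading digits of a guess were right.
    """
    for drift in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, at_time + drift * TOTP_STEP), code):
            return True
    return False


def demo() -> dict:
    """Walk through the three steps an attacker on a new device would need."""
    # Constructed inputs for the demo. A real account uses a random per-user salt.
    salt = b"constructed-fixed-salt-for-demo!"
    email = "alice@example.com"
    password = "correct horse battery staple"
    secret_key = "A3-ASWWYB-798JRY-LJVD4-23DC2-86TVM-H43EB"   # constructed, secret-key-like format
    totp_secret = b"12345678901234567890"                   # RFC 6238 reference secret

    real_key = derive_vault_key(password, secret_key, email, salt)
    # Step 1 done (password keylogged), step 2 not: attacker guesses a secret key.
    attacker_key = derive_vault_key(password, "A3-GUESSED-WRONG-KEY-00000-00000-00000", email, salt)

    # Step 3: a one-time code captured at t=59 is useless two steps later.
    captured_code = totp(totp_secret, 59)
    return {
        "vault_key_hex": real_key.hex(),
        "attacker_has_correct_key": real_key == attacker_key,
        "captured_code": captured_code,
        "code_accepted_now": verify_totp(totp_secret, captured_code, 59),
        "code_accepted_later": verify_totp(totp_secret, captured_code, 59 + 2 * TOTP_STEP),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The iteration count here is only illustrative; a real deployment tunes the slow KDF (and preferably uses a memory-hard one) to the hardware it expects, and stores the salt and secret key material out of band, as the post's offline PDF does.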


