How does my strategy compare to yours? Let me know in the comments. And be sure to take advantage of the 20% off DeleteMe to get more privacy online: www.joindeleteme.com/allthingssecured

@Gotjits0156

3 ай бұрын

Consider this: Should your biometrics data end up being compromised, you're F'ed. It's not something you can change, and once it's out in the data world, that's final. Probably not a wise decision to use biometrics for this reason.

@UCLAdisciple

9 күн бұрын

Hi, Josh. I really enjoy your channel!! I have a friend that followed your advice and purchased a Yubikey to secure her Google account. She created a google number and only uses it for financial institutions. She then created a new email address only to be used for her financial accounts. The problem is if my friend was sim swapped the google number would forward to the phone the fraudster took over and they could reset the bank passwords. If she doesn't have the google number forwarded to her regular number, she may not receive timely texts from her bank. Other than using Efani, is there any way to protect against this? Thank you for your response.....

I have a request/suggestion. When you mention another video in your videos, please leave a link in the description in addition to the popup within the video. This has happened to me several times while watching one of your videos. I am wanting to watch the content you refer to, but am not finished watching the current video. So I either have to write down the time stamp, or click the new link, save it to watch later, then go back and finish watching the first video. Leaving the link in the description is more efficient for your watchers. Thank you for all you do.

@AllThingsSecured

3 ай бұрын

Thanks for the suggestion! I’ll definitely try to do that.

@AnythingGodamnit

Ай бұрын

@@AllThingsSecured I'm not sure if you've since added them or if it's automatic, but I've always expanded the "more" section and scrolled to the bottom of it to see anything that was linked in a YT video. I can see all the videos you mentioned there (I want to watch the aliasing one)

@manny7886

5 күн бұрын

It's the reason why I never watch a suggested video because I haven't finished the video yet.

A law I'd add is to have a physical safe. Store recovery codes in here, or use it to store passwords you don't want in your password manager, such as the password to you're email where password reset requests get sent. And for people who find an online password manager too complicated, this is where you can store your passwords.

@AllThingsSecured

4 ай бұрын

That’s a great suggestion. It’s a threat model slightly higher than mine, but valid nonetheless.

@ionamygdalon2263

4 ай бұрын

This was a very valuable comment! I will keep it in mind should I ever need a higher safety model.

I appreciate this simple video format.

@AllThingsSecured

4 ай бұрын

Thank you!

I do it only slightly differently because I mostly focus on making iCloud and Google accounts maximally secure with security keys, passkeys and in iCloud E2EE almost all of it. Then less important accounts can (preferably) Sign in with Apple or the slightly less secure Google. Greetings from Sweden. 👋

Very interesting and very useful video. I always enjoy your videos.

@AllThingsSecured

3 ай бұрын

Thank you!

Great video! I have also stuck with passwords and 2FA rather than passkeys because I still feel that the added convenience of passkeys ultimately degrades security and I'm also waiting to be convinced.

@AllThingsSecured

4 ай бұрын

Thanks for sharing!

@kungfu5150

3 ай бұрын

Passkeys are still superior, overall. How convenient they are is up to you. If you store your private key on a physical security key (yubikey etc), and require biometrics to unlock, this is the strongest option out there. 1) Your private key is not stored in the cloud 2) It's passwordless, and as such cannot be stolen, or leaked in a password dump (another of which we just saw) and 3) It's phishing resistant. Example scenario: I want to login to my bank. I have to physically be present at a computer, with my yubikey which requires biometrics to unlock. My private key is stored locally on my yubikey and none of that ever leaves the device. Only then I can login. I cant have my password stolen. I cant have my password leaked. I cant be phished. I cant be SIM swapped.

@zetectic7968

3 ай бұрын

@@kungfu5150 I have a few credit card accounts that still use email or SMS to send a code. My main bank however I have a small keypad device to general OTP to logon and it also generates a code before a new payment is setup for either an individual or company online

Another awesome video josh! Thank you again! I’ve been following you religiously now for right at a year’s time as I’ve been navigating my way through a horrific stalking situation that is the makings of a PsyOps Horror Novel. lol 😂. Because of this channel, I’ve gone from knowing zero things about cyber security to feeling very knowledgeable and empowered about all of my online privacy and security. I’ve made massive shifts in 2023 towards extreme privacy and safety. Because my *literal* life has depended on it. Thank you so much!!

@AllThingsSecured

4 ай бұрын

Glad it’s been helpful!

Holy cow!! It’s Josh from the Xinjiang channel! I have your PDF book from way back when.

@AllThingsSecured

4 ай бұрын

Haha! Yup, that was me, back when I had hair 😂

@safdjqw0

4 ай бұрын

@@AllThingsSecuredcongrats on your success! Didn’t know our interests would cross. Easy sub

1 don’t keep all eggs in one basket 2 long passwords 3 always use 2FA (with Authenticator codes NOT SMS) 4 Security Key 6 separate Authenticator apps 7 except for common accounts like Pinterest Bonus: A) Email Alias B) Secure apps with biometrics C) Private number D) Passkey if security key not available

Is it a good idea to put the master password in the password manager itself ?

Thank you for the video. I still haven't started using e-mail alias and I couldn't find a decent way to implement that virtual phone strategy in my country (maybe I'm not doing a proper research), but one thing I use in addition to long passwords, password manager and 2FA is the double-blind method, where you only store part of the password in the password manager, but the other part is some special characters that only you know. So when you are signing into an app, you generate and store a password from password manager + your own password I do that for important accounts only, but that gives me more security that, in case my password manager ever got hacked, the hacker still won't have the full information to log into my accounts

@AllThingsSecured

3 ай бұрын

Yes! I didn't even talk about that here, but that's a big part of my own strategy as well.

@manny7886

3 ай бұрын

That's how I do it too. Also, I use physical security key as my 2FA to my password manager.

Thanks for the video! I will stick with physical hardware keys for now. Also, it's often said that the main security vulnerability is education, and I just can't understand Passkeys... And if someone as knowledgeable as you also struggling to see it's merits, then it is evidence that passkey proponents have a problem with the education part...

@AllThingsSecured

4 ай бұрын

Thanks. To be clear, I see its merits, especially for those who don’t want to spend money on a physical key, but since I value the offline key…I’m just not sure it’s as useful to a person like me.

@kaori-3882

4 ай бұрын

​@@AllThingsSecuredUnderstood :). On the different subject I would love you thoughts on this matter please!: There is a website I use which I rely on for many things. They allow 2FA hardware to be used. While logged in I tried to disable the hardware key and it allowed me to do so without asking for confirmation using the hardware key. As I understand this is how many KZread accounts got hacked by malware disabling the 2FA. I contacted the website to report this security vulnerability saying that if a malware attacked their website they might exploit this vulnerability. In the answer they said that they do not consider this as security issue and when malware is involved all bets are off... In short they completely ignored it. What do you think? Thank you

I really like your advice. I like that you don't go too extreme and still use gmail or facebook like normal people. However taking a few steps towards better security and privacy.

@AllThingsSecured

4 ай бұрын

Thanks so much, Eric! Glad it was helpful.

So your bonus law number 4. Only use physical keys and not use passkeys if both options are available. I was in this camp until recently. There is something going on with iOS and MacOS recently where Google does not recognize my Yubikeys via Safari anymore. I was able to bypass this by using an old out of date Mac, reregister one of my Yubikeys and then switched back to my modern hardware to reregister all of other keys. So it’s hard to tell if it is Google or Apple, but someone f’d up and almost locked me out of my Google accounts.

@KodakYarr

17 күн бұрын

Sounds like a Mac issue

Authy is planning to shut down its desktop authenticator app in August 2024. They still will have their mobile apps on iOS and Android

@AllThingsSecured

4 ай бұрын

Yes, I just read about that.

@jkbobful

4 ай бұрын

2fas is apparently working on a desktop app but as of right now all they have is a browser extension but it still requires a phone to confirm

Really appreciate your videos. You speak in a way anyone can understand and that is why I am able to send these to friends and family who unlike me are not in the IT world. Have a happy new year btw!

@AllThingsSecured

4 ай бұрын

I appreciate that! Thanks for sharing the video...and happy New Year to you as well :)

Do you recommend insurance?

There are 2 kinds of passkeys: device-bound and synced. Device-bound passkeys can't be replicated; they're like physical security keys in that way.

@AllThingsSecured

4 ай бұрын

Very interesting. I obviously still have a lot to learn about passkeys.

Interesting rules. I would like to know how fast it is to search for the backup Yubikey every time you want to register 2FA for a new account. What if you are away from home? Do you register and when you get home you look for the two keys and then activate 2FA? A video about the logistics of operation and day-to-day use would be interesting. Thank you.

@AllThingsSecured

4 ай бұрын

Thanks for the idea, Manel. Very helpful suggestion.

@champagnesupernova7534

2 ай бұрын

If you have 2 yubikeys, then you should always carry one on your keyring. Then you won't ever have to search for one, unless you lose your keys while away from home.

can you explain what you mean at 06:11 what each category is

How do you feel about storing 2fa codes in a PM that's only accessible via a hardware key? My password manager can only be accessed via someone that has one of my two hardware 2fa keys, and once it reached that point I started consolidating all of my 2fa codes into my password manager as I felt the hardware 2fa requirement was enough to warrant that level of confidence.

@Panicthescaredycat

13 күн бұрын

let me know if you get an answer to this question lol, cause that's how i have my PM too, only way to access it is if someone has my yubikeys.

Do you suggest logging out of certain apps on your iPhone to allow for entering credentials like the 2FA?

@AllThingsSecured

4 ай бұрын

That's up to you and your threat model. Some people set their internet browser to close all windows every time they close their computer or lock up their phone. Those kinds of settings depend on what and from whom you are protecting.

To use a new phone, they ask you for a Google account as the main account. Does this have to be created separately from the personal one? How do you handle that? what account do you put?

So I pretty much hew to these and similar privacy polices. BUT… today I opened Yelp and it asked me for a review of my experience at a medical specialist I’m setting up a procedure with. WTFFF? Can you do some videos focusing on how businesses (e.g., Yelp) get this kind of info? Otherwise I feel like I’ve built unscalable stone walls with a moat, but there’s a huge tunnel from beyond the moat that comes up in the scullery behind my back. I’ve noticed more of those instances where you have a conversation on an odd topic and start seeing ads or articles about it, but attention bias makes that impossible to really gauge. But the Yelp example is different. They have affirmative data showing that I’m dealing with this medical specialist, and I really want to track down where they got it, because I expect to find at least one tunnel in that way. I don’t use Alexa or have Siri turned on to listen, and stay as far from Google as I can, though I have Chrome and Maps installed for occasional use.

So, in terms of not having all your eggs in one basket or not trusting a company with all your info, would you suggest against subscribing into a companies ecosystem for example, proton or Nord

So you're saying you prefer the password/hardware key combo over using a Yubikey for passkeys? it seems the security level would be the same in this case.

@AllThingsSecured

4 ай бұрын

The way I see it, using a Yubikey as a passkey is exactly the same as simply using a 2FA key, right? My issue with with the software-based passkeys.

Is it dangerous to use passkey on Android device if this device encrypt synchronisation with a static key (instead of google account) ?

Can you talk about outlook firewall. (Security policies)

@AllThingsSecured

4 ай бұрын

Thanks for the suggestion.

Hello. Do bank accounts accept 2F physical keys?

@AllThingsSecured

4 ай бұрын

Some do. Many don't.

What’s your go to tax software turbo tax? Or free tax USA? I like how turbo tax is 100% accuracy guarantee and free tax USA isn’t

I use yours listed except (1) I do keep MFA codes separate from the Password Manager - no exceptions; (2) I did go back and change the user ID to unique ones (email aliases where possible) for every account I could; and (3) I won't upload my Beimetrics to any websites as I don't trust they won't get hacked and loose it. Segregation of activities between devices and VPN providers is what I aspire to and is a difficult habit to develop. I may just configure the firewall to route traffic to specific VPNs so I need not worry about it. That takes some thought and effort to implement. You didn't mention secure DNS or maybe even using a secondary ISP at the firewall to route the DNS call through a different carrier.

@AllThingsSecured

4 ай бұрын

Thanks for sharing! For what it’s worth, I don’t know of any websites where you “upload biometrics”. Biometric verification is done at the device level.

@InfoSecGuardian

4 ай бұрын

​@@AllThingsSecured - The irony! The posting of your videos UPLOADS your BIOMETRICS to the web! Biometric data captures physical attributes of a person such as fingerprints, face, or voice. Your video contains both face and voice. Banks are using voice authentication when you phone them. Avoidance can be a challenge. Cameras, such as Ring, use biometrics in the form of facial recognition. Even if YOU don't self identify your face to Ring, your friend with a Ring camera probably already has. The weakest link for security conscience people watching your videos is generally not themselves. It is the companies we have to give data to like Equifax's and Banks of the world. Hackers are now calling the bank via VoIP and tricking them to think it's you while using data from these breaches. To get through voice verification, the hackers call you to get your voice, and then use AI to trick the banks into thinking it is you. Obviously it's impossible to live life and also duck your biometrics from being captured. But, I'm certainly not going to help it along. Note: Even self checkout like at Walmart are capturing your biometrics. They use cameras to capture you scanning the items and then link it to your person through the Credit/Debit card used at checkout. This is done in the name of shoplifting prevention security.

@PaulNecsoiu

3 ай бұрын

I understand the use of email aliases for non important accounts, but for important accounts don't you think it presents a major risk?For example, if we create an account using a custom alias (with custom domain) and after a while we lose access to that alias (let's say we forgot to update the domain, etc.) don't we lose access to that account?

@InfoSecGuardian

3 ай бұрын

@@PaulNecsoiu ​ Great critical thinking skills. Actually, when web apps use the email address as a user id, you can still login using that ID even if the email address is no longer valid UNLESS you need the forgot your password function. If the website allows it, it would be best to change the user ID to your new email address (alias would be good). Optimally, you OWN the domain name for your email address and would know if you're going to no longer renew it. And, if you let that expire, you likely have a bunch of accounts (all known to your password manager of choice) to then go update your credentials to match your new plan.

@PaulNecsoiu

3 ай бұрын

@@InfoSecGuardian Thank you! You have totally right. I have made some testing and if the email is not valid you can still use that email as a login ID. More than that if the account allow other recovery methods (recovery codes, security keys,etc) I think that with a good management we can say it is pretty safe to use email aliases for all accounts.

I may have missed it but can you do a video on 2FA when you don't have a US phone number? As in if you are overseas and using a different sim card and need to access your 2FA codes if SMS is the only allowed method.

@AllThingsSecured

4 ай бұрын

You can purchase a US number from a provider like Hushed and use that for SMS codes. Same goes for IronVest or MySudo…they offer the same service.

@zeitgeist888

4 ай бұрын

@@AllThingsSecured Thanks.

I keep my 2FA codes in my PW manager, too. But, I lock my PW manager with a 2FA code that's NOT in the app.

How do you make a private vitual number (in the EU) ?

@AllThingsSecured

4 ай бұрын

Depends on the country. I think it’s easier for some than others. I’d check Hushed and other such providers to see which countries they offer. I can’t remember off the top of my head.

Is it worth using 2fa physical key for non sensitive things like tiktok or youtube?

@AllThingsSecured

4 ай бұрын

For me, yes. KZread is connected to a Google account, so it's worth having a 2FA key there. Honestly, it's up to you, but as I said in the video, my rule is this: "If a 2FA key option is offered, USE IT".

Should i use password manager or key chain ??

@AllThingsSecured

3 ай бұрын

You can. I prefer not to.

Facial recognition or fingerprints don't matter if there's an option to use a pin instead. It seems that a pass key is the wiser option.

@AllThingsSecured

4 ай бұрын

Any form of authentication is only as strong as the weakest form.

@MakeitZUPER

4 ай бұрын

@@AllThingsSecured That's true of any co-dependent scenario.

People keep misunderstanding what passkeys are for. They are not 2 factor, they are a replacement for passwords. It's understandable why people think this, since most websites are doing trials of them by treating them like 2 factor. Still, can't wait for them to actually start replacing passwords

Question thah I have never seen addressed amywhere, how many accounts can be protected by a single yubikey?

@AllThingsSecured

3 ай бұрын

As a 2FA key? Unlimited. One key works on all accounts. If you’re storing one time passcodes on a Series 5, though, it can only hold 32. Does that make sense?

@hinoto_

Ай бұрын

And 25 passwordless passkey.

Many services/accounts offer 2FA, but not all require it to be enabled. I would recommend enabling it on all your accounts

@AllThingsSecured

4 ай бұрын

Exactly what I said :)

My one issue with any security is the backdoor, the "forgotten password" button. How do you, stop this backdoor way into an account?

@AllThingsSecured

4 ай бұрын

In many cases you can't stop it, but if you use an email alias that points to an address other than your primary email account, that's one step you could take.

@Fatman305

4 ай бұрын

By removing phone on file whenever possible (use other 2fa), or using two numbers. One number, untraceable sim for sensitive accounts, and one known num for accounts nobody will sim swap you to steal...

Email alias are the best thing i ever found

@AllThingsSecured

2 ай бұрын

Yup

Why does a Spotify still not have any of these options

@AllThingsSecured

4 ай бұрын

Why do you need so much security for your music streaming service?

Sounds like you use things you don't trust...For me trust is very important in my security strategy. I have to have full trust in what I'm using and doing - no half-baked I don't really trust _this_ so I'm gonna mitigate it with _this_

SMS is the least secure of all the 2FA methods. Some people might not want to give out their cell phone number

@AllThingsSecured

4 ай бұрын

That is correct.

All thiings 😃

@AllThingsSecured

4 ай бұрын

Thanks for watching and commenting.

Answers to throw off security questions: Ex, Q:"Where were you born?" A: "Mercedes Benz"

@AllThingsSecured

4 ай бұрын

Yup, that’s a great way to do it.

Sad that most financial institutions don’t allow 2FA.

@AllThingsSecured

4 ай бұрын

I know, right?!

I would add another law.. don't use your phone as a passkey. Very easy for muggers to get you to empty out your bank accounts when you carry the keys to your kingdom with you at all times on your phone.

I wear wrinkled shirts too. 😜

@AllThingsSecured

4 ай бұрын

Ouch 😜

👍🏻

@AllThingsSecured

4 ай бұрын

🙏

The Back up codes is the biggest unnecessary thing that ever been made in history of security. it's lazy guy who just throw a suggestion and an idiot approves it. instead of backup codes (incase your physical key broke or lost) they should let you set a what we call it Recovery Location. a physical location where you can set it in the security setting by opening your GPS. you can choose to stand on a train station. set it as your recovery location. when your yubikey got broken and you need to recover your account.. go to your designated location. open you GPS and recover your account. it doesn't need to be EXACT GPS it can have margin of error like 5 meter radius.

@AllThingsSecured

4 ай бұрын

That sounds great, but I literally have a program on my computer that allows me to spoof the GPS location on my phone to be anywhere in the world. That's a huge security loophole there.