
Pralana Gold - Excel vs Web Based Versions

54 Posts
14 Users
18 Reactions
9,037 Views
Posts: 651
Customer
(@pizzaman)
Prominent Member
Joined: 5 years ago

Not saying don't use the new PRC web based software, but NO online account is perfectly safe. If the US Department of Defense can be hacked, so can you. As stated above, you have to be careful. It is very unlikely that your personal home computer will be directly hacked; hackers are much more likely to go after accounts on the cloud where they can hack 1,000's if not 100,000's of accounts at a time. And while information on you on the PRC cloud account may be minimal, it may contain pieces to your personal puzzle that hackers can put together with hacked information from other cloud based accounts you may have out there (credit cards, healthcare portals, you name it). I only conduct financial business on my personal desktop computer, which has Kaspersky protection software, Acronis protection software, VPN, and my email service provider is Proton https://proton.me/mail


Reply
4 Replies
(@hines202)
Joined: 5 years ago

Honorable Member
Posts: 511

@pizzaman You're using Kaspersky, the Russian-owned company, for your computer security? I'd rethink that 🙂


Reply
Customer
(@pizzaman)
Joined: 5 years ago

Prominent Member
Posts: 651

@hines202 Thanks for your concern, it is on my mind. However, I have done my research and for right now I am confident in using Kaspersky. It is a private company not owned by the Russian government, its servers, and many of its employees, are not located in Russia, and the company has passed several international audits. Besides, I would guess that about half of everything you own including electronics is made in China, a dictatorship that openly wants to control the world, including taking by force Taiwan, another place where a lot of your electronics come from. Pick your poison.


Reply
(@docfiddle)
Joined: 5 years ago

Trusted Member
Posts: 42

@pizzaman To me the issue isn't Russian ownership, it's that such software is generally redundant and needless on a PC with WinSecurity. (You don't mention your OS, so if it's not a PC, then what follows is irrelevant.) All of the major players -- Bitwarden, Malwarebytes, Kaspersky, McAfee, etc. -- have been independently tested and really don't improve on what MSFT built into the OS, another classic Redmond anticompetitive move. If you're really worried about malicious activity, ditch Kaspersky and use Configure Defender to reduce your machine's attack surface considerably. Just be ready for lots of alerts.


Reply
(@docfiddle)
Joined: 5 years ago

Trusted Member
Posts: 42

@pizzaman Nobody says that something is "perfectly safe," let alone "online accounts," so let's use benchmarks with concrete applications. The term "hack" has become a euphemism for just about any illegal or malicious conduct in cyberspace, so its use here doesn't clarify matters. The issue concerns probabilities, and the events you describe -- "put together with hacked information from other cloud based accounts you have out there" -- are infinitesimally small probabilities at the individual case level. Why even bother to engage in such puzzle solving for a single individual when more lucrative systems have a higher ROR via ransomware? "Hacking" is big business, and it aims at big businesses in order to meet its recurring costs. Practice safe computing and use the internet's remarkable resources properly and you're likely never to have a major incident.


Reply
Posts: 1154
Admin
(@smatthews51)
Member
Joined: 5 years ago

We're giving serious consideration to use of 2FA and are investigating options now. I'll offer more information as we settle on our approach.

Stuart


Reply
3 Replies
(@docfiddle)
Joined: 5 years ago

Trusted Member
Posts: 42

@smatthews51 Passkey (physical security key [like Yubikey] or passcode) is the emerging MFA standard, but that might be too cumbersome and expensive to implement.


Reply
(@hines202)
Joined: 5 years ago

Honorable Member
Posts: 511

@smatthews51 It might not be too much effort to use an API for the user's preferred authenticator app for 2FA. That's my preferred method of 2FA, safer than throwing around codes to text/email and far less messy. Should be little code and a quick implement. Also if possible allow a spouse/partner login to the same account.

Definitely never store any user passwords in the database, only a secure one-way hash should be stored for comparison at login. Storing passwords creates liability if hacked, because amazingly people still use the same password for everything, including their banks.


Reply
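The two recommendations above (store only a salted one-way hash, and verify a TOTP code from the user's authenticator app) as an added, self-contained example. This is not PRC's code and assumes nothing about its stack; the record format and the 600,000-iteration PBKDF2 setting are this example's own choices.

```python
import base64
import hashlib
import hmac
import os
import struct
import time

# Constructed parameter for this example (not from the thread or from PRC).
PBKDF2_ITERATIONS = 600_000  # slow on purpose; PBKDF2-HMAC-SHA256 work factor


def hash_password(password: str) -> str:
    """Return a self-describing record: algorithm$iterations$salt$hash.
    Only this record is stored; the plaintext password never is, so a
    database dump contains nothing that can be replayed at a bank."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        PBKDF2_ITERATIONS,
        base64.b64encode(salt).decode(),
        base64.b64encode(digest).decode())


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt; compare in constant time."""
    algo, iterations, salt_b64, hash_b64 = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 base64.b64decode(salt_b64), int(iterations))
    return hmac.compare_digest(digest, base64.b64decode(hash_b64))


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code an authenticator app displays.
    The server keeps the shared seed, never a code, and nothing is texted."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret: bytes, code: str, unix_time: int,
                step: int = 30, window: int = 1) -> bool:
    """Accept the current step plus/minus `window` steps for clock drift."""
    return any(hmac.compare_digest(totp(secret, unix_time + d * step, step), code)
               for d in range(-window, window + 1))


def login(stored_record: str, totp_secret: bytes, password: str, code: str,
          unix_time=None) -> bool:
    """Both factors must pass: the password hash and the second factor."""
    now = int(time.time()) if unix_time is None else unix_time
    return verify_password(password, stored_record) and verify_totp(totp_secret, code, now)
```

The TOTP function reproduces the RFC 6238 test vectors (seed `12345678901234567890`, time 59 gives `287082` at six digits), so an app such as Aegis or Google Authenticator seeded with the same secret shows the same codes.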
Customer
(@nc-cpl)
Joined: 4 years ago

Reputable Member
Posts: 283

@smatthews51 An authenticator app would be far better than sending a code as I acknowledge. Or a passkey option if not too difficult to implement.


Reply
Posts: 62
Customer
(@bo3b)
Trusted Member
Joined: 4 years ago

Rather than sun-setting PRC Excel, might be great if the worksheets were released into the public domain (GitLab? or similar) with data tables such as tax rates, etc open for User edit. (Or at least unlock the Tax Tables etc for User future update...)

Not only a Thank-You! to the Pralana faithful, those that helped grow the current software through ongoing subscriptions and made the upcoming new offering possible, but perhaps a means to further promote the brand and webPRC to a new following.

Could also create a public User base for better understanding PRC Excel and foundation from which to create/grow documentation through collaborative efforts. Might even form a basis for migration of ideas & features into web based releases.

Just a thought...


Reply
1 Reply
(@boomdaddy3)
Joined: 5 years ago

Trusted Member
Posts: 50
Posts: 283
Customer
(@nc-cpl)
Reputable Member
Joined: 4 years ago

2FA authenticator apps are readily available and free, and add that 2nd layer of protection. Been using one for many years. Bitwarden, Authy, Aegis and Google all offer good 2FA apps.

But everyone should try to remember that PRC doesn't have your financial account custodian names, account numbers, your passwords and certainly no 2FA codes. It could be anyone's data, and "made up" data at that. If you want even more anonymity, sign up with a second "dummy" email.

One should try to avoid 2FA that involves either texting or emailing codes - not secure. TOTP via an app like the ones above is much better.

And for God's sake if you're not already, start using a good Password Manager (I recommend Bitwarden; 1Password is good too). There's no excuse not to, nor for not using really long cryptic passwords or passphrases for important stuff.


Reply
1 Reply
(@hines202)
Joined: 5 years ago

Honorable Member
Posts: 511

@nc-cpl Password Safe (PWSafe) is an excellent, strong password manager that doesn't "live in the cloud". I think it was done by Steve Gibson, I used to love his InfoWorld security articles and recent work and security blogs. Data stays on your computer (so backups necessary). You could store the file on a cloud drive if you wanted to, and use the app to access your passwords from anywhere, if you want to make that leap security-wise.

Ultimately you have to trust someone. If a google/android based person, using their password manager means not having to remember passwords and also phishing protection as it will alert you if it's not the real site, and refuse to provide the password. Same with Apple's if you're an apple person. Hopefully we're close to passwords being obsolete.


Reply
Posts: 283
Customer
(@nc-cpl)
Reputable Member
Joined: 4 years ago

Any password manager is better than nothing provided you 1) use only a very strong master password, 2) don't re-use crackable passwords over and over again like (Dog's name+2024), and 3) also use a 2FA tool like any authenticator app.

Password Safe looks a bit "1990's-era programming janky" to me (and definitely lacks the sophisticated safety features of a Bitwarden for only $10/yr.), but is better than nothing.


Reply
7 Replies
(@hines202)
Joined: 5 years ago

Honorable Member
Posts: 511

@nc-cpl It's old school for sure, but secure. I'm not using anything that puts my passwords "in the cloud." When these get hacked, it's game over pretty much. I let it generate highly complex, secure passwords for my financial and other important sites, and rely on the master password to open the file. Significantly less exposure that way.

LastPass got hacked twice in 2022. A few of them have, including 1Password. Bitwarden might be "sophisticated" but read below:

Bitwarden was discovered to have cracks in its encryption that left sensitive information vulnerable to cyber attacks. In 2023, a cybersecurity firm, Flashpoint discovered a critical flaw in Bitwarden’s password security when using autofill.


Reply
(@docfiddle)
Joined: 5 years ago

Trusted Member
Posts: 42

@hines202 The only danger concerns access to your Master Password, which is never stored in the cloud anyway. I’ve got no problem with folks who keep ratcheting up their security practices, but there’s a law of diminishing returns here. With each layer of security the marginal increase in safety gets slimmer. I lock doors and windows, but I don’t hire 24-hr security guards, place cameras all around my place, and keep a few rottweilers on stand-by, although that all would probably increase the security of my home.

So sure, you can avoid cloud storage of passwords, but fear of hacked password managers is overblown. A criminal who gets into a cloud storage vault still has to be able to do something with what he steals, and he definitely will not find Master Passwords there. At LastPass a malicious actor tricked a database manager into installing a keylogger on the latter’s home PC, giving away the keys to one of LP’s production databases, which the criminal then used to enter the user account vaults without any “hacking.” The criminals made off with encrypted account information that they still need to figure out how to decrypt. It’s not harmless and there still are bad things that the criminals can do with what they got (basically phishing and credential stuffing attacks on accounts, but not using stolen pwds to get into user bank accounts).

And I recommend that folks read what actually happened at Bitwarden (spoiler alert: it had nothing to do with the “cloud” or encryption. There isn’t a “hack” at work here, it’s a vulnerability to Bitwarden’s autofill function, which is local to the computer and is not on by default.) Bitwarden has known about this since 2018, but the autofill is so common and works with thousands of legit sites, that the engineers decided not to turn it off but to let users opt-in with a warning of the vulnerability. It's just not that big a deal.

All the major password managers use Zero Knowledge security that keeps the master password entirely local — it’s nowhere in the cloud unless the user puts it there. Dashlane (and probably some others) supports passkeys and Yubi keys. And if you use a password manager, be sure to set up backup codes so you can get in if your Master Password is lost or forgotten. And again, those are stored locally, not in the cloud.

The security industry has spawned a cottage industry of companies that have a material interest in making “hack” mountains out of small molehills. The issue here concerns probabilities, not certainties: take prudent steps to secure your data and back it up religiously. The odds are good that such best practices will avoid a serious breach.


Reply
(@hines202)
Joined: 5 years ago

Honorable Member
Posts: 511

@docfiddle @nc-cpl Thanks for that info, it's definitely more reassuring! I would add though, once a hacker holds any encrypted information, it's not a big leap to brute-force decrypt it. Yes, it takes time and computing power, but such individuals tend to have abundances of both.


Reply
Customer
(@nc-cpl)
Joined: 4 years ago

Reputable Member
Posts: 283

@hines202 The first thing a hacker would have to accomplish is breaking into your vault (nearly impossible). Even then, once they get in it's all just gibberish because he wouldn't have the master password to decrypt it. And even then, if you enabled 2FA for important accounts he'd have to possess your second factor. And that's assuming a previously dropped cookie from the website doesn't recognize it as a "different device" and require yet another 2FA authentication (previously set up as a question and answer).

That's a LOT of hills to climb to get at something that might not even hold any value. If they're willing to try that hard and dedicate that kind of resources to it, they're going to target something like a bank, not an individual, where they could grab a lot of stuff.

Try out this Brute Force calculator to see how long it might take - it's a lot longer than you'd think. For example, my master password would require, at 1 billion attempts per second, 1,303,440 years, 5 months to crack.

Brute Force Calculator - How long would it take to Brute Force your password? (proxynova.com)

I don't anticipate being around then, or the hacker either...;)


Reply
(@docfiddle)
Joined: 5 years ago

Trusted Member
Posts: 42

@nc-cpl Right! Criminals are very unlikely to target an individual unless he or she were very, very wealthy. The real money is elsewhere in institutions -- passwords and account info gotten from break-ins or network invasions through phishing, that can be sold on the dark web. If you're targeted, it's possible this would be something personal: someone bearing a grudge who just wants to do you harm.

I figure that my info has already been scraped from the web, so it's better to change passwords frequently, use a manager and generator, keep a credit freeze in place, etc.


Reply
Customer
(@nc-cpl)
Joined: 4 years ago

Reputable Member
Posts: 283

@hines202 Actually that's not correct Bill. BW does not store unencrypted passwords, nor do they have your master password. See below. Even if a hacker got into their system, there's nothing of value they could use:

End-to-End Encryption: Bitwarden encrypts your data immediately as soon as you enter it in any Bitwarden client. Before storing the data on your device, it is encrypted. There is no unencrypted Vault data, except when you are viewing information in a Bitwarden client where you’ve entered your email address and Master Password. From there, all Vault data remains encrypted when sent to the Bitwarden Cloud or a self-hosted Bitwarden server.

Your Keys, Your Control: Only you retain the keys to your Vault. Bitwarden cannot see your passwords, websites, or anything else you put in your Vault. Your individual email and Master Password are used to encrypt and decrypt your data. Bitwarden never stores or has access to your Master Password.

Industry-Standard Encryption: Bitwarden uses AES 256-bit encryption for Vault data, an industry standard considered unbreakable. Your Master Password is used to derive the key that encrypts your Vault data.

For me, the risks of storing everything on a local machine (theft, fire, flood) far outweigh anything on a protected server off site. Add to the above using 2FA (like I do for all my financial and healthcare sites) and nobody's getting in. There are other benefits such as:

  • If I have a fire, flood, theft or hard drive failure, all my stuff is as accessible as if nothing happened.
  • If I die suddenly, BW has a secure protocol to grant my wife access.
  • It now incorporates passkey creation for sites that are advanced enough to use them.
  • It notifies me if any of my passwords are weak or hacked (unlikely since I use the password generator to create crazy-long strings that would take thousands of years to brute force attack).
  • Allows me to manage others' accounts (I do this for my senior in-laws who used to write all their passwords on Post-its on their desk (EE-GADS!!!)). That way I know they are safe.
  • Syncs everything across devices regardless of platform.

So, IMO, storing everything locally based on fear seems akin to hiding your cash in your mattress. For me, I'm comfortable with Bitwarden, and for cloud storage of sensitive stuff, Cryptomator. If you wish to keep everything on a local machine, use BitLocker to lock down your OS and VeraCrypt to create an encrypted virtual drive for storing docs.

Just one man's opinion...;)


Reply
(@docfiddle)
Joined: 5 years ago

Trusted Member
Posts: 42

@nc-cpl Agreed. I use Dashlane, which offers similar features. Recently I tried Configure Defender to increase my PC's security against various threats:

The MAX Protection Level blocks anything suspicious via Attack Surface Reduction, Controlled Folder Access, SmartScreen (set to block), and Cloud Level (set to block). These settings are very restrictive and using them can produce many false positives even in the home environment. Such a setup is not recommended in the business environment.

Even at the medium level I was flooded with so many alerts and false negatives that I went back to the default WinSecurity settings. If you're a Windows person, Configure Defender is a pretty intense tool that definitely enhances the data guardrails, but like all such improvements, it's at a cost.


Reply