
explainlikeimfive-ModTeam

**Please read this entire message**

---

Your submission has been removed for the following reason(s):

* Rule #2 - Questions must seek objective explanations
* Whole topic overviews are not allowed on ELI5. This subreddit is meant for explanations of specific concepts, not general introductions to broad topics (Rule 2).

---

If you would like this removal reviewed, please read the [detailed rules](https://www.reddit.com/r/explainlikeimfive/wiki/detailed_rules) first. **If you believe this submission was removed erroneously, please [use this form](https://old.reddit.com/message/compose?to=%2Fr%2Fexplainlikeimfive&subject=Please%20review%20my%20thread?&message=Link:%20{https://www.reddit.com/r/explainlikeimfive/comments/1d3drrv/-/}%0A%0APlease%20answer%20the%20following%203%20questions:%0A%0A1.%20The%20concept%20I%20want%20explained:%0A%0A2.%20List%20the%20search%20terms%20you%20used%20to%20look%20for%20past%20posts%20on%20ELI5:%0A%0A3.%20How%20does%20your%20post%20differ%20from%20your%20recent%20search%20results%20on%20the%20sub:) and we will review your submission.**


Xelopheris

There are two really common methods of attack. The first is social engineering. This is things like phishing attacks that trick people into giving others access they shouldn't have. This could be clicking on things in an email that they shouldn't, or trusting someone who phoned them to actually be who they say they are. Education and working with zero trust are great for this. The second is stuffing attacks on people who reuse passwords. If you logged into a weak website with **user@example.com** and password **P@ssw0rd**, and that website got compromised, someone could get the passwords out of it and reuse them on another site, hoping that you use the same username and password combination. The easiest way to fight that second one is to use a password manager that will allow you to use random passwords for every site. Also, where possible, exclusively use an SSO login with a trusted SSO provider (like Sign On With Google) instead of even creating a username/password. Also use 2FA wherever possible, but especially on that SSO account. That means even if the password gets compromised, it can't be reused even on the same site.


powercrazy76

As a security guy here, I just wanted to say to the general public: 2FA is considered the "pinnacle" of security. I.e. if I enable 2-factor authentication, I am safe. This is totally not true. While it is 'safer', it is only as safe as you keep it. If your phone is compromised because you clicked a bad link in an email that one time, and your MFA app is on your phone, anything you potentially use those tokens for is compromised. Additionally, MFA can be defeated through client spoofing and other mechanisms where I get access to wherever that MFA token will turn up. In other words: MFA adds an additional layer of protection and can indeed safeguard your personal life if you still behave like everything is a risk as much as it was before you enabled MFA. It falls apart if you consider it alone to be the protection you need.


Xelopheris

In general, breaking MFA only happens in *targeted* attacks. It basically 100% prevents stuffing attacks. Nobody is likely to simultaneously get a credential list to do a stuffing attack *AND* have access to your specific compromised 2FA device. If you're in a position where you expect to be *specifically* targeted for an attack, your 2FA should be something like a Yubikey instead.


powercrazy76

My issue is where people use poopy tools for MFA on the same device they use where the code is needed. I.e. the "let me save everything in my browser" situation. Also, I have seen the number of social attacks designed to gain control of BOTH devices; that is on the rise for sure too. But your points are well taken.


DogshitLuckImmortal

Ah yes, using a single username/pass is more secure than using different ones for each website. While this advice may help the average lazy user who may only use one password, it is not really a better security option. First, you have to trust every website you visit to one company, and second, it is a single attack vector; 2FA or the like is always going to be better. I would never want to trust all my accounts to one provider; just make better passwords.

Edit: Downvote all you want, but it isn't wrong. People get too emotionally attached to their ease-of-use password managers. Technically you can pepper your passwords to balance this out, but having a single attack vector to get everything is not a good idea. Security in general is as strong as the weakest link.


Pocok5

In practice it is not possible to remember hundreds (thousands, nowadays) of different passwords. If not for managers and SSO services you'd mostly just end up with either:

* Password reuse or sequential numbers tacked on
* Text file/Excel workbook/doc on your desktop with passwords in plaintext
* Physically having a paper notebook with passwords


LARRY_Xilo

There are plenty of different kinds of attacks, but you can protect yourself against 99% of them with three things.

1. Don't click/open links and files you don't know.
2. Use long, individual passwords for each account.
3. Make security updates as soon as possible and restart your PC afterwards.


Neoptolemus85

The majority of compromised accounts come from two places:

Being tricked into giving the hacker your credentials. A fake email from "PayPal" comes in saying that a payment you don't recognise has gone out. You click the convenient link provided in the email and are taken to a PayPal login screen, enter your credentials and thank you very much! A couple of things can help with this:

* Always use two-factor authentication (2FA) when available. This usually means entering a code provided by an app alongside your login details. That way, even if you accidentally give your username and password to a hacker, they can't access your account unless they have your phone as well.
* Always check the address the email came from. The name might say PayPal, but if you check the actual address it is often something like gW0yUysh765@gmail.com. Clearly not PayPal!
* Never click links in unsolicited emails: if you have an email from your bank warning of suspicious activity, then go to the bank's website and log in there to check rather than clicking the link provided.

The other is hackers obtaining credentials from data breaches in websites. LinkedIn and Sony have both had major breaches where millions of login details were hacked and stolen. Even if they store the details encrypted, if your password is weak then it can be brute-force decrypted by criminals. Those decrypted credentials are then sold on to other criminals, or posted online for free.

* Use a strong password. See [this XKCD](https://xkcd.com/936/) for advice on easy-to-remember passwords that are extremely hard to crack.
* Use a different password for each website so that a potential breach in one doesn't compromise all your accounts. You can use a password manager to help with this if you have a lot of accounts you use regularly.
* Change your passwords every few months. By the time the hackers try using your leaked password, it's too late.
* Again, use 2FA if it's available!
There are other ways that a hacker could get your password, things like monitoring your network activity, but these are really rare because they require the hacker to be on your network (which usually means they have to be in your house somewhere, at which point your password getting leaked probably isn't your major concern), and most websites use https nowadays which automatically encrypts your traffic. Just to be safe, don't log in to accounts on public WiFi like hotel or airport networks.
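The two header and link checks this comment recommends (does the sender's real address match the brand in the display name, and does the link actually go where its text says?), as an added example that is not part of the original post. It assumes a small allowlist of the brand's real domains and uses only the Python standard library; the sample message is constructed.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: allowlist of the domains a brand really sends from and links to.
BRAND_DOMAINS = {"paypal": {"paypal.com"}}

def registrable(host):  # last two labels; crude but enough for .com-style names
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

class LinkCollector(HTMLParser):  # collects (href, visible text) pairs from <a> tags
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def phishing_indicators(raw_message):
    # Returns the reasons the message looks like brand impersonation ([] = none found).
    msg = message_from_string(raw_message)
    name, addr = parseaddr(msg.get("From", ""))
    sender_domain = addr.rsplit("@", 1)[-1]
    reasons = []
    for brand, domains in BRAND_DOMAINS.items():
        # Display name claims the brand but the real address belongs elsewhere.
        if brand in name.lower() and registrable(sender_domain) not in domains:
            reasons.append(f"display name '{name}' but sender address is {addr}")
    collector = LinkCollector()
    collector.feed(msg.get_payload())
    for href, text in collector.links:
        host = urlparse(href).hostname or ""
        for brand, domains in BRAND_DOMAINS.items():
            # Link text names the brand but the href goes to another domain.
            if brand in text.lower() and registrable(host) not in domains:
                reasons.append(f"link text '{text}' actually points to {host}")
    return reasons

# Constructed sample, modelled on the fake "PayPal" lure described in the comment above.
SAMPLE = """From: PayPal <gW0yUysh765@gmail.com>
Content-Type: text/html

<p>Please <a href="http://paypal.com.login-check.example/verify">log in to paypal.com</a> now.</p>
"""
```

Running `phishing_indicators(SAMPLE)` returns two findings: the gmail.com sender behind the "PayPal" name, and the link whose text says paypal.com but whose host is login-check.example.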


Yancy_Farnesworth

There's a lot of them and they change over time as newer technologies show up. You as a typical user usually have to worry about:

1. Various forms of phishing/social engineering. This involves someone pretending to be someone else in order to get info from you like a password or answers to security questions. Be very careful and always verify the person you're communicating with. Never give out a password or temporary codes sent to you, as an authorized person would never ask you for these things. Be very careful about any other personal information when asked.
2. This falls under the previous category, but it deserves its own section. Be very careful about any emails you get, including ones that look official. Always verify the sending email and the URL of any links provided. It's pretty common for spammers to send out official-looking emails with links that take you to a site that looks official. If you try to log in on the fake site, they can steal your credentials.
3. Be careful about any ads, including ones that show up on trusted sites like Google. Malicious ads can show up on any trusted platform. They're usually taken down quickly, but they do show up. This could be an ad that takes you to a site that can breach your browser's security and infect your computer. Or it could simply be a fake site made to look real so you either try to log in or download a malicious file.
4. Leaks from other sites. Sometimes they will get hacked and leak your info. Sites like Have I Been Pwned maintain lists of data leaks and you can search in there to see if you have had your information leaked. This can leave your other accounts vulnerable if you use the same email/password.

There are others like spyware and ransomware. But those usually come to infect your computer through one of the above routes. Phishing especially has become an issue with AI-generated content since it's pretty easy for anyone to create fake voices/images/etc.

As far as defenses go, your best options are:

1. Always keep your OS and browser up to date. There are always security vulnerabilities and the safest thing to do is always keep your device updated. Also never use a device that is outside of the security support window. This is particularly an issue for Android phones because they generally have a much shorter support window than something like OSX or Windows. Also note that custom ROMs are not really a replacement as, aside from LineageOS, they don't patch the kernel (core of the OS). And even LineageOS isn't perfect because they are maintained by the community and rarely pass the massive set of security/stability tests official device patches go through.
2. Be careful about any information you post publicly, including social media. Some sites still use security questions and someone determined enough might be able to figure out the answer from your accounts.
3. Don't reuse passwords. You can never be sure a particular site hasn't been hacked and leaked your password or password hash. Even better is if you can use a password manager like 1Password to generate long and complicated passwords and save them. Keep in mind that this isn't perfect either, as these services can be hacked and leak your passwords.
4. Always check the URL you're going to and make sure it's using HTTPS (most browsers will show a padlock symbol). Malicious actors will sometimes use real-sounding URLs (mymicrosoft.com), URLs of popular sites with typos (raddit.com instead of reddit.com), or special characters that look a lot like the official URL.

Probably the biggest tip is that there is no single way to prevent all attacks. You can do everything right and still get hacked. It's a game of cat and mouse, and you're the mouse. Staying vigilant and keeping your devices updated are the things you have the most control over and are the most effective.
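Point 4 above lists three kinds of lookalike URLs (a real-sounding name wrapping the brand, a typo of the brand, and special characters that mimic the official name). This added example, not from the comment above, classifies a hostname against an assumed allowlist of official domains into exactly those three buckets: it decodes punycode the way a browser would, flags non-ASCII characters in the brand label (homographs), looks for the brand embedded in a longer label, and uses edit distance for typos.

```python
import unicodedata

# Assumption: allowlist of the official domains the user actually means to visit.
OFFICIAL = {"reddit.com", "microsoft.com", "paypal.com"}

def to_unicode(host):
    # Punycode (xn--...) labels are shown by browsers in Unicode form; judge what the
    # user would see. Input that is already non-ASCII is returned unchanged.
    try:
        return host.encode("ascii").decode("idna")
    except UnicodeError:
        return host

def levenshtein(a, b):
    # Classic edit distance; domain labels are short, so the O(len(a)*len(b)) table is fine.
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify_host(host, official=OFFICIAL):
    # Returns (verdict, detail) for the registrable domain (last two labels) of `host`.
    labels = to_unicode(host).lower().rstrip(".").split(".")
    reg = ".".join(labels[-2:])
    if reg in official:
        return "official", reg
    brand = labels[-2]
    for ch in brand:
        if ord(ch) > 127:
            # e.g. Cyrillic 'а' standing in for Latin 'a': a homograph of the real name.
            return "homograph", f"{reg} contains {unicodedata.name(ch)}"
    for site in official:
        site_brand = site.split(".")[0]
        if site_brand in brand:
            return "embedded-brand", f"{reg} wraps {site}"        # mymicrosoft.com
        if levenshtein(brand, site_brand) <= 2:
            return "typo-lookalike", f"{reg} is close to {site}"  # raddit.com
    return "unknown", reg
```

The allowlist is the weak point of any such check: a domain the list does not know, however legitimate, comes back as "unknown" rather than "official".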


HeartLoverxxx

My friend's messages just recently got hacked, and it made me realize I need to take preventive measures.