Loose Leaf Security Weekly, Issue 13

Good morning, and happy Thanksgiving to our US readers! Often, security and privacy news can be disappointing, worrying, and even dystopian, so we thought we'd use this Thanksgiving newsletter to take a moment to cover some security and privacy advances we're grateful for.

If someone forwarded this to you, you can sign up yourself at https://looseleafsecurity.com/newsletter.

What we're thankful for

Password manager extensions

We can't say we're thankful for passwords and especially complex password policies, like "three special characters, two numbers, no repeated letters." That's the sort of security feature that reinforces the popular impression that security and convenience have to be at odds with each other. Fortunately, password managers not only spare us the inconvenience of remembering complicated passwords but also make using the web a little more convenient in their own way. We're thankful for how password managers make it easier to deal with changing passwords and how password manager extensions protect against phishing attacks.

Password managers make it easy to have unique passwords for every website, which helps limit the impact of one of the websites you use getting breached. If a site stores its passwords insecurely and they get stolen, it's a lot easier to just change your password for that one site than to change it on every other website where you might have used the same one. Even if you're not yet using unique and randomly-generated passwords on each site, a password manager browser extension will offer to save your existing passwords, and you can generally go back and ask it which accounts have the same passwords and focus on changing those first.

Installing the browser extension for your password manager also has one other huge security benefit: it protects you against "phishing" attacks, where someone tries to get you to visit a fake login page. Password manager extensions keep track of which website you saved a password on, and if someone sets up a site with a similar-looking URL - maybe with a lowercase l instead of a capital I - while your eye might be fooled, the extension won't be: it will refuse to fill in the password on the impostor site. Even better, you can use the password manager extension to open the login page, which effectively turns your password manager into a secure bookmark manager that's synchronized across your browsers.

Our reference page about password managers links to all our episodes about password managers and includes a comparison of popular password managers. By the way, for us, we find that the holidays are a great time to help our families stay secure and get them set up with a password manager!

Security keys

Hardware security keys are both the strongest form of two-factor authentication and extremely convenient. They're the only second factor that provides you with phishing protection: your browser communicates the website's name to your security key, and the security key responds with an answer specific to that website. If you're accidentally visiting a phishing website, your security key won't be able to compute the right answer, which means the phishing site can't pass it along to log into the real site. In fact, research shows that security keys are 100% effective against both bulk and targeted phishing attacks!

Security keys aren't just secure - they're also incredibly convenient. A study of Google's employees showed that authenticating with a security key is significantly faster than typing in codes generated by an authenticator app or from (insecure) SMS messages. It also showed the authentication failure rate of security keys was zero, which is lower than the 3% failure rate with authenticator apps (either the code expired by the time it's entered or a typo was entered).

We're really grateful that many of our accounts benefit from both the increased protection against phishing and additional convenience of security keys. To learn more about security keys, check out our two-factor authentication reference page.

Browser sandboxing

Downloading apps, especially from unknown publishers, is always a little bit risky. Even in Apple's and Google's app stores, which do put effort into vetting all submissions, it's not uncommon to hear of new malware apps that have found a way to get to the information on your phone. Meanwhile, traditional desktop applications have no real separation of permissions between them by design: any app can access files from any other app. In contrast, the web started out in the other direction: very few permissions were given to web pages. It's been remarkable how much functionality web pages have grown without really increasing the amount of access they have - certainly without giving them direct access to your local files or to each other, like desktop applications have. We talk more about these two different models in our episode "The history of the Web and an introduction to browser security."

We're thankful that so much online functionality is available through the web so that we don't have to give downloaded programs nearly unlimited access to our computers, and we're also thankful that web browsers' sandboxes have held up quite well in practice. (Of course, since bugs do slip through occasionally, we're also thankful for automatic updates!)

Disk encryption

Not too long ago, if you wanted to encrypt your files, your best option was specialized full-disk encryption software - either a commercial option, or something from anonymous people on the internet. Today, encryption is built into just about every major OS, including mobile OSes. Windows has Bitlocker, macOS has FileVault, and Chrome OS even has it on by default. Both iOS and Android will also automatically encrypt your files if you have a passcode (on Android, you need a recent OS and a manufacturer who hasn't removed the feature). These systems let you use your regular login password or passcode as your encryption key, so you don't even need to do anything special once you have it enabled.

The real value of file encryption is in peace of mind if your phone or laptop gets stolen: while having to pay to replace it isn't fun, you don't have to worry about a thief stealing your identity, reading your private files, or emptying out your bank account. Without your password, all they can do is wipe the disk and sell it at cost. Unusually paranoid users (the same crowd who would have installed third-party full-disk encryption) might still worry that it doesn't always save you from tampering: if someone takes your device away and gives it back, full-disk encryption won't necessarily save you. For most of us, though, having disk encryption as a free and built-in feature is enough to protect us from the common threats, and we're happy that it's now available on most devices.

By the way, it's also important to encrypt your backups - encrypting only your computer or phone won't keep prying eyes off your files if they can get their hands on your unencrypted backup instead.


If you lose your laptop or your phone, you'll also want to make sure you don't lose access to your files. Backups ensure we can get back to a working state quickly in the event we have to replace a device or even if we think an attacker has successfully placed malware on one of our devices. (As a reminder, if an attacker gets into your system, you can't assume you'll track down everything that's been affected.) We're grateful for the regular, versioned backups of our devices that allow us to confidently wipe a compromised device or get set up on a new device quickly. To learn more about backups, including the pros and cons of local and cloud backups, check out our episode "Backups."

People like you who care about security and privacy!

Security and privacy can often be complicated and daunting or feel like a steep uphill climb, and we're really grateful for people like you who care about security and privacy! (We're eternally grateful that you subscribe to our newsletter, by the way.) It's been really encouraging to see these issues highlighted more and more by major non-tech news outlets and to increasingly see people outside of the tech community push back on everything from mishandled data to unnecessary surveillance.

What we're watching

Nintendo's recent video game Super Mario Maker 2, like its predecessor, allows you to create your own Super Mario-style levels and share them with your friends and the world. Unlike the original Super Mario Maker, though, other people can't edit your levels and see how they're built; they can only play through them. That got some level creators wondering if they could build a level that nobody else could beat. The level couldn't be impossible - you have to beat a level in order to upload it - so you can't just put an impassable obstacle before the end. It also can't rely on a hidden cheap trick, since Mario players are good at figuring out tricks. What it would need is a secret value, like a combination lock or passcode, and if that secret value is long enough, it will be cryptographically strong - statistically too long to successfully guess.

A few users discovered a way to build locks using a careful arrangement of items and enemies. They work much like real-world locks and keys: you have to line up parts sight-unseen so something can make it all the way through to the end. However, "locks" in Mario Maker can be a lot more secure because the limits on size are a lot larger than real-world locks, so a bit of a quest to build the most secure level arose. We enjoyed watching Ceave Gaming's video of making a "mathematically impossible" level, even though the level presented in the video isn't close to the most complicated possible lock. Ceave Gaming's video also includes a good explanation of how to calculate the cryptographic strength of secret combinations or passwords, and in particular, how having a longer password is significantly more helpful than having one with more special symbols. Another player, Veedrac, created an even more cryptographically secure combination lock level - this video has less math but more weird Mario tricks.

We'll be back with our usual newsletter next week! If there's a story you'd like us to cover, send us an email at looseleafsecurity@looseleafsecurity.com.

-Liz & Geoffrey