Replies

Everyone visiting Perplexity.ai at the same time after reading my column may have brought the server to its knees. Perp isn’t yet a giant like Google or ChatGPT! DownDetector reports that the outage began around 10 a.m. and lasted about one hour. (See chart.)

Yes, it should have said, “Figure 2’s caption.”

The website is Perplexity.ai, it does not have a dot-com domain.

The button labeled “Send Brian a tip” is only for people to email me story ideas, not to tip me like a waiter. It’s a great idea, but unfortunately I don’t receive the money you send to AskWoody to get the premium edition!

The popular security blogs that I linked to often give anti-malware products high ratings for things like “user-friendly interface” and “quality of customer support.” The reviewers may also consider the drag on performance that an AV product places on Windows processes, but not all reviewers do so.

In my Oct. 21 follow-up column, all of the international testing organizations that I listed tend to ignore user-friendliness. They concentrate mainly on 100% malware detection, lack of false-positive warnings, performance drag, and other highly technical qualities. This makes those ratings quite valuable. I wish the two columns could have been in a single piece, but both articles were already rather long.

In the Security dialog, you need to enter virus in the search box. That is what reveals Virus & threat protection as a choice.

I’ve been using that photo since January 2021. The background is a wall of monitors from a booth at a computer show.

Photographers, of course, can always make me look better in a photo than I do in real life. Lucky me!

1 user thanked author for this post.

rc primak

Dashlane made significant changes to its pricing structure in November 2023. If the business plan you mentioned is no longer displayed on their website, it may have been eliminated. However, if you ask the company directly, you may find that the offer is still available, but only to those who remember it and specifically request it. It doesn’t hurt to ask, but I can’t guarantee anything. Good luck!

Part 1 of my series listed 12 major testing labs that ranked password managers. Those labs rated a total of 19 different apps favorably.

In a process of analysis, I narrowed the focus of my series to discuss the five apps that were the most highly ranked by the greatest number of test labs.

My series then narrowed the consideration to the two apps — Bitwarden and Dashlane — that were highly rated as well as offering both a free version and a paid verison with additional features. (Most password manager apps are paid-only with a short, free-trial period.)

Roboform was included in my list of the 19 apps that were ranked highly. However, I’m sorry to say that Pwsafe and some other apps were not top-rated by those reviewers. Please contact the test labs that are listed in Part 1 of my series to ask those reviewers to add your favorite password manager to their test suite (or to rate it more highly than they already did).

1 user thanked author for this post.

TechTango

Please see Part 1 of my series, which discusses the use of a browser to store passwords. Firefox is a secure way to do this, but I urge you to set a master password in the browser. This encrypts your password file, which otherwise is stored as plain text. If your device catches a silent Trojan horse, hackers will look for such a file and then transmit it to themselves. Watch out, bank account!

2 users thanked author for this post.

Andy M, PL1

> It’s about longevity and what will still be “available” and properly supported for the future.

No one can predict the future. But I believe that password managers with top ratings from several independent test labs have a greater chance of long life than apps with no top ratings.

A long life is especially likely for apps that have both a free version and a paid version. The free version ensures that many people will try the app. The paid version gives the developer a flow of revenue that encourages the continued development of the code. (The code could even be turned over to a third party for maintenance and support, if there’s sufficient annual revenue to justify a third party taking responsibility for the code.)

If a hacker is able to plant a Trojan horse on your device, it does not mean that the hacker would immediately have access to all the websites that you’ve established accounts with.

The Trojan would have be to able to run your device, open Web browsers on it, and so forth. Why would a hacker bother to do this on your one machine? He or she could easily sign in to websites using some of the 12 billion username/password combinations that are widely available for sale on the Dark Web.

Understandably, if someone breaks into your office or home and steals your computer, the thief can then do anything that your computer can do. (The thief can sign in to banking websites using passwords that you carelessly stored in your browser, etc.)

But no technology can help you if someone can break in and physically possess your device. Keep them locked up and secure.

1 user thanked author for this post.

J9438

Passkeys do not require biometric authentication.

The source you quoted says you can sign in to your device using a biometric sensor, PIN (e.g., a password), or a pattern (e.g., sliding your finger on your smartphone screen). Once you are signed in to your device, if it has a passkey set up, a Web server recognizes you without your having to enter another password.

This is effected using a public/private key challenge, which your device is capable of responding to correctly. No username or password is ever sent across the Net or stored by the server. The server stores only the public key that is used to form challenges.

Passkeys are a form of two-factor authentication. The first factor is that you were able to sign in to your device using a PIN, a fingerprint, your face, or whatever. The second factor is that the device contains a private key. This enables the device to correctly respond to a challenge sent by a server (which holds a public key). What passkeys don’t require is servers sending you 2FA codes via email or text message; both methods are vulnerable to hackers.

1 user thanked author for this post.

J9438

If a thief enters the wrong PIN 11 times — and you have anti-hammering technology in place, such as a TPM chip — your data is not erased. Such a rule would allow any malicious person to erase your data by simply entering random PINs 11 times. As someone else mentioned, TPM allows a certain number of wrong guesses, and then additional guesses cannot be made except 10 minutes apart. That interval allows legitimate people who really cannot remember their PIN to keep trying. But it makes brute-force guessing too slow for hackers (who can easily buy millions of credentials on the Dark Web).