
What if someone steals my computer?

Posted: Fri Jan 08, 2021 12:49 pm
by wtech_josh
I’d like to talk to you about this. My issue is that I’m trying to determine how to secure the data. Since I am running a lending company like a lot of your clients, and I am going to be taking on investors who are going to be investing an awful lot of money in my company, if they ask me about security I wanna have a good answer for them. Not just your software but the actual computer that it is housed on.

Because it’s currently housed on my personal computer, I’m worried that the security will be insufficient. Do you have any experience or thoughts about this? Is there a way that I can set this up for security that would satisfy most people while not creating a total headache on my own personal computer? I’m fine with buying a separate computer to run the software or using some kind of a virtual machine running Windows like you were talking about. I just want to have a conversation about what the best solution might be and where there could potentially be security issues and how those could be alleviated.

Re: What if someone steals my computer?

Posted: Fri Jan 08, 2021 1:00 pm
by wtech_josh
Add a strong password to your portfolio – Portfolio > Configure Portfolio Users > add a user account for yourself and give it all the permissions and choose a really strong password > click Save.
ml3 create user.png
Now select yourself and click the Primary (star) button to mark your account as a file password. Then check the box to require a password when opening the portfolio. Close the Portfolio Users window.
ml3 require password.png
Now, every time you open Moneylender, you’ll need to enter the password. If you lose the password, the data is gone forever. The encryption on the portfolio file system is industrial-grade. An entire datacenter would take decades to break it – as long as your password is insanely strong. The file encryption itself is super strong, but the password encryption is also super strong. Various techniques for cracking passwords such as rainbow tables and brute force cracks on the password are ineffective because Moneylender uses an expensive salted hashing algorithm.

I had a “friend” that used to be something of a miscreant. He once told me how he saw a laptop that had been left alone briefly in a person’s driveway. He stole the laptop and the owner turned out to be an accountant. My friend sold the laptop to people that used the information on the laptop to commit identity theft on all the accountant’s clients. This is a scenario that Moneylender’s file-level password protection completely abates.

Further, you could put your portfolio file directly into the hands of financial criminals and they would have no way to open it. The real proof is that even I would be utterly powerless to help recover the portfolio – even if I set my computer to run for years trying to crack its way in. It’s locked permanently. This means it’s entirely safe to have Moneylender auto-backup a password protected portfolio to Dropbox or OneDrive. Even if your Dropbox account is compromised and someone accesses your portfolio backups, they won’t be able to decrypt it without your strong password.

The network systems in Moneylender have a similar encryption and password treatment, so even the conversations between host and client computers are secured and can’t be spoofed if strong passwords have been chosen everywhere.

You can add more users and mark them primary, and that way if one person forgets their password, another person can log in, edit the forgotten password and you don’t lose everything because of a mental lapse. You can have up to ten primary users. Remember that the portfolio is only as secure as the weakest password, so don’t let anyone choose something stupid like “password” or the name of their cat or their favorite sports team+the championship year. If you’re protecting the identities of hundreds of people, take it seriously and use a 12+ character password with uppercase, lowercase, numbers and symbols. Most of the passwords I use for even trivial logins are random and around 20 characters long. If it’s something I have to remember, then I usually use a sentence that lends itself to putting symbols and numbers all over it.

Moneylender has sufficient cryptographic security to comply with government and industry best practices regardless of the physical security of the hardware. Run it on a potato in a den of thieves and it’ll still be secure enough for government secrets. 😉
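
The scheme described in the reply above (an expensive salted hash guarding the file, with several primary users who can each open it) is commonly built as per-user password "key slots". The sketch below is an added illustration, not part of the original post and not Moneylender's code. The thread does not name its algorithm, so scrypt, the cost parameters, the function names, and the XOR-plus-HMAC wrap (standing in for a real key-wrap such as AES-KW) are all assumptions.

```python
from __future__ import annotations

import hashlib
import hmac
import os

# Assumed cost parameters; each guess costs about 16 MiB of memory and tens of ms.
SCRYPT = dict(n=2**14, r=8, p=1, dklen=64)


def _derive(password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch a password into a 32-byte masking key and a 32-byte MAC key."""
    out = hashlib.scrypt(password.encode("utf-8"), salt=salt, **SCRYPT)
    return out[:32], out[32:]


def make_slot(password: str, file_key: bytes) -> dict:
    """Wrap the shared file key under one primary user's password."""
    salt = os.urandom(16)  # unique per slot, so precomputed (rainbow) tables do not apply
    mask, mac_key = _derive(password, salt)
    wrapped = bytes(a ^ b for a, b in zip(file_key, mask))
    tag = hmac.new(mac_key, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def open_slot(password: str, slot: dict) -> bytes | None:
    """Return the file key if the password fits this slot, else None."""
    mask, mac_key = _derive(password, slot["salt"])
    expected = hmac.new(mac_key, slot["salt"] + slot["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, slot["tag"]):  # constant-time comparison
        return None
    return bytes(a ^ b for a, b in zip(slot["wrapped"], mask))


def unlock(password: str, slots: list[dict]) -> bytes | None:
    """Try every primary-user slot; any one correct password recovers the key."""
    for slot in slots:
        key = open_slot(password, slot)
        if key is not None:
            return key
    return None  # no slot matched: without a valid password the key is unrecoverable


if __name__ == "__main__":
    file_key = os.urandom(32)  # constructed sample key that would encrypt the portfolio
    slots = [make_slot("correct horse 9!Battery", file_key),   # constructed passwords
             make_slot("Second-Primary#2021", file_key)]
    print(unlock("Second-Primary#2021", slots) == file_key)
    print(unlock("password", slots))
```

Because every slot wraps the same file key, the weakest password among the primary users sets the strength of the whole file, which is the point the post makes about password choice.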