Creating a solid threat model is an essential step in improving your operations security (OPSEC). It helps you identify potential threats, assess their impact, and prioritize your defenses. Here’s a step-by-step guide to help you develop your own threat model.
1. Define Your Assets
First, list the things you want to protect. These might include:
Personal Information: Name, address, phone number, Social Security number, etc.
Financial Information: Bank account details, credit card numbers, financial records.
Digital Assets: Emails, social media accounts, documents, photos.
Never use an electronic password manager; use index cards and an art-quality graphite pencil instead.
The loss, hack, crack, or malfunction of an MFA device can be absolutely devastating. Use with caution and sync three of them, one of them kept in a firesafe at all times.
Never regularly update all software and devices; choose your updates and choose your timing depending on your environment and posture instead.
Never be reliant upon an electronic home security system and lock devices (if they get that far, major damage has occurred); use a Rottweiler, Great Dane, Mastiff, German Shepherd, or Akita (never Pit Bulls or Dobermans) alongside yourself with non-lethal weapons until lethal force is used upon you, instead.
You asked and the Non-lethal (Less-Lethal) Weapons Industry has delivered: Pepper ball guns, Radically Improved Tasers, Electrical Stun Devices, Batons, Kubotans, Pellet Guns, the ColdSteel Brooklyn Smasher, Slings, and also, though you may not think of them unless you've played, Paintball Guns, which leave big nasty bruises at medium range if you're only wearing a T-shirt.
This is quite extreme. While it could be beneficial for some threat models, this was written as an example for the average Joe. OPSEC is not about having the best possible security as much as it is about having security that satisfies your threat model.
I just happened upon this thread and security of all types is my specialty, so I just wanted to say that nothing here is personal. I'm trying to be helpful by giving folks "actual security", as in not "better than putting passwords in plain text files". Lazy idiots will be lazy idiots with Keepass as well. I can't tell you how many stories I've heard from colleagues that the aforementioned people just put the main Keepass password in a plain text file.
I upvoted the OP and your reply for bringing TM novelty and awareness.
I do see what you're going for, but the mitigations you wrote can be found everywhere on the Internet for over a decade. It's average commodity information combined with the fact that we are not more secure these days, but less secure in 2024 than ever.
In the case of password databases, this is de facto less secure than paper and pencil, which is not extreme by any measure and actually takes little effort.
While I don't understand how people could possibly fail to remember ONE PASSWORD, since it is brilliantly easy to remember whole sentences and phrases that resonate with you, I do understand that laziness is profoundly common.
For this kind of laziness, I do think Password Managers should routinely scan the local disk(s) for documents with strings that can hash into being the 'master passphrase'. When found, you're instantly greeted with a requirement to change your password to a new one that isn't one you used in the past.
We do need to punish laziness like that in password managers at least. Similarly, OSes need to do this too with their own passwords.
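One way a password manager could implement the disk check proposed in that post, as an added Python example that is not code from anyone in this thread. It assumes the manager keeps a PBKDF2 salt-and-hash verifier of the master passphrase (so the scanner never handles the passphrase itself), that plaintext copies show up as whole lines or as `key: value` / `key = value` entries, and that the sample documents are constructed stand-ins for files on the local disk:

```python
import hashlib
import hmac
import os
import re
from typing import Dict, Iterator, List, Tuple

PBKDF2_ITERATIONS = 100_000  # assumed KDF work factor; use the manager's own setting

def make_verifier(passphrase: str, salt: bytes = b"") -> Tuple[bytes, bytes]:
    """(salt, hash) pair a manager keeps to check the master passphrase; the passphrase is never stored."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ITERATIONS)

def candidates(text: str) -> Iterator[str]:
    """Strings in a document that could be a pasted passphrase: each whole line, plus the
    value part of 'key: value' / 'key = value' lines with surrounding quotes removed."""
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        yield line
        match = re.match(r"^[^:=]+[:=]\s*(.+)$", line)
        if match:
            yield match.group(1).strip().strip("'\"")

def find_plaintext_master(documents: Dict[str, str], salt: bytes, digest: bytes) -> List[str]:
    """Names of documents holding the master passphrase in plaintext. Each candidate goes
    through the same KDF and a constant-time compare, so only the stored verifier is needed."""
    hits = []
    for name, text in documents.items():
        checked = set()  # the KDF is deliberately slow, so hash each distinct string once
        for cand in candidates(text):
            if cand in checked:
                continue
            checked.add(cand)
            probe = hashlib.pbkdf2_hmac("sha256", cand.encode(), salt, PBKDF2_ITERATIONS)
            if hmac.compare_digest(probe, digest):
                hits.append(name)
                break  # one hit is enough to trigger the forced rotation
    return hits
# Constructed sample documents standing in for text files found on the local disk.
SAMPLE_DOCS = {
    "notes.txt": "shopping: milk, eggs\nkeepass master: correct horse battery staple\n",
    "todo.md": "- renew passport\n- call bank\n",
    "creds.ini": "vault_password = 'correct horse battery staple'\n",
}

if __name__ == "__main__":
    salt, digest = make_verifier("correct horse battery staple")
    print(find_plaintext_master(SAMPLE_DOCS, salt, digest))  # ['notes.txt', 'creds.ini']
```

Because every distinct string costs one KDF run, a real scan has to be bounded to the file types and sizes the manager can afford, and it only catches exact copies, not a passphrase written down with a variation.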