Hey, My mother is a non-technical person, she's a sole trader. She has been using Google services for many years and is probably used to them. A few months ago, I was able to convince her to set up an online password manager and calendar (up until now, she had been saving all her passwords in a handy paper calendar).

Should I convince her to withdraw from Google services? If so, how should I do it so as not to put too much pressure on her?

Thanks for all the answers.

  • Boring@lemmy.ml
    link
    fedilink
    arrow-up
    58
    ·
    1 year ago

    Forcing the older generation to change from a service that works perfectly fine to another one that isn't as polished and isn't a houshould name is a loosing battle.

    I'd just bring up privacy concerns from time to time and suggest ways to increase their privacy when they ask for advice.

    • Doc Blaze@lemmy.world
      link
      fedilink
      arrow-up
      10
      ·
      edit-2
      1 year ago

      this scares me because the analogy for us we get older is I don't want to be sitting here still feeling great about my 256 bit AES when quantum computers had cracked rijndael for the nsa for years already and the rest of the world is on elliptic curve cryptography.

      edit: I mean lattice crypto, not elliptic curve

        • Doc Blaze@lemmy.world
          link
          fedilink
          arrow-up
          4
          ·
          edit-2
          1 year ago

          is it really? I was under the impression that there are are already quantum algorithms to break aes if the tech was there. also I meant to say lattice cryptography, not elliptic curve.

          edit: yes apparently 128 bit keyspaces are fucked, 192 isn't looking great either, but as for the attack algorithms out now 256 would still be safe.

          • Chobbes@lemmy.world
            link
            fedilink
            arrow-up
            2
            ·
            1 year ago

            Yeah. There’s an attack that roughly halves the effectiveness of AES, but symmetric encryption is thought to be safe overall. If it’s not we’re super fucked.

            Fair enough! I always get the ECC and lattice stuff mixed up too. ECC isn’t really all that different from RSA. The key sizes can be smaller for the same strength and it’s more efficient, though. This mostly benefits servers that will be handling a lot of encrypted connections AFAIK.

            • Doc Blaze@lemmy.world
              link
              fedilink
              arrow-up
              1
              ·
              1 year ago

              part of the issue is that just because something is secure now doesn't mean it will still be in 5 years. so with quantum algorithms no doubt going to improve once the tech matures, and moreso with companies hoarding everyone's data until that time, it's only a matter of time before all that stuff is entirely breakable. so even if we keep up with the times it feels like a losing battle.

              • Chobbes@lemmy.world
                link
                fedilink
                arrow-up
                1
                ·
                1 year ago

                I'm not sure I'd consider it a losing battle at all. It's certainly possible for there to be weaknesses in modern day cryptography, but in general it has stood up remarkably well over quite a long period of time so far. The possibility of quantum computers makes things like RSA and ECC a little dicey in the long term, but we're already working on post-quantum cryptography and are starting to deploy it. Assuming that those algorithms hold up there's a good chance that if quantum computing is ever practical we will be ready for it. There's a good chance that you are even using post-quantum cryptography now in certain situations (e.g., recent versions of SSH uses post-quantum cryptography for key exchange).

                Most people do not decide what cryptography they are using. I'm not really worried that in 50 years I'll be using something dated for most stuff as long as I'm using modern software. The most likely case where this could matter is for something like SSH or PGP where you are manually managing your own keys… When RSA and ECC keys are no longer considered secure that will be pretty big news, and you'll probably hear about it, but there's also a good chance that the software will be updated and provide warnings that you should generate new keys too?

                • Doc Blaze@lemmy.world
                  link
                  fedilink
                  arrow-up
                  1
                  ·
                  edit-2
                  1 year ago

                  what I mean is that, connections that are private and secure in the current day, may still be logged since everyone is so data hungry to train their AI, because even though it's not currently readable, those past messages will be tomorrow, even if the encryption of the day changes. it only protects the things under the current standard. that's sort of unsettling to me that nothing is truly guaranteed safe for even 5 years, despite how deep the key space goes.

  • Objects in Space@infosec.pub
    link
    fedilink
    English
    arrow-up
    36
    ·
    edit-2
    1 year ago

    Unless there are some circumstances that switching will protect her then no. My opinion of course. I learned a long time ago that nontechnical people, young or old, need to value and want to use the tools or it will only cause frustration and less trust in your opinion on other things that may be more critical.

    You can explain why something is better or worse but let them make their own choice without being pushed or they won't be invested in the change.

  • lud@lemm.ee
    link
    fedilink
    arrow-up
    16
    ·
    1 year ago

    Are you willing to support her on every single email related problem? There is a risk that everything that is not working will be your fault.

  • ooli@lemmy.world
    link
    fedilink
    arrow-up
    13
    arrow-down
    1
    ·
    edit-2
    1 year ago

    ProtonMail had a non removable signature ad at the end of every mail you write (could be a deal breaker), last time I checked.

    Good luck trying to have her abandon Google anyway

  • SitD@feddit.de
    link
    fedilink
    arrow-up
    7
    ·
    1 year ago

    i don't know if someone else mentioned it but another thing: probably all her friends use gmail and because an email always has a sender and a receiver, her privacy is out of the window regardless. I'd rather focus on getting her a browser with extensions to reduce how much she's being tracked

  • UrielMC@kbin.social
    link
    fedilink
    arrow-up
    3
    ·
    1 year ago

    have you thought about skiff mail? its open source and pretty easy to use (you also get 10gb on skiff drive for the free plan)

  • cheese_greater@lemmy.world
    link
    fedilink
    arrow-up
    3
    ·
    1 year ago

    If you must, get her Fastmail. Anything else more complicated than that (it has an app like Proton) and you're going to be unpaid tech support for all time

  • currawong@lemmy.ml
    link
    fedilink
    arrow-up
    2
    ·
    edit-2
    1 year ago

    I think Infomaniak would give her a more similar experience to Gmail if you're in Europe. 20GB of mail storage + 15GB on KDrive, contact app, document editing, visio, file transfer, etc.

  • akilou@sh.itjust.works
    link
    fedilink
    arrow-up
    3
    arrow-down
    1
    ·
    1 year ago

    Are you going to pay for her account or do you also need to convince her to pay? It's gonna be a hard sell.

    Also, the Android app is not very polished. I think she's going to have a hard time moving over if 1) she's not a technical person and 2) isn't willing to give up creature comforts for the sake of privacy.

  • Dude_Dudley@iusearchlinux.fyi
    link
    fedilink
    Afaraf
    arrow-up
    2
    arrow-down
    1
    ·
    1 year ago

    I would say an online password manager is more of a risk than an IRL paper in a safe place. The best security is a locally stored password database with 2 factor.

  • K4sum1@lemmy.zip
    link
    fedilink
    English
    arrow-up
    3
    arrow-down
    6
    ·
    edit-2
    1 year ago

    I guess a honeypot is better than Google, but if it works for them you probably shouldn't touch it.

    Also you took her passwords from being fully offline to hackable good job.

  • glowie@infosec.pub
    link
    fedilink
    arrow-up
    3
    arrow-down
    15
    ·
    1 year ago

    Considering PM is basically a honeypot at this point (can't trust they're not monitoring with a gag order preventing warrant canary), I wouldn't recommend them even to my enemies.

    • QuazarOmega@lemy.lol
      link
      fedilink
      arrow-up
      14
      ·
      edit-2
      1 year ago

      Now that's an extreme statement. If your concern are the governments then you shouldn't even be using email in the first place, it wasn't built for private communication and all the attempts that were made to make it more private immediately fall apart when 90% of your contacts are sitting on Gmail.
      Proton is good for what it is, i.e. not Google.
      Who would you suggest otherwise?

      • glowie@infosec.pub
        link
        fedilink
        arrow-up
        4
        arrow-down
        1
        ·
        1 year ago

        Tutanota. Or any other e2ee email provider that still has a good reputation of not spying on behalf of a gov request.

        • QuazarOmega@lemy.lol
          link
          fedilink
          arrow-up
          2
          ·
          1 year ago

          That's a fair suggestion, but still, that's not "spying", that's just called "complying with the law", if any service didn't, they'd risk shutting down.
          The problem is at the root, it is that they have or can have the data passing through your address (unless you encrypt everything you can with PGP, but who uses that realistically? I wish it were more popular…). When they have the power to get relevant data on you in any way, you can't ever fully trust them.
          The only sure way to protect yourself from such threats is by using a whole different kind of platform where the provider couldn't ever get the data, not even if it wanted, all private instant messengers are what PGP wishes it could be and way way more and meets exactly that purpose

          • glowie@infosec.pub
            link
            fedilink
            arrow-up
            4
            arrow-down
            1
            ·
            1 year ago

            For sure, email is an insecure means of communication. But, that wasn't the request of the OP. They're not asking for an e2ee messenger recommendation, but thoughts on PM. And I provided an honest suggestion that they simply cannot be trusted, regardless of whether or not they complied because "it's the law".