In the first part of this two part series, I explained how to encrypt everything. Your emails, your messages, your internet browsing, and your drives. These all need to be encrypted to prevent prying eyes. But is this enough? Unfortunately, the answer is a resounding no.

While the above is a good first step, there are many websites and online services that have your personal information. You need to do your best to make sure that access to these websites and services is not compromised. Which leads us to the topic of this post: account security. From creating strong passwords, to using Yubikey hardware keys for two factor authentication, you need to secure your online accounts. This blog post will cover all the bases.

Passwords: they have to be harder than “open sesame”

Most people use very trivial and simple passwords to secure their accounts: their names, the names of their spouses, the names of their pets, or similarly easy-to-guess words. The problem is that there is already a wealth of information in the public domain that contains most of the above — and more. I can probably get your name, the name of your spouse and your pet just by searching on Facebook. This makes these words very poor choices for securing your online accounts.

Not only do most people use easy-to-guess passwords, but they also tend to reuse them across services. I can understand why they do this: they don’t want to have to memorize long and difficult passwords for each of the services they use. Who wants to memorize ten or twenty complicated passwords when they can just remember a single easy one for all their accounts?

The problem with this is that when one account becomes compromised, and it eventually will no matter what you do, all your other accounts are also compromised.

So what is the solution?

The best way to solve this issue is to use software to automate the task of password generation and storage. If a software tool is used to generate passwords, you can specify the password’s length, whether or not it contains numbers and special characters and so on. The tool can then generate a totally random password using your specifications.

These random passwords would be much more difficult to crack than the easy passwords most people use. Another benefit is that you can use the tool to generate and save a different password for each of your accounts. This means you don’t have to memorize all those passwords, you can simply retrieve them from your password manager when you need them. Convenient and secure at the same time — a difficult combination to achieve! A tool that does this is called a password manager.

You are probably asking yourself, at this point, which password manager to use. I personally use 1Password, mainly because my setup is Apple first — MacBook Pro, Mac Mini, iPad, iPhone, etc. There are many others (Bitwarden, Dashlane), but I personally prefer 1Password. All of these password managers also offer browser extensions that can automatically fill in your username and password when you visit a website you have registered with them. Password managers are a first step in securing your online accounts.

There is one catch though. There is always a catch. All those passwords need to be secured, so you need to set a very strong password to protect them. That is the password to your vault, the vault that contains all your other passwords. It is the password you enter to unlock your password manager. You need it to be as strong as possible, otherwise all your accounts will be compromised. The next section explains how you can generate a strong password without using a computer or software.

How to create strong passwords without a computer

You need to break out the dice. You read that right, I wrote that you need to break out the dice. And don’t worry, we are not going to be playing a game of Monopoly. You are going to need 5 dice if you want to do this in one go, or you can do it with one die rolled five times in sequence.

First, you need a list of big, complicated words: words that most people wouldn’t use in their passwords. Fortunately, the Electronic Frontier Foundation (EFF) has created just such a resource. I have downloaded a copy for my personal use; you can access it here.

If you open this text file, you will see each word preceded by five numbers. You should choose five words from the file to make up your password — passphrase is a more accurate term, but most people use password so I will go with that for now. The five words you choose will be selected randomly based on the throw of a die. Let us assume you have 5 dice. Pick them up, give them a shake and roll ‘em!

Read the five dice as a five-digit number and use it to look up the first word in your password. For example, if the 5 dice read 11152, the first word in your password is acclaim. Do this five times to get your five words. And there you have it, ladies and gents: a strong password to protect all your other passwords. Consider this your one password, your precious — don’t give it to any hobbit person you meet.
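To make the two generation methods above concrete (the password manager's random generator from the earlier section, and the dice-based wordlist lookup just described), here is an added example that is not part of the original post. It embeds only a constructed five-line excerpt of the EFF wordlist (the real file has 7776 entries, one per possible roll of five dice), and the list size 7776 and the helper names are the example's own assumptions, not anything from the post.

```python
import math
import secrets
import string

# Constructed excerpt of the EFF large wordlist. The real file has 7776 lines,
# each "ddddd<TAB>word" with every digit in 1..6. Only five entries are
# embedded here so the example runs offline; use the full file for real use.
EFF_WORDLIST_EXCERPT = """\
11111\tabacus
11112\tabdomen
11151\taccent
11152\tacclaim
66666\tzoom
"""

EFF_LIST_SIZE = 6 ** 5  # 7776 possible five-dice rolls


def parse_wordlist(text):
    """Parse 'roll<TAB>word' lines into a dict keyed by the 5-digit roll."""
    table = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        roll, word = line.split("\t")
        if len(roll) != 5 or any(ch not in "123456" for ch in roll):
            raise ValueError(f"bad dice index: {roll!r}")
        table[roll] = word
    return table


def roll_five_dice():
    """Five fair dice from the OS CSPRNG, joined into a 5-digit index string."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def lookup_word(table, roll):
    """The manual step: find the word printed next to the rolled number."""
    return table[roll]


def diceware_passphrase(table, n_words=5, roll_fn=roll_five_dice):
    """Roll five dice n_words times and look each roll up in the table.

    With the full 7776-entry list every roll hits a word; with the excerpt
    above we simply re-roll until the roll is present, which keeps the
    selection uniform over the words that are there.
    """
    words = []
    while len(words) < n_words:
        roll = roll_fn()
        if roll in table:
            words.append(table[roll])
    return " ".join(words)


def passphrase_entropy_bits(n_words, list_size=EFF_LIST_SIZE):
    """Each word adds log2(list_size) bits when chosen uniformly at random."""
    return n_words * math.log2(list_size)


def random_password(length=20, digits=True, symbols=True):
    """What a password manager's generator does: pick each character uniformly
    from an alphabet built from the user's settings (length, digits, symbols)."""
    alphabet = string.ascii_letters
    if digits:
        alphabet += string.digits
    if symbols:
        alphabet += string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


def password_entropy_bits(length, alphabet_size):
    """Entropy of a uniformly generated character password."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    table = parse_wordlist(EFF_WORDLIST_EXCERPT)
    print("11152 ->", lookup_word(table, "11152"))
    print("passphrase:", diceware_passphrase(table))
    print(f"5 diceware words: {passphrase_entropy_bits(5):.1f} bits")
    print("manager password:", random_password())
    print(f"20 chars from 94 symbols: {password_entropy_bits(20, 94):.1f} bits")
```

The entropy numbers are the useful part: five words from the 7776-entry list give about 64.6 bits, which is what makes the dice method strong even though each word is ordinary, while a 20-character manager-generated password over letters, digits and punctuation (94 symbols) is around 131 bits. Both rely on `secrets` (or physical dice) rather than `random`, because a guessable generator would undo the whole exercise.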

Two Factor Authentication

Strong passwords are just one part of the equation. Even if your password is strong enough to prevent brute forcing, you can still be a victim of a phishing attack. A phishing attack is when you are sent to a website masquerading as a legitimate service. It will ask you for your username and password for that service, and record whatever you enter.

To prevent you from being suspicious, a well designed scam can then either sign you in to your correct account or output an error message and then redirect you to the correct page. Your adversaries now have your username and password and hence access to all your data. If this is done well, you won’t even know what happened.

To prevent this, you need two factor authentication (2FA). This means that, in addition to your username and password, you also need to enter something else that only you know. This can be a code sent to you via SMS, or through an Authenticator app, or even a hardware key. Each of these offer varying degrees of security, but even the weakest of them is better than having no 2FA.

The better than nothing: SMS codes

SMS codes are perhaps the easiest method of 2FA. When you attempt to sign in to a service, the website asks for your username and password. If you enter the correct combination, the website sends you, via SMS, a one-time password: typically a numerical code that is only valid for a short period of time. You need to enter this code into the website to gain access.

This extra step makes phishing more difficult. There is no easy way for a scam website to guess the one-time code. If the scammers send you an SMS with a code of their own, it will differ from the genuine code, since they are not the website you are trying to access; and even if you type that code back into their page, you have only returned what they already sent you, so they gain nothing new.

While it may seem like a very strong idea, SMS is the weak link. It is notoriously unsafe: it is unencrypted, it is compromised along with your SIM if your SIM is compromised, and it can be intercepted by someone with the appropriate equipment. In short, if someone wants your account badly enough, they can compromise this 2FA method.

The better: Authenticator apps

Just as Signal and WhatsApp are improvements on SMS, Authenticator apps are better than SMS 2FA. In this method, an app generates the code you enter into the website. You first need to register the app with the website. Once it is correctly registered, you enter your username and password on the site as usual and, when it asks for a code, open your Authenticator app and copy the code shown for that specific website.

The codes generated are time sensitive and change every few seconds. Since they are generated on the device, they are more secure than SMS. But there is no Goldilocks, “just right”, solution. If your device is compromised, the app will be as well. Additionally, the app is a piece of software, subject to all the flaws that affect other code. It may be vulnerable to any number of exploits that make it insecure. Some examples of authenticator apps include Google Authenticator, Microsoft Authenticator, Authy, Duo Mobile, and, my favorite, 1Password.
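What an authenticator app actually does when you register it with a site and then read a code off it is the standard TOTP algorithm (RFC 6238, built on HOTP from RFC 4226): the site and the app share a secret at registration, and the code is an HMAC of the current 30-second time slot. The following is an added example, not code from the post or from any of the apps it names; the shared secret is the RFC test-vector secret, and the `window` tolerance and function names are this example's own choices.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret, counter, digits=6, algo=hashlib.sha1):
    """RFC 4226 HOTP: HMAC the 8-byte counter, dynamically truncate to 31 bits,
    then keep the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret, at=None, step=30, digits=6):
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / step).
    This is why the app's code changes on a fixed schedule with no network."""
    t = int(time.time()) if at is None else at
    return hotp(secret, t // step, digits)


def verify_totp(secret, code, at=None, step=30, window=1):
    """Server-side check. Accepts +/- `window` time steps of clock drift and
    compares in constant time so response timing leaks nothing about the code."""
    t = int(time.time()) if at is None else at
    candidates = (totp(secret, t + k * step, step) for k in range(-window, window + 1))
    return any(hmac.compare_digest(c, code) for c in candidates)


def secret_from_base32(b32):
    """The QR code / otpauth:// URI you scan at registration carries the shared
    secret base32-encoded and usually without '=' padding; restore it here."""
    padded = b32.upper() + "=" * (-len(b32) % 8)
    return base64.b32decode(padded)


# RFC 6238 Appendix B test secret ("12345678901234567890"), shown in the
# base32 form an enrolment QR code would contain.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"

if __name__ == "__main__":
    secret = secret_from_base32(DEMO_SECRET_B32)
    print("code at t=59:", totp(secret, at=59))            # 287082
    print("code now:", totp(secret), "(changes every 30 s)")
    print("server accepts:", verify_totp(secret, totp(secret)))
```

The security properties the section describes fall out of the code: the only long-lived material is `secret`, so whoever can read it (malware on the phone, or a compromised backup of the app's database) can generate every future code, which is the "if your device is compromised, the app will be as well" caveat. It also shows why the codes are not phishing-proof: nothing in `totp` depends on which website the user is looking at.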

The best: hardware keys

The last, and most secure, method of 2FA is the use of hardware keys. These are typically USB or NFC devices that you register with websites. After you do that, whenever you enter your username and password on a website, you will be asked to insert the key. The key will then authenticate you to the service and you are in.

Since the key is tied to a specific website, it will only authenticate if the website is genuine, which makes it easy to spot phishing websites. To the best of my knowledge, hardware 2FA has yet to be compromised in real life.
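The reason a hardware key refuses to work on a lookalike site is that the browser, not the web page, tells the key which site is asking, and the key's answer is bound to that name. The following is an added simulation written for this post, not code from the original article or from Yubico: it replaces the real FIDO public-key signatures with an HMAC-based stand-in (a labelled simplification), and the hostnames `bank.example` and `bank-example.net` are constructed for the demo.

```python
import hashlib
import hmac
import secrets


class SimulatedSecurityKey:
    """Toy model of a hardware key: one master secret that never leaves the
    device, with a separate credential derived for every site (RP ID)."""

    def __init__(self):
        self._master = secrets.token_bytes(32)

    def _site_secret(self, rp_id):
        # Derive a per-site secret; different sites never share material.
        return hmac.new(self._master, rp_id.encode(), hashlib.sha256).digest()

    def register(self, rp_id):
        # Simplification: a real FIDO key returns a public key here. This
        # symmetric model hands the site the derived secret instead.
        return self._site_secret(rp_id)

    def sign(self, rp_id, challenge):
        # The assertion covers both the RP ID and the fresh challenge, so it is
        # useless for any other site and cannot be replayed later.
        return hmac.new(self._site_secret(rp_id), rp_id.encode() + challenge,
                        hashlib.sha256).digest()


class RelyingParty:
    """The genuine website: stores one credential per user at enrolment."""

    def __init__(self, rp_id):
        self.rp_id = rp_id
        self.credentials = {}

    def enroll(self, user, key):
        self.credentials[user] = key.register(self.rp_id)

    def new_challenge(self):
        return secrets.token_bytes(32)

    def verify(self, user, challenge, response):
        expected = hmac.new(self.credentials[user], self.rp_id.encode() + challenge,
                            hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def browser_login(key, origin_host, challenge):
    """The browser passes the host of the page the user is really on. A page
    cannot ask the key to answer on behalf of a different host."""
    return key.sign(origin_host, challenge)


def demo():
    """Returns (genuine_login_ok, relayed_phishing_login_ok)."""
    key = SimulatedSecurityKey()
    bank = RelyingParty("bank.example")
    bank.enroll("alice", key)

    challenge = bank.new_challenge()
    genuine = bank.verify("alice", challenge,
                          browser_login(key, "bank.example", challenge))

    # A lookalike site relays the bank's real challenge to the victim, but the
    # browser names the lookalike host to the key, so the response is bound
    # to the wrong site and the bank rejects it.
    relayed = browser_login(key, "bank-example.net", challenge)
    phished = bank.verify("alice", challenge, relayed)
    return genuine, phished


if __name__ == "__main__":
    print("genuine login ok, relayed login ok:", demo())  # (True, False)
```

Compare this with the TOTP code earlier in the post's authenticator-app section: there, the six-digit code is the same no matter which page the user typed it into, so a relayed code works; here, the origin is an input to the signature, so a relayed response fails without the user having to notice anything.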

By far the best hardware keys to use for 2FA are produced by Yubico (they are called YubiKeys). I personally have two of them: one is with me at all times and the other is in a secure backup location. You can check out YubiKey devices here: Yubikey.

Conclusion

It is very important to secure your online accounts. The first step is to generate a random, different password for each service you use. The best way to do this is to use a password manager; I recommend 1Password. The second step is to turn on 2FA on all of your accounts that support it. Aim for 2FA using Authenticator apps or hardware keys. And remember that security is a team sport: encourage all your friends and family to secure their accounts. Be safe.
