In our last post on browser security, we talked about how developing a broader security mindset can help keep your website safe. By taking steps to secure your online accounts you can prevent hackers from gaining unauthorized access to your website. There are a number of ways that compromised accounts can leave you exposed to a website security incident – including but not limited to – your email, registrar, hosting company, repositories, and even social media accounts.
Many people understand the importance of using strong passwords, two-factor authentication, password managers, and logging out after a session. While best practices should always be implemented, we all get lazy or forget sometimes. Maybe we skip the initial process of activating 2FA when setting up an account and then don’t remember to do it later.
This post is the second in our series on personal security. We will go over best practices for securing your online accounts (reminders for most). If you haven’t done this in a while, make time to audit your accounts and strengthen your overall security posture.
1. Password Management
The best possible scenario is to use completely unique passwords across all of your accounts, especially for critical online services.
i. Strong Passwords
It’s generally recommended that making long and complex passwords is the most effective strategy. It doesn’t take much for malicious programs to attempt millions of passwords to crack your accounts.
ii. Password Strength Meters
Most password strength meters on signup pages are far too lenient for my taste, and some online accounts even restrict the length and characters you can use. This is something you should be wary of.
If anything, you should aim to use the longest password possible for any system. This is made much easier with a password manager, which we’ll cover shortly.
I also avoid using third-party password strength meters. Who knows if they are recording passwords and other information – it’s not worth that risk.
I generally use passwords that are 50+ characters long and include a random mix of lowercase, uppercase, numbers, and special characters.
iii. Password Manager Tools
The whole process of making passwords is tiresome. Fortunately, there is a solution. Password managers hold all of your passwords and auto-fill them into login windows. Many popular password managers also include a password generator. You just need a master password to log into your password vault. It goes without saying that your master password should be one of your strongest passwords.
When it comes to browser-based password managers, these should be avoided. I covered this in my last post, where we discussed how browsers often store passwords in plain text. The ideal password manager offers strong encryption of your stored passwords.
I used LastPass for a long time because I liked the convenience of having my passwords across all my devices. However, I experienced occasional connection issues and was unable to access it when that happened. This reminded me that password managers often rely on a third party server – one that isn’t under my control, and that I know few technical details about.
No matter how secure a piece of software is, there is always a chance of vulnerabilities being present. LastPass had its share of security issues in the past, although they were quickly addressed. While it’s not my current choice of password manager, it’s a user-friendly option for beginners and offers a handy security test to help you make sure all of your passwords are strong and unique.
KeePass and Yubikey
The only password manager I use now is KeePass. This allows me to control my own password database. I store my KeePass configuration file in an encrypted Veracrypt file container, including two separate backups of the Veracrypt file container on flash drives stored in separate safe remote locations.
To unlock my KeePass file I use a two-part system to enter my master password. First, I use a Yubikey static password that is 64 characters. After inserting my Yubikey USB stick (I keep mine on my physical keychain) I enter the rest of my master password manually. This second part of my password is over 30 characters long, and I have it memorized so it isn’t written down or stored anywhere. In case I lose my primary Yubikey, I also keep a backup Yubikey in a safe remote location. You can get a keyfile if you want, but with both of these options in play, along with my password being 94+ characters in total, I feel that is secure enough for me.
Yubikey is supported by some services for 2fA, and Authy is another alternative to look into.
iv. Login Timeout Considerations
Another thing to consider with password managers is login session timeouts. Most password managers offer a way for you to adjust the timeout settings. For example, you never want to check the option to “keep me logged in” for 30 days or whatever.
I use KeePassX on MacOS and under KeePassX > Preferences > Security I have the first (10 seconds), second (300 seconds), and fourth boxes checked. For General, I have the first 5 boxes checked. Once I’m done getting the login information I need, I close KeePassX so it’s only open for as long as I need it.
Two-Factor Authentication (2FA)
Enabling 2FA means adding a second line of defense after your password is entered. This secondary password is often time-limited and available inside a mobile app like Google Authenticator. This means an attacker would also need to have access to your mobile device in order to unlock your account.
i. 2FA via Apps
Many popular services use 2FA, and more are joining the bandwagon. There is even a website you can use to request 2FA for services that don’t have it yet.
To activate 2FA, log into your online accounts and look through your settings panels. If you can’t find an option to enable 2FA, you can contact the support team and let them know you want to see them implement 2FA.
ii) 2FA via SMS
Other forms of 2FA exist, but using text messages (SMS) to receive a code can be less secure when the attacker knows your phone number. For cases where 2FA is only available through SMS, I use the Sudo app and one of the available virtual phone numbers just for 2FA. This helps to reduce the risks associated with SMS-based 2FA. Google Voice is another option that you can use for the same purpose. I don’t use it due to the way Google collects information, but it’s an option you might want to consider.
4. Account Security Considerations
There are a number of additional things you can do to keep your online accounts locked down as secure as possible.
i. Inactive Accounts
Old unused accounts can be troublesome, especially when they contain personal information. If you don’t need an account anymore, delete it.
ii. Security Questions
For security questions, I always generate a random answer to the question and add it to my encrypted KeePass notes. This is a good option to ensure hackers can’t guess the answers to my security questions.
iii. Usernames and Email Addresses
The same thing goes for any service that requires a username. I generate a random username whenever I can. I also use a random Proton Mail email address with unique aliases for each service that I sign up for. I never give out the main email address associated with the Proton Mail account, nor do I use it to send any emails. This way no one knows the email address associated with the account. I use Proton Mail aliases for more important online accounts, but they do have a limit of 50 aliases currently. For less important accounts, I use Blur which offers free email aliases, which I have forwarded to a unique Proton Mail alias.
It’s also important to never use defaults for usernames or passwords, as these can often be easily guessed or compromised.
Smart hackers will use your login for one service to try to break into the same username on other accounts. There are services that make it easy to find out which accounts use the same username across other popular services. If you use the same password for these accounts, you’ve multiplied the risk associated with this.
iv. Changing Passwords
Just to be safe, I change my passwords every 6 months. If I expect a compromise or anything suspicious, I change all of my passwords across all critical services.
You have to balance your own scales of security and convenience. I personally get enjoyment out of attempting to maximize my security, but I realize it’s not that fun for everyone.
If you can learn to embrace the art and science of security, you will find that these extra steps are reassuring in a world where cyber security threats are becoming more complex and commonplace. Ultimately, what seems like paranoia to some is a harsh reality to people who see attacks happen every day as a result of poor account management.