Online Security 201: Credentials

Introduction

In this part 2 of our Online Security guides, we’ll talk about how best to manage your online credentials. 

As we all know, the internet can be a dangerous place. There are hackers and scammers waiting to take advantage of any opportunity to steal our personal information. That's why it is important to be diligent about managing our online credentials.

‍

Password managers

‍

One of the best ways to protect our credentials is to use a password manager. This is a software program that helps us to create and manage strong, unique passwords for all of our online accounts. It's important to use a different password for each account, and a password manager can help us to keep track of them all.

Beyond simply generating passwords, most password managers will offer a variety of security features to help keep your passwords safe. Here are some of the most common security features you'll find: 

• Two-factor authentication (2FA): This adds an extra layer of security by requiring you to enter a second code (usually generated by an app on your phone) in addition to your password. This makes it much harder for hackers to gain access to our accounts. Some services offer this for free, for others, it's available at an additional cost.
• Local Encryption: This ensures that your passwords are stored in an encrypted format so that even if someone gains access to the password manager servers, they won't be able to read your passwords. 
• Password strength checker: This checks the strength of your passwords and will flag any passwords that are too weak. This is important because weak passwords are much easier for hackers to guess. Some services also download “cracked” lists of passwords and cross-reference them with your existing passwords, to make sure to alert you when it’s compromised.
• Automatic logout: This logs you out of your password manager after a period of inactivity. This ensures that even if someone does gain access to your device, they won't be able to access your password manager unless they have your master password. 
• Password Sharing: Many password managers also have a family or team plan, that way you can share your Netflix password amongst friends, not that anyone ever does that right?

‍

Site specific 2FA

‍

Since not everyone is currently using password managers, many sites have taken it upon themselves to implement 2FA on their sites. If you are provided with a list of options to choose from, be aware that some methods are safer than others, here’s a rough list of increasing levels of security:

• Text/SMS: Despite this being the default method for many large financial institutions, this is actually one of the least safe 2FA methods. This is because hackers can port numbers by pretending to be a customer and take control of a phone number without user authorization. Only recently have carriers beefed up their security in this area. But why leave your security up to them? Use one of the other options below if available!
• Email: If you have a google email account, it employs fairly sophisticated security measures to make sure that the person signing in is indeed the rightful owner of the account. Some of the methods are not even published publicly to further protect users. If you have gone through a google security check and enabled 2FA on your email + linked a phone for verification, then you are pretty well protected.
• Authenticator App: Google Authenticator or Authy will generate a one-time passcode specifically for the site you are login in on. This makes it more secure since it’s not used for anything else, further reducing collateral damage in case of compromise.
• Security Keys: These are almost the same as Authenticator Apps, but the authentication comes from a physical device. This is better because Authenticator Apps information must live both on the phone you are using, as well as the site that is requesting it. If the site is hacked, it renders the 2FA useless. On the other hand, security keys that follow the U2F standard are designed to use asymmetric encryption such that sites can verify you have authorization without being able to gain access to your key. This means you can use the key on multiple sites without fear of it being compromised.

‍

Redundancy

Do you have a backup email to recover in case you lose your phone and access to your primary email? Now that you have an impregnable setup for security, make sure you don’t lose access yourself!  This is where redundancy comes in. Think about it in terms of different “mediums”.  If all your information is stored digitally, then it may be worth it to have backup recovery codes of the 2FA services stored offline. If you are using security keys, maybe you want to set up 2 security keys with authorized access, and have one stored in a safe place.

‍

Conclusion

By taking these steps, we can keep our online credentials safe and secure. While nothing is foolproof, we can make it significantly more difficult for hackers to compromise our online credentials. Even in case of compromise, these steps will minimize the collateral damage and allow us a fighting chance to regain control.