TL;DR; - For normal people not in danger
If you’re not under imminent legal or physical threat then what you should do is the following:
- Generate a random set of 5-7 words.
- Hackers use what you post online to narrow guesses
- Must be random and meaningless to avoid making easier for attackers
- It’s okay to write it down, you just need to not put it somewhere for anyone to find it.
- You probably want to use something other than just spaces between the words.
- Sign up for 1Password and use the pass phrase you just made.
- Don’t use it anywhere else.
- Use 1Password for creating and storing passwords for all your services.
- As you login to a service try auto-filling it using 1Password and adding it if you haven’t already.
- Over time you should go back and change your passwords to ones 1Password makes for you.
- For things like computer accounts or accounts you need before you can install 1Password (Google for Android, Apple for iPhone) use a set of words like before since you’ll need to type them in instead of letting 1Password type them for you.
- (Bonus) Install Authy or Google Authenticator and setup 2FA
- Very easy step. Go to Google, Twitter, and Facebook and setup using a Mobile Device Authenticator and scan the QR code.
- Do not enable any “syncing” features.
- While 1Password supports this, do not use 1Password for this because 2FA only matters so only the person with the device can generate the code. 1Password syncs which means if someone were to ever get access to your 1Password they’d have the 2FA codes right there.
- Most services require printing “back up keys” which you’d use if you lost your phone. Print these and keep them somewhere safe and out of sight. Taped behind a random drawer is probably as paranoid as you need to get. Keeping these offline is WAY easier than keeping them secure on a computer, but if you can’t print them then storing them in some kind of AES encryption with a random passphrase in 1Password is a good option. (Obviously, this means if someone has 1Password and access to where the backup keys are then they can bypass 2FA).
- (Super Bonus) Get a YubiKey or another Hardware Security Key and use that for 2FA.
- If you have an iPhone like me this is hard to use because NFC APIs Apple allows are not able to talk to the Security Key in order to do more complicated authentication. Google recommends one which uses Bluetooth LTE to get around this for their high security account program.
What is being secure? To be perfectly secure is to simply not exist or simply not exist in any way with any kind of meaning. Everything is, at some point, based on faith and trust. First in your senses and grasp on reality then on those whom you think you know the most and finally in the large corporations which make the products we use today. It is, frankly, quite pointless to argue about threats which are not specific because very few people have the money or political power to meaningfully protect themselves against those threats and that those threats are often so unlikely that you’re likely wasting that resource which could be used for SO much more.
So what is being secure? Keeping important information which could be misused only in the hands which it should be. Most of the time the best number of people who should have information is 1, but 0 is even better. 2-5 is also okay and often needed, but it’s not the best it’s just practical because security doesn’t exist in a vaccum and is merely something which you must balance against your goals to hedge your weaknesses against something or someone who might wish to use some information or access you have in a way which harms or affects you.
Again, the above is very vague because I want to express the idea of this being a huge problem which you need to be very realistic about dealing with so that you, as
Secure your accounts
Password strength is simply an attempt to show users, without explaining everything here, that a longer password requires more “work” in order to “crack” than a shorter one. But, in reality, while making a longer password for most users is almost always better, the length isn’t as important as how random the password is and therefore it doesn’t fall prey to techniques to not guess passwords that no one would use.
When websites are hacked and passwords taken, passwords are often kept in
the database hashed. Sometimes it is also salted. What that means is the
password is taken through a math function, of which there are many (some
more secure than others), which makes it impossible to reverse the
operation and get the password. However, if you run the password again
through the function it will always match. If you change just a single
letter then the result is completely different. If you simply hash
"password" then when you steal a database you can easily recover the
password because you have what’s called a “rainbow table” with all the
passwords you’ve hashed ready to reveal the hashed passwords in the
database. So web sites add a “salt” which is just a highly random set of
letters which aren’t encrypted in the database, but simply make it so the
text hashed isn’t just
which requires the hacker to try every-single-password they’ve tried
before, but with this hash. All of that takes time even though comptuers
are getting faster and faster at hashing (this is related to crypto
currencies since as they hash faster that also means password hashing can
Since the database with stolen passwords is often just kept as a file there is nothing at that point to protect the passwords from being tried millions of times until a match is found.
For most services having a secure password is important. Services make sure to have enough servers to allow many users to login and use the service at once and often creating a system to detect repeatedly failed logins is not done until the service has been running for a while and only if someone realizes this is important. As a developer I know that most services likely do not use something to track that. Therefore, for most servies it may not allow to try passwords as quickly as you can “offline” it is still faster than only a few per hour.
Hardware Security Keys
Hardware Keys are nice because they help protect important things like certian kinds of private keys and secret values that protect your accounts and data online.
Yubico makes the most popular of these kinds of keys called the ‘YubiKey’. They have all kinds of versions which contain NFC, use USB A or C, and which go on your keychain or stay flush against the side of your computer’s USB ports.
While YubiKey is the most popular and most used, it is not entirely opensource or using open components. SoloKeys tries to solve that by having done a kickstarter to create an entirely opensource security key with all the features of YubiKey.
Hardware Security Keys were designed mainly for Laptops and Desktops which often do not have a Hardware Security Module (HSM) which can be used to generate truly random numbers for keys and securely store private keys. On the other hand, iPhones for instance do have an HSM built in and so do any of the new Macs featuring a T2 chip. I think that’s why Apple has not yet cooperated in making YubiKeys work nicely with iOS.
Because YubiKeys have a hard time working with iOS Google recommends a different security key which uses Bluetooth LTE instead of the usual NFC that Android devices can use with YubiKeys (iOS doesn’t allow “writing NFCs”, likely to secure Apple Pay, which is required for more advanced authentication methods YubiKey supports like using PGP keys).