Simple internet security improvements for the average person

I’d like to present here a couple of simple internet security improvements that won’t slow you down too much and will improve your personal security posture dramatically.

Password manager

Use a password manager. It’s easy - as easy as using your browser’s “Remember this login” feature, and far more secure. You’ve got a few options depending on what features you want.

  • Seamless, browser-based, hosted: LastPass, Dashlane, Bitwarden

Personally, I use Lastpass to store my passwords. It’s got a good password generator and good UI, browser addons for Chrome, Firefox, Safari, and Opera, and several mobile applications including those for Android and iPhone. All this is available to you for the low, low price of free. It took me a couple of days to migrate my logins from Chrome’s cache into it (since I was regenerating all of my passwords as I was importing them), but now it’s just as easy to use it as it was to use Chrome’s cache. Easier, now, because I can switch browsers & use my logins in various mobile apps on my Android phone. Their security evaluation compares you to other LastPass users on things like password variety, average password randomness, and time since last changed, which is what caused me to go through and change up all my passwords on import. I pay for LastPass (at $2/mo) in order to get support for my YubiKey, though I’m tempted to downgrade because they support TOTP (Google Authenticator-style) two-factor for free. They produce a TOTP application as well, which backs up your 2FA keys into your LastPass database in case you lose your device & have to replace it (as far as I can tell this does not defeat 2FA since you have to enable 2FA on your account in order to use the cloud backup functionality). They claim to have the ability to automatically change some passwords, but I find this to be too finicky and it rarely works for me. Overall, it’s been a solid password manager for me.

Your other options are Dashlane, which I have not used, and Bitwarden. Dashlane looks like they prioritize good UI above anything else. They’re a bit more expensive than LastPass - at $3.33/mo - and they say that cross-device syncing is a paid feature, so I skipped it when I was comparing my options for password managers. Bitwarden, on the other hand, is free like LastPass and supports more browsers (including Brave & Vivaldi), though it only has mobile apps for Android & iPhone. It’s also possible to host your own Bitwarden instance if you’re particularly security-conscious. Notably their browser addon was updated for Firefox 57 (Quantum) about a month before LastPass’s was, which is why I was considering moving to their service.

  • Local file based, not auto-filling: 1password, KeePass

KeePass is the leading open source file-based password manager. There are many clients available that work with KeePass databases, for all operating systems, and it’s free. I make heavy use of KeePass for passwords I need to bring to places where I won’t have an internet connection, would prefer to not sync up to the cloud, or want to make sure to have in case of a network failure. Just like you want to make sure to have your infrastructure documented outside of the applications you support (e.g. Confluence), you want to make sure you can access your infrastructure devices without your application layer as well. The only downside I’ve found is that it’s one file, and syncing it between multiple users must be done from within the application to ensure changes aren’t lost. Even then, if a record has conflicting modifications, KeePass will choose a winner silently (though it does store the loser in the history of the record). This would be an ideal backup format for passwords if you’re currently storing yours in the application layer.

1password is one of the more popular local storage based password managers. It only has Mac & Windows desktop clients and Android & iOS mobile clients, so it’s not a match for me - I use Linux everywhere. They do support syncing your passwords over their cloud service, but you can opt into using local files & syncing them over your method of choice - whether that’s Dropbox, iCloud, or rsync. At $3/mo I’d expect more from them - I’d say LastPass is better at cloud stored passwords, KeePass is better at locally stored passwords, and both are cheaper. Your mileage may vary though - I have a coworker who swears by 1password.
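The two things the password-manager section leans on are a generator that draws from a cryptographic random source and an audit of "password variety" and "randomness". As an added illustration (not code from this post or from any of the managers named above), here is a small generator and audit in Python. The four character classes, the 20-character default and the audit fields are my own assumptions, not any product's rules.

```python
import math
import secrets
import string

# Character classes a generated password must draw from.
# Assumption: these four classes approximate the "variety" a manager audits.
CLASSES = {
    "lower": string.ascii_lowercase,   # 26
    "upper": string.ascii_uppercase,   # 26
    "digit": string.digits,            # 10
    "symbol": string.punctuation,      # 32
}
ALPHABET = "".join(CLASSES.values())   # 94 distinct characters


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a string chosen uniformly at random: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def missing_classes(password: str) -> list:
    """Names of the character classes the password does not contain."""
    return [name for name, chars in CLASSES.items()
            if not any(c in chars for c in password)]


def generate_password(length: int = 20) -> str:
    """Generate a password from the OS CSPRNG (secrets) containing every class.

    Rejection sampling keeps the result uniform over all compliant strings;
    'pick one of each class, then shuffle' would bias the distribution.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not missing_classes(candidate):
            return candidate


def audit(password: str) -> dict:
    """A manager-style check: length, entropy and missing classes.

    The entropy figure assumes the password was generated uniformly from
    ALPHABET; for a human-chosen password it is an overestimate.
    """
    return {
        "length": len(password),
        "entropy_bits": round(entropy_bits(len(password), len(ALPHABET)), 1),
        "missing_classes": missing_classes(password),
    }


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, audit(pw))
```

Run it and a 20-character password over 94 symbols comes out at about 131 bits, which is why regenerating every login on import (as described above) is worth the couple of days: a human-chosen password of the same length rarely comes close.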

Two-factor authentication mechanism

2FA is being supported in more places every day. There’s surprisingly little overhead with using modern hardware or app-based 2FA (at least, no more than using an RSA SecurID). Make sure when you set this up that you note the backup login codes somewhere safe - perhaps printed and in a physical safe. Also, don’t use SMS for two-factor if you can avoid it. If someone can get a SIM card issued for your account or move your number to a different phone, a matter of social engineering that doesn’t necessarily involve you, they can receive your text messages and phone calls. Some websites will have you set up SMS as a last resort 2FA, meaning they’ll fall back to it if you claim you’ve lost your 2FA device. This is just as bad as using SMS exclusively since your real 2FA device can be completely ignored by an attacker. See Bruce Schneier’s article on how NIST is deprecating the use of SMS for 2FA.

Here are your options for good 2FA:

  • Hardware: YubiKey

YubiKey is, as far as I can tell, the only real player in the consumer hardware-based 2FA market. I suspect this comes down to trust. Since YubiKey has been around for so long, it’s got a brand to protect, so people continue to trust it and keep it around for longer. It’s hard for a new player to enter this market because of this feedback loop. I definitely wouldn’t buy a discount hardware 2FA device.

Overall, I’ve found my YubiKey to be less useful than I anticipated. Most of the applications I use don’t support FIDO U2F or either of the challenge-response mechanisms available with the YubiKey (Yubico OTP or HMAC-SHA1). Shout out to the ones that do, though: Nextcloud (FIDO), Gitlab (FIDO), GitHub (FIDO), Google (FIDO), LastPass (Yubico OTP), Windows login (HMAC-SHA1), Linux PAM (pretty much whatever you want). It does have the ability to store HOTP (HMAC-based one-time password) or TOTP (time-based one-time password) credentials, but it’s a somewhat less than ideal setup since every service has its own credential. This limits you to one or two HOTP configurations per YubiKey, and requires you to use an external application for TOTP since the YubiKey does not have a clock in it. Note also that all of the services I mentioned above also support TOTP, meaning you can use an authenticator app with them rather than a YubiKey.

  • Software: Google Authenticator, LastPass Authenticator, Authy

Time-based one-time password (TOTP) is a simple method of 2FA that allows you to use an app on your phone to generate six digit codes. Google Authenticator was the first of these apps, but there have been several others with varying feature sets (though all of them support basic TOTP 2FA). Note that you can use any of these apps on sites that say they support Google Authenticator.

I use LastPass Authenticator since it backs up to my LastPass database. It also has integrations with a few websites that allow the LastPass browser addon to send a push notification to my device, meaning I only need to push the “Allow” button on the device to send the six digit TOTP code back to my browser rather than retyping it. Your main other option is Authy, which supports cloud synchronization and desktop applications.

Conclusion

Definitely move to a password manager - the overhead is much like using your browser’s login cache, and you can usually import from your browser when you start using one. There are some good free options. Start using a TOTP 2FA application like Google Authenticator if you can handle the small amount of overhead (but use Authy or LastPass if you’re worried about losing/breaking your device). Don’t use the telephone network for 2FA (SMS or phone calls).

Do you use something else? Have you been considering improving your internet security for a while? Have you tried it & found it too cumbersome? Let me know in the comments.