Security 101
In a world that is more and more connected, where our personal data and identity are stored in many places, it’s our duty to focus on security and do our best to protect our own data – and our privacy – with the tools that are available to us. The audience for this post is mainly non-technical people such as family and friends. I assume that all of the content below is common knowledge to IT professionals. Please consider that I am not an Information Security expert.
Sanity Check – Have I Been Pwned?
If you’ve been « pwned », you’ve essentially been « owned », i.e. your account was compromised (the term derives from « 133t5p34k » or leetspeak, the way hackers used to write in e-zines like Phrack or on IRC). Security researcher Troy Hunt runs a free service called Have I Been Pwned where you can check whether any of your accounts or passwords were part of a disclosed security breach. You may have been the victim of a breach that took place years ago without knowing it. It also makes sense to register with the service: you will get an alert if your email address appears in a future breach, which allows you to act on it right away (change the password, and anywhere else you reused it).
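As an added example (not code from the original post or from the Have I Been Pwned project), here is how the service’s password lookup can be queried without ever sending the password itself: only the first five hex characters of its SHA-1 hash are sent, the service answers with every hash suffix sharing that prefix, and the match is done on your own machine. The endpoint name is the real one, but the code runs offline against a constructed sample response and a stand-in fetch function, so nothing is contacted.

```python
# Added example: the k-anonymity style lookup used by Have I Been Pwned's
# password search. The password never leaves the machine; only a 5-char
# hash prefix does, and the suffix is matched locally against the response.
import hashlib

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint; not called here


def hibp_prefix_suffix(password: str) -> tuple:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the service and the 35-char suffix that stays on the device."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(suffix: str, range_response: str) -> int:
    """Scan a range response ("SUFFIX:COUNT" per line) for our suffix.
    Returns how many times the password was seen in breaches, 0 if absent."""
    for line in range_response.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def check_password(password: str, fetch_range) -> int:
    """fetch_range(prefix) must return the response text for that prefix.
    Returns the breach count for `password` (0 = not found)."""
    prefix, suffix = hibp_prefix_suffix(password)
    return breach_count(suffix, fetch_range(prefix))


# Constructed sample response for prefix 5BAA6 (a real response has hundreds
# of lines). The first suffix is the real remainder of SHA-1("password");
# the counts and the other suffixes are made up for the example.
SAMPLE_RANGE_5BAA6 = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E4C9B93F3F0682250B6CF8331B7EE68FD9:4
0113B3A6C2F4A9E5B2D6C8E1F0A3B4C5D6E:2
"""


def fake_fetch(prefix: str) -> str:
    """Stand-in for an HTTPS GET of RANGE_URL + prefix; only 5BAA6 is stocked."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = check_password(pw, fake_fetch)
        print(f"{pw!r}: {'seen ' + str(n) + ' times' if n else 'not in sample data'}")
```

Replacing `fake_fetch` with a real HTTPS GET of `RANGE_URL + prefix` is all that is needed to query the live service; the matching logic stays the same, and the full password still never leaves the device.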
Password Managers
Some believe in password managers, some do not. The fact is that if you use many accounts and websites, either you have a single password (or a variation on a password) used all over the place, or you’re a genius who can remember multiple complex passwords. If you are the latter, I salute you. Otherwise, if like me you are a mere mortal with the memory of a goldfish, I recommend that you use a password manager. I’m personally a fan of Dashlane because although they store the encrypted vault with all your passwords, they do not store the master password that is used to encrypt the data (which also means that you had better remember it, or write it down and store it safely). Another feature that I like about Dashlane is the ability to work with a U2F security key, but more on that later. Finally, with a premium subscription passwords can be synchronised between multiple devices.
The use of a password manager makes sense if you adopt the strategy of using a different password for each site. Even if you use the same account name or email address to register with a service, the use of separate passwords will make it harder for an ill-intentioned individual or organisation to leverage a breach to get into all your other accounts. Disclaimer: if you use this link to get Dashlane, I get 6 months of premium subscription for free.
Password or passphrase
What makes a password secure? Should we say password or passphrase? Is there a difference? We’ve been told for nearly two decades to use complex passwords of at least 8 characters with a mix of lower-case letters, capital letters, numbers and special characters. Does the rule still make sense? I am NOT an expert in password security; all I can say is that the shorter the password (regardless of its complexity), the easier it is for a machine to guess. I recommend securing your most important digital assets (email account, private key, master password etc. – your mileage may vary) with a passphrase that has sufficient entropy (i.e. above 128 bits). The image below from the always brilliant XKCD sums it up very nicely.
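To put numbers on the 128-bit target, here is an added example (mine, not from the post or XKCD) that computes the entropy of a password or passphrase on the assumption that it was generated uniformly at random, which is the only case where these figures hold; a human-chosen « variation » on a word has far less. The 7776-word figure is the size of the standard Diceware list; the short word list in the code is a constructed stand-in so the generator runs offline, and its entropy is computed from its real (small) size rather than pretending to be Diceware.

```python
# Added example: entropy of random passwords vs. random passphrases.
# Entropy of a uniformly random string = length * log2(alphabet size).
import math
import secrets

DICEWARE_WORDS = 7776        # 6^5: one word per five dice rolls
PRINTABLE_ASCII = 94         # letters, digits and symbols on a US keyboard


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy in `length` symbols each drawn uniformly from
    `alphabet_size` equally likely choices."""
    return length * math.log2(alphabet_size)


def symbols_needed(alphabet_size: int, target_bits: float) -> int:
    """Smallest length whose entropy reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_passphrase(wordlist: list, words: int) -> tuple:
    """Pick words with the OS CSPRNG (never random.choice for secrets).
    Returns the phrase and its entropy based on the list's actual size."""
    phrase = " ".join(secrets.choice(wordlist) for _ in range(words))
    return phrase, entropy_bits(len(wordlist), words)


# Constructed 8-word list for the demo; a real Diceware list has 7776 entries.
SAMPLE_WORDLIST = ["correct", "horse", "battery", "staple",
                   "anchor", "velvet", "meadow", "copper"]


if __name__ == "__main__":
    print(f"8 random printable characters : {entropy_bits(PRINTABLE_ASCII, 8):.1f} bits")
    print(f"printable chars for 128 bits  : {symbols_needed(PRINTABLE_ASCII, 128)}")
    print(f"Diceware words for 128 bits   : {symbols_needed(DICEWARE_WORDS, 128)}")
    phrase, bits = generate_passphrase(SAMPLE_WORDLIST, 10)
    print(f"{phrase!r}: only {bits:.0f} bits, because the list has 8 words")
```

The takeaway matches the post: an 8-character « complex » password that is actually random gives about 52 bits, while ten Diceware words clear 128 bits and are far easier to remember. The example also goes slightly beyond the text by showing that a passphrase is only as strong as the size of the list it was drawn from.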
Two Factor Authentication
This is an added security mechanism that requires not only your password, but a second source of authentication (a token, if you will) that only you are supposed to possess. 2FA (Two Factor Authentication) can rely on various technical methods such as physical tokens (RSA token, eToken etc.), phone numbers (by sending SMS codes to your phone), « Authenticator » apps that generate one-time codes, or U2F keys. FIDO U2F is an emerging industry standard that allows for two-factor authentication. Currently, only a few applications (Dashlane, LastPass) and one browser (Google Chrome) support it, with the following services accepting a U2F token: Google services, Dropbox, Github. I recently got a Yubico 4 key – which also has U2F support – and it’s a charm to work with.
I recommend enabling Two Factor Authentication on any service that allows it and that is important to you. If you are conscious about security, consider getting a U2F key as well.
Social Media Authentication
Sometimes you are offered the option to « Log in with your Facebook / Twitter / Google+ account ». Why not, but you need to pay attention to the fact that the services might harvest your personal information or post on your behalf on social media. You can also end up with many services using your data without you knowing or caring. I recommend reviewing at least every 3 to 6 months which services you have granted access to, and cutting them off if you don’t use them any longer. The fewer apps have access to my social media info, the better – hey, I’m just paranoid.
Facebook – Security
I found out recently that you can import your public OpenPGP key into Facebook (Settings > Security > Public Key). Facebook then sends you its notification emails encrypted to that key, which makes it harder for an attacker who can read your mailbox to use them to gain control of your account. Once enabled, every notification (including recovery info!) will be encrypted.
Password aging and account cleanup
Throughout the year, I generally go through a few cycles of changing my passwords on all of the sites that I use. Thanks to the password manager tracking all the passwords and sites, I can also review whether I still use a service or not, and can reduce my « online footprint » by deleting accounts and services that are no longer needed.
Device Encryption
It is wise to encrypt your devices, including your mobile phone. Ensure you have contingencies in place to recover your data, such as storing photos in the cloud and/or performing regular backups. If your device gets lost or stolen, you’ll spare yourself having your personal data exposed to, and exploitable by, the offender(s).
Data Storage / Backup in the cloud
Ensure you select a provider that offers encryption of your personal data. For example, Backblaze supports encryption and 2FA, and allows you to replace their default encryption key with your own passphrase, making the content accessible only to you. The drawback is that if you lose your passphrase, you lose all of your data.
Private / Public Keys
This is a topic for maybe the more advanced or security-conscious user; nevertheless I recommend you go and have a look at keybase.io. In the insecure world that the Internet is, it makes sense to have your own pair of public and private keys and to be able to prove ownership of several accounts, be it Twitter, your own website, or more. Keybase allows you to track individuals (meaning you acknowledge they are truly the person they claim to be) or to be tracked (i.e. be endorsed by people who acknowledge your identity). You can use your public key to secure your Facebook notifications, for example (see above).
Max’s stance on Security
While caring about security may be cumbersome and time consuming, you have to consider that our online activities now take a real place in our lives, and very often our personal information and money are involved. It is legitimate to expect websites and commercial organisations to protect your identity and secure your transactions. But it’s also our duty to protect our own information. You (hopefully) don’t keep your PIN code and other sensitive info tucked inside your wallet (or worse, on a post-it stuck to the card), and you don’t leave your keys in your car or in your front door. The same goes for passwords and personal information. They are precious to you, they can be stolen and they can be exploited. Do your part and protect them.