The Gift of Strongly Recommending Higher Personal Online Security

25 December 2015

Today is Christmas, a day when a substantial portion of western humans celebrate by giving one another gifts and sitting by trees that we’ve brought into our home. If you know me well, you know how little that part matters to me anymore. So, in part, let me give all of you the gift of explaining just why taking advantage of a few higher security measures for online accounts of yours is actually something you should do, perhaps even making it a prior-to-2016-actually-starting New Year’s resolution to start doing. Before I go any further, for those who may ask, I wrote this across the weeks ahead of today, and it merely automatically posted itself this morning. Also, for those who celebrate it, Merry Christmas!

There are two major steps I’ll be recommending here, though you could say that a third is woven in the midst of those: Strong Passwords and Two-Factor Authentication.

Before I dive in, let me say a few things. Firstly, it has been well over 2, maybe even 3.5 or so, years that I have consistently used strong passwords for every new online account I set up or password I need to change; I even changed many existing passwords to strong ones simply because that is more secure. It has been at least since early 2013 that I’ve been using two-factor authentication everywhere I can. So, it is safe to say I’m doing everything in my power to secure my online accounts, and I write these suggestions from that experience.

Secondly, a key part of committing to strong passwords everywhere is using a password management tool you trust, so you can actually keep track of the passwords. The one I use on all my devices (from my watch to my iMac and everything in between) is 1Password, so my examples will use it. The other major option I’ve heard great things about is LastPass. Recent versions of Safari have this ability built in and synced over iCloud to all your devices, and you can view the passwords on your Mac in the Keychain Access application that ships with OS X (as well as in Safari preferences). Many other options exist as well. Any should be adequate. There are advantages and disadvantages to each software option. The important thing to understand is how your data is stored, encrypted, and synced. I can’t clearly speak for anything but 1Password here, but I know 1Password’s entire design is built around your privacy and security: your master password is required to decrypt the contents of your vaults, 1Password decrypts only what it needs at any given moment, and it never stores the actual text of the master password anywhere. Even when the data is synced through Dropbox, iCloud, or any other folder, nobody running those services can read it. Software of this kind encrypts your data with proven standards, much the same technology banks use to keep their digital data secure. Partly from the above link, partly from Googling, you could spend a ton of time reading up on the security of 1Password, to start off.

Now on to my primary recommendations, starting with Strong Passwords. Why hold yourself to strong passwords? Any of you could tell that the password “-BVbtP4,B}xtFD4G” is much stronger than “billy”. One could be guessed, especially by computers, nearly instantly; the other would take a far larger effort to crack. None of us want unauthorized people (anyone but ourselves) in our online accounts, so using strong passwords is quite important. By strong I don’t simply mean something where you replace letters with numbers, because software trying to get into online accounts tends to quickly test those variations.

Strong Password Generator

That is why a combination of length and type of characters (alpha, numeric, symbols) is important. An alternative to using something like 1Password’s built-in generator (seen in the image above), or whatever generator your password management software has (I use about 70% 1Password and 30% the iCloud Keychain password generator built into Safari these days, and use both tools to keep track of my passwords), is to find a website that can generate strong passwords, like this one. But then you run into the potential concerns of a website generating these passwords: are they possibly, even unintentionally, storing them in logs somewhere? It’d be hard for the average person to tell. Either way, using strong passwords everywhere you can handle doing so is one way to make your online digital life a bit more secure.
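To make the length-and-character-variety point concrete, here is an added example (my own code for this post, not 1Password’s or any website’s generator): it draws from the operating system’s cryptographic random source, guarantees at least one character from each class, and estimates how many bits of guessing work a uniformly random password of a given length represents.

```python
import math
import secrets
import string

# Character classes to mix, as the post recommends: letters, digits and symbols.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())  # 94 printable ASCII characters


def generate_password(length: int = 16) -> str:
    """Return a random password containing at least one character of every class."""
    if length < len(CLASSES):
        raise ValueError("length must allow one character per class")
    # Pick one character from each class so no class is missed by chance ...
    chars = [secrets.choice(pool) for pool in CLASSES.values()]
    # ... then fill the remainder from the whole alphabet (secrets = OS CSPRNG).
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    # Shuffle with the same CSPRNG so the guaranteed characters are not always first.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def missing_classes(password: str) -> set:
    """Names of the character classes a password does not contain (empty set = all present)."""
    return {name for name, pool in CLASSES.items() if not any(c in pool for c in password)}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniformly random password: length * log2(alphabet size).

    Only meaningful for generator output; a human-chosen word like 'billy' is far weaker
    than its 5 lowercase letters (~23.5 bits) suggest, because it is in every dictionary.
    """
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(16)
    print(pw, "missing classes:", missing_classes(pw))
    print("16 chars from 94:", round(entropy_bits(16, 94), 1), "bits")
```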

My second recommendation is to use Two-Factor Authentication (2FA) with every online service that offers it. This is on top of using strong passwords, though I’ll admit to using slightly less strong (hence, memorable) passwords on some sites where I also have 2FA enabled. When 2FA is enabled you need not only your password but also a code, sent to your mobile phone (via SMS, sometimes voice call), produced by an authenticator app (Google makes a good one, but 1Password also supports this), or, for some services (FB, iCloud, etc.), delivered by their own custom mechanisms, in order to log in. The codes are typically 6 digits. You say this is too much of an inconvenience. But is it really more of one than someone getting into your Google account, or your iCloud account, or your FB account? I think not. Anyway, many of these sites have an option to whitelist a device once you have logged in on it with a 2FA code, so for your own devices this won’t be much of a nuisance.

So, what sites support 2FA, you ask? My go-to resource for this is the Two Factor Auth website. It has a clear list of sites, organized into categories, that marks which websites do and don’t have 2FA, what type of 2FA they offer, and links to each site’s 2FA documentation. I glance back at it every so often to make sure that if other sites I use have gained 2FA I know about it and go set it up. That site would be a good place to start if you’re convinced that 2FA is something to try out.

Two-Factor Logins

As the screenshot here shows, I have a lot of my online accounts backed by 2FA. But that list isn’t even the full list of sites. That is partly because I mostly only tag logins with 2FA in 1Password when they have their code generation in 1Password and/or other recovery data in 1Password and/or are important accounts of mine that use 2FA; a few more actually do have 2FA enabled. But it is also because a handful of those accounts (namely Google, Microsoft, and WordPress.com) are ones I use to sign in to other websites and services too, which effectively backs those logins with 2FA as well. Skype uses my Microsoft account; Zoho (and a few others) my Google account. Nearly every WordPress-based website I play any sort of administrative or managerial role in has the awesomely powerful WordPress.com-linking Jetpack plugin running, and as one feature of that I (and anyone else with accounts on those sites) can log in to those sites using a WordPress.com account, and hence, depending on their account settings, log in backed by 2FA. That is how I logged in to my own blog a few days ago to set this up to post. Many of the sites I help maintain don’t (yet) use HTTPS, so even without 2FA, logging in through the WordPress.com portal means that your actual login credentials are entered on a secure page.

It is certainly true that online accounts of mine with weak passwords (I define a weak password as anything not created with a strong password generator) and/or no 2FA are a rarity these days. Though conceivably hackers could still get into my online accounts, the chances of that are much slimmer than for Joe Schmoe with the password “queenstown1278”. Actually, the chances basically are nil for all of the 2FA accounts by the very nature of what 2FA is.

So, on this Christmas morning I leave you with the gift of the inability to be ignorant of these two important things you can do to greatly enhance the security of your online accounts. Further, I hereby challenge everyone who reads this to at least experiment with both strong passwords and 2FA before 2015 bids us farewell. I’m not saying that you need to go all-in with only strong passwords and 2FA everywhere it is an option the way I have, but definitely let yourself try both out and see how it goes.

Merry Christmas and have a Happy New Year!
