Passwords and Verification

Security Questions:

  • Let’s get this out of the way – security questions are by and large a terrible system. Most preconfigured ones rely on information that is extremely findable with a little bit of digging once I know your name. If security questions are your only recovery option, customize your own, make up fake answers that you can remember, or answer them with a random string of letters/numbers/words (and make sure you have a findable place to store those strings).

Passwords!

  • Here’s a great guide on password creation: https://ssd.eff.org/en/module/creating-strong-passwords
    • Essentially, you want your password to be as long and as random as possible. Numbers and weird symbols are nowhere near as important as length. In fact, the person who wrote the capitals, lowercase, numbers and symbols rules into the original NIST document on password creation has publicly disavowed that practice.

    • Don’t reuse passwords! Sites have data breaches all the time, and if someone gets your Spotify password, there’s no need to hand them your email password at the same time.
      • One common tactic is a long memorized string reused across sites with a per-site customization – so lilongpassword for your LinkedIn and fblongpassword for your Facebook, or some variation thereof. We cannot recommend this tactic wholeheartedly. It does help against scammers doing “credential stuffing”, where passwords known from one breach are tried on a person’s other accounts, but in a targeted reading of data breaches and public info dumps looking for you specifically, all it takes is two of these passwords being revealed to understand the system.
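As an added worked example (not part of the original guide), the script below puts numbers on the “length beats symbols” point and shows how to generate the kind of random passphrase or random security-question answer recommended above. The word list inside it is a constructed 25-word sample for illustration only; a real diceware-style list has 7776 words, and the entropy figures assume that size.

```python
import math
import secrets

# Constructed mini word list for illustration only. A real diceware-style list
# (for example the EFF long list) has 7776 words, and it is that size that gives
# each randomly chosen word its ~12.9 bits of entropy.
SAMPLE_WORDLIST = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pepper", "quartz", "ribbon", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr",
]

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a *uniformly random* string of `length` symbols.

    There are alphabet_size ** length equally likely strings, so the entropy is
    length * log2(alphabet_size). This only describes generated passwords;
    a human-chosen one of the same shape is far more predictable.
    """
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)

def compare_shapes() -> dict:
    """Entropy for a few password shapes: adding length beats adding symbol types."""
    return {
        "8 chars, all printable ASCII (95 symbols)": entropy_bits(95, 8),
        "10 chars, all printable ASCII (95 symbols)": entropy_bits(95, 10),
        "16 chars, lowercase letters only (26 symbols)": entropy_bits(26, 16),
        "6 random words from a 7776-word list": entropy_bits(7776, 6),
    }

def generate_passphrase(wordlist, words: int = 6, separator: str = "-") -> str:
    """Pick `words` words with the CSPRNG in `secrets` (never the `random` module)."""
    if words < 1:
        raise ValueError("words must be >= 1")
    return separator.join(secrets.choice(wordlist) for _ in range(words))

def generate_random_answer(length: int = 20) -> str:
    """A random 'answer' for a security question, to be kept in a password manager."""
    alphabet = "abcdefghijklmnopqrstuvwxyz0123456789"
    return "".join(secrets.choice(alphabet) for _ in range(length))

if __name__ == "__main__":
    for label, bits in compare_shapes().items():
        print(f"{bits:5.1f} bits  {label}")
    print("passphrase (from the 25-word sample list, so weak):",
          generate_passphrase(SAMPLE_WORDLIST))
    print("random security-question answer:", generate_random_answer())
```

Running it shows that 16 random lowercase letters (about 75 bits) carry more entropy than 10 random characters drawn from the whole keyboard (about 66 bits), and that six random words from a 7776-word list (about 78 bits) beat both while being far easier to remember.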

Password Managers:

  • So you’ve got all these different passwords now and it’s almost impossible to keep them all in your head. They’re only as secure as the way you store them. If they’re in an email document or a notepad on your phone or written down in one place – all it takes is that storage being compromised to either lose them all (and access to all these accounts) or to give someone else access to all of them. There’s a tool for that! Password managers.
    • Password managers are, at their core, a single-purpose encrypted database. You enter one password to get into your password storage – one thing to remember, with a different password for every site.
    • We recommend locally stored password managers like KeePass (KeePassXC is cross-platform, or KeepassDroid for Android) over cloud-syncing managers – this means that the only place to access your passwords is from your computer, with the password to the database. If you take this option, make sure to back it up (ideally to an encrypted drive) once in a while. We also recommend against autofill from password managers – despite the added utility, we’d rather not have something we want to be secure talking to other parts of our computer.
    • If you do want cloud sync, there are a fair number of free and paid syncing managers available. Take the time to do a little research on what security researchers say about a given password manager before giving it your data. We can’t speak extensively to cloud-syncing password managers, but of the most popular we would recommend Dashlane or 1Password over LastPass because of LastPass’s history with breaches and security failures.

Two Factor Authentication (2FA):

  • This is an additional security measure that can be enabled on many online accounts. There are a lot of okay options, and if you’re actively worried about an imminent security threat online, go ahead and get the easiest one set up as soon as possible. That said, let’s get into some of the different kinds.
    • By far the most common type of 2FA you’re going to encounter is SMS authentication. Any time you log into a new device, you’re going to have to confirm it with a text message code. This system is better than nothing but not good. SMS messages are one of the least protected ways we can communicate – from stingray interception to manipulation of the phone company, SMS is not a good thing to trust your security to. Additionally, in any case where your phone is your only 2FA, imagine it being seized by police (or stolen) – all that extra security is out the window.
    • Using an authenticator app is slightly better. Yes, your phone is still a point of vulnerability, but you’re removing the SMS security flaw from the equation. These are tools like Google Authenticator (use cautiously) or Authy, which are installed on a smartphone and use cloud storage.
    • There’s a physical option for 2FA as well – devices like the Yubikey are increasingly supported as a form of authentication. This is more and more the most recommended form of security, and one device can be used across multiple supported accounts.
      • If you need to use it with both a phone and a computer, make sure you get one with “near field communication” (NFC) to allow it to talk to your phone. The other option on newer phones is to get a USB-C version (looks like a micro USB but an oval instead of a trapezoid), though not all older computers will have a USB-C port, so we recommend being cautious in choosing this option or getting two keys, one that can be used in USB-A (classic “regular” USB) and one that can be used in USB-C.
      • “Nano” keys are the ones that have almost no stick hanging out and can comfortably sit semi-permanently and unobtrusively in a USB port. We really don’t like those, as they give the state everything it needs in the case of device seizure. Additionally, what we’ve seen with nano keys is that they often stay in the computer when it is loaned out, traveled with, taken in to get fixed, or even when broken and disposed of. All of that sounds a lot like “security vulnerability”, and the best way to make sure it doesn’t happen is not to open the door.
      • If you choose to keep one of these on your keychain, consider what situations you bring that keychain into – moments where you may be arrestable are not a great time to have something on your belt with access to all of your accounts. Think about storing it somewhere discreet at home as well.
    • Some accounts (like Gmail) will also give you the option of generating one-time-use codes. With this option you can jot down a single code if you know you’re going to be using a new device away from home; the codes can be stored on paper if there are good storage options, or as a file on an encrypted drive or device.

Recovery accounts:

  • These are a complicated question – in some cases a recovery email or phone number may be the difference between regaining access to a hacked account and having to fight an uphill battle to shut it down. However, this also opens the door to a chain of account failure where having access to one account means that an assortment of others are vulnerable, so good practices here are key.
  • Make sure all of your account recovery information is up to date – old or abandoned accounts are a serious vulnerability. A new account with the same name may be created on sites that recycle usernames, leaving a huge security flaw.
  • Consider setting up an account that is not linked to anything else and is not publicly listed anywhere or used for correspondence to be a recovery account. If no one can find your recovery account, it’s way harder for it to be compromised.
  • As far as phone numbers – if it’s the only option, it may be a good one. Some sites only really check that you know your phone number, as opposed to checking that you have access to it. Consider this carefully and plan for each site’s different security protocols.