Keeping your accounts secure
Hii guys,
Recently, my girlfriend got her Reddit account hacked and this got me thinking: I don't think a lot of people really know how to keep their accounts secure.
So, that is exactly what I'm going to explain to the best of my ability in this blog post!
Please note that the recommendations tend to change relatively often so what I describe in this post might not be relevant anymore next year, however, most of the guidelines should still apply in the foreseeable future.
This post was also in part inspired by a post on the website of OperationTulip, so you'll find a lot of information is similar to that.
I also want to point out that to keep your accounts secure can take a lot of effort, especially in the beginning, but after that, it's not much effort.
But as somebody that made all this effort himself as well, I can personally say that if you take some time to get used to it, it'll just become a routine for you and you won't really have to think about it that much.
And, of course, it's all worth the effort in the long run!
Now do keep in mind that only one of these points isn't going to do much.
Security is as strong as its weakest link, and you'll notice this is a very recurrent theme in this post.
When you're reading through this post, you should notice that a lot of points intertwine with one another pretty deeply.
Even if you have the best password possible, something can go wrong putting you at risk.
As such, don't just think you're done after improving just one of the things below.
Disclaimer
This post is intended for educational use only.
I am in no way or shape responsible for any damages done!
Please make sure you made adequate preparations before proceeding.
I also want to point out that outside of OperationTulip being one of my partners at this time, I'm not affiliated with any of the brands named in this post at the time of writing this.
Let's get into it!
Your email is you
We've all seen it on plenty of websites where they ask for your email. Now, you might, of course, think that this is just so they can spam your inbox full of "newsletters" (mostly advertisements) but there often is actually quite a good reason for it. You see, on most websites, you can request a link to reset your password when you've forgotten it. This link will be sent to... you've guessed it... your email! This means that if your email gets compromised, you are going to be in for a ride. As such, make sure you keep your email as secure as you can. Keep reading to find some ways to do this!
Don't re-use passwords
Ah yes, we've all been there at some point, using the same password for most of your accounts. Don't tell me you never did this, I have some secret sauce in my website that just tells me you're lying. I mean, it's simple right, make one bloody strong password and use that everywhere. No "what password did I use for this service" moments. But now imagine Facebook accidentally stores your password in plain-text in their database and that database gets breached. Now, your super-strong password is out in the open, next to your email. And, of course, you use the same password everywhere... What could possibly go wrong... *points at previous point* Again, security is only as strong as its weakest link. As such, it's recommended to use a different password for each service. This way, even if a password gets leaked, the damage should be minimal since the attacker now only has one password belonging to one service. Remember when I said it'll be worth it in the long run? Well, that investment of a few hours to change all your passwords now has already paid itself back because you are going to save a few hours on getting back control of all your accounts and changing their passwords! Now, you might ask "but how am I going to remember all those passwords?". Well, simply put, you don't. And that's exactly what I'll be talking about in the next point!
Use a password manager
Remembering a single password can already be tedious and this gets exponentially worse with each additional password. Luckily, developers have come up with a solution to this: they are called "password managers". You probably have seen advertisements for them here and there already. Some popular password managers include, but are not limited to:
- LastPass (~€38.95/year)
- Dashlane (~€39.96/year)
- 1Password (~€32.07/year)
- KeePass (Free)
These are all fine password managers, each with their own pros and cons. I personally am not a fan of LastPass, Dashlane and 1Password because not only are they closed-source (meaning they rely primarily on the "security by obscurity" principle) but they also tend to hide some great features behind a paywall (like synchronization, advanced 2FA or simply limiting the number of passwords in your "vault"). It also means that you have to trust them on their word of "not taking a peek in your vault" instead of having the liberty of checking it all for yourself if you really wanted to. KeePass is a fine open-source password manager, however, your vault lives in a file with no built-in synchronization support so you'll have to manually tinker with a way to synchronize (and back up) that file. As such, I don't recommend it for anyone but advanced users (and considering you are still reading this post, I doubt this includes you). All password managers, in essence, do the same:
- generate stronk passwords (based on some criteria you can set, like length and character set)
- store the credentials for the user
- make it easy to copy and paste them in the browser (in some cases they even have auto-fill support with an extension)
This means that all you need to remember is one strong "master password". Again, security is only as strong as its weakest link so make this password really nice and strong. In my specific case, my master password is over 32 characters long (weird flex but okay). So then, which one do I recommend?
Well, I have been a proud user of BitWarden for a while. BitWarden currently offers everything I want: it's open-source (albeit with AGPL, which is a bummer), it's free (for the main features) and it's cloud-based (with the option to host your own vault if you're adventurous). It does have a few limits when you're a free user, but at ~€8.94 a year the paid tier is not too bad, especially for what you get, and the limitations aren't too major anyway. They are only minor inconveniences like more advanced 2FA (like with a Yubikey, FIDO U2F and Duo), password hygiene reports, account health reports (e.g. weak, exposed and re-used passwords) and some additional features. Not necessary if you know how to do this yourself, but welcome additions. Another one I've heard a lot of positive things about is called "Psono", this one is free without limitations you would care about as a single user and has some nice extras like a PGP integration (I'll come back to this in a bit) and the aforementioned Yubikey/FIDO U2F/Duo 2FA. Unfortunately, I can't really say much else about it since I've never used it personally. Additionally, since we already use a password manager now, we don't need our browser (or Google) to store our passwords. Doing so only leaves our passwords more exposed (because now they're hanging around in other places that might be attacked), so it's best to just nuke our passwords from there once we've migrated everything.
Use a second factor
So, now that we've created a strong password, we should be done right? WRONG! As I said, passwords can still be leaked and depending on the time between this happening and you noticing, a lot could have been done already (especially if it's your email). As such, we need to add an additional checkpoint for attackers to pass. We call this "2-Factor Authentication". It's literally just what it sounds like: adding a second factor for authentication. This is often done in the form of a "One Time Password" (OTP). You probably have seen them in the form of those little RSA tokens or the Google Authenticator app. There are many different ones. The most common ones are installed on your smartphone (because you tend to have that with you a lot anyway) and are called Google Authenticator and Authy. Some companies like Valve and Blizzard have their own specific apps or physical devices. These apps (or physical tokens) generate a code that you must enter after a successful login (or in rare cases, during the login itself). Only after this code is verified and found to be correct is access granted. This means that not only do you need to have the password, but you also need to have access to something physical (e.g. your smartphone or the token). These OTPs, however, don't provide much protection against phishing (I'll explain this in a bit). An attacker could have access to your password and email, phish you and have you enter your token, which they'll then use to gain access to your account (before it expires that is). As such, a more secure protocol has been made based on a "challenge-response" system (like FIDO U2F). What it does is have you register a key (e.g. your smartphone or, more commonly, a hardware token like the Yubikey) to a service. Then, the next time you log in to this service, your key will be presented a challenge that only that device can solve. Once the appropriate "solution" (response) to the challenge is given, you'll get access.
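The following Python example is added here to show the contrast this section and the next paragraph describe: a TOTP code (what Google Authenticator and Authy compute, RFC 6238) carries no information about where it was typed, while a challenge-response login includes the origin the browser actually loaded, so the server can reject a response that was produced for another site. It is not code from any authenticator app or from FIDO; the `Authenticator` and `RelyingParty` classes are a deliberately simplified model that uses HMAC in place of the per-site ECDSA key pair a real U2F key uses, and the origins are made up.

```python
import base64
import hashlib
import hmac
import json
import secrets
import struct


# ---- One-time passwords: TOTP per RFC 6238 (what authenticator apps compute) ----

def totp(secret_b32, timestamp, step=30, digits=6):
    """Code for a base32 shared secret at a given Unix time (HMAC-SHA1)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = struct.pack(">Q", timestamp // step)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def verify_totp(secret_b32, code, timestamp):
    """A TOTP server only has the secret and the clock. Nothing here says which
    site the user typed the code into, which is why a relayed code still works."""
    return hmac.compare_digest(totp(secret_b32, timestamp), code)


# ---- Origin-bound challenge-response: a toy model of FIDO U2F ----
# Simplification (assumption): a real key signs with a per-site ECDSA key pair and
# the server keeps only the public key. Here both sides share an HMAC key so the
# origin binding fits in a few lines; the checks the server makes are the same.

class Authenticator:
    """Stand-in for a hardware token (or phone) holding per-registration secrets."""

    def __init__(self):
        self._secrets = {}

    def register(self):
        handle = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._secrets[handle] = key
        return handle, key

    def sign(self, handle, challenge, origin):
        # The browser, not the user, fills in `origin`: the site it really loaded.
        client_data = json.dumps({"challenge": challenge, "origin": origin},
                                 sort_keys=True).encode()
        sig = hmac.new(self._secrets[handle], client_data, hashlib.sha256).hexdigest()
        return client_data, sig


class RelyingParty:
    """The website: issues challenges and checks signature, challenge and origin."""

    def __init__(self, allowed_origins):
        self.allowed_origins = set(allowed_origins)
        self.keys = {}      # user -> (handle, key)
        self.pending = {}   # user -> outstanding challenge

    def enroll(self, user, handle, key):
        self.keys[user] = (handle, key)

    def new_challenge(self, user):
        challenge = secrets.token_hex(16)
        self.pending[user] = challenge
        return self.keys[user][0], challenge

    def verify(self, user, client_data, sig):
        handle, key = self.keys[user]
        data = json.loads(client_data)
        if data.get("origin") not in self.allowed_origins:
            return False                                # signed for some other site
        if data.get("challenge") != self.pending.pop(user, None):
            return False                                # stale, missing or replayed
        expected = hmac.new(key, client_data, hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, sig)       # covers challenge AND origin


def compare_phishing_resistance(real_origin="https://bank.example",
                                other_origin="https://bank-example.test"):
    """Play out the scenario from the post: the user's response is relayed from a
    different origin. Returns (totp_relayed_accepted, cr_relayed_accepted,
    cr_genuine_accepted). Origins are constructed values."""
    secret = base64.b32encode(secrets.token_bytes(20)).decode()
    now = 1_700_000_000
    typed_code = totp(secret, now)                      # digits typed on some site
    totp_relayed_accepted = verify_totp(secret, typed_code, now)

    token, site = Authenticator(), RelyingParty([real_origin])
    handle, key = token.register()
    site.enroll("alice", handle, key)
    _, challenge = site.new_challenge("alice")
    # The browser stamps the origin it loaded, so a relayed response names other_origin.
    cr_relayed_accepted = site.verify("alice", *token.sign(handle, challenge, other_origin))
    _, challenge = site.new_challenge("alice")
    cr_genuine_accepted = site.verify("alice", *token.sign(handle, challenge, real_origin))
    return totp_relayed_accepted, cr_relayed_accepted, cr_genuine_accepted
```

`compare_phishing_resistance()` returns `(True, False, True)`: the relayed TOTP code is accepted, the relayed challenge-response is refused because its origin is not on the allowed list (and, had the origin field been edited, the signature would no longer match), and the genuine login still works. The `totp` function is checked against the RFC 6238 test vectors in the test.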
The difference between this and an OTP, however, is the sheer complexity. You see, the client can not only forward the challenge to the key, but it can also include the origin. This means that the solution given by the key is now based on the origin as well. When the solution is then sent back to the server, the server can not only verify the solution to the challenge but also check whether the origin is on its allowed list. This means that phishing becomes extremely difficult, as now an attacker needs to compromise a whitelisted origin as well, which is a whole different scope. Some good hardware tokens that support challenge-response systems (the primary ones being FIDO U2F and FIDO2) include, but are not limited to:
- Yubico Yubikey (~€20-€60)
- Google Titan (~€50)
- NitroKey (~€22-€109)
- Ledger Nano X (~€119)
Now setting up 2FA can be a bit tricky at first but it's not too bad once you've figured it out, and again, it's definitely worth the effort (and investment if you're going with a hardware token).
Be sceptical
Are you sure you're handsome enough to attract single women in your area? Seriously though, if a mail looks sketchy, be very careful with what you do. Depending on the context, it might be best to just outright ignore it. These examples don't exactly take into consideration mails you are expecting (e.g. one from your boss with the yearly revenue reports). It's primarily aimed at the more sketchy emails like (these are btw real spam messages I've gotten):
- "Latest spy technology"
- "Track your wallet through your phone!"
- "Especially for you" (okay, this is actually a legit email from Domino's in my case)
Always be sceptical when clicking a link and ask yourself:
- Did I expect it? (e.g. I just requested a password reset link)
- Where is it going to lead me? (Is it going to lead me to some weird domain or an actual legit domain?)
- Does it request my credentials? (possible phishing?)
Especially be sceptical when opening an attachment. If you didn't expect an attachment to be in the mail or it doesn't look like something that you should have to deal with (like the PGP keys in my emails), then don't open it. Only if you're certain you were expecting an attachment (e.g. the yearly revenue reports I just mentioned) should you consider opening it. Don't just look at the extension of the file (e.g. .txt and .pdf) because these can be messed with.
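The "where is it going to lead me?" question can be answered mechanically before you click. The Python below is an added example (not part of this post or any mail client) that pulls the real host out of a link and explains what it finds: a missing https, text before an `@` that is not the host, a bare IP address, a domain that only looks like one on your own allowlist (the `rab0bank.nl` style lookalike discussed further down), a trusted name buried inside an untrusted host, and link text that names one site while the link goes to another. The allowlist, the confusable-character table and the two-label domain rule are assumptions; a real tool would use the public suffix list.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed allowlist of domains the reader actually has accounts with.
TRUSTED_DOMAINS = {"rabobank.nl", "reddit.com"}

# Digit-for-letter swaps typical of look-alike domains (assumed, not exhaustive).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t", "8": "b"})


def registrable_domain(host):
    """Last two labels of the host. Assumption: good enough for .nl/.com style
    domains; a real tool would consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def inspect_link(href, display_text=None):
    """Answer 'where is this link really going to lead me?' for one URL.
    Returns the real host, a verdict and the reasons behind it."""
    parts = urlsplit(href.strip())
    host = parts.hostname or ""
    findings = []

    if parts.scheme != "https":
        findings.append("not https")
    if parts.username is not None:
        # e.g. https://rabobank.nl@evil.example/ : the browser ignores everything before '@'
        findings.append(f"text before '@' is not the host; real host is {host!r}")
    try:
        ipaddress.ip_address(host)
        findings.append("link points at a bare IP address")
    except ValueError:
        pass

    domain = registrable_domain(host) if host else ""
    if domain not in TRUSTED_DOMAINS:
        normalised = domain.translate(CONFUSABLES)
        for trusted in TRUSTED_DOMAINS:
            if normalised == trusted and domain != trusted:
                findings.append(f"{domain} looks like {trusted} but is a different domain")
            elif f".{trusted}." in f".{host.lower()}.":
                findings.append(f"{trusted} appears inside untrusted host {host}")
        findings.append(f"{domain or '(no host)'} is not on your list of known domains")

    if display_text:
        shown = registrable_domain(urlsplit(display_text.strip()).hostname or display_text)
        if shown in TRUSTED_DOMAINS and shown != domain:
            findings.append(f"link text says {shown} but the link goes to {host!r}")

    verdict = "ok" if not findings else "suspicious"
    return {"host": host, "domain": domain, "verdict": verdict, "findings": findings}
```

A link to `https://www.rabobank.nl/...` comes back `ok`; `https://rab0bank.nl/...` is flagged as a lookalike of `rabobank.nl`, and a link whose visible text says `https://rabobank.nl` but whose target is somewhere else gets a separate finding, which is the usual shape of a phishing mail.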
The lock isn't the key
Ah yes, the famous "green lock". How often do I hear people saying: "if it has a green lock, it's fine". WRONG! All the green lock (a.k.a. "HTTPS") tells you is that your connection was made securely and you can't easily be wiretapped by your colleague (assuming your machine isn't compromised by malware). Unless the certificate of the server was pinned, you can't be sure that you're dealing with the right party. Especially with the advent of Let's Encrypt, I can register a domain (say "rab0bank.nl") and request a certificate from Let's Encrypt. Because I'm the owner of the domain, I get my certificate. Now, I can set up a phishing website and act like I'm Rabobank (which operates on rabobank.nl, not rab0bank.nl... well, they actually do, I just checked, smart guys one step ahead). All the green lock really means is that the communication between you and the server is secure; it doesn't prove the identity of the server unless the certificate is pinned (which requires a prior visit or the certificate to be pinned by the browser developers). If there is no lock at all, then don't even think about entering any details because, now, somebody else can just sniff your packets and read the data.
Bonus: Always lock your machine
This is a big thing really: when you leave your machine unattended for even a moment, lock your screen. How often have I posted things to my colleagues' Facebook, sent messages to their friends or changed their wallpaper to something juicy just because they didn't lock their screen? And these are only the "innocent" things, I could have completely compromised the system with the access I had: install malicious certificates to nullify their HTTPS for me (allowing me to do a Man-In-The-Middle attack), install a backdoor, steal their credentials (in case they also left a password vault unlocked) etc. etc. As such, when leaving your machine, always lock it.
Bonus: Have I Been Pwned
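Before the explanation of what Have I Been Pwned offers, here is how a site can check a password against its Pwned Passwords corpus without ever sending the password (or its full hash) away. This Python is an added example and is not this site's own integration: the service is queried with only the first five hex characters of the password's SHA-1, it answers with every matching suffix and a count, and the comparison happens locally. The response text embedded below is constructed (it uses the real SHA-1 suffix of the word "password", but the counts are made up), so the example runs offline; the real range endpoint is included in a function that is not called.

```python
import hashlib
import urllib.request

# Constructed excerpt in the shape of a Pwned Passwords "range" response: one
# line per hash that starts with the requested 5-character prefix, giving the
# remaining 35 hex characters, a colon, and how often that password was seen.
# The first suffix is the real SHA-1 tail of "password"; all counts are made up.
SAMPLE_RANGES = {
    "5BAA6": (
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\n"
        "0000F3B2C5D6E7F8091A2B3C4D5E6F70819:3\n"
        "ABCDEF0123456789ABCDEF0123456789ABC:12\n"
    ),
}

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"  # real endpoint, not called here


def hash_parts(password):
    """Split the uppercase SHA-1 hex of the password into the 5-char prefix that
    is sent to the service and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text):
    """Turn 'SUFFIX:COUNT' lines into {suffix: count}; tolerates blank lines."""
    counts = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def offline_lookup(prefix):
    """Stand-in for the HTTP call: returns the constructed sample or nothing."""
    return SAMPLE_RANGES.get(prefix, "")


def online_lookup(prefix, timeout=5):
    """The real query. Only the prefix is in the URL; the service returns every
    matching suffix, so it cannot tell which password you were checking."""
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "hibp-range-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password, lookup=offline_lookup):
    """How many times the password appears in the breach corpus (0 = not found).
    Pass lookup=online_lookup to query the real service."""
    prefix, suffix = hash_parts(password)
    return parse_range_response(lookup(prefix)).get(suffix, 0)
```

A registration or password-change form would call `breach_count` and refuse (or at least warn about) any password with a non-zero count; because the comparison is done on the 35-character suffix locally, the service learns at most which one-in-a-million hash bucket you asked about.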
It should come as no surprise that I'm going to mention it. My website has integrated with HaveIBeenPwned, allowing me to inform you when your password is compromised when you register, change your password or log in. On HIBP, you can enter your email address and check whether it is part of a data breach of sorts and what information has been leaked during it. You can also have them notify you when your email is found in new data breaches, which lets you take action before it is too late.
Conclusion
This is only scraping the surface really. There is so, so much more that you can do to keep your accounts secure but these are the ones I most commonly use. If I missed any important ones, feel free to leave a comment down below or hit me up on my subreddit. I hope you guys found this post useful! G33k Out!