Stepping up the security ladder

I was chatting with some people today about passwords and internet security. There’s a lot of complicated terminology and sometimes conflicting advice, and I wanted to try to cut through it a bit.

Security – not just on computers, but in other places too – is a trade-off of convenience for safety. It would be great if we could leave all our doors unlocked and not have to carry keys, for example. But people would go into our houses and steal our stuff. So we add locks and have the inconvenience of carrying keys, and of sometimes forgetting them and getting locked out. This is the trade-off.

The next level of home security might be to add an alarm. This gets you extra safety, but you need to arm and disarm the alarm, remember the code, put up with annoying false alarms, and so on. You get extra security, but pay the price of convenience.

There are different levels of internet security too. And just as some people have more valuable stuff in their homes and want more security, some people have more valuable internet stuff and need greater online protections. Not all levels are appropriate for everybody.

BUT being on the first step – the lowest level – probably isn’t a great idea for anyone. No one has a three-digit combination lock on their front door.

So here’s a list of steps you can take with internet/online security. Each step is an increase in security, but in most cases with more complexity, inconvenience and/or cost.

Disclaimer: You are entirely responsible for your own internet security. I cannot be held liable for anything that happens as a result of your decisions to use or not use one of the tools or approaches outlined below. Thanks!

Level 1: Stop using the same password for everything

If you use one password for everything, then stop doing so. Why? Well, when a site you use gets breached, your email address and password for it can leak and become public. The Have I Been Pwned website can tell you if your email address appears in a known data breach.

If your email address and password are somehow “out there” then other nasty people can take them and try to log in with them on every other site they can think of (this is known as “credential stuffing”). And once they have access to one thing of yours, they may be able to get access to others.

At the very least you should identify critical services and set different passwords for them.

For example, once your email account is hacked, people can do password resets for other things.

Once your Facebook is hacked then people may have access to services where you use a Facebook login button.

Or if your Amazon account is hacked then people can send themselves cheap plastic or electronic tat at your expense as it stores your payment cards online!

And if you have email on your own domain like “me@mydomain.com” rather than GMail or Outlook or Yahoo mail then consider your domain and hosting accounts special too. If they get hacked it may be possible to redirect your email elsewhere and then, again, other things can be gotten into using email-based password resets.

Level 2: Use complex passwords

A complex password is one that is hard to guess.

Easy-to-guess passwords are those that:

  • contain commonly used words or patterns (see the most common password lists!)
  • contain dictionary words or commonly used names like football teams
  • are simple variations of these things created by adding numbers or changing letters to numbers, like swapping an ‘o’ for a zero.

These common patterns and tricks are all known by the nasty people who want to hack you, and their cracking tools try them first.

Do NOT type your actual password into here (or anywhere that you don’t trust). Let me say that again: do NOT type your actual password in here. But you can use a tool like How Secure Is My Password to see how long it might take a hacker to guess different kinds of password.

So a long, complex and randomly-generated password is better, even though it’s hard to remember. I’d argue that even if you write it down, that’s still better. Most hacks are not by people who steal your wallet or handbag. They are by armies of computer programs trying to get into your online profiles from afar.

So having “8xgbek65sg$gstv:” as a password written on a piece of paper that you keep safely somewhere is probably better than having a password like “JackIsAwesome77”.

But it doesn’t have to be a random collection of letters, numbers and symbols. You can also combine randomly chosen words together, such as “proud-taken-dollar”. This is far easier to remember and, as long as the words really are picked at random (by a tool, not by you), much more secure than a “clever” password like “JackIsAwesome77”. Three words is on the short side though: four or more from a big word list is the usual advice, and a sixteen-character fully random string like the one above is stronger still. If you ignore the geeky maths and terminology this little cartoon explains the idea: https://www.xkcd.com/936/
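To put numbers on “random string” versus “random words” versus “clever human password”, here is an added example (not code from the original post) that generates both kinds of password from the operating system’s secure random source and works out how many guesses each would take. The sizes are assumptions: 94 printable ASCII characters, the 7,776-word EFF long list that diceware-style generators use, and a guessed search space for the name-plus-word-plus-digits style; the tiny word list in the code is a constructed stand-in so it runs offline.

```python
import math
import secrets
import string

# Added example, not from the original post. Sizes below are assumptions:
# 94 printable ASCII characters and the 7,776-word EFF long word list.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 chars
EFF_LIST_SIZE = 7776

# Constructed stand-in for a real word list, only so the code runs offline.
# Passphrase strength comes from the list size, so never use one this short.
TOY_WORDS = ["proud", "taken", "dollar", "river", "candle", "orbit", "maple",
             "quiet", "basket", "signal", "velvet", "harbor", "pixel",
             "cactus", "lantern", "thunder"]


def entropy_bits(choices: int, length: int) -> float:
    """Bits of entropy in a secret of `length` symbols, each chosen uniformly
    from `choices` options: length * log2(choices). Only valid when the
    choices really are random; human-picked words are far weaker."""
    return length * math.log2(choices)


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Random password from the OS CSPRNG (never random.random() for secrets)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(words: int = 4, wordlist=TOY_WORDS, sep: str = "-") -> str:
    """Diceware-style passphrase: each word chosen uniformly and independently."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case years to try every possibility at the given rate
    (1e10 guesses/s is an assumed offline cracking rate against a fast hash)."""
    return 2 ** bits / guesses_per_second / (365.25 * 24 * 3600)


def compare() -> dict:
    """Entropy, in bits, of the password styles discussed in the post."""
    return {
        # "8xgbek65sg$gstv:" style: 16 truly random printable characters
        "random_16_chars": entropy_bits(len(PRINTABLE), 16),
        # "proud-taken-dollar" style: 3 random words from a 7,776-word list
        "three_words": entropy_bits(EFF_LIST_SIZE, 3),
        # the xkcd 936 recommendation: 4 random words
        "four_words": entropy_bits(EFF_LIST_SIZE, 4),
        # "JackIsAwesome77" style, assuming the attacker tries
        # 1,000 names x 1,000 words x 100 two-digit suffixes
        "name_word_digits": math.log2(1000 * 1000 * 100),
    }


if __name__ == "__main__":
    for style, bits in compare().items():
        print(f"{style:18} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years")
    print("random password:", random_password())
    print("toy passphrase: ", passphrase(4))
```

The point the numbers make: the fully random sixteen-character string is around 105 bits, four random words from a big list around 52 bits, three words around 39 bits, and the “clever” name-plus-number password well under 30 bits, which a cracking rig gets through in a fraction of a second. Random words win on memorability, not on raw strength, so use enough of them.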

Level 3: Combine levels 1 and 2 and use a password manager

A password manager is a tool that stores all your passwords, and generates new ones for you. They keep everything secure and encrypted, and you just need to remember one strong, complex master password to get access to it.

With a password manager you can use a different, and complex password on every website that you can create an account on!

Example password manager tools are 1Password and LastPass, which are not open-source, but are easy to get started with and well supported. Open-source tools also exist, such as KeePass and Bitwarden. KeePass in particular is more hands-on (you look after the encrypted database file and how it gets to your other devices yourself), so it’s less suited to the non-tech-savvy.

Always make sure a service is trusted and well recommended before typing passwords into it. Some web browsers also have password remembering built in, but remember that this only works within that browser (and its own sync): if you use a different web browser one day your remembered passwords won’t be there.

Password managers cost a little bit of money (though some, like Bitwarden and KeePass, have free options), but seriously, it’s the cost of like two cups of coffee a month. Is keeping safe online worth that? (This is a rhetorical question and the answer is YES IT IS!!!)

And in a strange twist to what I said earlier, password managers may actually be MORE convenient as well as more secure. Many have tools that automatically fill in login forms for you, and if you take time to learn the tools well and use keyboard shortcuts you’ll probably find them more convenient. Here’s a video I recorded demonstrating that:

Level 4: Use “2 factor authentication” for critical services

Two-factor authentication (which may go under a different name in some places) is where you have to do something else after entering a password to prove that you are you.

This could be sending a code to your phone, making you tap something in an app on your phone, or using an app on your phone to generate a code.

With two-factor authentication enabled, if someone gets hold of or manages to guess your password (which you should assume will happen eventually) they still need the second factor to log in. Plus, each code is short-lived (a generated code is typically only valid for about 30 seconds) and is meant to be accepted only once, so even if someone got hold of a code it probably wouldn’t work for them.

So level 4 is to start using this two-factor login for some of the critical services like email, domain names, hosting and social media accounts.

There are some intricacies to this. Codes sent by text message are the weakest option, because your phone number can be hijacked (a “SIM swap”) and the messages then go to the attacker. Storing the codes in the same place as your passwords (as some password managers allow you to do) may be putting all of your eggs in one basket. And older versions of the Google Authenticator app didn’t carry your codes over to a new phone, so keep the backup/recovery codes that a service gives you when you turn two-factor on somewhere safe.

BUT…you’re always better off with two-factor codes, regardless of how you store them.

And it’s worth noting that many places will refer to the Google Authenticator app, but the codes are produced by an open standard (time-based one-time passwords, or TOTP), so most one-time code apps (such as Authy, or the tools built in to password managers) do exactly the same thing and can be used as a replacement for Google Authenticator.

Level 5: Use 2 factor codes for as many things as possible…

…and store the codes in your password manager for convenience.

As stated in Level 4, this is an all-your-eggs-in-one-basket approach but password managers make this really convenient and two-factor is always a step up.

So once you’re used to using it on your critical services, start to turn it on in other places too.

Level 6: Use 2 factor codes for as many things as possible…

…but store them somewhere other than your password manager.

This is harder to do and we’re kinda into the realm of high levels of inconvenience.

Previously-mentioned apps like Google Authenticator and Authy help you to do this. But then you need to remember another PIN or password. And if both your passwords and the codes are on your phone, your phone becomes the single thing that knows everything, which isn’t too great either.

The key here is to be thinking about keeping the “two factors” – the passwords and the codes – separate.

One way to achieve this might be just to use different master passwords for your password manager and two-factor code app.

In any case, if you’ve read this far you are probably taking security very seriously and can start to do your own research.

Level 7: Physical security keys

Physical security keys, like YubiKeys, are small devices that you plug into a USB port or the Lightning port on your phone, or hold against your phone for an “NFC” tap (like a contactless payment card), and then touch to approve a login.

These cost more than a free app but give you a couple of additional levels of security:

  1. A login proves that whoever is logging in has the key in their hand and physically touched it at that moment. There is no code to read over your shoulder, phish or type into the wrong place.
  2. The key’s response is tied to the real website’s domain, so you’re only ever authenticating with the REAL site: a fake/phishing site designed to steal your details gets a response that is useless on the genuine one.

If you re-sell hosting or deal with sensitive personal data under GDPR you should probably be looking at this kind of technology, and it’s actually super easy to use.
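To show where that phishing resistance actually comes from, here is an added example (not code from the original post) of the checks a website’s server makes on a security-key login under the WebAuthn standard. The browser, not the web page, writes the page’s real origin into the signed data, and the key only answers for the domain the browser gives it, so a login captured on a look-alike site fails on the real one. The site name, origins, challenge and byte strings are constructed for the example; the final public-key signature check is left to a crypto library and is not shown.

```python
import base64
import hashlib
import json
import struct

# Added example, not from the original post. RP_ID, the origins and all the
# bytes are constructed; the public-key signature check is not included.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}
FLAG_UP = 0x01  # user present: somebody touched the key
FLAG_UV = 0x04  # user verified: PIN or fingerprint on the key


class WebAuthnError(Exception):
    pass


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def verify_assertion(client_data_json: bytes, authenticator_data: bytes,
                     expected_challenge: bytes, stored_sign_count: int) -> dict:
    """Relying-party checks that come before the signature check. Returns the
    exact bytes the key signed, to be verified with the public key stored at
    registration (library call, not shown here)."""
    client = json.loads(client_data_json)
    if client.get("type") != "webauthn.get":
        raise WebAuthnError("not a login ceremony")
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        raise WebAuthnError("challenge mismatch: stale or replayed response")
    # The anti-phishing check: the browser fills in origin, the page cannot.
    if client.get("origin") not in ALLOWED_ORIGINS:
        raise WebAuthnError(f"origin {client.get('origin')!r} is not this site")
    if len(authenticator_data) < 37:
        raise WebAuthnError("authenticatorData too short")
    rp_id_hash, flags = authenticator_data[:32], authenticator_data[32]
    (sign_count,) = struct.unpack(">I", authenticator_data[33:37])
    # The key scopes its answer to the RP ID the browser gave it, so a key
    # used on evil.test cannot produce a response for example.com.
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        raise WebAuthnError("rpIdHash mismatch: response was made for another site")
    if not flags & FLAG_UP:
        raise WebAuthnError("user presence flag not set: nobody touched the key")
    # A counter that fails to increase suggests a cloned key (0 = unsupported).
    if sign_count != 0 and sign_count <= stored_sign_count:
        raise WebAuthnError("signature counter did not increase: cloned key?")
    signed = authenticator_data + hashlib.sha256(client_data_json).digest()
    return {"signed_bytes": signed, "sign_count": sign_count,
            "user_verified": bool(flags & FLAG_UV)}


def fake_assertion(origin: str, rp_id: str, challenge: bytes,
                   sign_count: int, flags: int = FLAG_UP) -> tuple:
    """Constructed stand-in for what browser + key hand back (no real signature)."""
    client = json.dumps({"type": "webauthn.get",
                         "challenge": b64url_encode(challenge),
                         "origin": origin}).encode()
    auth = (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + struct.pack(">I", sign_count))
    return client, auth


def demo() -> dict:
    """One legitimate login, two phishing attempts and a replay."""
    challenge = b"constructed-challenge; real servers use secrets.token_bytes"
    outcomes = {}
    # 1. Real site, key touched, counter moved on from the stored 41.
    cd, ad = fake_assertion("https://login.example.com", RP_ID, challenge, 42)
    outcomes["legit"] = verify_assertion(cd, ad, challenge, 41)["sign_count"]
    cases = {
        # 2. User lured to a look-alike domain whose page relays to the real
        #    site: the browser reports the look-alike origin and scopes the
        #    key to that domain.
        "phish": fake_assertion("https://login.example.com.evil.test",
                                "login.example.com.evil.test", challenge, 43),
        # 3. Attacker edits the origin field in transit; the rpIdHash still
        #    gives it away (and the real signature check would fail too).
        "forged_origin": fake_assertion("https://login.example.com",
                                        "login.example.com.evil.test", challenge, 43),
        # 4. Exact replay of the legitimate response: counter 42 already seen.
        "replay": fake_assertion("https://login.example.com", RP_ID, challenge, 42),
    }
    for name, (cd, ad) in cases.items():
        try:
            verify_assertion(cd, ad, challenge, 42)
            outcomes[name] = "ACCEPTED"
        except WebAuthnError as err:
            outcomes[name] = f"rejected: {err}"
    return outcomes


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:14} {outcome}")
```

In practice a browser would refuse to even ask the key for an `example.com` credential from a page on `evil.test`, so the phishing case never gets as far as the server; the checks above are the server-side backstop, and they are why a relayed security-key login cannot be turned into access to the real account the way a relayed one-time code can.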

What if you lose or forget your key? Well, you would probably still have your 2FA codes or the service’s backup codes as a fallback! And you can also buy two keys: one to carry with you, and a backup to keep in a safe or something. Both keys will need to be registered with each service you use them on, so do that when you set each one up.

I’ve found that these keys are actually incredibly convenient. And there are good guides to getting started:

Conclusions

This probably all sounds a bit scary and there’s lots of information and technical stuff here. I should add that this is not a comprehensive or definitive list of levels. It’s just how I see things.

BUT…you should take this seriously and not be scared by the higher levels if you’re not there yet or don’t need that level of security.

I’d encourage everyone to evaluate which level they are on, and seriously consider if they could move to the next level.

It’s an area that I’m REALLY keen to help less technical people with. So if that’s you drop me a line and I’ll see what I can do to help.

Finally…I’ve not actually said which level I’m on or what I do for security. You can assume I’m on one of the higher levels, but I would never publish my security strategy, and neither should you. ALWAYS keep your security details, logins, passwords and so on private and only ever share details with people you 100% trust.

BONUS: Sending passwords to people

Occasionally…VERY occasionally…you may need to send a login to someone else. As a web developer who helps people with email and websites I get this a lot. So here are some things to consider about that:

  1. Do you need to send a login?: Many services where you need to give access to someone else allow you to add other people. Examples of this that I frequently come across are: WordPress, CloudFlare, MailChimp and Facebook pages or apps. Add a new user if you can. Then…when that person no longer needs access, remove it or delete them. Don’t send a login if you don’t need to!
  2. Email is probably not secure: If you really do need to send a login, there is no guarantee that email is encrypted or secure. Assume your message can be intercepted and read by someone other than the recipient. So do not send complete login details by email.
  3. Email may persist: There is no guarantee that an email will be deleted by the recipient. If you email someone login details they may sit in that person’s inbox for years to come. So, again, don’t send complete login details by email. If you do, or have ever done so, change the password for that account.
  4. Split the details up!: Splitting up the login details over two different communication methods is a good strategy. Like with passwords this makes the process a bit “two factor”. If the username is intercepted by email, the hacker still won’t have the password. So, for example, send the username by email, but send the password using a text message or messenger app. For an extra bit of security don’t mention where to use the login details. Say “here’s the password you need” rather than “Here’s the password for my Facebook account”.
  5. Use a one-time messaging service: There are services that basically work like a “this message will self destruct” service. I often use https://onetimesecret.com. You copy the information in, it gives you a link, you send the link to the other person, and once they have opened the link, the information is deleted. It can’t be seen again! As always, be careful who you trust. Assume the person running this is malicious and if you put a password into the system do NOT say what the password is for.
  6. Change/remove/delete: Change the password once access is no longer needed – remember that password managers make this easy. Remove users that no longer need access. Delete secret information when it no longer needs to be shared.