Protecting Integrity Online
The world isn't that scary of a place. We live in it every day. However, that doesn't mean that there aren't threats out there to consider. While Christians may be called to love our neighbors, that doesn't translate to living a careless and vulnerable life. We ought to be wise with how we operate and live our lives especially as believers who are supposed to be representing Christ.
With that said, lately online security has been something I've taken more time to research since seeing some strange activity on some of my own accounts. The last thing I want is someone masquerading as me, and potentially defaming the name of Christ in the process.
I've taken a few big takeaways that I think everyone needs to be aware of when it comes to protecting your integrity and witness online.
You Need A Password Manager!
The first is to use a password manager. The vast majority of accounts online require a username and password, and the average American internet user has about 150 online accounts. That's a lot of passwords to keep up with especially if you want unique and strong passwords! As human beings, we have limits to remembering hard to crack passwords. As a matter of fact, we often create a password that we think is strong and then end up reusing it on various different accounts. This is a bad idea. All it takes is one data leak with your username and password combination and all of your accounts are now vulnerable with your "strong" password.
A Password Manager helps you use different and complex passwords for every account.
Password managers make creating secure, complex, and unique passwords for every online account a breeze. This is because they allow you to access all of your unique passwords with one master password. This way you only need to remember one secure password instead of trying to remember a bunch of them or worse reusing one you think is secure.
Isn't my browser a password manager?
While popular browsers like Chrome, Firefox, and Safari will allow you to save and even create stronger passwords, they aren't very secure. Browsers are designed to get you on the web and logged in as fast as possible. They weren't designed with the security of your accounts as their top priority. This feature is more of an add-on with the goal of helping you get online faster and the second goal of helping you be a little more secure. The problem is that these passwords are stored on your device and can be unlocked with the local account password for the computer you are on. They also aren't very convenient to use for all of your accounts which makes using them across your devices somewhat challenging. If you absolutely refuse to use a dedicated password manager, the browser tool is better than nothing, but it's just not the right tool for the job. This is like using a butter knife instead of a flat head screwdriver. It works, but there's a better tool.
High Quality Password Managers
Here's a list of password managers that are well reviewed.
There are many more, but those are a few I've seen on several lists.
What if someone hacks into my password manager? Won't they then have access to ALL of my accounts?
Honestly, this was originally the reason I was very hesitant to use a password manager. Technically, the answer is yes, but there are ways to secure your password manager to limit that risk considerably if not eliminate it altogether.
The first is to use a really good master password. If you make your master password too simple, that's like leaving the front door to your house open and hoping the thieves don't find the safe hidden in your master bedroom closet... (Side note: Don't hide a safe or any valuables in the master bedroom closet. That's the first place thieves look.) You want a password that is easy for you to remember, but complex and difficult to crack. I suggest you do a little research yourself about creating secure passwords. Here are a few things to try though. One is to find a quote of some kind that you can easily remember and use the first letter of each word as a character using capitalization and symbols as seems appropriate. The quote should be something obscure and unpopular. Something a parent would always say or a song you made up as a kid would be ideal. You want to have a password that is 24 characters long or so. Another option is to use words in a list that are unrelated and use a word that isn't in the dictionary such as one you made up as a kid. For your own security, don't use this example, but an example might be: Secretary-Jupiter-Washington-Jaguar-Voltrue-Blazethinity. Something long like this with made up words will be much harder to crack while relatively easy to remember.
The next thing is securing access to the account for recovery purposes or accessing on a new device. Some password managers use an access key that you can save somewhere or print out. 1Password has a sheet you can print out and put in a safe place. Others such as LastPass offer a trusted contact who can access your account if needed. You'll want to secure this information and access to protect your account.
After that many password managers allow you to use 2fa authentication codes. I HIGHLY advise you set this up on your password manager. Apps like Authy can be used to secure your password vault even if someone somehow cracks your master password. For extra security, you can actually use a Yubikey and the Yubico Authenticator app to keep your 2fa codes offline. You could store this one key away and literally only use it for installing your password manager on new devices. This won't protect the devices you've already authorized, but it will keep a threat actor from accessing your passwords elsewhere.
Finally, you can use double blind passwords on your sensitive accounts or on all of your accounts if you want. A double blind password is like your last defense. If all else fails, and someone actually gets into your password manager, they end up with incorrect passwords! That is because setting up a double blind password means the password saved in your password manager is intentionally wrong. You can do this by letting your password manager create and save a new complex password for a site you are on. However, before you save this new password to the site itself, you add something to the end of the password that only you know. (You could even get a little more tricky by deleting a couple characters and then adding your special phrase, pin, code at the end...) This results in your password manager having the wrong password saved, so that your password manager is blind to the true password and so are you. Thus it is called a double blind password. This is great because you can easily remember your part of a double blind password while retaining the benefits of complex and unique passwords for each site. When you go to log in, let your password manager fill in it's part and then add yours before clicking to sign in. It's that simple.
With this in place, you are a million times more secure than trying to create and remember your own "secure" password for every online account you might have.
However, there's one other thing you need to keep in mind. 2FA ALL THE THINGS!
Use 2FA or 2SV wherever available
If you are anything like me, you might be thinking what is 2FA and why is it needed? 2FA or Two Factor Authentication is the next step in securing your accounts online. It is all about adding a second verification that the person logging in to your account is you. 2SV or Two Step Verification is essentially the same thing. There is a difference, but that comes down to how you implement and use what is available to you.
The most common and least secure method of 2FA is through SMS text messaging. If there isn't a more secure 2FA method available for one of your accounts, it's better to use SMS for 2FA than not having 2FA at all. The problem with SMS is that it is pretty easy to intercept, so while you might think you have secured your account, you may not have done much to keep the bad guys out. This is kind of like adding a chain to your front door and not having a deadbolt. If the bad guys want in, they just kick a little harder. However, if that's all that is available, it's better than nothing at all. Sadly, there are still lots of online accounts that don't offer any kind of 2FA. Of those that do offer 2FA, most offer SMS or require SMS for 2FA. Requiring SMS for 2FA is a shame, and some of the big names are still guilty. Apple and Amazon are a couple of big names I can think of that require SMS if you set up 2FA putting those accounts at risk. However, it's still better to have a chain on the door than no lock at all.
The better method is to use TOTP or time-based one time passwords from an authenticator app like Authy or one of the various competitors. The one I'd advise against using is Google Authenticator. It was essentially first to the market, but better options exist now that keep your TOTP secure. If you are on a site that supports Google Authenticator, it also supports any other TOTP authenticator apps. You don't have to use Google Authenticator just because that is what the site calls it. Some password managers include TOTP as a feature to store along with your passwords. This essentially moves the TOTP from 2FA to 2SV because it's on the same device that your passwords are stored on, but it does make using TOTP very convenient and fast although technically less secure because of being on the same device. One thing to note is that there are sites that offer TOTP support but require SMS as a backup. In those cases, implementing TOTP codes is more about convenience than security since an attacker could just choose to have codes sent to the phone number instead.
A few sites also support hardware security keys! This is GREAT (except if they require SMS fallback...) because the keys are convenient to use and extremely secure. The two big names in security keys are Yubikey and Google Titan. Both of these options are fantastic for security. Where Google failed with their authenticator app, they excelled with the Titan security key. The Yubikey options are also great and come in many form factors for your device needs. Hardware security keys are technically a bit more secure than TOTP and are true 2FA. Yubikey also supports storing some TOTP which are accessible in the Yubico Authenticator app. You are limited to storing 32 TOTP though.
A Note on Banks and 2FA
If you live in America, the state of 2FA and bank accounts is pretty terrible. It's actually pretty bad around the world, but there are certainly some foreign banks that support non-SMS 2FA. While the major American banks do support and even enforce 2FA, they require SMS and often times email (which is also a relatively insecure option). The only American bank that supports TOTP without SMS fallback that I'm aware of is Woodforest National Bank. With that said, SMS based 2FA is better than no 2FA, so if that's what you have, it's better than not having it. In those cases, I suggest making sure you have a very strong password.
I hope this makes you think a little more about your own online security and ways you can protect the integrity of your witness.
God bless,
Pastor Nate
Protecting Integrity Online
Reviewed by Nate Cress
on
Thursday, April 29, 2021
Rating: 5