👨‍💻 Personal Cyber Security CHECKLIST 👨‍💻 – PART TWO

Authentication (User Identity Verification) & Passwords

And here we have the continuation of the checklist. A few of you have gotten back to me with more tips, thanks! I'll add them gradually and then publish them as a comprehensive e-book. If we get through today's topic together, the bad guys will have a little more work to do again.

This is a crucial topic, so I have a big request for you. If you use passwords ALL THE TIME, CHANGE IT TODAY.

  1. Use a long, strong, unique password for each of your accounts - find out how strong your password is *1.
  2. I'm not an advocate of changing passwords frequently if the passwords are unique, long and ideally protected by two-factor authentication. Change passwords as soon as you suspect a password leak.
  3. Use a secure password manager to encrypt, store and fill in login credentials, such as BitWarden or KeePass / KeePassXC. I'll leave it up to you whether you entrust your passwords to a cloud service or use a solution that you have full control over. One thing I know for sure: you can't do it without a password manager *2.
  4. Don't store passwords in your browser.
  5. Sign up for suspected password leak alerts and update passwords for compromised accounts *4.
  6. Enable two-factor authentication, if available, and use an authentication app or hardware token (e.g. Yubikey). You can use a multifactor app such as Google Authenticator or Microsoft Authenticator, or choose an open-source app *5.
  7. When you enable multifactor authentication, you will usually be provided with a few codes that you can use in case your phone is lost, damaged or unavailable. You should ideally store them on paper or safely offline - a disk in a safe, etc. I probably wouldn't recommend you store the codes in a password manager.
  8. If you use a PIN instead of a password, avoid using a 4-digit numeric code. Users often pick their year of birth :-).
  9. Do not log in on other people's devices. If you can't do otherwise and have to, use InPrivate mode / an incognito window - Ctrl+Shift+N / Cmd+Shift+N.
  10. Never answer truthfully to online security questions that are required in case of password loss/reset. Ideally, do not use this feature at all. This includes questions such as date of birth, mother's name, etc.
  11. Be careful not to be filmed by a camera when entering your password.

1 - How secure is my password
https://www.security.org/how-secure-is-my-password/

2 - Password manager
https://bitwarden.com/
https://keepass.info/
https://keepassxc.org/
https://lastpass.com/
https://www.yubico.com/products/

3 - Generating a username in Bitwarden
https://bitwarden.com/blog/whats-in-a-user-name/

4 - Monitoring leaked passwords
https://haveibeenpwned.com/
https://monitor.firefox.com/

5 - 2-factor authentication applications
List of web services and information on whether they support 2FA
https://2fa.directory/cz/#remote

Android
Aegis - https://getaegis.app/
Authenticator Pro - https://github.com/jamie-mh/AuthenticatorPro
andOTP - https://github.com/andOTP/andOTP

iOS
Tofu - https://www.tofuauth.com/
Authenticator - https://mattrubin.me/authenticator/
Raivo - https://github.com/raivo-otp/ios-application

Windows
https://winauth.github.io/winauth/download.html
