Thursday, December 28, 2017

Alohomora: Simple Security for Muggles and Wizards alike

Two years ago, I wrote a post specifically about passwords.
However, these days there are a few more things one should be doing to protect themselves, so I'll go over a few digital security topics in this post.

Wait! Don't be scared, I know security can sound hard but it doesn't have to be. I'd like this guide to be easy to follow so even someone without an interest in security can quickly start being secure online.


I've covered this before but I'll summarize the post here.

Password Setup Steps:
  1. Create two very strong, but easy to remember, passwords: one for your password manager and one for your email.
    You can do this by:
    1. Rolling some dice to create a Diceware passphrase
      Easy creation site (use 6 words minimum!) and EFF's explanation of how/why
    2. Using the Schneier Scheme
  2. Write down these passwords and put them in a safe place.
    This may sound odd, but even Bruce Schneier has said:
    If you can't remember your passwords, write them down and put the paper in your wallet. But just write the sentence - or better yet - a hint that will help you remember your sentence. Or use a [password manager]. Don't feel this is a failure; most of us have far too many passwords to be able to remember them all.
    - Bruce Schneier, Nov 2008. Blog post link
  3. Choose a Password Manager
    There are a few choices out there, but you'll likely look at one of the following:
    1. 1Password (nicer on MacOS/iOS than Windows/Android)
    2. LastPass
    3. Keepass
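To make the Diceware option in step 1 concrete, here is an added example (my own code, not from the post or from the EFF) of what the dice rolls actually do: five rolls of a six-sided die pick one of 6^5 = 7776 words, and each word adds about 12.9 bits of strength. Because a real list has 7776 entries, the word list below is a constructed placeholder; swap in the EFF long list (or any Diceware list) to get real passphrases. The dice are rolled with Python's `secrets` module rather than real dice, which is an assumption of this example.

```python
import math
import secrets

# Diceware draws each word with five rolls of a six-sided die, so a
# Diceware list has exactly 6**5 = 7776 entries keyed "11111".."66666".
LIST_SIZE = 6 ** 5

# Constructed placeholder list so this runs offline; replace with the
# real words from a Diceware list (same length, same ordering).
PLACEHOLDER_WORDS = [f"word{i:04d}" for i in range(LIST_SIZE)]


def roll_dice_key() -> str:
    """Five independent dice rolls, e.g. '43152', from a CSPRNG."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def dice_key_to_index(key: str) -> int:
    """Map a five-digit dice key to its 0-based position in the list.

    The last die is the least significant digit, matching the order in
    which Diceware lists are printed ('11111', '11112', ..., '66666').
    """
    if len(key) != 5 or any(c not in "123456" for c in key):
        raise ValueError(f"not a dice key: {key!r}")
    index = 0
    for c in key:
        index = index * 6 + (int(c) - 1)
    return index


def passphrase(n_words: int = 6, words=PLACEHOLDER_WORDS) -> str:
    """Generate an n-word Diceware passphrase (the post recommends 6 words minimum)."""
    if len(words) != LIST_SIZE:
        raise ValueError("a Diceware list must have exactly 7776 entries")
    return " ".join(words[dice_key_to_index(roll_dice_key())] for _ in range(n_words))


def entropy_bits(n_words: int, list_size: int = LIST_SIZE) -> float:
    """Strength of a passphrase chosen uniformly from the list: n * log2(list_size) bits."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    print(passphrase(6))
    print(f"6 words: {entropy_bits(6):.1f} bits; 7 words: {entropy_bits(7):.1f} bits")
```

The strength number is the point: six words give roughly 77.5 bits, which is why the post says six minimum, and it only holds if the words are chosen uniformly at random (dice or a CSPRNG), never by picking words you like.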

Update Old, Insecure Passwords

This can be time consuming, but it's important to clean up all your old passwords. You probably used the same password in multiple places, right? Use your password manager's password generator to come up with secure passwords, preferably as long as the service will allow.

This process can be daunting, however, so unless you're ready to spend a lot of time on it, let's make it easier. If you're using LastPass, I believe it will give you a password strength report to help you clean up.

I'd go about this slowly to make it easy. Whenever you log into a service, check the password. If it's weak, change it before you go about your tasks. Otherwise, grab a different password to update.

One day you'll have all your passwords updated!

Enable Two-Factor Authentication Everywhere 

Enable 2FA everywhere you can, and choose any other form over SMS. Here's a site that will help you find out which of the services you use support 2FA.

There are a variety of two-factor authentication (2FA) or multi-factor authentication methods (a guide by the EFF here), but the main two you'll encounter are:
  1. SMS.
    Which works, but isn't very secure. Without going into too much detail, it's possible for a hacker to pretend to be your phone number and intercept your SMS messages. So if there's another option, choose that. If this is your only option, it's still better than no 2FA.
  2. Authenticator/TOTP
    This form of 2FA gets you to punch in a 6-digit code when you log in. Authy is a popular app for managing these codes for many services, as is Google Authenticator. It's nice to keep all of your codes in one place.
Using any 2FA method means you may be offered the option to print out backup codes. If a service offers this, definitely do it and store those codes in a safe place!
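For the curious, here is an added example (my own code, not from the post, Authy or Google Authenticator) of what an authenticator app does with that 6-digit code: the service and your app share a secret (the thing behind the QR code, shown as a base32 string), and both compute HMAC-SHA1 over the current 30-second time step, per RFC 4226/6238. The sample key is the RFC's published test key, and the 30-second step, SHA-1 and one-step tolerance window on the server side are the defaults assumed here.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import Optional


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the counter,
    dynamic truncation, then the last `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, at_time: Optional[int] = None, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with counter = floor(time / step).
    This is what the app on your phone displays."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(key, at_time // step, digits)


def verify_totp(key: bytes, code: str, at_time: Optional[int] = None,
                step: int = 30, digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side
    (tolerates small clock drift). Compares every candidate in constant time
    rather than stopping at the first match."""
    if at_time is None:
        at_time = int(time.time())
    counter = at_time // step
    ok = False
    for delta in range(-window, window + 1):
        ok |= hmac.compare_digest(hotp(key, counter + delta, digits), code)
    return ok


def new_shared_secret(nbytes: int = 20) -> str:
    """Fresh random secret, encoded as the base32 string that authenticator apps accept."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def secret_from_base32(text: str) -> bytes:
    """Decode the base32 secret a service shows you (spaces and case are ignored,
    '=' padding may be missing)."""
    cleaned = text.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)
    return base64.b32decode(cleaned)


if __name__ == "__main__":
    # RFC 6238 test key (ASCII "12345678901234567890"); its base32 form is
    # GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ, the kind of string a service shows you.
    rfc_key = b"12345678901234567890"
    print("code at t=59:", totp(rfc_key, at_time=59))   # RFC vector: 287082
    print("code now:    ", totp(rfc_key))
```

Two things worth noticing: the code is derived from the shared secret, so whoever holds the secret (you, the service, and anyone who reads a screenshot of the QR code) can produce valid codes, which is why the backup codes and the secret deserve the same care as a password; and nothing in the scheme needs the phone network, which is why it is not exposed to the SMS problems above.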

Use a Secure Messaging App

I'd recommend using Signal, or (if you trust Facebook) WhatsApp, for private messaging, as they implement the same protocol to secure your messages.
I would highly discourage use of Telegram (here's one reason why).

I'd go into more details, but the EFF is also re-thinking what secure messengers need these days, so I'll hold off on giving detailed recommendations myself.

Best Practices

Overall best practices are hard to write. I'll try to give some useful advice though:
  • Always think critically before taking action.
    Who told you to click or install something? Think about why you might want to do it.
  • Not sure? Ask.
    Hopefully you have a tech-savvy friend you can ask to confirm something. If not, getting better at Googling things is a useful skill!
  • Use an ad-blocker (such as uBlock Origin for Chrome or Firefox)