Passwords and Online Accounts
With recent developments regarding storyofrachel's accounts being targeted and compromised, I think it's pretty important to show that a major lesson can be learned about how to protect your online accounts. Hopefully you've already heard and live by all that is below in the post, but for those that don't, consider this a good entry to securing your online accounts.
- Don't use the same username for two different services
This is one of the easiest ways to link two accounts to the same user. Malicious actors will have a much more difficult time knowing all the services you use if the names are unique and unrelated.
- Don't use the same password more than once
We're all guilty of this. Convenience is a sweet siren, but if one account is ever compromised, it can domino to all of your other accounts if they share the same password.
- Change your passwords regularly
Even if your password is secure, it is good practice to regularly update these passwords. By changing your password every 6 months, a service breach from 1 year ago won't do much to compromise your account.
- Use Multi-Factor Authentication
There are three main ways to prove an identity: something you know (password), something you have (phone), or something you are (fingerprint). Your security improves dramatically when using two of these to log into services. Most of the time, this is in the form of the service sending you a text message when you log in. If someone knows your password, they would also need your phone (or a way to intercept your texts). If/When ChaCha gets MFA, enable it as soon as you can. ZDNet released a good article today on MFA, so please take the time to at least skim through it.
Regarding 2 and 3, using a password manager such as KeePass, Lastpass, or Bitwarden can make generating and keeping up with your passwords a breeze.
Good post, @fuschiaRuler
I'd also add that text-based MFA is insecure. What's more recommended is TOTP, where you scan a barcode with an app like Authy or Google Authenticator on your phone and then it provides codes to you that you enter in the website. What's most recommended is hardware-based 2FA with a physical token like a YubiKey, but this isn't widely supported yet and requires the purchase of a specific device.
Everyone (I repeat, EVERYONE) should be using a password manager. Password reuse is a serious problem, and everyone's guilty of it to some degree - but you need to work hard to make sure you can prevent password compromise. I know it's annoying, and I know you don't want to do it, but trust me: it's worth it. Once you have it set up it can make your life easier by typing in passwords for you, and it makes your online life infinitely more secure. You should absolutely use new, uncompromised, PASSPHRASES for your password manager password, and you need to enable 2FA.
A password manager becomes a single point of failure. If it ever gets breached, are you not completely fucked?
Potentially, yes. However, it is something to think about on a personal threat model. For 99% of people, a password manager will greatly improve their security. An individual will likely know if they are at a point that they cannot trust a password manager, and this guide would be moot.
In addition, it is my hope that if you use a password manager, MFA is enabled to reduce the chance of a breach even more.
Agree with fuschia here - your threat model should influence what type of password manager you use. However, you should still use one. If you're super worried about giving your passwords to another service, even if it's something open source like Bitwarden, you can use KeePassXC with hardware 2FA challenge-response. KeePassXC keeps your password database on your computer, and not on a server somewhere.
Besides, it's not like these services are storing your passwords unencrypted. These sites never see your passwords, only the encrypted versions of them - and your password is the encryption key. If the site ever gets breached, all that should be stolen is encrypted password databases, which will be bad, but they would need to be decrypted before they can be used. If you are using a strong master password/passphrase, brute forcing your database should be extremely difficult, if not near impossible. (And you NEED to be using a strong master PASSPHRASE).
I honestly cannot think of a situation where an individual shouldn't store most of their passwords in a password manager. The increase in security provided by using strong, randomized passwords for each service far outweighs any minute risk of compromise.
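To make the "your master passphrase is the encryption key, so a stolen vault still has to be brute-forced" argument concrete, here is an added example (mine, not code from Bitwarden, KeePassXC or the thread's authors). It stretches a master passphrase into a vault key with PBKDF2, derives a separate one-way login token so a service can authenticate you without holding the key that decrypts the vault, and then estimates how long exhausting the guess space would take for a short password versus a multi-word passphrase. The 600,000-iteration count, the `b"vault-login"` label and the 1e6x attacker speedup are assumptions for the demo, not any product's settings; the per-site generator at the end is the "strong, randomized password for each service" idea from the post.

```python
import hashlib
import hmac
import secrets
import string
import time

# Assumed demo parameters (not any particular manager's configuration).
PBKDF2_ITERATIONS = 600_000
KEY_LEN = 32
SITE_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def derive_vault_key(master_passphrase: str, salt: bytes) -> bytes:
    """Stretch the master passphrase into the key that encrypts the vault.
    This runs on the client; the resulting key is never sent to a server."""
    return hashlib.pbkdf2_hmac("sha256", master_passphrase.encode("utf-8"),
                               salt, PBKDF2_ITERATIONS, dklen=KEY_LEN)


def login_token(vault_key: bytes) -> bytes:
    """Derive a second value one-way from the vault key. This is what the
    client presents to log in, so the service can verify the user without
    ever being able to recover the key that decrypts the vault."""
    return hmac.new(vault_key, b"vault-login", hashlib.sha256).digest()


def seconds_per_guess(salt: bytes, trials: int = 2) -> float:
    """Measure one KDF evaluation on this machine. An attacker with a stolen
    vault pays roughly this per guess (less on GPUs, hence `speedup` below)."""
    start = time.perf_counter()
    for i in range(trials):
        derive_vault_key(f"guess-{i}", salt)
    return (time.perf_counter() - start) / trials


def search_space(alphabet_size: int, length: int) -> int:
    """Number of candidates a uniformly random secret of this shape presents."""
    return alphabet_size ** length


def years_to_exhaust(candidates: int, secs_per_guess: float,
                     speedup: float = 1.0) -> float:
    """Worst-case years to try every candidate, given an assumed attacker
    speedup over the measured single-machine rate."""
    return candidates * secs_per_guess / speedup / (365.25 * 24 * 3600)


def generate_site_password(length: int = 20) -> str:
    """Per-site random password of the kind a manager generates: drawn from a
    CSPRNG, never reused, so one breached service cannot domino to the rest."""
    return "".join(secrets.choice(SITE_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    salt = secrets.token_bytes(16)  # stored next to the vault; not secret
    key = derive_vault_key("correct horse battery staple", salt)  # demo passphrase
    print("login token differs from vault key:", login_token(key) != key)
    spg = seconds_per_guess(salt)
    print(f"one guess costs ~{spg:.3f}s here")
    for label, n in [("8 lowercase letters", search_space(26, 8)),
                     ("8 mixed printable chars", search_space(95, 8)),
                     ("5 words from a 7776-word list", search_space(7776, 5))]:
        yrs = years_to_exhaust(n, spg, speedup=1e6)
        print(f"{label:32s} {n:.2e} candidates, ~{yrs:.2e} years at 1e6x our speed")
    print("example per-site password:", generate_site_password())
```

The takeaway matches the post: the KDF buys a constant factor per guess, but the passphrase's size of search space is what turns "bad" into "practically impossible", and five random words beat eight random symbols by several orders of magnitude.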
Completely agree. I avoid text based MFA as much as possible. I'd rather people use it than not at all, though.