How to secure online accounts

It's important to protect your online accounts and identities, especially if you work for a large company and have access to infrastructure or sensitive data. These recommendations are mainly intended for developers, system administrators and other roles with high access levels. If you are passionate about security, you can also follow this article.

1. Use secure passwords or passphrases. They should be random and have enough length. According to NIST Special Publication 800-63B: "Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber. Memorized secrets chosen randomly by the CSP or verifier SHALL be at least 6 characters in length and MAY be entirely numeric" ^[1].
   But I would suggest the following guidelines for your password and passphrase:
   
   • Password: at least 12 character in total, with uppercase and lowercase letters, numbers and special characters, like !@#$%^&*.
   • Passphrase: at least 5 non-common words.
   Random passwords usually can be securely generated using password manager of your choice.


2. Use a password manager to store all your secrets.
   This gives you the ability to use random passwords everywhere. You only need to remember one master password.
   Recommended password managers:
   
   • Bitwarden.
   • KeePassXC.
   • 1Password.


3. Enable TOTP where available; use application, as SMS is not secure. Recommended applications:
   • iOS: Ente Auth or OTP Auth.
   • Android (via F-Droid): Ente Auth or Aegis.
   • Android (via Play Store): Ente Auth or Aegis.


4. Back up your TOTP database after adding new accounts. This will allow you to restore access to your accounts if your phone is lost or stolen.


5. Generate backup codes that give you a way to restore access to accounts if you lose access to your phone and TOTP backups. These should be stored separately from passwords.


6. Do not use Gmail, Outlook, Yahoo, etc. as your main email. For example, Gmail doesn't provide a support for free users. If your account will be locked by any reason - you'll not be able to recover it. To protect yourself from lockdown and to not rely on any specific email provider - buy your personal domain and pay for email service of your choice.
   Recommended providers:
   • Mailbox.
   • Tutanota.
   • ProtonMail.
   • Fastmail.


7. Use unique aliases for all your accounts, like [email protected], for example: [email protected]. In case of data breach, hackers will only get your email address for a SPECIFIC service. They will not be able to guess your email for any other service because "salt" (just a short random string, like 53gha3 in the example) was used in the address. Also, you can easily change a "salt" in your alias, so that breached address cannot be used to sign in anymore. And by using service name in the alias ("microsoft" in my example), you will understand, which service is breached, or who sold your email to third-parties.


8. Monitor breaches with HIBP (RSS).

---
[1] Read more at nist.gov.

Created on 2021-06-29
Last edited on 2024-04-29