How to protect your online accounts

This note was created on 6/29/2021. This note was last edited on 1/31/2023.

It's very important to protect your online accounts and identities, especially if you work in big companies and have access to infrastructure or some confidential data. These recommendations are mostly intended for developers, system administrators and other roles with high access levels. If you are passionate about security, you can also follow this article. Feel free to contact me if you have something to add here.

1. Use secure passwords or passphrases. They should be random and have enough length. According to NIST Special Publication 800-63B: "Memorized secrets SHALL be at least 8 characters in length if chosen by the subscriber. Memorized secrets chosen randomly by the CSP or verifier SHALL be at least 6 characters in length and MAY be entirely numeric"[1]. But I would suggest the following guidelines for your password and passphrase:
   - Password: at least 12 characters in total, with uppercase and lowercase letters, numbers and special characters, like "!@#$%^&*".
   - Passphrase: at least 5 non-common words.

   Random passwords can usually be securely generated in the password manager of your choice.

2. Use a password manager to store all your secrets. This will give you a way to use random passwords everywhere. You will need to remember only one master password. Recommended password managers:
   - Bitwarden (https://bitwarden.com).
   - KeePassXC (https://keepassxc.org).
   - 1Password (https://1password.com).

3. Enable TOTP where available; use an application, as SMS is not secure. Recommended applications:
   - iOS: Raivo (https://apps.apple.com/us/app/raivo-otp/id1459042137).
   - Android: Aegis (https://play.google.com/store/apps/details?id=com.beemdevelopment.aegis&hl=en&gl=US).

4. Create a backup of your TOTP database after adding new accounts. This will give you a way to restore access to your accounts in case your phone gets lost or stolen.

5. Generate backup codes that will give you a way to restore access to accounts if you lose access to your phone and TOTP backups. They should be stored separately from passwords.

6. Do not use Gmail, Outlook, Yahoo, etc. as your main email. For example, Gmail doesn't provide support for free users. If your account is locked for any reason, you will not be able to recover it. To protect yourself from a lockout and to avoid relying on any specific email provider, buy your personal domain and pay for an email service of your choice. Recommended providers:
   - Tutanota (https://tutanota.com).
   - ProtonMail (https://protonmail.com).
   - Mailbox (https://mailbox.org).
   - Fastmail (https://www.fastmail.com).

7. Use unique aliases for all your accounts, like `info+site_salt@yourdomain.com`, for example: `info+microsoft_53gha3@johndoe.com`. In case of a data breach, hackers will only get your email address for a **SPECIFIC** service. They will not be able to guess your email for any other service because a "salt" (just a short random string, like `53gha3` in the example) was used in the address. Also, you can easily change the "salt" in your alias, so that a breached address cannot be used to sign in anymore. And by using the service name in the alias ("microsoft" in our example), you will know which service was breached, or who sold your email to third parties.

8. Monitor breaches with [HIBP](https://haveibeenpwned.com) ([RSS](https://feeds.feedburner.com/HaveIBeenPwnedLatestBreaches)).

---

[1] NIST Special Publication 800-63B: https://pages.nist.gov/800-63-3/sp800-63b.html
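As an added illustration of item 1 (this is example code written for this note, not the author's own), the Python script below generates passwords and passphrases to the guidelines given above using the operating system's CSPRNG (`secrets`), checks a candidate password against the "12 characters, one of each class" rule, and computes the entropy of each kind of secret. The word list is a constructed, deliberately tiny one, and the function names are this example's own.

```python
import math
import secrets
import string

# Character classes from the note's password guideline (item 1):
# upper- and lowercase letters, digits and the special characters "!@#$%^&*".
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*"
ALPHABET = UPPER + LOWER + DIGITS + SPECIAL  # 70 symbols

# Constructed, deliberately tiny word list for the passphrase demo (not a real
# list). A real list such as the EFF long diceware list has 7776 words; the
# entropy figures below show why the list size matters.
DEMO_WORDLIST = [
    "anchor", "basalt", "cobalt", "dahlia", "ember", "falcon", "glacier",
    "harbor", "iodine", "juniper", "kestrel", "lantern", "marble", "nebula",
    "orchid", "pelican",
]


def meets_password_guideline(password: str) -> bool:
    """Check the note's rule: at least 12 chars and one char of every class."""
    return (
        len(password) >= 12
        and any(c in UPPER for c in password)
        and any(c in LOWER for c in password)
        and any(c in DIGITS for c in password)
        and any(c in SPECIAL for c in password)
    )


def generate_password(length: int = 12) -> str:
    """Generate a uniformly random password over ALPHABET from the OS CSPRNG.

    Rejection sampling (retry until every class is present) keeps the result
    uniform over the set of conforming passwords; "pick one of each class and
    shuffle" would bias the distribution. A 12-char draw fails the class check
    less than 2% of the time, so the loop almost never repeats.
    """
    if length < 12:
        raise ValueError("the note's guideline requires at least 12 characters")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_password_guideline(candidate):
            return candidate


def generate_passphrase(wordlist, words: int = 5, sep: str = "-") -> str:
    """Pick `words` words independently at random; repeats are allowed."""
    if words < 5:
        raise ValueError("the note's guideline requires at least 5 words")
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices: int, count: int) -> float:
    """Entropy of `count` independent, uniform picks from `choices` symbols."""
    return count * math.log2(choices)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"{entropy_bits(len(ALPHABET), len(pw)):.1f} bits")
    phrase = generate_passphrase(DEMO_WORDLIST)
    print(phrase, f"{entropy_bits(len(DEMO_WORDLIST), 5):.1f} bits (list too small)")
    print("5 words from a 7776-word list:", f"{entropy_bits(7776, 5):.1f} bits")
```

The numbers are the point: 12 random characters from the 70-symbol alphabet give about 73.6 bits, 5 words from the 16-word demo list only 20 bits, and 5 words from a 7776-word list about 64.6 bits, so "5 non-common words" only reaches password strength when the words are drawn at random from a large list. These figures also assume the choice really was random; a human-chosen string over the same alphabet carries no such guarantee, which is why the note points you to a password manager's generator.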
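The alias scheme from item 7, as an added example (not code from the note's author): helpers that mint `local+service_salt@domain` aliases with a random salt, parse addresses found in a breach dump back to the service they were issued for, and rotate a burned alias to a fresh salt. The breach dump is constructed sample data, and the function names are assumptions of this example.

```python
import re
import secrets
import string

# Alias layout from item 7: <local>+<service>_<salt>@<domain>,
# e.g. info+microsoft_53gha3@johndoe.com.
SALT_ALPHABET = string.ascii_lowercase + string.digits
ALIAS_RE = re.compile(
    r"^(?P<local>[^+@]+)\+(?P<service>[a-z0-9]+)_(?P<salt>[a-z0-9]+)@(?P<domain>[^@]+)$"
)


def make_salt(length: int = 6) -> str:
    """Short random tag, like `53gha3` in the note, from the OS CSPRNG."""
    return "".join(secrets.choice(SALT_ALPHABET) for _ in range(length))


def make_alias(service: str, domain: str, local: str = "info", salt=None) -> str:
    """Build an alias for `service`; a fresh salt is generated unless given."""
    service = service.lower()
    if not re.fullmatch(r"[a-z0-9]+", service):
        raise ValueError("service label must be lowercase alphanumeric")
    return f"{local}+{service}_{salt or make_salt()}@{domain}"


def parse_alias(address: str):
    """Split an alias into its parts, or return None if it is not in our layout."""
    m = ALIAS_RE.match(address.strip().lower())
    return m.groupdict() if m else None


def rotate_alias(address: str) -> str:
    """Same service, fresh salt. Once the new alias replaces the old one in the
    account settings and the mail filter, the leaked address no longer signs in."""
    parts = parse_alias(address)
    if parts is None:
        raise ValueError("not one of our aliases")
    return make_alias(parts["service"], parts["domain"], parts["local"])


def services_in_breach(leaked_addresses, domain: str):
    """Map addresses from a breach dump to the services whose aliases they are.

    Returns a sorted list of (service, alias) for addresses on our domain;
    addresses on other domains, or not in our layout, are ignored.
    """
    hits = set()
    for addr in leaked_addresses:
        parts = parse_alias(addr)
        if parts and parts["domain"] == domain.lower():
            hits.add((parts["service"], addr.strip().lower()))
    return sorted(hits)


# Constructed breach dump (not real data) for the demo below.
CONSTRUCTED_DUMP = [
    "alice@example.org",
    "info+microsoft_53gha3@johndoe.com",
    "INFO+Shop_9kq2zt@johndoe.com",
    "info+microsoft_53gha3@johndoe.com",  # duplicate line, collapsed by the set
    "bob+newsletter_abc123@other.net",
]

if __name__ == "__main__":
    for service, alias in services_in_breach(CONSTRUCTED_DUMP, "johndoe.com"):
        print(f"{service}: {alias} leaked -> replace with {rotate_alias(alias)}")
```

The salt comes from `secrets`, not `random`, so it is not guessable from other aliases. One caveat worth knowing when you pick the layout: the `+` tag convention is visible to whoever holds the list, and dropping everything after `+` recovers the base mailbox `info@johndoe.com`; if your mail provider supports a catch-all domain, putting the service and salt in the local part without a shared prefix avoids giving that base address away.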