Until now my approach to password management was simple: keep a few passwords in my head and reuse them across online services. This is a very bad approach, because if one service gets compromised, all your other accounts using the same password are at risk. I started receiving suspicious emails/activity for some of my services and my Uber account was hacked (lost $300 in one day for rides in Russia; fortunately Uber did a chargeback), so it was time to raise security to a higher level. This is my new approach.
Have I been pwned?
Have I Been Pwned is a great service for checking whether you are at risk. You can enter your email address and/or a password and see whether the services you use have been breached and your credentials exposed. If so, you are at risk and have to secure your account(s).
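The password side of that check, as an added example that is not code from this post or from Have I Been Pwned: it implements the Pwned Passwords range lookup, in which only the first five hex characters of the password's SHA-1 leave your machine and the remaining 35 are matched locally against the returned list (the `range` endpoint and the `Add-Padding` header are real parts of the HIBP API; the `User-Agent` string, the sample response text and its counts are constructed for the example). It also includes a small generator for the kind of strong, unique password the rest of this post recommends, with an entropy estimate.

```python
import hashlib
import math
import secrets
import string
import urllib.request

# Character classes for generated passwords (assumption: a typical manager default).
CHAR_CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniformly random string of `length` over `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20) -> str:
    """Random password with at least one character from every class.

    Uses the OS CSPRNG via `secrets`; rejection sampling keeps the result uniform
    over the strings that satisfy the class requirement (it trims entropy by a
    fraction of a bit at this length, which does not matter in practice).
    """
    if length < len(CHAR_CLASSES):
        raise ValueError("length too short to cover every character class")
    alphabet = "".join(CHAR_CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in CHAR_CLASSES.values()):
            return candidate


def sha1_prefix_suffix(password: str) -> tuple:
    """Split the upper-case hex SHA-1 into the 5-char prefix sent to HIBP and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_text: str) -> int:
    """Parse a range response ("SUFFIX:COUNT" per line) and return the breach count
    for `suffix`, or 0 if it is absent. Padding entries arrive with count 0."""
    for line in response_text.splitlines():
        candidate, sep, count = line.strip().partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def check_password_offline(password: str, response_text: str) -> int:
    """Breach count for `password` given an already-fetched range response."""
    _, suffix = sha1_prefix_suffix(password)
    return count_in_range_response(suffix, response_text)


def check_password_online(password: str, timeout: float = 10.0) -> int:
    """Live check against HIBP. Only the 5-char hash prefix is sent over the network."""
    prefix, suffix = sha1_prefix_suffix(password)
    req = urllib.request.Request(
        PWNED_RANGE_URL + prefix,
        headers={"Add-Padding": "true", "User-Agent": "password-hygiene-example"},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        body = resp.read().decode("utf-8")
    return count_in_range_response(suffix, body)


# Constructed sample of a range response for prefix 5BAA6 (the prefix of "password").
# The counts and the first/last suffixes are made up; the middle suffix is the real
# SHA-1 suffix of "password".
SAMPLE_RANGE_RESPONSE = """\
1E2AAA439C4B8F0DC5F6A4F3C9B2C4E1D12:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E5C2D8F1A0B3C4D5E6F7A8B9C0D1E2F3A4:0
"""


if __name__ == "__main__":
    alphabet_size = sum(len(c) for c in CHAR_CLASSES.values())
    pw = generate_password(20)
    print(pw, f"(~{entropy_bits(20, alphabet_size):.1f} bits)")
    print("'password' seen", check_password_offline("password", SAMPLE_RANGE_RESPONSE), "times")
```

`check_password_online` is the same logic against the live API; `check_password_offline` lets you exercise the matching without network access. A non-zero count means the password has appeared in a known breach and should not be used anywhere, regardless of how strong it looks.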
Even though I am using a Mac, I wanted to be sure that I don't have malicious software on my machine. I decided to use Kaspersky Internet Security (KIS). Another good option would be Bitdefender. A full scan found and removed only a few pieces of adware. I disabled the web antivirus option because it was interfering with some web apps. I don't see any slowdown from real-time protection.
1Password is an amazing app for password management:
- Generates strong unique passwords
- Stores your usernames/passwords in a secure way
- 2FA/MFA management (no need to use other apps like Authy for this)
- Desktop app, mobile app, browser extensions – meaning full and easy integration and sync
- Access to all of your services by using only one master password or fingerprint
- Easy backup/restore solution with Emergency Kit
- Write down your 1Password master password on a piece of paper and store it in a secure place for one week until you memorize it. Then destroy the paper.
- Store the 1Password Emergency Kit document in a safe place. I put it on my Dropbox and on a flash drive, and also printed it physically and keep it with my passport 😀
- Make a list of the critical/important services you use: communication (email, Slack, WhatsApp, Skype, etc.), social media (Facebook, Instagram, LinkedIn, etc.), financial services, blog, GitHub, etc.
- Go through the critical services and change passwords. Use 1Password to generate a strong unique password per service and store the login info in the app.
- Go through the critical services and activate 2FA/MFA. When you edit a login in 1Password, it lets you scan the QR code and add the MFA secret to the app. It's much better than Google Authenticator and Authy because:
  1) easy backup/restore with the Emergency Kit, without depending on your mobile number;
  2) only one app for both passwords and MFA;
  3) it works on multiple devices (phone, computer);
  4) it fills in both the password and the MFA code automatically after you provide your master password or, even better, your fingerprint.
  If a service supports only SMS MFA instead of app MFA (Instagram, for example), store the backup codes for that service inside 1Password, so that you can still get in if you lose your phone or computer. Sometimes a service supports only SMS MFA and doesn't provide backup codes (shame on you, LinkedIn); in that case you will have to contact them if you lose access to your mobile number. Sometimes you will have to do additional work, as with GitHub: once MFA is activated you can no longer access it from the command line using your password; you have to generate a GitHub token (store it in 1Password as well) and use it instead of your password.
- Clear your browser(s) history / cache / saved passwords, etc. Then, as you go, repeat the last two steps for all other non-critical services. You probably use hundreds of online services, and you can secure the non-critical ones when you next log in to them instead of going through 1000 services at once.
- 1Password is not tied to your mobile number, so even if you lose all your 1Password devices (phone and computer, for example) you will still be able to access it using the Emergency Kit.
- Use 1Password to store other sensitive data like credit card info.
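What actually happens in the 2FA step above, as an added example that is not code from this post or from 1Password: the QR code you scan is an `otpauth://totp/...` URI carrying a base32 secret, and every app-based MFA code is just RFC 6238 TOTP computed from that secret and the current time. The block parses such a URI, derives codes, and shows the server-side check with a small clock-skew window. It uses the RFC 6238 reference key (`12345678901234567890`, base32 `GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ`); the label and issuer in `SAMPLE_URI` are constructed. Because the secret is the entire credential, whatever holds it (the authenticator app, or the password manager vault and its Emergency Kit backup) is what you must protect and back up.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import parse_qs, unquote, urlparse


def parse_otpauth_uri(uri: str) -> dict:
    """Parse the otpauth://totp/... URI that an enrollment QR code encodes.

    Returns label, issuer, base32 secret, digits and period (defaults 6 and 30).
    """
    parsed = urlparse(uri)
    if parsed.scheme != "otpauth" or parsed.netloc != "totp":
        raise ValueError("not an otpauth://totp URI")
    params = parse_qs(parsed.query)
    if "secret" not in params:
        raise ValueError("otpauth URI has no secret")
    return {
        "label": unquote(parsed.path.lstrip("/")),
        "issuer": params.get("issuer", [None])[0],
        "secret": params["secret"][0],
        "digits": int(params.get("digits", ["6"])[0]),
        "period": int(params.get("period", ["30"])[0]),
    }


def decode_base32_secret(secret: str) -> bytes:
    """Decode the base32 secret; QR payloads usually omit '=' padding, so restore it."""
    cleaned = secret.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 64-bit counter, then dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(binary % (10 ** digits)).zfill(digits)


def totp(key: bytes, unix_time: int, period: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / period)."""
    return hotp(key, unix_time // period, digits)


def verify_totp(key: bytes, code: str, unix_time: int, period: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step and `window` steps either side
    to tolerate clock skew; compare in constant time."""
    step = unix_time // period
    for delta in range(-window, window + 1):
        if step + delta < 0:
            continue
        if hmac.compare_digest(hotp(key, step + delta, digits), code):
            return True
    return False


# Constructed enrollment URI; the secret is the RFC 6238 reference key.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&digits=6&period=30")


if __name__ == "__main__":
    enrol = parse_otpauth_uri(SAMPLE_URI)
    key = decode_base32_secret(enrol["secret"])
    now = int(time.time())
    print(enrol["issuer"], enrol["label"], "code:",
          totp(key, now, enrol["period"], enrol["digits"]))
```

The `verify_totp` window is why a code still works for a few seconds after it rolls over; a service that accepts a wider window trades a little security for tolerance of badly synced clocks. Backup codes, where a service offers them, are a separate mechanism: single-use secrets the service stores hashed, which is why they need to be kept somewhere safe like the vault.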
But don’t forget:
“People are used to having a technology solution, but social engineering bypasses all technologies, including firewalls. Technology is critical, but we have to look at people and processes. Social engineering is a form of hacking that uses influence tactics.”