Securing Your Online Accounts

Given the critical nature of people’s online accounts today, and the extent to which its left up to you, as a user, to follow good security practices, its important to be aware of how you can be attacked, good security practices, and common pitfalls/gotchas in securing your crucial online accounts.

Passwords

The first step in securing accounts is to make sure that the passwords defined for each service you use don’t make you an easy target. They should be:

• Of sufficient complexity - Meaning that it it is not feasible for someone without your password to find it by guessing. To assure this, the randomness of the password is more important than the length or character set. To assure randomness, this should generated by a computer. Bitwarden’s password generator is a pretty good option. Even so, a longer random password is harder to crack than a short one, and so a minimum password length is sensible. General guidelines: no less than 12 completely random characters, or a combination or 4 dictionary words.
• Unique - Each password is used for one service, and not for any other service. The reason being, when one service gets hacked, hackers may extract the credentials and sell them to others, or even just release them publicly. Then others try to use those credentials to access higher value accounts. Given the (relatively) commonplace nature of such breaches, and the large number of online accounts a person typically has, it is likely that a number of your credentials have already been compromised. To check if your account details are in a publicly available data set, you can use HaveIBeenPwned to check for leaked credentials associated with your email. (NB: this website was started by a high-profile security researcher and thus is reputable and safe to use)

Given the difficulties involved in memorizing a large number of (sufficiently) complex passwords, it is not recommended to try to memorize passwords. Bodies setting cybersecurity standards, such as Britain’s NCSC, are unanimous in this recommendation - it is not within human capabilities to memorize the number of unique, complex passwords that we would need. Uniqueness and/or complexity are always compromised.

Instead, it is typically recommended to use a password manager. An online password management service is the most convenient for most people, so that passwords can always be saved and retrieved regardless of where you are and what device you’re using. Bitwarden is a recommended provider of this type of service.

The downside is that this service itself then becomes one of the most critical services to secure - and its password must still be memorized. Some degree of knowledge and care is certainly required to secure this service properly.

If we drop the aspiration to have always-available passwords, simpler alternatives may be used:

• A local password manager that keeps all the data locally on a specific device. Password compromise is then only possible if the device is first compromised. However, many people have & do struggle with keeping their devices secure and virus-free.
• A simpler alternative is to write passwords down in a notebook and store it in a safe, or other safe place, when not in use. This transforms the problem of information security into a problem of physical security, which is easier to reason about. This is therefore a good option for many people.

Regardless of which option you use, using any such system that allows you to use generated, strong, random & unique passwords will be a giant leap forward for your security.

Multi-Factor Authentication

For most accounts, a strong password is sufficient to deter unauthorized access. However, we cannot be certain that a determined attacker will be unable to crack the password or get access to it by some other means.

For this reason, for critical accounts, it is always recommended to use an additional factor to secure access. This is not another password, but (normally) a token that is in some way linked to something you have.

The benefit of this is that a hacker must now achieve access to two separate accounts instead of one - e.g. after compromising your password, they would also need access to your phone to read a generated, time-sensitive login token.

Second factors typically fall into one of the following types:

• SMS (not recommended)
• An authenticator phone app, generating time-sensitive single-use (TOTP) tokens
• Hardware tokens (dedicated or, preferably, universal 2nd factor)

However, these options are very different in terms of their security implications, so lets dig into them one-by-one.

SMS Tokens

With an SMS second factor, you will provide your phone number to the service, and when a second factor is required for access, a generated one-time, time-sensitive token will be sent to you via SMS. This method is widely used, as it is the easiest for a user in terms of setup & use. However, it is not a very secure approach.

Unfortunately, phone numbers are vulnerable to a few different attacks, such as SIM swapping and SIM cloning. These seem to be currently the most common types of attacks on online banking & cryptocurrency wallets. Some phone companies are adopting better security to protect against these threats, but unfortunately most are still lagging, and its not always clear what protections companies actually have in place. In many cases, there is a different between a company’s stated policy and what is reliably enforced. Nevertheless, there are some things to look for:

• Ability to request SIM swaps over the phone is normally a bad sign
• Ability to request SIM swaps only in-person, with ID documents - this is not so bad. This sounds high-risk for a potential fraudster, however in practice, fraudsters have been actively exploiting these procedures using falsified documents
• Ability to request SIM swaps online-only, using an account secured with MFA is the best option, if a carrier with such a policy is available

Overall, it is best to avoid the use of SMS for MFA whenever other factors are available. If it is the only option available, it is still recommended as it does add some additional security vs a password-only account.

Note that if choosing a more secure MFA option you should try to make sure that the SMS option is explicitly disabled, as it often remains enabled by default. Your security is only as strong as the weakest link in the chain, that is what attackers will focus on.

Authenticator Apps

This approach seems to be the “sweet spot” for MFA methods today, with wide (but not universal) support available and the approach being quire secure (albeit not completely impervious to attack).

Typically, you install an app on your phone, then scan a QR code on the service to register. Once registered, the app will generate tokens that will be used as the additional factor for login. The app saved a secret as part of the initial registration and thereafter operates completely offline, with all data being stored only locally on the device.

Since the token generation is all local to the device, and therefore cannot be remotely transferred, it is much more secure than the SMS factor.

One possible attack that remains is for a hacker to gain access to the phone itself via malware. Phone OS’s are generally quire secure, so this is not easy nor a common occurence. But it is not completely unheard of. This sort of attack is also effective for stealing SMS tokens & possibly passwords too - so this is not a weakness just of authenticator apps.

The major downside of authenticator apps in fact concerns physical loss of the phone. Unless another MFA method is registered with each service, this will render you unable to login ( & reliant on account recovery mechanisms, if they exist).

So you have to have a backup. Unfortunately, most services don’t support multiple registrations - when you register a new device, the tokens generated by the existing device will stop working. However, you can (and should) register multiple devices as part of a single registration process. When the registration shows you a QR code to scan, you can scan it with two (or more) devices, and then the tokens generated by both devices will work. It would be suggested to register with a second phone that you leave at home, in addition to your main phone.

Hardware Tokens

Traditional tokens used for a single service may generate a code, in much the same way as a phone app, but in a dedicated device:

Some banks have variants on these that work together with your bank card, but are otherwise similar in concept.

These offer all the same benefits of authenticator apps, but eliminate the risk of malware infection. They also are less of a target for pickpockets than valuable phones are.

So, whenever a physical token is offered for MFA that is the only option you should use.

However, most services don’t offer to send out physical tokens, and even if they did, it would be inconvenient to have separate tokens for each important online account.

This is where multipurpose hardware tokens come in. Hardware Tokens like Yubikeys implement generic authentication standards (U2F and/or WebAuthn) that allow them to generate tokens for multiple different services. They look something like this:

There is a capacitative button that requires someone to be present and touching the Yubikey in order for a token to be generated. Various types of USB and NFC interfaces are available that allow the key to directly enter the generated token on any device. As a used, you never need to see the token, which helps to prevent phishing attacks.

Unfortunately, support for these tokens is rather lacking. You should expect support for them from your email provider & password manager. This already makes investing in such keys worthwhile. But you shouldn’t expect direct support from many additional services.

However, Yubikeys can still improve security for services that offer authenticator app support. Yubico - the makers of Yubikey - offers a Yubico Authenticator app, which store the tokens on Yubikeys instead of directly on the phone. This mitigates the risk of malware accessing tokens by infecting your phone.

As with authenticator apps, you need a backup strategy in case of a lost or inaccessible key. It is therefore recommended to buy two Yubikeys and register both to each account.

Password & MFA Recovery

If you set up your accounts with strong passwords & a secure second factor, you should have achieved a good level of security. But, there is another access method that can undo all of your hard work: account recovery.

In a perfect world, these mechanisms would not need to exist. But we don’t live in a perfect world, and service providers know it. People forget their passwords and need to reset them. They lose their phones which generate the tokens needed to access their important MFA-protected accounts, but they still want to be able to access those accounts.

This is why most services offer various account recovery mechanisms - convenience for the user trumps the fact that these decrease security somewhat. Normally, these mechanisms rely on an email address - or , sometimes, a phone number.

An email dependency is not optimal from a security point of view - its an extra dependency that can be attacked - but may be justifiable for convenience’s sake. Even when using a password manager, sometimes you can fail to save passwords occasionally. An email account can (and should) have a highly secured login with a strong password and secure MFA setup applied. As such, it is not necessarily a weak point.

The same cannot be said for phone/SMS-based recovery. If at all possible, you should avoid using accounts that rely on a phone for any form of account recovery.

Another recovery mechanism you may come across - typically when setting up MFA - is recovery codes. Certain services which don’t offer password resets also offer similar one-time codes that can be used in place of a forgotten password.

In both cases, these codes should be treated with care. They should be printed and stored in a safe place. Any other (physical or digital) copies should then be destroyed. In the case of MFA recovery code, they should not be stored alongside passwords.

Identifying Important Accounts to Secure

For the most part identifying which accounts should be treated as critical is a matter of common sense. They are those that are critical to your livelihood and/or identity, for example:

• Bank accounts
• Brokerage accounts
• Pension accounts

But, as we have seen, there are also dependencies between your accounts, which have security implications. This leads us to also treat the following accounts as critical accounts:

• Email
• Phone provider
• Password Manager

For other types of accounts, you may not have to be as cautious. Certainly, focus your efforts on your most important accounts first. But, you might find, there are also a surprising number of accounts that attackers could use to either (a) empty your wallet or (b) use your identity to scam others. So caution is still the name of the game - better to secure too many accounts than too few. Better safe than sorry.

Conclusion

As we’ve seen in this post, online security is not easy, and genuinely good security is not even always available to use. Personally, as a technologist, these are saddening facts.

However, there are a few things that can be recommended to everyone to lessen the chances of becoming a victim:

1. Use unique, computer-generated, random and complex passwords for each site using a generator like this one
2. As a necessity of (1), don’t attempt to memorize your passwords - keep them written down or (if technically-minded) in a password manager application
3. Enable MFA for al your important accounts, registered to two devices ( & make sure you have a corresponding set of recovery codes safely stored )
4. Review where SMS can be used for login/MFA/account recovery and attempt to disable this option wherever possible. For critical accounts, only SMS-based MFA is a red flag, and use of SMS in account recovery should be reason enough to change your provider.