General security
Most systems today use username and password as a main way of identifying and authenticating users.
For an end user, it is important to make a clear distinction between weak and strong passwords. A password is considered weak if it is only one known word, if it contains names (family members) or dates (a friend’s birthday), if it is short (less than 8 characters) or if it is too simple (like pass1234). Such a password is an easy target for many hacking techniques.
Add bad practices, like reusing the same password on different services or sticking a note with the password written on it to a monitor, and it becomes far too easy to become a target, whether singled out deliberately or hit by accident.
By contrast, a strong password has none of those properties. It is not a known word, it is long (between 8 and 16 characters, even more for some special cases), it is unique, it contains upper and lower case letters, numbers and special characters – in general, it makes no sense to anyone. Such passwords are hard to crack because there is no predictable pattern, behaviour or emotion tied to them, meaning only brute force can crack them, and that method is time and resource consuming.
In short, a strong password will make you a less attractive target. But it is only the first step.
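To make the weak/strong distinction above concrete, here is an added example (not code from the original page) that applies those rules to a candidate password and estimates how long a pure brute-force search would take. The word list, name list, date and "word plus digits" patterns, and the guess rate of 10^10 per second are all assumptions chosen for the example; a real checker would load large dictionaries.

```python
import math
import re
from typing import List

# Constructed, deliberately tiny lists standing in for a real dictionary and name list
# (assumptions for this example; a real checker would load large wordlists).
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "monkey", "pass", "letmein"}
COMMON_NAMES = {"john", "anna", "maria", "michael", "peter", "lucy"}

# Years 1900-2099, or day/month pairs such as 3112, 31.12, 12/31 standing on their own
DATE_RE = re.compile(r"(19|20)\d{2}|\b\d{2}[./-]?\d{2}\b")
# "word followed by a few digits" (pass1234) and keyboard runs
SIMPLE_RE = re.compile(r"^[a-z]+\d{1,4}$|1234|qwerty|abcd", re.IGNORECASE)

ASSUMED_GUESSES_PER_SECOND = 1e10  # assumption: a well-equipped offline cracking rig

CHARACTER_CLASSES = (
    ("lowercase", r"[a-z]", 26),
    ("uppercase", r"[A-Z]", 26),
    ("digit", r"\d", 10),
    ("special", r"[^A-Za-z0-9]", 33),  # printable ASCII punctuation
)


def charset_size(password: str) -> int:
    """Size of the alphabet an attacker must cover, judged from the classes present."""
    return sum(size for _, pattern, size in CHARACTER_CLASSES if re.search(pattern, password))


def brute_force_years(password: str) -> float:
    """Expected years to brute-force the keyspace at the assumed guess rate (half the
    keyspace on average). Dictionary and pattern attacks are far faster than this, which
    is exactly why the weak-password rules below matter more than the raw number."""
    keyspace = charset_size(password) ** len(password)
    seconds = keyspace / 2 / ASSUMED_GUESSES_PER_SECOND
    return seconds / (365 * 24 * 3600)


def weaknesses(password: str) -> List[str]:
    """Return the reasons a password is weak under the rules from the text; empty means strong."""
    pw = password.lower()
    reasons = []
    if len(password) < 8:
        reasons.append("short (less than 8 characters)")
    if pw in COMMON_WORDS:
        reasons.append("a single known word")
    if any(name in pw for name in COMMON_NAMES):
        reasons.append("contains a name")
    if DATE_RE.search(password):
        reasons.append("contains a date")
    if SIMPLE_RE.search(password):
        reasons.append("too simple (word + digits or keyboard run)")
    missing = [name for name, pattern, _ in CHARACTER_CLASSES if not re.search(pattern, password)]
    if missing:
        reasons.append("missing character classes: " + ", ".join(missing))
    return reasons


def classify(password: str) -> str:
    """'strong' only when none of the weak-password rules fire."""
    return "strong" if not weaknesses(password) else "weak"


if __name__ == "__main__":
    # Constructed candidates: three that break the rules in different ways and one that passes.
    for candidate in ["pass1234", "John1990", "Summer!", "tR7$wq!Lp9#zXe2m"]:
        print(f"{candidate!r}: {classify(candidate)} "
              f"(~{brute_force_years(candidate):.2e} years by brute force) "
              + "; ".join(weaknesses(candidate)))
```

The brute-force figure is only an upper bound on attacker effort: "John1990" has a 62-character alphabet and 8 positions, yet it falls to a name-plus-year pattern in seconds, which is the point the rule-based checks capture.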
Two factor authentication (2FA)
A common suggestion is to use a second factor (combined with the password), which nowadays usually means a 6 or 8 digit code that expires after 30 seconds, called an OTC (one time code). The sites you use most will likely offer an option to add a second factor; however, only a small number enforce it. It is very likely that your favorite site already supports 2FA, you just have to activate it. Feel free to check on the site of your choice or use the following link.
It is worth noting that, due to how OTC works, it is not an unbeatable system. Feel free to read more about it here. Regardless, using one most certainly increases the security of your account.
Recommendation: Authy – it will allow you to encrypt your secrets with a phrase of your choosing and it has a very useful option of keeping sync between devices, meaning changing devices will be easy without needing to set up your accounts again.
Notable mentions: Google Authenticator, Microsoft Authenticator
Password management
There is no need to explain how troublesome keeping a strong password for each account can be. People have a hard time remembering one strong password, let alone dozens. Fortunately, there are a number of solutions that offer password management and generation.
In short, this is how it works: a password manager generates a strong password for you and remembers it. Depending on your software and subscription plan (if any), there should be an option to check whether the suggested, generated password has appeared in any known breach. You can always check that manually here.
You will have to set up a master password that unlocks all the others. Adding 2FA to the password manager is mandatory.
Recommendation: BitWarden, as it is free and open source. It has a small yearly fee for extra tools that many won’t need, and it works both as standalone software and as a browser extension. It has 2FA support.
Notable mentions: LastPass, 1Password, Dashlane
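The two jobs described above, generating a strong password and checking it against known breaches, are shown in the following added example; it is not code from the original page or from any of the managers named. Generation draws from the operating system CSPRNG via `secrets`. The breach check uses the k-anonymity range scheme (only the first five hex digits of the SHA-1 hash are sent, the rest is matched locally) that the Have I Been Pwned range endpoint implements; to keep the example offline, the range service is replaced by a constructed in-memory table whose suffixes and counts are invented, apart from the well-known SHA-1 of "password". The symbol alphabet and the 16-character default are assumptions.

```python
import hashlib
import secrets
import string
from typing import Callable, Dict, Tuple

# Alphabet a manager would draw from: letters, digits and a set of symbols (assumption for the example)
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length: int = 16) -> str:
    """Draw every character from the CSPRNG (`secrets`, never `random`) and retry until each
    character class is present, so the result satisfies the strength rules from the text."""
    if length < 8:
        raise ValueError("length must be at least 8")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate) and any(c in SYMBOLS for c in candidate)):
            return candidate


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """k-anonymity split: only the first 5 hex digits of SHA-1(password) ever leave the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_lookup: Callable[[str], str]) -> int:
    """Fetch every known suffix sharing our 5-character prefix (the service cannot tell which
    one we hold) and match the remaining 35 characters locally. Returns the recorded count."""
    prefix, suffix = sha1_prefix_suffix(password)
    for line in range_lookup(prefix).splitlines():
        seen_suffix, _, count = line.strip().partition(":")
        if seen_suffix == suffix:
            return int(count or 0)
    return 0


# Constructed offline stand-in for the range service. The real endpoint is
# GET https://api.pwnedpasswords.com/range/<prefix>, answering "SUFFIX:COUNT" lines.
# The suffixes below are made up except for the SHA-1 of "password"
# (5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8); all counts are invented for the example.
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": "\n".join([
        "003D68EB55068C33ACE09247EE4C639306B:3",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1000",
        "FFB6D6F7B3B5C1E4A1F0E2D3C4B5A6978B9:1",
    ]),
}


def offline_range_lookup(prefix: str) -> str:
    """Replacement for the HTTP call: returns the constructed response for a prefix, or nothing."""
    return CONSTRUCTED_RANGES.get(prefix.upper(), "")


if __name__ == "__main__":
    pw = generate_password()
    print("generated:", pw, "| times seen in breaches:", breach_count(pw, offline_range_lookup))
    print("'password' times seen in breaches:", breach_count("password", offline_range_lookup))
```

To use the real service, `offline_range_lookup` would be swapped for a function performing the HTTPS GET above; the rest of the code is unchanged, and the password itself is still never transmitted.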
Followup steps
Setting up 2FA and a password manager is a great step toward increasing your security. However, as the saying goes, don’t put all your eggs in one basket. Whatever solutions you choose in the end, make sure they are not from the same vendor. That way, should the unthinkable happen and the security company suffer a breach, only half of your information will be compromised, leaving you with enough time to react and change it.
While setting all of this up, you will be asked to save backup codes for 2FA, and there will be an option to export all your passwords from the password manager. Now, let’s not undo all the good work by keeping that exported information insecure. A suggestion would be to use an encrypted USB drive. There are numerous solutions, most of them OS specific, but one that stands out is VeraCrypt, as it is free, open source and multiplatform, meaning you can unlock your USB drive on any system.
It is recommended to update the passwords and keys on your USB drive periodically, so your backup won’t be outdated.