Passwords and Online Accounts
With recent developments regarding storyofrachel’s accounts being targeted and compromised, I think it’s pretty important to show that a major lesson can be learned about how to protect your online accounts. Hopefully you’ve already heard and live by all that is below in the post, but for those that don’t, consider this a good entry to securing your online accounts.
- Don’t use the same username for two different services
This is one of the easiest ways to link two accounts to the same user. Malicious actors will have a much more difficult time knowing all the services you use if the names are unique and unrelated.
- Don’t use the same password more than once
We’re all guilty of this. Convenience is a sweet siren, but if one account is ever compromised, it can domino to all of your other accounts if they share the same password.
- Change your passwords regularly
Even if your password is secure, it is good practice to regularly update these passwords. By changing your password every 6 months, a service breach from 1 year ago won’t do much to compromise your account.
- Use Multi-Factor Authentication
There are three main ways to prove an identity: something you know (password), something you have (phone), or something you are (fingerprint). Your security improves dramatically when using two of these to log into services. Most of the time, this is in the form of the service sending you a text message when you log in. If someone knows your password, they would also need your phone (or a way to intercept your texts). If/When ChaCha gets MFA, enable it as soon as you can. ZDNet released a good article today on MFA, so please take the time to at least skim through it.
Regarding 2 and 3, using a password manager such as KeePass, Lastpass, or Bitwarden can make generating and keeping up with your passwords a breeze.
Good post, @fuschiaRuler
I’d also add that text-based MFA is insecure. What’s more recommended is TOTP, where you scan a barcode with an app like Authy or Google Authenticator on your phone and then it provides codes to you that you enter on the website. What’s most recommended is hardware-based 2FA with a physical token like a yubikey, but this isn’t widely supported yet and requires the purchase of a specific device.
Everyone (I repeat, EVERYONE) should be using a password manager. Password reuse is a serious problem, and everyone’s guilty of it to some degree - but you need to work hard to make sure you can prevent password compromise. I know it’s annoying, and I know you don’t want to do it, but trust me: it’s worth it. Once you have it set up it can make your life easier by typing in passwords for you, and it makes your online life infinitely more secure. You should absolutely use new, uncompromised, PASSPHRASES for your password manager password, and you need to enable 2FA.
A password manager becomes a single point of failure. If it ever gets breached, are you not completely fucked?