Level Up Your Security: The Guide to Password Managers & 2FA


The security of your online accounts is paramount in today's digital world. These accounts often contain sensitive information, such as financial data, personal details, and even private communications. If compromised, this information can be used for identity theft, financial fraud, or further social-engineering attacks against you and your contacts. Threat actors employ various methods to gain access to accounts, including phishing scams, malware, and brute-force attacks. Therefore, it's crucial to take steps to safeguard your online accounts: create a strong, unique password for each account, enable two-factor authentication wherever possible, and stay vigilant about suspicious emails and links. By following these practices, you can significantly reduce the risk of unauthorized access and protect your valuable online information.

The number of people getting online in Nepal is increasing day by day, and a lot of them have no idea how to make their digital accounts secure. So I am here to help you out and make your digital life safe, secure and less of a hassle.

Before starting, let me tell you how my own brother used to manage his passwords. He saved some of his passwords in Chrome (Google Password Manager) and wrote others in a note app. When he had to enter a password, he would open Chrome or the note app, then copy and paste it; this is a terrible way to manage passwords. Nepal123, kathmandu, etc. are among the most common and worst passwords used by a lot of Nepali people, and let me tell you, he might also have used those passwords in the past. Now that I have introduced him to a password manager app, his passwords are far less terrible and a lot less hassle to manage. He no longer has to scroll through a list of passwords or dig through a note app to find one.
So, I am here to change your game of online security and password management.

Some bad practices with managing passwords
There are a lot of bad practices when it comes to passwords, like using short and weak ones. So, let's talk about them.

  • Short password: A short password is weak against brute-force attacks, so it is generally a good idea to make passwords at least 20 characters long.
  • Same password: Since a lot of people don't use a password manager, memorizing many passwords is hard, so people tend to reuse the same password on multiple accounts. This is a very bad idea: if one of your accounts gets compromised, all your other accounts are at risk of being compromised too.
  • Weak password: There are many examples of weak passwords, like using your name, address, date of birth, phone number, or dictionary words in the password.
  • Saving passwords in a note app or, worse, writing them in a notebook (which can easily be lost or stolen).
  • Not backing up your password vault. A backup is required if the password manager service you use gets compromised, goes down, or you get locked out for some reason.

How to make good passwords
You might be wondering what a good password is and how to create one. Well, let me help you with that.

  • The password should be long, i.e. at least 20 characters.
  • The password should be random; it should not contain common phrases or words.
  • The password should combine lowercase and uppercase letters, numbers and special characters.

After applying all of this, your password should have at least 100 bits of entropy, which means an attacker would need up to 2^100 guesses to brute-force it. That would take thousands of years, so your password is really safe.
If you are thinking "I can't possibly create that kind of password and remember all of them", then a password manager is your friend.
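To put numbers on the rules above, here is an added example (not code from the original post) that generates a random password from the four character classes with Python's `secrets` module and computes its entropy as length × log2(alphabet size); the 10^12 guesses-per-second attacker speed is an assumption chosen for illustration.

```python
import math
import secrets
import string

# The four character classes the post says a password should combine.
LOWER, UPPER, DIGITS, SYMBOLS = (string.ascii_lowercase, string.ascii_uppercase,
                                 string.digits, string.punctuation)
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 94 printable ASCII characters


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    This only holds for random passwords; 'Nepal123' is not random and has far less."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try all 2^bits possibilities (an attacker needs half on average)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def has_all_classes(password: str) -> bool:
    """True if the password contains at least one character from every class."""
    return all(any(c in cls for c in password) for cls in (LOWER, UPPER, DIGITS, SYMBOLS))


def generate_password(length: int = 20) -> str:
    """Uniformly random password over ALPHABET that covers all four classes.
    Rejection sampling keeps the result uniform over qualifying passwords; forcing a
    fixed position for each class would leak structure and reduce entropy."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover every class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def meets_guidelines(password: str) -> bool:
    """The post's rule of thumb: 20+ characters drawn from all four classes."""
    return len(password) >= 20 and has_all_classes(password)


if __name__ == "__main__":
    pw = generate_password(20)
    bits = entropy_bits(len(pw), len(ALPHABET))
    print(pw, f"{bits:.1f} bits")                       # about 131 bits for 20 chars
    print(f"{years_to_exhaust(bits, 1e12):.2e} years at 10^12 guesses/s")  # assumed speed
    print(f"{entropy_bits(8, 36):.1f} bits")             # 8 random lowercase+digits: ~41 bits
```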

A password manager app is just what the name suggests: an app to help you manage your passwords. Password manager apps are like secure vaults for your digital life. They store your login information for various websites and applications, eliminating the need to remember (and reuse) complex passwords. These apps can also generate strong, unique passwords for each account, significantly improving your online security. With autofill features, password managers also save you time by entering your credentials for you when you need them. And they save you the frustration of managing the passwords of all your accounts (from your Google account to your bank accounts).

Now that you might be convinced to use a password manager app, you might be looking for which app to use. There are a lot of password manager apps, free and paid, which can be overwhelming to choose from when you are just starting out. So, let me help you with that.

I personally use Bitwarden. It is a popular password manager that offers both free and premium plans. I use the free plan, which I think is enough for most people. One of Bitwarden's strengths is that it is open source, which means its code is publicly available for security review. It is also recommended by a lot of security professionals, and you can find out more about it on their own website.

Some other free and open-source options I would recommend are KeePassXC and Proton Pass, and some paid options I would recommend are 1Password and Dashlane. There certainly are a lot of other options; feel free to do your own research and find the one that suits you.

You might be wondering why I only included third-party password manager apps and not the ones provided by phone or PC OEMs. The biggest reason is cross-platform interoperability. Most OEMs provide a password manager: Google has Google Password Manager, Samsung has Samsung Pass, Apple has iCloud Keychain (now with a dedicated Passwords app), and so on. But all of them are limited to their own ecosystem. Trust me, getting locked into one ecosystem is one of the worst things you can do. You can read more about this in Bitwarden's blog post.

If you have saved your passwords in Chrome or another browser, you can export them as CSV (or another supported format) and then import them into your password manager of choice. And if you already use a password manager app and want to switch to another, every app gives you an option to export your passwords. Keep in mind that the exported file is plain text, so delete it once the import is done.

Now you have good passwords on all your accounts, but that's not all. You can add two-factor authentication to your accounts for additional security. In fact, you should set up two-factor authentication on every account that supports it.

Two-factor authentication, aka 2FA, is a security measure that adds an extra layer of protection to your online accounts. It requires two forms of identification to access your information, making it significantly harder for unauthorized individuals to gain entry. Typically, the first factor is your password, while the second can be a code sent to your phone, a biometric scan like a fingerprint, or a physical security key. By implementing 2FA, you significantly reduce the risk of unauthorized access, even if your password is compromised.

But there are different types of 2FA methods, with different strengths.

  • OTP-based 2FA over SMS or email is the weakest, so you should avoid it if possible.
  • Authenticator-app, push-based and hardware-key 2FA are the ones you should use.
Although a hardware key (U2F key) is the best form of 2FA, you have to buy a physical key, which a lot of you might not be willing to do, so authenticator-app 2FA is the best option for most people. You can install an authenticator app on your phone or PC; it holds a secret for each account and uses it to generate unique, time-sensitive codes (known as TOTP codes) for logging in to your account.

Let's talk about some options for authenticator apps. There certainly are a lot of them, from free to paid. Ente Auth, Aegis, 2FAS, KeePassXC and Bitwarden Authenticator are some of the best ones out there. If you go with any of them you will be completely fine, but if you choose one not mentioned here, make sure it offers an export option (this is extremely important). Feel free to do your own research. If you are still confused, go with Ente Auth; I personally use it because of its cross-platform support.

Tip: Make an encrypted local copy of your password manager vault and your 2FA keys as a backup in case of emergency.

Now you have set up good passwords and 2FA on your accounts, but you might still be vulnerable to some forms of attack, like social engineering. Social engineering is a deceptive tactic employed by cybercriminals to manipulate individuals into giving up sensitive information or performing actions that compromise security. These attacks exploit human psychology, leveraging trust, fear, or curiosity to trick victims. Common methods include phishing emails, pretexting, and baiting.

To protect yourself from social engineering attacks, you just need to pay attention to what you are doing, because these attacks are usually easy to identify if you think twice.

  • If something looks too good to be true, do not download or open it; it might be bait.
  • Always double-check the links you visit, especially if they come from a suspicious source.
  • Do not enter your login details or any other sensitive information on a website if the link is suspicious.
  • Avoid downloading software from random websites, and avoid modded/pirated software.
  • Always use an ad blocker; a lot of ads carry malware, so it is generally a good idea to block them.

Recently I have been seeing a lot of Facebook and Instagram accounts getting hacked, some of them even with 2FA enabled. Now you might be wondering how this is even possible. An attack called session hijacking can bypass even two-factor authentication. In this type of attack, the attacker obtains the victim's session token (cookie), a unique identifier that proves the user's identity to the website. With this token, the attacker can impersonate the legitimate user and get into the account without entering a password or 2FA code. To obtain the session cookie in the first place, attackers typically employ social engineering tactics. If you suspect this has happened to you, log out of all sessions from the account's security settings so the stolen cookie stops working, then change your password.

