mirror of
https://github.com/Lissy93/personal-security-checklist.git
synced 2024-12-19 04:34:20 -05:00
Completes authentication section update
Added / Updated the following points within the Authentication section: - Shield your Password/ PIN - Update Passwords Periodically - Keep Backup Codes Safe - Sign up for Breach Alerts - Avoid using SMS for 2FA - Avoid using your PM to Generate OTPs - Avoid Face Unlock - Watch out for Keyloggers - Consider a Hardware Token - Consider Offline Password Manager - Consider Unique Usernames
This commit is contained in:
parent
d41b7cec37
commit
58aceb3bfd
18
README.md
18
README.md
@ -39,13 +39,23 @@ Use strong passwords, which can't be easily guessed or cracked. Length is more i
|
||||
**Don't reuse Passwords** | Recommended | If someone was to reuse a password, and one site they had an account with suffered a leak (data breaches occur aprox. every [39 seconds](https://eng.umd.edu/news/story/study-hackers-attack-every-39-seconds)), then a criminal could easily gain unauthorized access to their other accounts. This is usually done through large-scale automated login requests, and it is called Credential Stuffing. Unfortunately this is all too common, but it's simple to protect against- use a different password for each of your online accounts
|
||||
**Use a Secure Password Manager** | Recommended | For most people it is going to be near-impossible to remember hundreds of strong and unique passwords. A password manager is an application that generates, stores and auto-fills your login credentials for you. All your passwords will be encrypted against 1 master passwords (which you must remember, and it should be very strong). Most password managers have browser extensions and mobile apps, so whatever device you are on, your passwords can be auto-filled. A good all-rounder is [BitWarden](https://bitwarden.com), or see [Recommended Password Managers](/5_Privacy_Respecting_Software.md#password-managers)
|
||||
**Enable 2-Factor Authentication** | Recommended | 2FA is where you must provide both something you know (a password) and something you have (such as a code on your phone) to log in. This means that if anyone has got your password (e.g. through phishing, malware or a data breach), they will no be able to log into your account. It's easy to get started, download [an authenticator app](/5_Privacy_Respecting_Software.md#2-factor-authentication) onto your phone, and then go to your account security settings and follow the steps to enable 2FA. Next time you log in on a new device, you will be prompted for the code that displays in the app on your phone (it works without internet, and the code usually changes every 30-seconds)
|
||||
**Don’t save your password in browsers** | Optional | Most modern browsers offer to save your credentials when you log into a site. Don’t allow this, as they are not always encrypted, hence could allow someone to gain access into your accounts. Instead use a password manager to store (and auto-fill) your passwords
|
||||
**Sign up for Breach Alerts** | Optional | After a websites suffers a significant data breach, the leaked data often ends up on the internet. There are several websites that collect these leaked records, and allow you to search your email address to check if you are in any of their lists. [Firefox Monitor](https://monitor.firefox.com), [Have i been pwned](https://haveibeenpwned.com) and [Breach Alarm](https://breachalarm.com) allow you to sign up for monitoring, where they will notify you if your email address appears in any new data sets. It is useful to know as soon as possible when this happens, so that you can change your passwords for the affected accounts. Have i been pwned also has domain-wide notification, where you can receive alerts if any email addresses under your entire domain appear (useful if you use aliases for [anonymous forwarding](/5_Privacy_Respecting_Software.md#anonymous-mail-forwarding))
|
||||
**Keep Backup Codes Safe** | Optional | When you enable multi-factor authentication, you will usually be given several codes that you can use if your 2FA method is lost, broken or unavailable. Keep these codes somewhere safe, to prevent loss or unauthorised access. You could store them in your password manager, in an encrypted note, or write them down somewhere safe
|
||||
**Shield your Password/ PIN** | Optional | When typing your password in public places, ensure you are not in direct line of site of a CCTV camera and that no one is able to see over your shoulder. Cover your password or pin code while you type, and do not reveal any plain text passwords on screen
|
||||
**Update Passwords Periodically** | Optional | Database leaks and breaches are common, and it is likely that several of your passwords are already somewhere online. Occasionally updating passwords of security-critical accounts can help mitigate this. But providing that all your passwords are long, strong and unique, there is no need to do this too often- annually should be sufficient. Enforcing mandatory password changes within organisations is [no longer recommended](https://duo.com/decipher/microsoft-will-no-longer-recommend-forcing-periodic-password-changes), as it encourages colleagues to select weaker passwords
|
||||
**Don’t save your password in browsers** | Optional | Most modern browsers offer to save your credentials when you log into a site. Don’t allow this, as they are not always encrypted, hence could allow someone to gain access into your accounts. Instead use a dedicated password manager to store (and auto-fill) your passwords
|
||||
**Be cautious when logging in on someone else’s device** | Optional | When using someone else's machine, ensure that you're in a private/ incognito session (Use Ctrl+Shift+N/ Cmd+Shift+N). This will ensure that none of your credentials, cookies, browsing history of session data gets saved. Ideally you should avoid logging into your accounts on other people's computer, since you can't be sure their system is clean. Be especially cautious of public machines, as malware and tracking is more common here
|
||||
**Avoid password hints** | Optional | Some sites allow you to set password hints. Using this feature can make it easier for social engineers to guess your credentials
|
||||
**Never answer online security questions truthfully** | Optional | If a site asks security questions (such as place of birth, mother's maiden name or first car etc), don't provide real answers. It is a trivial task for hackers to find out this information online or through social engineering. Instead, create a fictitious answer, and store it inside your password manager
|
||||
**Don’t use a 4-digit PIN to access your phone** | Optional | Don’t use a short PIN to access your smartphone or computer. Instead, use a text password or much longer pin. Numeric passphrases are easy crack, (A 4-digit pin has 10,000 combinations, compared to 7.4 million for a 4-character alpha-numeric code)
|
||||
**Use an offline password manager** | Advanced | Consider an offline password manager, encrypted by a strong password. If you work across two or more computers, this could be stored on an encrypted USB. [KeePass](http://keepass.info/) is a strong choice.
|
||||
**If possible, try to avoid biometric and hardware-based authentication** | Advanced | Fingerprint sensors, face detection and voice recognition are all hackable. Where possible replace these with traditional strong passwords.
|
||||
**Don’t use a 4-digit PIN** | Optional | Don’t use a short PIN to access your smartphone or computer. Instead, use a text password or much longer pin. Numeric passphrases are easy crack, (A 4-digit pin has 10,000 combinations, compared to 7.4 million for a 4-character alpha-numeric code)
|
||||
**Avoid using SMS for 2FA** | Optional | When enabling multi-factor authentication, opt for app-based codes or a hardware token, if supported. SMS is susceptible to a number of common threats, such as [SIM-swapping](https://www.maketecheasier.com/sim-card-hijacking) and [interception](https://secure-voice.com/ss7_attacks). There's also no guarantee of how securely your phone number will be stored, or what else it will be used for. From a practical point of view, SMS will only work when you have signal, and can be slow
|
||||
**Avoid using your PM to Generate OTPs** | Advanced | Many password managers are also able to generate 2FA codes. It is best not to use your primary password manager as your 2FA authenticator as well, since it would become a single point of failure if compromised. Instead use a dedicated [authenticator app](/5_Privacy_Respecting_Software.md#2-factor-authentication) on your phone or laptop
|
||||
**Avoid Face Unlock** | Advanced | Most phones and laptops offer a facial recognition authentication feature, using the camera to compare a snapshot of your face with a stored hash. It may be very convenient, but there are numerous ways to [fool it](https://www.forbes.com/sites/jvchamary/2017/09/18/security-apple-face-id-iphone-x/) and gain access to the device, through digital photos and reconstructions from CCTV footage. Unlike your password- there are likely photos of your face on the internet, and videos recorded by surveillance cameras
|
||||
**Watch out for Keyloggers** | Advanced | A hardware [keylogger](https://en.wikipedia.org/wiki/Hardware_keylogger) is a physical device planted between your keyboard and the USB port, which intercepts all key strokes, and sometimes relays data to a remote server. It gives a hacker access to everything typed, including passwords. The best way to stay protected, is just by checking your USB connection after your PC has been unattended. It is also possible for keyloggers to be planted inside the keyboard housing, so look for any signs that the case has been tampered with, and consider bringing your own keyboard to work. Data typed on a virtual keyboard, pasted from the clipboard or auto-filled by a password manager can not be intercepted by a hardware keylogger, so if you are on a public computer, consider typing passwords with the on-screen keyboard
|
||||
**Consider a Hardware Token** | Advanced | A U2F/ FIDO2 security key is a USB (or NFC) device that you insert while logging in to an online service, in to verify your identity, instead of entering a OTP from your authenticator. [SoloKey](https://solokeys.com) and [NitroKey](https://www.nitrokey.com) are examples of such keys. They bring with them several security benefits, since the browser communicates directly with the device and cannot be fooled as to which host is requesting authentication, because the TLS certificate is checked. [This post](https://security.stackexchange.com/a/71704) is a good explanation of the security of using FIDO U2F tokens. Of course it is important to store the physical key somewhere safe, or keep it on your person. Some online accounts allow for several methods of 2FA to be enabled
|
||||
**Consider Offline Password Manager** | Advanced | For increased security, an encrypted offline password manager will give you full control over your data. [KeePass](https://keepass.info) is a popular choice, with lots of [plugins](https://keepass.info/plugins.html) and community forks with additional compatibility and functionality. Popular clients include: [KeePassXC](https://keepassxc.org) (desktop), [KeePassDX](https://www.keepassdx.com) (Android) and [StrongBox](https://apps.apple.com/us/app/strongbox-password-safe/id897283731) (iOS). The drawback being that it may be slightly less convenient for some, and it will be up to you to back it up, and store it securely
|
||||
**Consider Unique Usernames** | Advanced | Having different passwords for each account is a good first step, but if you also use a unique username, email or phone number to log in, then it will be significantly harder for anyone trying to gain unauthorised access. The easiest method for multiple emails, is using auto-generated aliases for anonymous mail forwarding. This is where [anything]@yourdomain.com will arrive in your inbox, allowing you to use a different email for each account (see [Mail Alias Providers](/5_Privacy_Respecting_Software.md#anonymous-mail-forwarding)). Usernames are easier, since you can use your password manager to generate, store and autofill these. Virtual phone numbers can be generated through your VOIP provider
|
||||
|
||||
|
||||
**Recommended Software**: [Password Managers](/5_Privacy_Respecting_Software.md#password-managers) | [2FA Authenticators](/5_Privacy_Respecting_Software.md#2-factor-authentication)
|
||||
|
||||
|
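Review bot: this hunk (-13 +23) shows four pairs of rows that cover the same point under two headings, and because the rendered view drops the +/- markers it is worth confirming that the older row of each pair was actually removed rather than kept beside the new one: "Don’t save your password in browsers" appears twice (the second copy only adds the word "dedicated"), "Don’t use a 4-digit PIN to access your phone" sits next to "Don’t use a 4-digit PIN" with identical body text, "Use an offline password manager" duplicates "Consider Offline Password Manager", and "If possible, try to avoid biometric and hardware-based authentication" overlaps "Avoid Face Unlock". If the older biometric row survives it also contradicts the new "Consider a Hardware Token" row, which recommends a hardware-based method, so it should at least be narrowed to "biometric". Several of the new rows carry typos that readers will see: "aprox." in the password-reuse row, "they will no be able" in the 2FA row, "line of site" (should be "line of sight") in the shield-your-PIN row, "Numeric passphrases are easy crack" in both PIN rows, and "in to verify your identity, instead of entering a OTP" in the hardware-token row. Two technical statements could be tightened: the hardware-token row says the key "cannot be fooled as to which host is requesting authentication, because the TLS certificate is checked", whereas the phishing resistance of U2F/FIDO2 comes from the browser binding the signed assertion to the requesting origin, so "because the browser includes the site's origin in what the key signs" would be more accurate; and the face-unlock row describes comparing a snapshot "with a stored hash", where biometric systems store a template rather than a hash, since a hash of a face image would not tolerate the variation between captures.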