Security is hard to maintain today, in both personal and professional settings, but it is still achievable. Quite a few corporations experienced devastating ransomware attacks in the last few years. Mobile and desktop operating systems are not that secure either, and the same goes for most modern software: there is constant news about Windows, macOS, iOS, WhatsApp, crypto wallets, and others being exploited every day. To get a feeling for how broken software is, look at this year's Tianfu Cup results (a computer hacking contest held each year; Tianfu Cup is the Chinese counterpart of the popular Pwn2Own contest), and it will make you cry.
We also see constant supply chain attacks in the developer world; malicious node/Python packages stealing credentials from local machines have become a regular news item. Even with all of these issues, it's possible to maintain good security by following a couple of basic steps. Most larger corporations have security protocols in place, but that's often not the case for smaller companies and startups; even IT-oriented companies are known to have horrible security practices, or none at all. This article goes over the basic steps anyone can take to make sure they have done everything reasonable to cover the edge cases. The most basic steps are handling passwords properly, using two-factor authentication on every service that offers it, and other bits and pieces.
The first and probably most important thing to handle properly is passwords. Credential stuffing attacks are on the rise, leaked data is sold on dark markets, and modern GPUs can crack hashes faster than ever. There are many problems with passwords: how we create them, how we store them, and how we track passwords that were leaked in breaches. Most people do not think about any of this; they come up with a not-so-random password and reuse it on most sites without much consideration. Password reuse is the worst thing one can do, and at this point we need to add the obligatory XKCD comic on password strength.
To solve our password problems, we'll start with the first issue: creating them. The answer is to use password generators; there are many available online, as free tools on GitHub, as CLI tools, or embedded in password managers. Most of these produce passwords that modern hardware can't crack easily. Sometimes there's a problem with certain websites, as they have obsolete or odd password length limits, so do not be surprised if some sites won't accept passwords of 20+ characters. Another thing to check when generating a password is whether it's actually strong; most password managers show this out of the box, but there are also online tools for checking password strength.
For people who are not tech-savvy, the passphrase approach from the XKCD comic above is a good option, and it could not be simpler.
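As an added example (not code from the original article or from any of the tools it mentions), here is what a minimal password and passphrase generator looks like when done right: every character or word is drawn with the OS CSPRNG via `secrets`, the entropy of the generator is computed rather than guessed, and a site's length limit is handled by generating at the allowed length instead of truncating. The symbol set, the tiny word list and the `password_for_site` helper are constructed for this example; a real passphrase generator would load a full diceware list.

```python
import math
import secrets
import string

# Default alphabet: letters, digits and a symbol set. Constructed for this example;
# trim SYMBOLS if a site rejects some characters.
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"
DEFAULT_ALPHABET = string.ascii_letters + string.digits + SYMBOLS

# Stand-in word list (constructed). A real passphrase generator would load a diceware
# list such as the EFF large list, which has 7776 words (~12.9 bits per word).
WORDLIST = (
    "correct", "horse", "battery", "staple", "anchor", "bishop", "copper", "dragon",
    "ember", "falcon", "garnet", "harbor", "island", "jigsaw", "kettle", "lantern",
)


def generate_password(length: int = 24, alphabet: str = DEFAULT_ALPHABET) -> str:
    """Random password, each character drawn uniformly via the OS CSPRNG.

    `secrets.choice` is used on purpose: `random.choice` is seeded from a small state
    and is predictable, which defeats the point of a generated password.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int = 5, wordlist=WORDLIST, separator: str = "-") -> str:
    """XKCD-style passphrase: `words` words chosen uniformly from `wordlist`."""
    if words < 1:
        raise ValueError("words must be positive")
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(choices: int, picks: int) -> float:
    """Entropy, in bits, of `picks` independent uniform draws from `choices` options.

    This measures the generator, not a password typed by a human; a strength meter
    looking at a human-chosen password can only estimate.
    """
    return picks * math.log2(choices)


def password_for_site(max_length: int, desired: int = 24,
                      alphabet: str = DEFAULT_ALPHABET) -> tuple[str, float]:
    """Generate a password that fits a site's length limit and report its entropy.

    Generating at the allowed length is the right move; truncating a longer password
    gives the same strength but makes it easy to lose track of what was actually stored.
    """
    length = min(desired, max_length)
    return generate_password(length, alphabet), entropy_bits(len(alphabet), length)


if __name__ == "__main__":
    pw, bits = password_for_site(max_length=16)
    print(f"{pw}  ({bits:.1f} bits)")
    phrase = generate_passphrase(5)
    print(f"{phrase}  ({entropy_bits(len(WORDLIST), 5):.1f} bits with this toy list)")
```

With the 87-character default alphabet a 16-character password carries about 103 bits; five words from the 16-word toy list carry only 20 bits, which is exactly why passphrase strength depends on the size of the word list, not on the words looking random.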
Probably the easiest way to store passwords is to use a password manager and call it a day. There are many options out there depending on your cup of tea (open-source, cloud-hosted, multiplatform), so pick whatever you like. We'll only mention the open-source ones, Bitwarden and KeePassXC; for commercial products, it's easy to find online comparisons and see what's best for you. Ideally, the manager supports the desktop and mobile operating systems you use. Another good way of handling password storage, one you can recommend to your family, is to write them down in a notebook. Notebooks might not sound modern, but for people who are not tech-savvy, using a password manager can be challenging, and the more straightforward approach is to generate good passwords and write them down.
A remarkable human named Troy Hunt has created a genius website that you can use in your personal or professional life. The site in question is haveibeenpwned.com, and you can do a couple of exciting things there.
The first one is to check whether your email addresses and phone numbers have ever appeared in a leak. You'll be surprised how much leaked data there is, especially if you use an old email address.
Another excellent part is the Passwords section, which lets you check whether a password you use has already been leaked. Don't worry, it's safe to input your password: the site uses an excellent technique to ensure anonymity while doing so. Take a look at the blog post about it if you are interested in how it works.
Along with all of this, you can have the site notify you if your email shows up in a new credential leak. The same is possible for whole domains, which makes it easy to track leaked company credentials.
And the last bit is for developers: the site has an API you can use, or you can download the whole password hash database and check passwords on-premise. Many websites, password managers, and companies use the HIBP API to ensure people can't use weak, already leaked passwords.
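The anonymity technique behind the Passwords section and the developer API is k-anonymity over hash prefixes: the client hashes the password with SHA-1, sends only the first five hex characters, receives every known suffix in that bucket, and compares the full suffix locally, so the service never sees the password or even its full hash. The example below is added here and is not code from the article or from HIBP; the range endpoint URL and the `SUFFIX:COUNT` response format are the documented public ones, while the sample response and its counts are constructed (only the suffix for "password" is the real one). It also shows the on-premise variant against a downloaded `FULL_SHA1:COUNT` corpus.

```python
import hashlib
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

# Public Pwned Passwords range endpoint. Only a 5-character hash prefix is sent; the
# response lists every known suffix in that bucket together with a breach count.
RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Upper-case hex SHA-1 of the password, split into the 5-char prefix that is sent
    and the 35-char suffix that never leaves the machine."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse the 'SUFFIX:COUNT' lines returned for a prefix into {suffix: count}."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times `password` appears in the corpus (0 = not found).

    The suffix comparison happens locally, so the service learns only which of the
    16**5 (just over a million) prefix buckets we asked about, not which password we hold.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_live(prefix: str) -> str:
    """Query the real range endpoint. Needs network access; not used by the offline demo."""
    with urllib.request.urlopen(RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count_offline_corpus(password: str, corpus_lines: Iterable[str]) -> int:
    """On-premise variant: scan a downloaded corpus of 'FULL_SHA1:COUNT' lines."""
    target = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    for line in corpus_lines:
        digest, _, count = line.strip().partition(":")
        if digest.upper() == target:
            return int(count)
    return 0


# Constructed stand-in for the API response to prefix 5BAA6, the prefix of SHA-1("password").
# The first two suffixes and all three counts are made up; the third suffix is the real one.
CONSTRUCTED_RESPONSES = {
    "5BAA6": (
        "0123456789ABCDEF0123456789ABCDEF012:3\n"
        "FEDCBA9876543210FEDCBA9876543210FED:41\n"
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:1234567\n"
    ),
}


def fetch_range_constructed(prefix: str) -> str:
    """Offline replacement for fetch_range_live, backed by the constructed data above."""
    return CONSTRUCTED_RESPONSES.get(prefix, "")


if __name__ == "__main__":
    for candidate in ("password", "correct-horse-battery-staple-example"):
        n = breach_count(candidate, fetch_range_constructed)
        verdict = f"seen {n} times, reject" if n else "not in corpus"
        print(f"{candidate!r}: {verdict}")
```

To run it against the live service, pass `fetch_range_live` instead of `fetch_range_constructed`; the rest of the code does not change, which is the point of keeping the transport separate from the check.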
Just doing these steps, generating strong passwords, storing them in a safe and accessible way, and tracking whether your email and password were leaked, will help you a lot down the road. This may be easier in a professional setting, where companies enforce these rules, but it can seem overwhelming. When I began using a password manager, it took me almost a year to find all my online accounts and add them to the manager. Start with the most important ones and see how it feels. Another aspect to keep in mind is that once you use a password manager, you can't access everything all the time: if you do not have your phone or laptop with you, you won't know the password, so forget about checking Instagram in some cases.
Having good passwords won't save us every time. If a service stores passwords in plaintext (it still happens, unfortunately), the password ends up in logs, the service uses weak hashing, or all of these together, your password ends up leaked online. A popular follow-up is a credential stuffing attack: throw that username/password pair at all popular online services and see where it works. If you are not using a password manager (and are therefore reusing passwords), this will hit you; otherwise, only the service that was originally breached is a problem. To tackle this, we can enable two-factor authentication (2FA) to ease our minds. Most popular services provide some form of 2FA, so you can pick the one you'd like to use. If attackers have our password but not the code from the second factor, they can't access the account. We'll go over a couple of them and list the pros and cons, from worst to best.
It would be best never to use a phone number (SMS codes) for two-factor authentication; SIM swapping attacks are easy to pull off. Look at the cryptocurrency community, which had millions stolen because attackers could duplicate SIM cards and receive the 2FA codes. Unfortunately, some services only provide this option, but it's still better than nothing.
There are a couple of mobile apps for 2FA; probably the most popular one is Google Authenticator, and it works as you would expect. The only downside is that mobile operating systems are not that secure (no matter what Apple says, and I am an Apple fanboi); both up-to-date Android and iOS are constantly exploited. With this in mind, if you are paranoid, it's better to take some old phone, update it as much as possible, disconnect all networking (Wi-Fi, Bluetooth, etc.), rip out the SIM card and anything else that can communicate with the outside, and use that device only for 2FA.
Another wise option is hardware keys, which are standard at most of the more prominent software corporations. A hardware key is a USB device that needs to be plugged in to pass the 2FA. This is the best approach, as no one can steal the key over the internet, so you are pretty safe unless you lose it. To combat that issue, buy a couple of them and register every one of them as a backup. You can carry one with you, and another can sit in a deposit box at your bank or buried behind your house, depending on your preference. Most newer keys have NFC for mobile users, so they are easily used in combination with your phone.
Additionally, developers can use hardware keys for SSH connections or for signing git commits, which makes life a lot easier. There are plenty of online resources on how to set this up if you are interested.
We'll only mention a paid product once in this article, because they deserve it: head over to yubico.com and take a look at all the keys they have for sale.
Along with 2FA, we can also generate scratch codes for the services we use. You get a list of 5 to 10 one-time codes to log into your account if you lose access to your 2FA. These should never be stored alongside the original 2FA or passwords; print them out (or write them down if you do not trust your printer) and take them to the bank for safekeeping. (Trust me, you don't want to spend two weeks talking with Blizzard just because you lost your 2FA, do not know the answers to the security questions, and have no access to your scratch codes.)
The more paranoid we are about security, the more of a hassle it is to maintain. If we use a separate phone or a hardware key, we need to make sure we have duplicates in case something goes wrong; the last thing we want is to be locked out of our services because of lost 2FA.
Having a good password manager, following the essential advice, and using 2FA with hardware keys will keep you safer online. Still, one aspect most people underestimate is timely updates of critical software. It does not matter which operating system you use; if it's not up to date, you'll be exposed to the latest vulnerabilities, so always take time to update as soon as possible. This is especially important for mobile systems and Windows machines, because they are so popular. So be vigilant and take time each week to update everything; you would be surprised how many attacks succeed just because of an unpatched vulnerability.
Another thing to mention is that people sometimes use older systems due to constraints (e.g., you need software that does not run on the latest version of macOS). It's best to avoid such situations if possible. Sometimes vulnerabilities are fixed only in the latest version, and even when the older version gets an update, not all security fixes are in it (looking at you, Apple).
Not using your actual email address for every service is becoming more and more popular (e.g., Apple offers an anonymous relay address when using Sign in with Apple). We can achieve this in a couple of different ways. When using an email provider like Gmail or iCloud, it's tricky to hide our actual address, but we can still separate things if we'd like to. It's possible to use firstname.lastname@example.org to separate services. This makes it easier to sort things, but it's not great. If you only have hosted email, you can always use something like what Apple offers (and there are other similar options). A better option, for folks with custom domains (domains are cheap, so go and buy one for yourself), is to enable catch-all for emails, so that a single mailbox receives all mail sent to any address at the domain. We can then register services as email@example.com, firstname.lastname@example.org, email@example.com, and of course firstname.lastname@example.org for everything else. Catch-all addresses let us know when a service leaked our email (or sold it to a third party), and they hide our actual address, which makes life a lot easier. The only thing to remember is to renew your domain (or buy it for ten years in advance, but do not forget to set a reminder to renew it).
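The leak-detection side of a catch-all setup is easy to automate: every alias was handed to exactly one service, so mail reaching that alias from anyone else, or mail to an alias that was never handed out, is a signal. The script below is an added example, not code from the article; the domain `example.com`, the alias registry, the expected sender domains and the three sample messages are all constructed. It only reads the `To` and `From` headers, and the comment in `check_message` spells out the caveat that matters in practice: `From` is spoofable, so this is triage, not proof.

```python
from dataclasses import dataclass
from email.utils import parseaddr
from typing import Dict, Iterable, List, Optional, Set

# Our catch-all domain and the per-service aliases we handed out, each with the sender
# domains that service is expected to mail from. All values are constructed for this example.
MY_DOMAIN = "example.com"
ALIASES: Dict[str, Set[str]] = {
    "netflix": {"netflix.com"},
    "shop": {"shop-example.test"},
}


@dataclass
class Finding:
    alias: str
    sender_domain: str
    reason: str


def parse_headers(raw: str) -> Dict[str, str]:
    """Minimal 'Name: value' header parser for the constructed messages below."""
    headers: Dict[str, str] = {}
    for line in raw.strip().splitlines():
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers


def alias_of(address: str) -> Optional[str]:
    """Local part of the recipient if it is under our catch-all domain, else None."""
    _, addr = parseaddr(address)
    local, _, domain = addr.rpartition("@")
    return local.lower() if domain.lower() == MY_DOMAIN else None


def sender_domain(address: str) -> str:
    _, addr = parseaddr(address)
    return addr.rpartition("@")[2].lower()


def check_message(raw: str) -> Optional[Finding]:
    """Flag mail that reaches a catch-all alias from somewhere we did not give it to.

    The From header is a triage signal only: it is trivially spoofed, so the authoritative
    check is the SPF/DKIM/DMARC result the receiving mail server already records.
    """
    headers = parse_headers(raw)
    alias = alias_of(headers.get("to", ""))
    if alias is None:
        return None
    sender = sender_domain(headers.get("from", ""))
    if alias not in ALIASES:
        return Finding(alias, sender, "mail to an alias we never handed out (catch-all spray)")
    if sender not in ALIASES[alias]:
        return Finding(alias, sender, "alias contacted by an unexpected sender (leaked or sold)")
    return None


def triage(messages: Iterable[str]) -> List[Finding]:
    return [f for f in map(check_message, messages) if f is not None]


# Constructed sample messages: the first is legitimate, the other two are what a leak looks like.
SAMPLE_MESSAGES = [
    "From: Netflix <info@netflix.com>\nTo: netflix@example.com\nSubject: Your bill",
    "From: Deals <promo@bulk-mailer.test>\nTo: netflix@example.com\nSubject: You won",
    "From: Someone <x@random-sender.test>\nTo: qwerty@example.com\nSubject: Hi",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_MESSAGES):
        print(f"{finding.alias}@{MY_DOMAIN} <- {finding.sender_domain}: {finding.reason}")
```

Once an alias is confirmed leaked, the response is the one the catch-all design makes cheap: retire that alias at the service and in the registry, and the spam stops without touching any other account.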
One common aspect of modern life is sharing credentials with someone. Whether you want to share your Netflix password with friends or need to deliver credentials to a client, the problem stays the same: how do we share them securely?
Thankfully, this problem has been solved multiple times, but even with all of that, people are still sending passwords over email, Slack, WhatsApp, or any other insecure channel you can imagine. So here are some of the available options.
For tech-savvy folks, you can use any form of public/private key cryptography; there are a lot of older tools, but the one I have been using lately, and it's nice, is age.
When you need a simple solution, some password managers can share passwords with a third party securely. If your password manager of choice does not have this option, there are sites like onetimesecret.com that help you share password-protected content. You can zip anything with a strong password, send that zip to whomever, and then share the zip password using an online one-time sharing service.
In the end, everything will be OK as long as you are not pasting passwords into chat apps or writing them on pieces of paper around the office.
Throughout this article, we went over some of the most fundamental aspects of security in 2022. Honestly, it's been like this for some time now, and these points will stay valid for years to come; no passwordless dark blockchain will save the planet.
Nothing less than this should be acceptable for private or professional use. It's easy to use a password manager, handle 2FA securely, keep backups of all our credentials, and have ways to restore access to accounts if the worst happens. If we do all of this and keep our systems up to date, we'll have an excellent foundation for every other security practice we want to adopt later. One final thought: just because most software and hardware is broken does not mean we can let go and not care about security. Apply the basics and go from there, taking small steps until you get to a level that works for you.