Written on 2021-11-14
Updated on 2023-04-03
To my friends and family who feel like staying secure in the Internet Age is an impossible task, this post will walk you through the most valuable things you can do to be tougher than the majority of the population.
I said “tougher than the majority of the population,” but why does the majority matter? It’s like the old joke about two hikers being chased by a bear: one hiker starts putting on running shoes and the other goes, “Are you nuts? You can’t outrun a bear.” He responds, “I don’t have to outrun the bear - only you.” Most bad actors on the internet, just like the bear, are fairly lazy and will do 20% of the work to compromise the easiest 80% of the targets. Here we’ll move you into that hardened 20% of targets.
Like you, I hate the “Download the latest update and restart?” popups on my computer and phone. However, staying up-to-date with the latest versions of the software you run is one of the biggest things you can do to reduce your risk. The reason: security bugs that allow bad actors to do nasty things are being discovered on a nearly daily basis for all software known to man. When knowledge of these bugs hits the tech community, software manufacturers scramble to protect their users and push a fixed version of their product. If users are constantly updating their software, they’ll be protected as soon as the manufacturers’ updates arrive.
The problems begin when users ignore their software updates and run old versions. Information takes time to travel in criminal communities too, so if an announcement about a security bug in MacOS is issued at 10 AM and Apple pushes a fix by 6 PM then criminals have only had 8 hours to leverage the bug before Mac users who regularly update their OS are no longer vulnerable. As time goes by though, the news spreads and increasing numbers of bad guys will include the exploit as part of their standard hacking toolkit. If you’re running an old version of MacOS before the fix, you’re now easy prey.
Action Items
If you’re like most people, you have 2-3 passwords that you use across your email, social media, Netflix, Amazon, banking, hotel & airline logins, and so on. You simply remember these passwords, and begrudgingly change them when you’re forced to. There are multiple problems with this “password promiscuity” approach:
The good news: all these problems go away with a simple tool called a password manager.
A password manager’s function is twofold: first, it will store all your username/password logins for you in a database that is encrypted with a “master password” so that not even the password manager company gets to see them. This frees you from needing to remember anything but the master password, and gives you a record of exactly what credentials you used for that site you haven’t touched in 3 years.
Second, when signing up for new sites, a password manager will provide a secure password generator that allows you to create long passwords of random text like ^19@VjCwvYrs1@W88bT9HBJWn@2aK4 (which are exceedingly hard to break). All your passwords are stored in the database, so you get a damn robust password without any additional load on your memory. Better yet, each site will have a unique random password so Marriott’s ineptitude won’t compromise your other accounts (e.g. your bank!).
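To make “exceedingly hard to break” concrete, here is an added example (not code from the post or from any password manager) that generates a password the way a manager does, from the operating system’s cryptographic random source, and works out how many bits of entropy a 30-character password over a 72-symbol alphabet carries versus a typical 8-character lowercase one. The alphabet and the guess rate are assumptions for illustration.

```python
import math
import secrets
import string

# Constructed 72-symbol alphabet in the spirit of the sample password above:
# 52 letters, 10 digits and 10 punctuation symbols.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()"


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password whose every character is drawn uniformly at random."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 30, alphabet: str = ALPHABET) -> str:
    """Draw each character with `secrets` (the OS CSPRNG), never `random.random()`.

    Every position is independent and uniform, so the entropy formula above holds.
    """
    return "".join(secrets.choice(alphabet) for _ in range(length))


def years_to_brute_force(bits: float, guesses_per_second: float = 1e12) -> float:
    """Expected years to find the password after trying half the keyspace.

    1e12 guesses/second is an assumed, generous figure for an offline attacker
    with a large GPU rig against a fast hash.
    """
    expected_guesses = (2 ** bits) / 2
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    weak = entropy_bits(8, 26)       # 8 lowercase letters, remembered by hand
    strong = entropy_bits(30, 72)    # 30 random characters from a manager
    print(f"8 lowercase chars: {weak:.1f} bits, "
          f"{years_to_brute_force(weak):.2e} years")
    print(f"30 random chars:   {strong:.1f} bits, "
          f"{years_to_brute_force(strong):.2e} years")
    print("sample:", generate_password())
```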
If you don’t already have a password manager, I recommend using one called 1Password. It’s the best balance of ease-of-use and security that I’ve found, and at $3/month is a positive steal for keeping your accounts safe. It also comes with a plugin for your browser that can auto-fill login forms on websites, helps in sharing passwords among a family (e.g. the home wifi password), and can even proactively tell you which of your login credentials have been exposed in security breaches. (Disclaimer: I have no incentive to advertise 1Password; it’s simply the best product on the market in my opinion.)
Conversely, do not use the password manager called Lastpass. They’ve proven themselves terrible stewards of customer data over the years, including leaking customer vaults in 2022 and then covering up the details.
A closing note: most password managers offer a “Secure Note” feature where you can store arbitrary information that’s not a website login. I use these to store things like IRS e-file PINs, combos to safes, and health insurance & credit card information. I’ve trained the muscle of, “If it’s important and private, it goes in my password manager,” which proves invaluable when you need it (e.g. my credit card was eaten by an ATM while travelling, and I was able to quickly get customer service because I had the card number and support phone number stored in my password manager).
Action Items
2-factor authentication (“2FA” for short) is commonplace nowadays, but most 2FA is text-based or email-based. If I’m a developer building a website, I have a million and one things to do to launch my website. 2FA is considered blanket “good” and sending texts or emails is very easy to code, so I have the app send 6-digit codes to your phone or email and move on to other things.
The problem: it’s fairly easy to compromise the layperson’s email account, and intercepting 2FA codes sent to your phone number isn’t so difficult thanks to the lax security of telecom companies. This means that, in practice, the supposedly-secure 2FA via SMS or email is little stronger than just a username & password.
The 2FA that isn’t garbage is the one that requires you to enter a generated code, called a Time-based One-Time Password (TOTP). The code generators come in various forms - physical tokens that show numbers you have to enter, USB dongles that must be plugged into your computer, and phone applications that simulate the physical tokens showing you numbers. The common factor is that you register the code generator with the website in advance, so that at login time an attacker needs access to both your password and the code generator.
The major problem with TOTP: if you lose the code generator, you’re locked out of your account. Most websites provide you “emergency recovery codes” to bypass 2FA in this eventuality, but where do you store these? Physical paper is vulnerable to destruction and loss, and digital is vulnerable to hacking.
1Password has the ability to serve as a TOTP code generator, and I choose to use it to generate my 2FA codes. This is decidedly less secure than a standalone code generator: if someone compromises my 1Password vault then they have both my passwords and 2FA codes, which is everything they need to log in as me. However, I’m already putting a large degree of trust in 1Password, my 1Password vault getting compromised would put me up shit creek anyways, I need to store my emergency recovery codes somewhere, and 1Password’s security practices are very good. I’ve therefore decided that the security tradeoff is worth the convenience, and made my 1Password master password really, really strong.
A note: using 1Password for my TOTP code generation is still significantly more secure than not having 2FA at all. Without 2FA, I’m vulnerable to all the issues of password-only authentication as laid out in the “Password Managers” section above, while with 2FA an attacker needs to breach my 1Password account before they can compromise any of my logins.
Whether you should use TOTP 2FA at all isn’t in question: you absolutely should whenever it’s offered. Whether you use a separate code generator to serve your TOTP codes is a matter of personal risk tolerance. For more security and less convenience, go with a separate device and make sure to store your emergency recovery codes in a secure spot. For less security and more convenience, use your password manager as your TOTP code generator.
Action Items
There is a cybersecurity attack known as the “man-in-the-middle” (MITM) attack. The way it works, from a real college prank:
facebook.com
with an image of Marty & Doc. This attack has been around for a long time, and we’ve developed a defense against it that you’ve seen: HTTPS. Regular HTTP connections (websites that start with http://, no s at the end) are vulnerable to MITM attacks. HTTPS connections, however, a) encrypt the data between your computer and the destination website (so my computer can’t snoop on my roommate’s traffic) and b) bear a stamp of approval from the website so that your computer will know if the contents it receives have been tampered with. Unfortunately, many websites don’t implement HTTPS properly and so simply connecting via https:// isn’t enough.
For technical reasons, this attack is only doable against computers connected to the same router. This means that your home network is safe unless your child has a penchant for computer science, but public wifi networks become increasingly risky with a) the number of people on the network and b) the sophistication of the people on the network. Your corner coffeeshop might be okay, but city and airport wifi are basically herpes (because well-funded adversary states have almost definitely set up tiny devices in hidden corners to record all traffic, and maybe even inject malicious software).
Question: if HTTPS only partially helps, what’s the real fix? Answer: a virtual private network (VPN).
You can think of a VPN like an ironclad tube between your computer and some destination that all your network traffic passes through. If your VPN is company-provided, the other end of that protected tunnel is inside your company’s internal network. If you’re using a VPN-as-a-service like NordVPN or ExpressVPN, the other end of that tunnel is wherever you choose when you create the VPN connection. This keeps your traffic safe, even when it passes through an extra-risky network like airport wifi.
Action Items
https://
If you follow the above guidance, you’ll have elevated your security posture beyond the vast majority of people on the internet. While it’s impossible to achieve 100% security, you’ll have made yourself such a tough target that all but the most driven bad actors (i.e. government hackers with a purpose) will look for easier prey. Enjoy your running shoes.