Found my password had been leaked

I got a warning that someone from the Russian Federation had logged into a very old Evernote acct. I hoped they enjoyed the samples and architecture plans for a never-built home.

This led me to https://haveibeenpwned.com which said my data had been released in 13 breaches. I of course was stupidly using the same password in multiple accounts. I have fixed all those passwords. I was just wondering if the more computer-security-minded people had any other suggestions for further actions I might need to take. I use a MacBook Pro which I do not think has been compromised.

2 Likes

First, get yourself a password vault (I use LastPass; there are others as well), and then use multifactor everywhere you can.

For financial accounts, try to avoid using your cell phone and use something like Google Authenticator.

10 Likes

I use KeePass which is a free and open source password management tool. It can store the database with strong encryption, generate random passwords with whatever options you want, and it’s cross platform with an active ecosystem of developers (including mobile).

The commercial options are decent too but I wanted to keep it under my control. The website is below.

https://keepass.info/download.html

8 Likes

@Robert_Davidson got the right of it. And as with @lukeiamyourfather, I use KeePass, too. But…I do something slightly modified.

– I only ever access my serious/sensitive accounts from my home PC, or in a tight pinch, from another trusted PC (like my brother’s house).

– I use 2FA on all serious/sensitive accounts, e.g. financial. I have the security ping sent to my email address (which I can access anywhere in the world), not my phone…phones get lost, bricked, hacked, forgotten somewhere, stolen, and SIM cards replaced…just too many issues for me.

– for accounts I am not too worried about (Evernote would count, here), I do the following:

  • I have an 8 character secret, hard-to-guess sequence that I have memorized/used for 30 years now. It is a mix of blah, so let’s pretend it is DM$m@k3r (which I would remember as “DMS Maker”).

  • Every URL one might log in to has the form www.somethingURLspecific.com. When I register, I do two things:

    1) My email of record on that site is set to “myregulargmail+somethingURLspecific@gmail.com”. Gmail allows the appending of characters after a “+” sign but before the “@” sign and knows to send these to your myregulargmail@gmail.com account. Doing this makes your login ID a little more obscure and it’s easy to remember.

    2) My password is set to somethingURLspecific.mysecretsequence. So in the case of Evernote, if I used stuff like that, which I don’t for privacy considerations, my login credentials would be:

      -- ID: myregulargmail+evernote@gmail.com
      -- PW: evernote.DM$m@k3r

So as long as I can remember my email address (I can) and don’t forget my secret sequence (I don’t) and can look at the address bar and see what URL I am at (I can), I am good. Anywhere in the world.

The only issue I encounter is the dopey sites that think they are doing you a favor by putting arcane rules in place as to ID or password requirements, thereby limiting what you are actually able to do. My favorite examples are the banking sites that, for legacy reasons, still disallow passwords longer than 8 chars.

5 Likes


I tried to write it down after walking away from the computer and ended up with it as “corset buttery whores estoppel”. I’m doomed.

1 Like

+1 for KeePass; I’ve been using it for like 12 years now. I keep the encrypted database file synced between my devices and it has a stupidly long derived password.

I use randomly generated passwords except for things I have to be able to remember / log in with on the mobile app (I don’t run KeePass on my phone except in emergencies). For those I use a long passphrase (similar to what that XKCD comic suggests).

+1 to 2 factor on everything; as someone who breaks into accounts for a living it’s the most effective deterrent measure. Try to avoid SMS and phone call based 2 factor if you can though (but if it’s the only option still use it). I use Yubikeys / U2F hardware tokens on the services that support it. They’re nice and convenient; even a lot of laptops have them in the power buttons or other designated button now, so you don’t have to carry an extra around. Typically, when using a hardware key you can add multiple to a given account. I have one that stays with my workstation, one that’s with me if I have to log in somewhere else, and one that’s escrowed away. If one is taken I can easily remove it from the account, and cloning them is the game of advanced adversaries with specific goals rather than bulk account exploitation.

3 Likes

I like the idea of these, but I lose track of physical objects (wallet, phone, keys) all the time, even in my house…is this information stored in the cloud somewhere? Related question: how does the information on the various Yubikeys stay synced?

1 Like

It’s not, but you can have as many as you want as backups / extras. It’s also embedded in some laptops and mobile devices now.

Simply put, it’s not. Each key has its own unique keys that are never supposed to leave the device. When you pair a new key, that key’s public identifier is kept in the account that it will authenticate to. When the key is used, it uses asymmetrical cryptography to validate it’s the same key, without ever sharing its secret with the service it’s authenticating to. The same Yubikey/U2F device can be used across multiple services.

3 Likes
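The pairing and login flow described in the two replies above, as an added example that is not from this thread or from any Yubikey/U2F implementation: a hypothetical U2F-style token in Go using the standard library’s P-256 ECDSA. The `Token` type, the `Register`/`Sign`/`Verify` names and the `digest` layout are assumptions that simplify the real U2F message format; what it keeps is that the service stores only a public key per enrolment, the private key never leaves the token, each login signs a fresh challenge, and a use counter that fails to advance is how a cloned token is noticed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Token is a hypothetical U2F-style authenticator: one private key per service, never exported, plus a use counter.
type Token struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}
func NewToken() *Token { return &Token{keys: map[string]*ecdsa.PrivateKey{}} }
// Register mints a fresh P-256 pair for service and hands over only the public half.
func (t *Token) Register(service string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	t.keys[service] = priv
	return &priv.PublicKey, nil
}
// digest binds a signature to the service name, the challenge and the counter (assumed layout, not U2F's).
func digest(service string, challenge []byte, counter uint32) []byte {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%s|%x|%d", service, challenge, counter)))
	return sum[:]
}
// Sign is the token side of a login: sign the service's challenge and bump the counter.
func (t *Token) Sign(service string, challenge []byte) ([]byte, uint32, error) {
	priv, ok := t.keys[service]
	if !ok {
		return nil, 0, fmt.Errorf("token not enrolled with %s", service)
	}
	t.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest(service, challenge, t.counter))
	return sig, t.counter, err
}
// Verify is the service side: check the signature with the stored public key and refuse a stale counter (cloned-token signal).
func Verify(pub *ecdsa.PublicKey, service string, challenge, sig []byte, counter, last uint32) error {
	if !ecdsa.VerifyASN1(pub, digest(service, challenge, counter), sig) {
		return fmt.Errorf("signature did not verify")
	}
	if counter <= last {
		return fmt.Errorf("counter %d did not advance past %d: possible cloned token", counter, last)
	}
	return nil
}
```

A real service would draw the challenge from a CSPRNG per login; the fixed challenge bytes in the test below are a constructed stand-in.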

Good, that means when I forget my password, I can go find it. LOL

1 Like

For storing and using passwords on the CLI, I’m a fan of pass.

It’s a nice alternative to storing secrets in environment variables.

The tab completion for names is pretty sweet.

1 Like