Tuesday, December 25, 2018

How to Be Secure Online: The Blog Post

I've read a lot recently about some new types attacks I wasn't aware of before.  Most of these can be defended against pretty easily, it's just a matter of knowing the threats.  I wanted to summarize some of the things everyone should be doing at this point, but most people aren't.

Use a password manager

At this point, you really should be using a password manager.  You have to assume some of the sites you use will be breached in any given year, and when they are the username and password you use there will be tried on other popular sites.  The only way to be safe is to use different random passwords for every site.  There is no way you can memorize random passwords for every site, even if you limit it to only the sites you actually care about the security of.

However, security isn't the only benefit of a password manager, it is also much more convenient.  You can memorize one really good random password, with no restrictions on maximum length or allowed characters, and then use random passwords on every site.  You'll never have to worry about password complexity restrictions, or being forced to change your password again.  Just generate a new 30 character random password and let the password manager worry about keeping track of it.

I wrote about password managers in more detail here.  If you just want the easiest path, then LastPass will work fine.  I use KeepassXC which is open source and offline.  You have to copy the password file between computers and phones yourself, using something like Dropbox, or the open source Syncthing.


Use a long password

You should only need one or two passwords, if you are using a password manager, so you can make them very strong.  You should make your password very long, and not worry about complexity too much.

I've always been bothered with password strength estimators that score you based on complexity.  A classic example of a bad password estimator is http://www.passwordmeter.com/

If I generate a random 20 character password, but one that consists of only lowercase letters like xznmjetjsciqukhspaxv passwordmeter.com gives that a score of 21% (weak).  A 6 character random password like z&*4uV gets a score of 64% (strong), merely because it has lower case, upper case, digits, and special characters.  Tacking on 2 more characters z&*4uV.9 gets you to 100% (very strong).  While that is an ok password, the 20 character one is much, much stronger, despite being all lower case.  Even if the attacker knew that your password was all lowercases there would still be over 10^28 possibilities.  Trying every possible 6 character password, even with all 95 normal keyboard characters possible, is only about 10^12 possibilities.  Which makes the 20 character password roughly a quadrillion times more secure than the 6 character one.  Even the 8 character one is a trillion times worse than the 20 character one.

Luckily, people are starting to wise up to how useless things like replacing o with 0 are.  NIST has updated password guidelines that are a great summary of what restrictions should be on password systems.  Password estimators like the one above used to be much more common, and even major companies used them.  A long time ago I made my own password estimator, which attempted to replace common dictionary words and then figure out the number of possible combinations, however Dropbox has a way better version of that called zxcvbn, named for the bottom row of letters on a keyboard.  Using zxcvbn as a password would seem random to many estimators, but isn't actually, and attackers were already trying keyboard patterns.

At some point, zxcvbn changed its algorithm for calculating entropy.  I didn't like this change, so I made a page with both the new and old versions of it so you can compare the two.


Don't use SMS for 2 factor authentication

Don't use actual cell phone numbers with a traditional carrier, like Verizon, for 2 factor auth.  It is quite easy, and increasingly common to intercept SMS codes via SIM swapping attacks.  All an attacker needs is your phone number; then they call your carrier and pretend to be you with a new phone and SIM card, and ask for your number to be ported to the new phone.  Then they request a 2 factor auth code and it goes to the phone they have instead of yours.

If you are going to use 2 factor auth, you should use a hardware device like a Yubikey, or an app like Authy.  If the service only supports SMS based 2 factor auth, then use a VOIP number like Google Voice, which can't be easily ported to a new carrier.

The worst part of this, is that using plain SMS for 2 factor auth can make you less secure than no 2 factor auth, because an attacker attempting to social engineer their way into your account will be more believable if they have access to SMS codes being sent to them, versus if there is no 2 factor turned on.  In some cases services allow you to reset your password using only your SMS phone number, so someone who knows your phone number, but not your password, can reset it and get into your account.


Freeze your credit

After the Equifax data breach it's safe to assume that if you have a credit history in the US, that history including SSN and date of birth was leaked.  To open new accounts one typically only needs SSN, DOB and name.  To prove your identity online you are sometimes asked security questions generated from your credit history (things like what bank was your car loan in 2015 with?).  All those things were leaked.

A credit freeze simply adds a random PIN that will be needed to open new accounts, ie, any time someone wants to do a hard pull of your credit with one of the reporting agencies, they will require you to lift the freeze, using the PIN.  Note that you can still use your existing accounts with the freeze in place, it's only opening new accounts that will be blocked.  You can quickly and temporarily remove a freeze (called thawing) within a few minutes.  See here or here for more info on how to freeze your credit.

When freezing your credit, make sure they use the word "Freeze" on the page.  Be careful not to do any sort of credit monitoring or "locking", those are paid services that are less effective than freezes.  They will push those hard, both because they can charge for them, and because people freezing their credit restricts the agencies from doing whatever they want with your info.  Worse still, if the monitoring is with a third party, the will require your SSN and other info to monitor your credit, giving your info to yet another database that will inevitable be leaked at some point.