Account security best practices
How to make sure every service you use is as secure and as private as possible.
The best way to protect data is not to record it
Almost everyone has at least a dozen accounts, and it can be quite a disaster if your password gets published in yet another data breach. Passwords aren’t the only information worth stealing, and the best way to protect important information is never to collect it in the first place. In general, it’s best to avoid making an account with a service if you don’t need to. Sadly, many services force you into making an account by gating content, which is a dark pattern.
This also applies to payment information. Not only should you enter payment information only when you need to, but you should also consider what kind of payment methods you use. Cryptocurrency is perfectly transparent to everyone, and your credit cards are perfectly transparent to whoever your card provider shares their data with. In many cases it’s worth asking yourself “does this service really need my information to do what I need it to do?”
Using a password manager
There are many password managers, usually with trade-offs between trust and convenience. The most secure option is to run an offline password manager and manually sync between devices, but other options provide a cloud-based solution for convenience.
Some good password managers are:
If you use Nextcloud you can also use it to sync passwords.
Benefits of using a password manager
1) Strong passwords
The most obvious advantage of a password manager is the ability to store difficult-to-remember passwords. This is critical to having a strong, unique password for each account.
2) Unique details
Passwords aren’t the only thing that is best kept unique. You can also easily keep track of different usernames and e-mails for each service. Not only that, but you can avoid disclosing your e-mail address by using a temporary e-mail through a free service like TempMail.
3) Account fungibility
With a password manager it is much easier to manage multiple accounts. Sometimes it’s nice to start fresh; other times services like Reddit will want you to have a properly aged account to comment or access certain features. Keeping track of accounts makes sure you don’t forget any.
Multi-factor authentication
Multi-factor authentication is an essential tool in keeping accounts secure. It protects you even if someone gets access to your password. There are many ways to use multi-factor authentication, but it is usually up to the service to support it. It is best to enable whatever method is available and works for you.
SMS/e-mail codes
This is the bare minimum for a service trying to offer two-factor authentication. If you’re not using unique passwords, e-mail authentication won’t provide you any additional benefit. Also, using a throw-away e-mail that you don’t have access to excludes you from using e-mail-based authentication.
SMS authentication has often been broken by dedicated attackers social engineering the service provider. This is largely only done for high-value targets. Another drawback of SMS multi-factor authentication is that you have to divulge your mobile number to the service.
With these shortcomings in mind, SMS/e-mail confirmation is still another layer of protection that can be helpful.
TOTP codes / “Google Authenticator”
Time-based one-time password (TOTP) codes are a fantastic tool. Essentially you are given a secret ‘key’ by scanning a QR code; your authenticator app combines that key with the current time to generate short-lived codes that act as your “second password”, and it works quite well for this.
There is often a “recovery code” that must not be disclosed, as it allows someone to generate your time codes. TOTP codes are great because it would be very hard for an attacker to have access to your password as well as the personal device that produces the code.
If you’re on Android, Aegis Authenticator is available on F-Droid.
On iOS you can use Google Authenticator.
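As an added illustration of how an authenticator derives these codes from the key and the clock (example code written for this page, not code from the original), here is a minimal RFC 6238 TOTP implementation in Python. It uses the RFC’s published reference secret as constructed sample input, and the verify function’s one-step drift window is an assumption about typical server behaviour.

```python
import base64
import hashlib
import hmac
import struct

# Constructed sample: the base32 form of the RFC 6238 reference secret
# ("12345678901234567890"). A published secret must never protect a real account.
SAMPLE_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def hotp(secret_b32, counter, digits=6):
    """HOTP (RFC 4226): HMAC-SHA1 over the counter, dynamically truncated."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret_b32, unix_time, step=30, digits=6):
    """TOTP (RFC 6238): HOTP with the counter derived from the clock.

    This is why the key shown at enrolment must stay secret: anyone holding
    it can compute every future code without touching your device.
    """
    return hotp(secret_b32, int(unix_time) // step, digits)


def verify_totp(secret_b32, submitted, unix_time, step=30, window=1):
    """Server-side check allowing +/- `window` steps of clock drift (assumed).

    Constant-time comparison so the check leaks nothing through timing.
    """
    counter = int(unix_time) // step
    for c in range(counter - window, counter + window + 1):
        if hmac.compare_digest(hotp(secret_b32, c), submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 test vector: at t=59 the 6-digit SHA-1 code is 287082.
    print(totp(SAMPLE_SECRET_B32, 59))
```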
Avoiding data leaks
You can generally assume that all your information for every service is being collected and sold for purposes outside your control. Services get hacked and data breaches happen. The less exposed you are to any particular service being compromised, the better.
Integrations are evil
“Sign in with…” sounds very convenient, but it undermines the uniqueness of each account. The more big tech can identify patterns between your accounts, the more often it can glean unintuitive insights from fairly innocuous data.
Avoid signing in with big tech platforms and only authorize apps to connect to your accounts in very limited circumstances. Remove any unused integrations once you’re done with them.
Disable e-mail alerts
There aren’t many conditions that allow you to guarantee that your e-mails aren’t being read by someone, or something, else. When a service sends you an e-mail alert about something (an online purchase, for example), this gives your e-mail provider, and anyone they share data with, a key window into your life.
Salt your data
Many sites and services will ask for data that serves no purpose and can’t be verified. You are under no obligation to provide them a correct, useful dataset to be used against you.
“Salting your data” simply means entering incorrect or unintelligible data, such as incorrect birth dates or fake names, to undermine these data-collection efforts.