Blogpost sections:
- Password Managers
- 2 Factor Authentication (2FA)
- Email Addresses
- Antivirus
- Data Encryption
Password Managers
There are two attack vectors that could compromise your accounts: server side and client side.
The server side threat refers to a website you signed up to suffering a database breach.
There is no real way to protect yourself against this type of attack, as the security of the websites you use is not under your control; the best thing you can do is contain the threat to a single account. This is easily achieved by never reusing a password across different accounts.
The client side threat refers to a bad actor trying to crack your particular account's password.
The way to protect yourself against this type of threat is using long and random passwords. Brute-force password cracking takes exponentially longer with every additional character.
To recap, to have good security we need a long and random password for every account. This is obviously a hassle to do; humans are very bad at coming up with randomness and even worse at trying to remember multiple random strings of characters.
This is where password managers come in. Password managers generate and manage long and truly random passwords for you. You will only need to remember one single password: the one to access your password manager.
You should get a password manager that is open source and preferably local.
I recommend KeePassXC, but syncing the KeePassXC database across multiple devices can be a pain. If this is your case you can try Bitwarden, preferably self-hosting an instance.
Two Factor Authentication (2FA)
For good account security there should be two access requirements:
- Something you know; your password
- Something you have; your 2FA
2FA is a layer of security on top of your password. With 2FA enabled, an attacker won't just need your password to access your account, but also a constantly changing 2FA code.
There are three main types of 2FA: SMS, TOTP and Physical Keys.
SMS
Please, never use SMS 2FA.
SMS 2FA is insecure and subject to SIM swapping, an attack where a bad actor social engineers an employee of your mobile phone carrier and tricks them into activating a SIM card that the attacker possesses. This way they can receive your calls and texts, including your two-factor authentication codes.
This attack is way more common than it seems, and many high-profile Twitter accounts have been compromised this way.
TOTP
TOTP (Time-based One-Time Password) is a temporary extra password, usually made up of 6 digits.
One popular example of a TOTP generator app is Google Authenticator. Use a TOTP authenticator that is open source and lets you back up your keys in case your device is lost or broken.
I recommend Aegis for Android and Raivo for iOS. Alternatively you can use your own password manager’s TOTP feature, which trades off security for convenience but is still better than nothing.
Physical key
This is the most secure 2FA method: a physical USB key.
The most popular brand of physical keys is Yubico.
Email Addresses
Using only one email address for everything is a bad practice.
At the very least you should have two email addresses: one for important things such as work and finances, and a different one for less important things such as social media and video games.
There's no perfect method for managing your email addresses, but you shouldn't need to sign up to a sketchy website with the same email you use to sign up to your bank.
You can also make use of email aliases. Many email providers let you create aliases for your main email account, thus creating artificial secondary addresses that forward all received emails to your main account. This is much easier to manage than having multiple separate email addresses while providing the same upgraded security.
Tip: if you have hundreds of unread mails because your inbox gets flooded with ad emails, you can easily opt out by scrolling to the bottom of one of the undesired emails and clicking "unsubscribe".
Antivirus
Contrary to popular belief, you don't need a third-party antivirus if you use a recent Windows operating system; Windows Defender is enough.
macOS and Linux don't need an antivirus because there are almost no viruses designed for them. This is because macOS (and especially Linux) have both a smaller and more computer-savvy user base, which makes it a waste of time for hackers to write a virus that targets these operating systems instead of Windows.
Data Encryption
Encrypt your hard drives using tools like BitLocker for Windows.
Use cloud storage services that support end-to-end encryption (E2EE), like iCloud and MEGA.
Useful Sites
- haveibeenpwned: check if your accounts have been compromised in known data breaches.
- Emailnator: temporary email addresses to sign up in sketchy sites.
- Onlinesim: temporary phone numbers so you don't have to share your number with any app for verification.
- Wormhole: sharing files with E2EE.