Secure authentication for sensitive online credentials

Noah Ruderman
Dec 7, 2017

Most credentials won’t cost you thousands of dollars if compromised. This post is for the credentials that are that sensitive. Use cases are securing valuable Twitter handles and holding cryptocurrencies in online exchanges.

Preferably you’d hold anything of real value offline, such as in a hardware wallet or paper wallet. In many cases, there is a cost-benefit analysis to be made of security over convenience. This article is for the widest audience: people who lack the confidence/interest/ability to live completely offline, and want a good balance of security and convenience.

This post describes how to set this system up in a way that provides a measurable level of security; minimizes single points of failure; provides strong security guarantees while also staying reasonably convenient; and includes countermeasures to known exploits.

How to think about information security

Provable security

Nobody likes surprises.

Minimizing single points of failure

Everybody makes mistakes. Nobody wants to lose everything when they do.

Minimizing attack surface

Fewer ways to be hacked = fewer surprises.

Mitigating known exploits

History doesn’t need to repeat itself at our expense.

The first set of credentials: a username-password combination

Never reuse passwords

This is the most basic advice you will get on the subject of internet security. The reason you should never reuse passwords is that the sites which you have accounts on must store your password in some format. Typically they store the password in some encrypted format, but that is not always the case.

Websites get hacked all the time. Sometimes they don’t encrypt the user credentials properly, other times hackers crack the passwords. In most cases it’s hard to avoid re-using usernames (e.g. for email notifications), but reusing passwords means any single breach will breach most or all of your accounts.

Use a password manager

The solution to having many increasingly difficult user-password credentials to remember is to store them in an organized, encrypted way. That’s a password manager. Instead of memorizing passwords for each website, you remember one master password, and let the password manager manage everything else.

There are two variants of password managers: online and offline. If you use an online password manager like LastPass, you depend on them to use appropriate security practices. While there are more risks with online password managers, they are significantly more convenient if you need to authenticate from multiple devices or switch computers (which you will over time). Despite these risks, online password managers can be incredibly secure if done right. In fact, Facebook uses LastPass, rather than an offline password manager.

For people with special security needs (probably not you), offline password managers like KeePass are a safer choice. You must take special care to keep copies of the password database and to regularly update them. Offline password managers are more secure at the expense of convenience, but you are still ultimately trusting the code which implements this. For this reason, you should try to use open source, well-known password managers.

A protocol for a human memorable, but strong password

You still need a password for your password manager. Clearly you can’t store your password manager’s password in the password manager, because all the data is encrypted. There is no way around a password which must be remembered or stored outside of the password manager. This is an important password worth remembering, so I show you how to create a strong, memorable password.

It is important that you create a password with a provable amount of security. The security of passwords is measured in entropy, a bound on how much work would have to go into brute forcing the password. As I mentioned earlier, humans are extremely bad at generating random data. (They are also extremely bad at remembering random data.)

A famous technique, Diceware, is used to encode random data into a provably secure and human memorable password. The idea is to use random numbers to pick words from a list. The words picked are concatenated to form a phrase, which is used as the password. The random numbers are generated with physical dice and not software. The list of words is provided to you and each word is labeled with its position in the list.

This technique makes it extremely easy to measure the strength of a password. If the dictionary has D words and you choose N words to make your password, the entropy of your password has a lower bound of D^N. Every new word you use increases the entropy of your password by a factor of D. Your goal is to choose N such that D^N is greater than an amount of entropy that is largely considered to be safe from brute force attacks in 2017. Your password entropy is compared to that of a sequence of bits (0’s and 1’s). That is, if your password has 5 bits of entropy, it is equivalent to the strength of a password 5 bits long where each bit is a 1 or a 0 (e.g. 01001). The Diceware site describes how long you should make your password based on your threat model but it is safe to say that most people will want between 70 to 100 bits of entropy: https://world.std.com/~reinhold/dicewarefaq.html#howlong. For Diceware’s list that is 5 to 8 words.

With this technique it is easy to make provably strong passwords that are also easy for humans to remember. It turns out that humans are very good at remembering information encoded as a sequence of words. For example, the randomly generated alphanumeric password B9SsaWeem5RQT has equivalent security to the Diceware passphrase tuba marine rube rpm malay ton. There’s a famous web comic that describes this technique: https://xkcd.com/936/.

How to make strong passwords with your password manager

Password managers give you great flexibility in choosing passwords, but not always guidance on how strong that password should be. What I suggest is generating a sequence of at least 22 randomly chosen alphanumeric characters. Here’s why:

  • Authentication is often implemented incorrectly, especially with financial institutions. If you use special characters, you can run into weird issues where the password is accepted but it is impossible to authenticate. This is honestly just a headache to deal with and eliminating them prevents you from needing to deal with these problems. It is not for security.
  • 22 alphanumeric characters chosen randomly gives you 62²² different unique passwords that might be chosen. (Each character can be a lower case letter, upper case letter, or single digit number for 62 possibilities.) This gives you about 128 bits of security, which is the same as that of AES, widely used and considered extremely secure against even government adversaries.
  • Passwords without special characters are easier to analyze in their entropy and work with. People are very familiar with the ISO basic latin alphabet (a, b, …) and western arabic numerals (0, 1, …). There is no standard set of special characters I know of, they vary according to culture, and some of the unicode special characters look extremely similar causing confusion. The U+FF65 and U+10101 look identical. Compare ・ and 𐄁 symbols. You may have to manually type in your password at some point and it will be hard to tell exactly what these characters are.
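The strength estimates used for both the Diceware passphrase and the 22-character alphanumeric password can be checked with a short script. This is an added example, not code from the original post; it expresses D^N possibilities as log2(D^N) bits and assumes a word list with one entry per outcome of five dice (7,776 entries), read in sorted order.

```python
import math
import secrets
import string

DICEWARE_WORDS = 6 ** 5   # assumption: one list entry per outcome of five dice
ALPHANUMERIC = string.ascii_letters + string.digits   # the 62 symbols


def entropy_bits(choices: int, picks: int) -> float:
    """Bits of entropy when `picks` symbols are drawn uniformly from `choices`.

    choices**picks equally likely passwords correspond to log2(choices**picks) bits.
    """
    return picks * math.log2(choices)


def picks_needed(choices: int, target_bits: float) -> int:
    """Smallest number of uniform picks that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(choices))


def rolls_to_index(rolls: str) -> int:
    """Map five physical dice rolls (e.g. "16665") to a 0-based list position."""
    if len(rolls) != 5 or any(c not in "123456" for c in rolls):
        raise ValueError("expected five digits, each 1-6")
    index = 0
    for c in rolls:
        # Treat the rolls as a base-6 number with digits 0..5.
        index = index * 6 + (int(c) - 1)
    return index


def random_alphanumeric(length: int = 22) -> str:
    """Password-manager style password drawn from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHANUMERIC) for _ in range(length))


if __name__ == "__main__":
    for n in range(5, 9):
        print(f"{n} Diceware words: {entropy_bits(DICEWARE_WORDS, n):.1f} bits")
    print(f"13 alphanumerics: {entropy_bits(62, 13):.1f} bits")
    print(f"22 alphanumerics: {entropy_bits(62, 22):.1f} bits")
    print("words for 100 bits:", picks_needed(DICEWARE_WORDS, 100))
    print("list position for rolls 16665:", rolls_to_index("16665"))
    print("sample site password:", random_alphanumeric())
```

The dice-to-index helper only converts rolls you made by hand; the software random generator is used solely for the per-site passwords that a password manager would generate.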

The second set of credentials: Doing 2FA correctly

2FA stands for 2nd factor authentication. If a username and password are 1st factor authentication, 2FA is a second way of authenticating. 2FA mitigates the damage of a hacker having stolen your credentials and should be used for especially sensitive accounts.

Yes, you should use 2FA, too

Why use 2FA? Because in the event you make a mistake or get unlucky, you probably don’t want to incur catastrophic losses. So when 2FA is available, use it! 2FA is something that takes time and effort for a site to offer, so they wouldn’t be offering it unless there were a reason. Since we should prioritize provable security, never reject 2FA unless you are absolutely sure you don’t need it.

Avoid 2FA based on your phone number

Text/voice authentication is when you are sent a code over text/voice, respectively. (This is different than an app on your phone.) These are extremely convenient because almost everyone has a cell phone, and everyone has text and voice by default. It is unfortunately extremely insecure for reasons outside of your control. Cell phone providers have the ability to change the phone associated with your number. This means a sufficiently skilled and knowledgeable hacker can have calls or texts to your number routed to their phone. Or they can bribe an insider into routing calls meant for you to their phone. Or they can walk into a carrier’s retail store and convince some low-level employee they are indeed you, etc. With text authentication, then, you are no more secure than whatever security practices your phone provider has, and their incentives are not aligned with yours.

How to use 2FA for online services

There are multiple ways 2FA can be done, some significantly less secure than others. In general a device will be used to generate codes offline. If the device is general purpose with a code generating app, we consider it a software implementation. Software 2FA implementations typically use TOTP (time-based one-time password — basically a number that changes every 30 seconds) and it is widely supported. If the device is special purpose and designed for authentication, we consider it a hardware implementation. U2F (universal 2nd factor) is an open standard to support 2FA with a hardware device that provides maximal security, but it is not widely supported in 2017. When it becomes more widely supported, the answer will be to always use it. With today’s limited support in mind, I see a few ways forward.

  • Use an app like Google Authenticator on your cell phone for TOTP 2FA. In my opinion this is a great balance between convenience and security. One risk is that your cell phone needs to store the secret used by the TOTP software. It is possible that the secret key can be stolen by malware. Another risk is that if you forget to make a copy of the secret key used to generate the 2FA codes, losing your phone means locking yourself out of your account. If the service provides a means of disabling your 2FA via email and you opt-in, that significantly reduces the security of the account. This TOTP 2FA solution is appropriate for most people and provides a significant increase in security.
  • Use a dedicated hardware token that implements TOTP. The differences here are that these devices are significantly less complex and so easier to secure from threats like malware; and that they are not connected to the internet meaning they can only be compromised through physical access. These TOTP tokens can be shaped like credit cards and put into your wallet or key fobs you carry around with you. This solution is appropriate for people who do not want to expose themselves to the risk of software TOTP (i.e. phone getting hacked in some way) but for some reason cannot use U2F. (If you have high security needs you should probably find a way to make U2F work.) One annoyance is that TOTP requires keeping accurate time. Every time you authenticate the TOTP device will re-sync time with the server. But if you don’t authenticate for a while, the device will not work and you will have to re-sync manually to get it working again. That part is just an inconvenience and does not relate to security.
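To make the two TOTP options above concrete, here is how a code is derived from the shared secret and the clock, and why a drifting device stops working. This is an added example, not code from the original post; it follows RFC 6238 with HMAC-SHA1, uses the RFC's published test secret, and the `verify` function with its one-step tolerance window is an assumed, typical server-side policy.

```python
import hashlib
import hmac
import struct

# Test secret published in RFC 6238 Appendix B (not a real account secret).
RFC_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over an 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP where the counter is the number of elapsed steps."""
    return hotp(secret, unix_time // step, digits)


def verify(secret: bytes, code: str, server_time: int,
           window: int = 1, step: int = 30) -> bool:
    """Accept a code from `window` time steps either side of the server clock."""
    counter = server_time // step
    for drift in range(-window, window + 1):
        if counter + drift < 0:
            continue
        candidate = hotp(secret, counter + drift, len(code))
        # Constant-time comparison avoids leaking how many digits matched.
        if hmac.compare_digest(candidate, code):
            return True
    return False


if __name__ == "__main__":
    now = 1111111111                      # constructed server time
    fresh = totp(RFC_SECRET, now, digits=8)
    slow = totp(RFC_SECRET, now - 30, digits=8)     # device 30 s behind
    stale = totp(RFC_SECRET, now - 300, digits=8)   # device 5 min behind
    print("in sync:", fresh, verify(RFC_SECRET, fresh, now))
    print("30 s slow:", slow, verify(RFC_SECRET, slow, now))
    print("5 min slow:", stale, verify(RFC_SECRET, stale, now))
```

Anyone holding the secret can produce valid codes, which is why the secret stored on the phone or token is the asset to protect and to back up.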

Hardening tips

Hardening is the process of making an existing system more secure.

Remove unneeded API access or change access to read only

Any major exchange allows for API access. In a nutshell, API access allows you to automate actions without having to log into the site manually. This is typically used for trading. It is also sometimes used for crypto tax tools to download your trade history (more accurate than a csv export).

If you have an API enabled which allows you to execute trades or withdraw balances from an exchange, it can be exploited to trade your Bitcoin for some of the hacker’s obscure cryptocurrency at an extraordinary rate or they can simply withdraw your Bitcoin to an address they control.

Consider a VPN

For each site the browser will show “http” or “https”. If you see “http”, then your internet traffic is not encrypted. This means that anyone snooping your internet traffic can see this information. If you are browsing the web perhaps the only implication is privacy, but if you are entering sensitive information, such as authenticating, they could see your username and password.

Most sites are https these days, but you can’t guarantee this for every site. And your home router is typically encrypted (e.g. WPA2 security), so at home you might not expect eavesdroppers. However, if you are using public wifi, communication with the router is not encrypted and anyone can see what you are doing. In that case, you should strongly consider using a paid VPN.

Don’t use Windows or Internet Explorer

It pains me to think that I need to mention this, but Windows is not a secure operating system and Internet Explorer is not a secure browser. They prioritized backwards compatibility across major versions and each time they did this they added an increasing amount of complexity, couldn’t fix design flaws, eschewed standards, etc. They had reasons to do this but if you are doing anything security critical, it might be good to avoid that.

Malware writers typically target the most popular systems. Obviously, that means Windows and Internet Explorer have been targets for a very long time. This doesn’t necessarily mean more obscure systems are safer, but it’s safe to say that an Internet Explorer exploit probably won’t work on Firefox and a Windows 7 exploit probably won’t work on Ubuntu 18.

At the very least, if you are going to use Windows, make sure you are using the latest version, that you regularly apply security updates, and that you have an antivirus. Don’t use Internet Explorer.

Run your sensitive applications in a separate environment

“Environment” is a general term here. It could be a computer, an operating system, or a browser, and there are possibly more ways to think about it (e.g. the network). I’ll discuss the options from most convenient to least convenient.

One option is to use a separate browser for your sensitive applications. There are attacks such as cross-site scripting which only work when you are logged in on the same browser. So if you are using Chrome and someone tries to exploit cross-site scripting, you will be unaffected if you only log into Binance on Opera.

A virtual machine is also an option but in my opinion too heavy handed for most people. A virtual machine is basically a program for another operating system. So if you’re running Ubuntu 18, you could run MacOS in a virtual machine or even Ubuntu 18. Consider this if you want to run a program which could possibly be malicious. Virtual machines can easily be reset to a prior state or destroyed, and these programs typically make it much harder for malware to affect your host operating system. Specifically, I always run node software in a virtual environment.

Sometimes VMs are too slow for comfort. Personally, I think you should first try tweaking your VM settings for better performance, but to be realistic most people will not know how or may still be dissatisfied. If you really want to do something which could result in catching malware, the way to get the best performance is to buy another computer for high-malware-risk activity. I imagine most things you do are not high-malware-risk, so you could just buy a cheap second computer just for this purpose.

Bookmark the URLs of your exchanges and never type them into your browser window

This is a countermeasure for phishing sites. Phishing sites are malicious sites dìsguised as the real one with the intention of extracting your credentials. The site content can be mirrored perfectly, but it will be a website they controI. There are many ways to construct homographic urls. These can be hard to spot. Did you notice the two examples in this paragraph?

With that in mind, it’s best to visit websites by selecting them from a bookmark. The issue with navigating by hyperlinks is that the actual text may be different than the link location (e.g. www.fb.com). The issue with googling it and picking the first link is that advertisements can be displayed in a way that makes it look like they’re part of the search results, not some content someone else paid to show whoever typed in “binance” into google.
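The bookmark rule can also be expressed as a check: a link is trusted only if its host exactly matches a bookmarked host, and anything that merely looks like one is flagged. This is an added example, not code from the original post; the bookmark set, the small fold table and the sample URLs are constructed for illustration and are far from a complete confusables list.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed allowlist standing in for the reader's own bookmarks.
BOOKMARKED_HOSTS = {"www.binance.com", "twitter.com"}

# Illustrative folds for characters that are easy to mistake for each other.
FOLDS = str.maketrans({"i": "l", "1": "l", "0": "o"})


def skeleton(host: str) -> str:
    """Reduce a hostname to a rough visual skeleton for comparison."""
    decomposed = unicodedata.normalize("NFKD", host)
    # Drop accents and other combining marks (e.g. the grave on "ì").
    no_marks = "".join(c for c in decomposed if not unicodedata.combining(c))
    return no_marks.lower().translate(FOLDS)


BOOKMARK_SKELETONS = {skeleton(h) for h in BOOKMARKED_HOSTS}


def classify(url: str) -> str:
    """Return 'bookmarked', 'lookalike' or 'unlisted' for the URL's host."""
    host = urlsplit(url).hostname or ""
    if host in BOOKMARKED_HOSTS:
        return "bookmarked"
    if skeleton(host) in BOOKMARK_SKELETONS:
        # Same visual shape as a bookmarked host but not the same name.
        return "lookalike"
    return "unlisted"


if __name__ == "__main__":
    samples = [                                  # constructed sample URLs
        "https://www.binance.com/en/login",
        "https://www.b\u00ecnance.com/en/login",   # "ì" in place of "i"
        "https://tw1tter.com/",
        "https://example.org/",
    ]
    for url in samples:
        print(f"{classify(url):10} {url}")
```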

Protecting against data loss

Username-password credentials

As I mentioned, you should be using a password manager. If using a reputable online password manager, your credentials are technically stored encrypted on one of their servers. You can be reasonably confident that they take strong measures to ensure against data loss.

If you use an offline password manager, just keep some extra copies in a few places. For example, one could be uploaded to Dropbox and another kept on a USB drive somewhere.

2FA seed backups

If you’ve ever used 2FA, the seed is what allows you to configure it in the first place. The site will typically discard this information once you’ve set 2FA up, so if you’ve forgotten to get the seed, you will need to set up your 2FA with a new seed (and save it this time).

Save the 2FA secrets or one-time codes offline (e.g. on paper) or encrypted within a password manager. That is, when you open your password manager, any 2FA secrets or codes should not be in plaintext. Decrypting that data should not involve information that is in your password manager or part of the master password. If the 2FA data is not encrypted, then a compromise of the password manager means that 2FA accounts are compromised. Personally, I keep my 2FA secrets on my online password manager but encrypted with my PGP key. That PGP key is protected with a strong Diceware password.

It is also possible to get a disposable cell phone, install Google Authenticator, and set up the codes for each account. The most likely way to lose your 2FA codes is by losing or breaking your phone. In that case you will need a new phone anyway, at least until you get your old phone back.

Account recovery

Do not allow recovery by text or call, ever

As I mentioned earlier, your carrier can be manipulated into routing your number to a hacker’s device. Do not allow phone-based account recovery for emails trusted by your sensitive accounts. Looking at you, Gmail. I think it’s good practice to avoid SMS recovery for anything if you are serious about security. It is better to have no recovery option than one which can be easily exploited.

Have a dedicated security email for sensitive password resets

An email with elevated privileges should be isolated from separate functions like personal correspondence. It is preferable if the security email has a randomly generated username not publicly associated with your identity. The security email should not have any way to reset passwords. The authentication details can be stored in a password manager but they need to be encrypted rather than in plaintext. That way a compromise of the password manager does not compromise your most sensitive accounts and they can still be recovered by you with the security email.

Answer your security questions with random data

The default set of security questions often ask things that are discoverable by third-parties, like mother’s maiden name, city you were born in, etc.

This data is discoverable by the right person. If you want to be more secure, consider putting in some other data as that answer (and store it in your password manager).

If the answers to your security questions are random data then it can only be broken by brute force. The questions and answers can be stored in a password manager. That random data can be a randomly generated number between 0 and 10,000.
