Secure authentication for sensitive online credentials

Noah Ruderman
Dec 7, 2017 · 13 min read

Most credentials won’t cost you thousands of dollars if compromised. This post is for the credentials that are that sensitive. Use cases are securing valuable Twitter handles and holding cryptocurrencies in online exchanges.

Preferably you’d hold anything of real value offline, such as a hardware wallet or paper wallet. In many cases, there is a cost-benefit analysis to be made of security over convenience. This article is for the widest audience: People who lack the confidence/interest/ability to live completely offline, and want a good balance of security and convenience.

This post describes how to set this system up in a way that provides a measurable level of security; minimizes single points of failure; provides strong security guarantees while also staying reasonably convenient; and includes countermeasures to known exploits.

How to think about information security

Provable security

Minimizing single points of failure

Minimizing attack surface

Mitigating known exploits

The first set of credentials: a username-password combination

Never reuse passwords

Websites get hacked all the time. Sometimes they don’t encrypt the user credentials properly, other times hackers crack the passwords. In most cases it’s hard to avoid re-using usernames (e.g. for email notifications), but reusing passwords means any single breach will breach most or all of your accounts.

Use a password manager

There are two variants of password managers: online and offline. If you use an online password manager like Lastpass, you depend on them to use appropriate security practices. While there are more risks with online password managers, they are significantly more convenient if you need to authenticate from multiple devices or switch computers (which you will over time). Despite this, online password managers can be incredibly secure if done right. In fact, Facebook uses Lastpass, rather than an offline password manager.

For people with special security needs (probably not you), offline password managers like Keepass are a safer choice. You must take special care to make sure you have copies of this and to regularly update them. Offline password managers are more secure at the expense of convenience, but you are still ultimately trusting the code which implements this. For this reason, you should try to use open source, well-known password managers.

A protocol for a human memorable, but strong password

It is important that you create a password with a provable amount of security. The security of passwords is measured in entropy, bound on how much work would have to go into brute forcing the password. As I mentioned earlier, humans are extremely bad at generating random data. (They are also extremely bad at remembering random data.)

A famous technique used to encode random data into a provably secure and human memorable password. The idea is use random numbers to pick words from a list. The words picked are concatenated to form a phrase, which is used as the password. The random numbers are generated with physical dice and not software. The list of words is provided to you and each word is labeled with its position in the list.

This technique makes it extremely to measure the strength of a password. If the dictionary has D words and you choose N words to make your password, the entropy of your password has a lower bound of D^N. Every new word you use increases the entropy of your password by a factor of D. Your goal is to choose N such that D^N is greater an amount of entropy that is largely considered to be safe from brute force attacks in 2017. Your password entropy is compared to that of a sequence of bits (0’s and 1's). That is, if your password has 5 bits of entropy, it is equivalent to the strength of a password 5 bits long where each bit is a 1 or a 0 (e.g. 01001). The Diceware site describes how long you should make your password based on your threat model but it is safe to say that most people will want between 70 to 100 bits of entropy: https://world.std.com/~reinhold/dicewarefaq.html#howlong. For Diceware’s list that is 5 to 8 words.

With this technique it is easy to make provably strong passwords that are also easy for humans to remember. It turns out that humans are very good at remembering information encoded as a sequence of words. For example, the randomly generated alphanumeric password B9SsaWeem5RQT has equivalent security to the Diceware passphrase tuba marine rube rpm malay ton. There’s a famous web comic that describes this technique: https://xkcd.com/936/.

How to make strong passwords with your password manager

  • Authentication is often implemented incorrectly, especially with financial institutions. If you use special characters, you can run into weird issues where the password is accepted but it is impossible to authenticate. This is honestly just a headache to deal with and eliminating them prevents you from needing to deal with these problems. It is not for security.
  • 22 alphanumeric characters chosen randomly gives you 6²²² different unique passwords that might be chosen. (Each character can be a lower case letter, upper case letter, or single digit number for 62 possibilities.) This gives you about 128 bits of security, which is the same as that of AES, widely used and considered extremely secure against even government adversaries.
  • Passwords without special characters are easier to analyze in their entropy and work with. People are very familiar with the ISO basic latin alphabet (a, b, …) and western arabic numerals (0, 1, …). There is no standard set of special characters I know of, they vary according to culture, and some of the unicode special characters look extremely similar causing confusion. The U+FF65 and U+10101 look identical. Compare ・ and 𐄁 symbols. You may have to manually type in your password at some point and it will be hard to tell exactly what these characters are.

The second set of credentials: Doing 2FA correctly

Yes, you should use 2FA, too

Avoid 2FA based on your phone number

How to use 2FA for online services

  • Use an app like Google Authenticator on your cell phone for TOTP 2FA. In my opinion this is a great balance between convenience and security. One risk is that your cell phone needs to store the secret used by the TOTP software. It is possible that the secret key can be stolen by malware. Another risk is that if you forget to make a copy of the secret key used to generate the 2FA codes, losing your phone means locking yourself out of your account. If the service provides a means of disabling your 2FA via email and you opt-in, that significantly reduces the security of the account. This TOTP 2FA solution is appropriate for most people and provides a significant increase in security.
  • Use a dedicated hardware token that implements TOTP. The differences here are that these devices are significantly less complex and so easier to secure from threats like malware; and that they are not connected to the internet meaning they can only be compromised through physical access. These TOTP tokens can be shaped like credit cards and put into your wallet or key fobs you carry around with you. This solution is appropriate for people who do not want to expose themselves to the risk of software TOTP (i.e. phone getting hacked in some way) but for some reason cannot use U2F. (If you have high security needs you should probably find a way to make U2F work.) One annoyance is that TOTP requires keeping accurate time. Every time you authenticate the TOTP device will re-sync time with the server. But if you don’t authenticate for a while, the device will not work and you will have to re-sync manually to get it working again. That part is just an inconvenience and does not relate to security.

Hardening tips

Remove unneeded API access or change access to read only

If you have an API enabled which allows you to execute trades or withdraw balances from an exchange, it can be exploited to trade your Bitcoin for some of the hacker’s obscure cryptocurrency at an extraordinary rate or they can simply withdraw your Bitcoin to an address they control.

Consider a VPN

Most sites are https these days, but you can’t guarantee this for every site. And your home router is typically encrypted (e.g. WPA2 security), so at home you might not expect eavesdroppers. However, if you are using public wifi, communication with the router is not encrypted and anyone can see what you are doing. In that case, you should strongly consider using a paid VPN.

Don’t use Windows or Internet Explorer

Malware writers typically target the most popular systems. Obviously, that means Windows and Internet Explorer has been a target for a very long time. This doesn’t necessarily mean more obscure systems are safer, but it’s safe to say that an Internet Explorer exploit probably won’t work on Firefox and a Windows 7 exploit probably won’t work on Ubuntu 18.

At the very least, if you are going to use Windows, make sure you are using the latest version, that you regularly apply security updates, and that (in the case of Windows) you have an Antivirus. Don’t use internet explorer.

Run your sensitive applications in a separate environment

One option is to use a separate browser for your sensitive applications. There are attacks such as cross-site scripting which only work when you are logged in on the same browser. So if you are using Chrome and someone tries to exploit cross-site scripting, you will be unaffected if you only log into Binance on Opera.

A virtual machine is also an option but in my opinion too heavy handed for most people. A virtual machine is basically a program for another operating system. So if you’re running Ubuntu 18, you could run MacOS in a virtual machine or even Ubuntu 18. Consider this if you want to run a program which could possibly be malicious. Virtual machines can easily be reset to a prior state or destroyed, and these programs typically make it much harder for malware to affect your host operating system. Specifically, I always run node software in a virtual environment.

Sometimes VMs are too slow for comfort. Personally, I think you should first try tweaking your VM settings for better performance, but to be realistic most people will not know how or may still be dissatisfied. If you really want to do something which could result in catching malware, the way to get the best performance is to buy another computer for high-malware-risk activity. I imagine most things you do are not high-malware-risk, so you could just buy a cheap second computer just for this purpose.

Bookmark the urls of your exchanges and never type it into your browser window

With that in mind, it’s best to visit websites by selecting them from a bookmark. The issue with navigating by hyperlinks is that the actual text may be different than the link location (e.g. www.fb.com). The issue with googling it and picking the first link is that advertisements can be displayed in a way that makes it look like they’re part of the search results, not some content someone else paid to show whoever typed in “binance” into google.

Protecting against data loss

Username-password credentials

If you use an offline password manager, just keep some extra copies in a few places. Like one could be uploaded to Dropbox, another on a usb somewhere.

2FA seed backups

Save the 2FA secrets or one-time codes offline (e.g. on paper) or encrypted within a password manager. That is, when you open your password manager, any 2FA secrets or codes should not be in plaintext. Decrypting that data should not involve information that is in your password manager or part of the master password. If the 2FA data is not encrypted, then a compromise of the password manager means that 2FA accounts are compromised. Personally, I keep my 2FA secrets on my online password manager but encrypted with my PGP key. That PGP key is protected with a strong Diceware password.

It is also possible to get a disposable cell phone, install Google Auth, and set up the codes for each account. The most likely way you are to lose your 2FA codes is by losing your phone or breaking it. In that case you will need a new phone anyway, at least until you get your old phone back.

Account recovery

Do not allow recovery by text or call, ever

Have a dedicated security email for sensitive password resets

Answer your security questions with random data

This data is discoverable for the right person. If you want to be more secure, consider putting in some other data as that answer (and store it in your password manager).

If the answers to your security questions are random data then it can only be broken by brute force. The questions and answers can be stored in a password manager. That random data can be a randomly generated number between 0 and 10,000.