Use the password and security features of your device and software;
many people don't even bother to set a password!
It's especially important on smartphones, because a lot of smartphone apps
don't even have a "log out" feature. They assume that if you have the phone
and were able to log in once, a while ago,
you must be the account owner, no account password needed.
Don't use the same password on multiple sites. If one site is breached, all the others become vulnerable.
Do NOT use Facebook login or Google login as your login to lots of other web sites. Not only does it let everything get shared,
but if Facebook or Google ever deactivates your account for some reason, you've lost access to those other sites too.
Similarly, don't use a Microsoft login to your Windows PC, use a local login.
Really, you should have only 2 or 3 passwords you remember; the rest should
be in a password manager. And in general, length is more important than complexity
(but having both is even better).
Avoids writing down passwords on Post-Its and in other insecure places.
Makes it easy to use a different password for every web site.
Makes it easy to use long random passwords.
Makes it easy to use two-factor authentication such as software-TOTP.
Can report duplicate passwords.
Makes it easy to look at the list of accounts and delete ones you don't want any more.
Some will check for your info appearing in data breach lists.
Great place to store other important info such as photo of passport ID page,
info for reporting lost credit card, etc.
Some passwords they can't apply automatically: your PC's BIOS and Windows login info,
encrypted boot drive's password, physical-world passwords such as ATM and credit-card PINs.
You can store those passwords in the password manager, but not drag them out to apply them.
A quirk: every now and then, I find I have to type a password manually. Maybe I'm reading it out of the password manager
in my laptop, and typing it into someone's phone. In that case, having a password that mixes lots of letters and
numbers and special characters is a real pain. And having similar-looking characters such as "1" and "l" and "0" and "O"
is a pain. So I try to avoid generating passwords with that last problem.
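As an added example (not from this page's author), the following Python code puts numbers on two of the points above: that length matters more than character-set complexity, and that a generated password can avoid look-alike characters such as "1"/"l" and "0"/"O" without giving up much strength. It also shows, using PBKDF2-HMAC-SHA256 as a stand-in for whatever key-derivation function a password manager uses, why "increase the decryption time" raises an attacker's cost: every guess against a stolen database has to pay the same iteration count. The ambiguous-character set and the guesses-per-second figures are assumptions chosen for illustration.

```python
import hashlib
import math
import secrets
import string
import time

# Characters that are easy to confuse when reading a password aloud or
# retyping it by hand (assumption: this particular set is our choice).
AMBIGUOUS = set("0O1lI|")

FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20, avoid_ambiguous: bool = True) -> tuple[str, int]:
    """Return (password, alphabet_size) using the OS CSPRNG via `secrets`."""
    alphabet = FULL_ALPHABET
    if avoid_ambiguous:
        alphabet = "".join(ch for ch in alphabet if ch not in AMBIGUOUS)
    return "".join(secrets.choice(alphabet) for _ in range(length)), len(alphabet)


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch a master password into a 32-byte key; cost grows with `iterations`."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def calibrate_iterations(target_seconds: float, probe: int = 20_000) -> int:
    """Pick an iteration count so one unlock takes about `target_seconds` on this machine."""
    salt = secrets.token_bytes(16)
    start = time.perf_counter()
    derive_key("calibration-only", salt, probe)
    elapsed = time.perf_counter() - start
    return max(probe, int(probe * target_seconds / max(elapsed, 1e-9)))


def years_to_exhaust(bits: float, raw_hashes_per_second: float, iterations: int) -> float:
    """Worst-case time to try every password when each guess costs `iterations` hashes.

    Assumption: the attacker's throughput is simply raw hash rate / iterations."""
    guesses_per_second = raw_hashes_per_second / iterations
    return (2 ** bits) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Length beats complexity: 12 lowercase letters already outscore 8 chars from the full set.
    print("8 chars, 94-symbol set :", round(entropy_bits(8, 94), 1), "bits")
    print("12 lowercase letters   :", round(entropy_bits(12, 26), 1), "bits")

    pw, n = generate_password(20)
    print("generated:", pw, "| alphabet size", n, "| bits", round(entropy_bits(20, n), 1))

    # Raising the KDF cost from 1 to 100,000 iterations scales brute-force time by 100,000x.
    attacker_rate = 1e9  # assumption: 1e9 raw SHA-256 HMACs per second on cracking hardware
    for iters in (1, 100_000):
        print(f"{iters:>7} iterations:",
              f"{years_to_exhaust(entropy_bits(20, n), attacker_rate, iters):.3g} years")

    print("iterations for ~0.5 s unlock on this machine:", calibrate_iterations(0.5))
```

Run it and compare the two "years" lines: same password, same attacker, and the only thing that changed is the iteration count the database owner chose.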
Arguments against password managers:
Single point of risk for ALL your information. If the database is stolen and cracked, you're in big trouble.
Single point of failure for ALL your information. If you lose the database or forget the
master password, you're in big trouble.
One major risk: if you store your bank login info in a password manager, and it gets hacked, and the
thief empties your bank account, neither the password manager company nor your bank will compensate you.
Both will deny any liability, according to their terms of service. Your money will be gone.
Online: your passwords are stored online, which is bad (you have to trust that place;
what if they go bankrupt?) and good (accessible from any device; backed up).
Usually there will be a synchronized local copy of your password database, too.
Local application: your passwords are stored only on your device. You have to do backups.
Feature of a security suite: same as local application.
Browser feature: first implementations of this had some holes/bugs, no way to
sync across different brands of browsers, maybe no way to sync across multiple devices.
Devices supported (PC, smartphone, tablet, etc).
Browsers supported (almost all managers use a related add-on in your browser).
Syncing devices to each other.
Handles credit card info.
Handles application passwords.
Supports two-factor authentication to web sites.
Supports fingerprint (biometric) or 2FA to open the password manager itself.
Miscellaneous: form-filling, import from other managers, automatic login capture,
profile info, notes, credit report monitoring, data breach monitoring, etc.
I don't want a manager with a browser add-on that watches every web page I load;
that increases the attack surface of both apps.
And an offline manager is more secure.
So I chose KeePassXC 2.x, and use just the application;
there are no browser add-ons for it.
I auto-type username and password from KeePass application into login web page.
In database security encryption settings, change file format to latest version, and
increase the decryption time for more protection.
In my cloud backup application, I disabled backup of the KeePass database file;
I want to back it up to my own devices (external hard drive, etc) only.
On Android phone, I installed Keepass2Android Offline. Connect cable and copy KeePass database file to
phone to get the file into Android / Data, then have Keepass2Android Offline access it from there.
Some strange things on Android: there is no "log out" in the Yahoo Mail app; you have to "remove" your email account,
and then when you add it back later, you're asked for your phone's PIN, not your Yahoo Mail password.
Similar for GMail app, but even worse: removing your GMail account could affect many other services on the phone.
ProtonMail app also has no logout; after password is given at installation time it never asks for password again.
Reddit app has a "log out" button, but then when you log back in, it doesn't ask for a password, you're just back in!
The Tripadvisor, AirBNB, and FaceSlim apps do have a proper sign-in/sign-out behavior.
The WhatsApp app has no sign-out at all. I guess you could use the browser and web sites instead of installing
these apps, but then you lose a lot of functionality and nice UI.
Reasons to use a password manager on a smartphone, despite the app issues I listed:
From /u/VividVerism on reddit:
Logging into web pages. Signing into apps for the first time. Signing into apps after deleting data
and/or reinstalling and/or factory reset. Banking apps and similar high-security apps that do
require a password either to log in or confirm a purchase/transfer/etc. Storing Wi-Fi passwords.
Having your passwords handy for manually logging into sites on computers you don't own,
or while traveling. Storing things other than passwords, such as credit card information,
social security numbers, or library card information. Installing plugins to let you transfer
passwords via QR code or to plug your phone into a computer via USB to type your passwords for you.
Using the TOTP features to generate 2FA codes instead of a dedicated app. Storing passwords
for any new accounts you set up on your phone. Keeping a database backup with you.
I'm probably missing a few use cases. In short, yes: there are plenty of reasons a
password manager can be useful on a phone.
Don't let Windows store passwords and apply them automatically.
If someone cracked your Windows password, they would get automatic access to those things.
I set my backup application to not "remember" me, so I have to log in to it manually
every time I run it. If you have an encrypted external hard disk, don't let Windows
hold the password and apply it automatically (auto-unlock); you should type it in manually each
time you plug in the disk drive.
Don't let your browser store passwords and apply them automatically.
The quality of their security is unclear, and that method works only inside that browser.
Not sure how backup and restore would work.
Much better to use a dedicated password manager application.
Passwords, from article by Jacob Bernstein in The New York Times, June 24, 2012:
... it is less clear to cybersecurity experts that having a password with extra numbers
or special characters actually makes customers safer.
"People's choice of passwords is not the real problem today", said Dr. Joseph Bonneau,
a University of Cambridge researcher who studies cyber security. "The real problem
is typing in passwords to the wrong Web site, which is stealing them."
So why are Web sites suddenly requiring users to add special characters or numbers?
"It's security theater", Dr. Bonneau said. "So people feel safe.
It makes the Web sites seem like they're taking things more seriously, when in fact most of them
have no control if you have malware. In absence of a way to tackle bigger problems, it's easy to add restrictions.
They don't want to seem less secure than competitors."
Some sites offer two-factor authentication, where you can't log in
unless you possess both knowledge (password) and
your registered device (phone or dongle or token). When logging in to the site,
you have to type in your usual password, plus some one-time passcode
you get through the device.
Forms of 2FA, from best to worst:
Hardware device that connects to computer via USB or NFC or something, and talks
crypto to the server (e.g. U2F).
Hardware device that gives you a time-limited number (TOTP) to type in.
Software app that gives you a time-limited number (TOTP) to type in.
Site uses custom app on your phone to send you a time-limited number (TOTP) to type in.
Site uses SMS or voice call to your phone to send you a time-limited number (TOTP) to type in.
Site uses email to send you a time-limited number (TOTP) to type in.
No 2FA: just username and password to type in.
No 2FA: just username and password to type in, and username is your email address.
If you have to use a phone-based method, I would choose one that doesn't depend on the cellular network,
which can fail or be unavailable. Also, I'd rather not give my phone number
to all of these web sites. Instead of SMS, use a TOTP app such as Google Authenticator, if supported.
Save the secret seed (the long string you type in at the beginning) and any recovery codes,
so if you lose the phone, you can install them on another phone.
All of the TOTP apps are compatible: Google Authenticator, andOTP, Authy, Authenticator Plus, more.
I switched from Google Authenticator to andOTP because andOTP is open-source and not-Google,
and Google Authenticator is specific to the phone (number) it is installed on.
Also andOTP has a password protecting the app. Still I don't put sitenames and usernames and passwords into the app,
so if someone gets the database they don't have enough info to find the accounts.
Some systems call themselves two-factor but really are just two-step; they don't require that you have a device such as a phone.
They just send a code to your email or ask you more questions or something.
With two-factor, check ahead of time to see what happens if you lose your device (or it dies, or the battery runs out),
or have to change your phone number,
or have to reinstall the security application (which
may change the security ID), or want to log in through some other computer (if using the no-phone option),
or the security app vendor (such as Google) disables your account.
In some cases you'd have to contact each site/company and answer security questions to get them to
set a new password and security ID on your account. This could be a real pain if you change phone number or upgrade to a new phone or
laptop; you'd have to contact all of the sites/companies you use. Some systems have a way to print out verification
codes to use if your device fails; don't skip this step when turning on two-factor security.
(Found these instructions for VeriSign VIP Access: "You need to save the VIP.tok from \Application Data\VIPAccess.
You also need to save the registry keys
HKLM\Comm\Security\Crypto\UserKeys\Microsoft Enhanced Cryptographic Provider v1.0\VipAccessKeyContainer")
None of the phone-number-specific solutions seem to work for cases where multiple people would be sharing the same account,
or where you switch around a lot and carry only one of your multiple devices (phone, tablet, laptop) at a time.
If you use a computer (non-phone) app, how would that work with multiple computers (home desktop, work desktop, laptop)?
Note that any two-factor that requires the user to type in a code still is vulnerable to phishing or scamming.
A keylogger could record the code as it is typed in, or the user could be typing it in to a bogus web page,
or the user may be fooled into reciting the code to a "tech support" scammer on the phone.
Time-based two-factor is less vulnerable, since the thief would have to use the code within 60 seconds or so.
Tokens or software that connect directly (USB, NFC, etc) to the computer/phone probably are less vulnerable than typed codes.
Note that software TOTP two-factor still is vulnerable to a breach at the server.
If the company loses its database of passwords and two-factor secret starting codes,
the hacker can get into your account. But software two-factor TOTP does defend against
you reusing passwords across multiple sites, and against a keylogger listening to your typing (the
hacker would have to use the code within 60 seconds or so), and against brute-forcing.
[I'm a Windows 10 Home user, a normal home PC user.]
How do I recover from a lost YubiKey?
Easiest way is to have a second YubiKey. But it has to be registered to all the same accounts
and logins as the first key. No way to just clone a YubiKey, or declare two YubiKeys to always have equal credentials.
If you don't have a second YubiKey, you'll have to exercise whatever "account recovery" options there
are for all of your accounts, one at a time. There are no "emergency codes" or "recovery codes"
you can save and use to generate a new YubiKey
that is equal to the lost one, or bypass the requirement to have your YubiKey.
But many accounts will use your email and/or phone as primary means of recovery,
and if those are locked by the lost YubiKey, you're stuck.
Can a YubiKey be required for my PC's system/BIOS login?
Answer seems to be no, unless you install some custom boot-loader.
A YubiKey can be required for my Windows 10 user login, in addition to the password.
But this wouldn't really protect my information on disk, if that disk is unencrypted. A thief
could just take out the disk and attach it to another PC to get access to the data.
Would the YubiKey protect upon login when waking up from sleep or hibernation, or only upon initial user login?
Can a YubiKey be required for my Android phone's system login?
I have a Samsung Galaxy S4 I9505 (does have NFC) running LineageOS 14.
Can a YubiKey be required to mount a hardware-encrypted WD Passport Ultra external hard disk onto my computer?
Answer seems to be no.
Can a YubiKey be required to mount a software-encrypted container (using VeraCrypt or BitLocker, for example) onto my computer?
Answer seems to be no (except in a few Linux configurations).
Apparently there are two ways to use YubiKey with Windows login:
If you use YubiKey for Windows Hello app, the YubiKey enables login
without entering the Windows user password:
Does not operate with system/BIOS login, only Windows user login.
Works with a local Windows account or a cloud account.
Uses CCID mode on the YubiKey.
If you use YubiKey with Yubico's Windows Logon app, the user must have both the password
and the YubiKey to login:
Does not operate with system/BIOS login, only Windows user login?
Works with a local Windows account only.
Uses challenge-response using HMAC-SHA1 mode on the YubiKey.
Important places to use two-factor authentication:
Downsides of two-factor authentication:
If you lose your authentication device, or it dies, or it runs out of battery charge,
you can't access email etc. from your computer either,
unless and until you have some emergency method, and it's close to hand.
If you take your laptop somewhere, you have to take your phone with you too.
Some carriers charge for SMS messages.
Login is slower.
There may be a charge for the authentication device or service.
If the authentication device plugs into a USB port, some places (internet cafe, library, etc) may not allow that.
My experience with Symantec VIP hardware token starting 2/2018:
Got it for free from my main bank. Push a button, it generates a 6-digit number, which changes every 30 seconds or whatever.
This is called a Time-based One Time Password (TOTP).
For my bank, activated it online by logging in, going to a Security page, and then giving serial number of token and current 6-digit number.
Then when logging in, just add the current 6-digit number to the end of the password.
If I lose the security token, I can call the bank and answer lots of questions, and they'll deactivate it for login.
The Symantec web site says one of the sites that uses "Symantec VIP" is PayPal, but the PayPal site seems
to say only SMS is supported, not the hardware token. Same thing with EBay USA, Symantec claims support but
then token is not supported by the site.
Fidelity funds does support this token, but the Fidelity retirement unit where I have an account does not support it.
My credit union does not support two-factor of any kind.
None of my three email providers support this device; 2 of 3 support no hardware devices at all. Facebook and reddit don't
support this kind of device. Transferwise doesn't support hardware devices. IDrive doesn't really do two-factor.
Veracrypt doesn't do two-factor.
Maybe login to the KeePass password manager can be set to use TOTP, via the "OtpKeyProv" extension?
But I don't want to do this. If I lost the security token, I'd have no way to recover, other
than having previously saved a copy of the database that did not require the security token.
The "This credential expires on this date" feature is worth noting.
Couldn't get it to install properly,
using "sudo pip install .".
Then did "sudo apt install docker.io" and that seemed to work.
Did "docker run --rm kayvan/vipaccess provision -p -t VSST", and got "Command 'docker' not found".
Dev said do "pip install setuptools". Got further, to some error about "oauth bdist_wheels".
Did "pip install wheel".
From home directory, did ".local/bin/vipaccess provision -p -t VSMT". Worked!
Put info (including expiration date) into my KeePass password manager, went to PayPal and activated
TOTP using Symantec VIP 30-second, logged out of PayPal and back in using TOTP, worked!