Sunday, February 8, 2015

An Online Security Methodology

I read this article today, and was inspired to share the following description of my online security methods.

I am surprised that the article did not mention the indispensable tool for online security: a password manager.  There are many of these, and they make creating and remembering strong passwords a breeze.

Here is one that is free and used by many people:

http://keepass.info/

But there are many others. Most importantly, the database file the password manager creates is encrypted under a master password, so the stored passwords stay protected even if the file is lost or copied, provided that master password is long, unique, and not written down anywhere the file could be found.

Using the password manager as the basis, here is my online account management methodology.

1. User name: if required, I use an email address as the user name, but if allowed, I use a random string, which I generate with a random string generator. I never use my name, or anything else associated with me. Why make it easy for an attacker?

2. Password: I use as long a password as the site will allow, but never fewer than 32 characters. My password manager generates this for me. I use as many different types of character (lower and upper case, numbers, punctuation, symbols) as the site will allow.

3. Security questions: Doug is correct when he says one should not use real answers for these, because real answers can often be recovered from social media. On the other hand, it is good to use human-readable, speakable answers in case one must speak with an agent over the phone. I use a random phrase generator to get the answers. I then record the questions and answers in the Notes field of the appropriate entry in the password manager.

4. Banking Passwords: these warrant special handling. I use a separate password manager database, with the password to the banking database stored in my primary database.  This database is in turn stored on an encrypted USB stick. I NEVER leave my banking password database on my computer or anywhere online or in cloud storage.

5. I use this program for USB stick encryption. I encrypt USB sticks if they hold any sensitive data, recording the passwords in my primary password database. Even if a stick is lost, the data on it stays protected.
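The generation steps above (random user names, passwords as long and as varied as the site permits, and speakable security-question answers) can be done with a cryptographically secure random source instead of a web page. The following is an added example written for this post, not code from the original article or from KeePass; the word list, the site limits and the entry layout are constructed for illustration. It goes a little beyond the text in that it honours a site's allowed character set and guarantees at least one character from each permitted class, so the result passes the usual "must contain a digit and a symbol" checks.

```python
import math
import secrets
import string

# Constructed word list for speakable security-question answers. A real
# deployment would use a large published list (e.g. a diceware list);
# 32 words give 5 bits per word, so a 4-word phrase has only 20 bits,
# which is acceptable because the question is a phone fallback, not a login.
WORDS = [
    "apple", "river", "copper", "window", "tiger", "velvet", "harbor", "maple",
    "candle", "orbit", "pepper", "silver", "meadow", "falcon", "lantern", "quartz",
    "thunder", "pillow", "cactus", "marble", "summit", "walnut", "garnet", "breeze",
    "anchor", "saddle", "ember", "glacier", "puzzle", "timber", "violet", "zephyr",
]

CHARACTER_CLASSES = [
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
]


def random_username(length=16, alphabet=string.ascii_lowercase + string.digits):
    """Step 1: a random user name with nothing tied to the owner."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_password(max_length=64, min_length=32, allowed=None):
    """Step 2: a password as long as the site allows (never below min_length),
    drawn from every character class the site permits, with at least one
    character from each permitted class.

    allowed: string of characters the site accepts, or None for all classes.
    """
    if max_length < min_length:
        raise ValueError("site maximum %d is below the %d-character floor"
                         % (max_length, min_length))
    classes = CHARACTER_CLASSES
    if allowed is not None:
        # Keep only the characters the site accepts, dropping empty classes.
        classes = ["".join(ch for ch in cls if ch in allowed) for cls in classes]
        classes = [cls for cls in classes if cls]
    if not classes:
        raise ValueError("allowed set contains no usable characters")
    if max_length < len(classes):
        raise ValueError("cannot cover %d classes in %d characters"
                         % (len(classes), max_length))
    alphabet = "".join(classes)
    # Rejection sampling keeps every accepted password uniformly distributed
    # over the set of passwords that contain each class at least once.
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(max_length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def random_phrase(n_words=4):
    """Step 3: a speakable answer that is not a real fact about the owner."""
    return " ".join(secrets.choice(WORDS) for _ in range(n_words))


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniform random string of this length and alphabet."""
    return length * math.log2(alphabet_size)


def make_entry(site, questions, max_length=64, allowed=None):
    """Assemble what goes into one password-manager entry (constructed layout):
    user name, password, and the question/answer pairs for the Notes field."""
    notes = [(q, random_phrase()) for q in questions]
    return {
        "site": site,
        "username": random_username(),
        "password": random_password(max_length=max_length, allowed=allowed),
        "notes": notes,
    }


if __name__ == "__main__":
    entry = make_entry("example.test", ["First pet?", "Street you grew up on?"])
    print(entry["username"], entry["password"])
    for question, answer in entry["notes"]:
        print("  %s -> %s" % (question, answer))
```

The `allowed` parameter is where a site's restrictions go: a bank that accepts only letters and digits gets `allowed=string.ascii_letters + string.digits`, and the generator still produces the longest password that site permits. Passing a site maximum below 32 raises rather than silently producing a short password, which is the moment to decide whether the account is worth having.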

Online security is achievable, but it requires some work. Luckily, a password manager does a great deal of the heavy lifting.
