The best way to secure your online crypto accounts is not to remember all of your passwords, but rather to memorize just 5 account passwords and be able to reset the passwords of all your other accounts from them.
Which account passwords should you be able to memorize?
- Your primary email account password.
- Your first password manager password.
- Your offline password manager password, or the password of your password-protected zip/rar backup archive.
- Your personal computer operating system login password.
- Optionally, some of your personal wallet passwords/passphrases (you may want these as a third, paranoid backup for store-of-value funds, i.e. Bitcoin).
Contrary to the popular (and probably unintended) belief spread online, you do not need to choose the one best online password manager. You have to choose one, plus an offline or online backup. I will share my choices, but feel free to pick your preferred service. Most importantly, understand the significance of having a backup plan and redundancy in case one of them is no longer accessible or functional.
Primary Email recommended security specifications:
- Your email password should be no shorter than 12 characters (recommended: 24), and it should include at least one capital letter, numbers (123) and symbols (#$!_).
- You have to enable 2-factor authentication on your email account. This is no longer a luxury: you will get hacked if you decide to ignore it. You can use the original Google Authenticator, but I highly recommend Authy, because it lets you recover all of your authenticator accounts if you lose your phone, which would otherwise be very time consuming if you have lots of exchange/cloud accounts. https://authy.com/
- Contrary to popular opinion, you can still create very strong passwords without using meaningless combinations of characters like aX93%*!rALk#. The reason such passwords are usually recommended is to resist dictionary attacks: if your password is PeaceHarmony123, a dictionary attack may crack it faster by guessing only known words rather than all character combinations of the same length. However, I think a strong password you can memorize is better than a strong password you keep forgetting, which therefore becomes useless.
Suggestions for long and memorable passwords:
Password length matters more than character-combination complexity, so your password is better off being a phrase or a sentence. In theory, though, using a well-known quote may undermine the quality of your passphrase and make it more predictable.
Well-known quote passphrase example:
Thekingdomofheavenisinsideyou99%#
Personal quote passphrase example:
Thereisaninfinityofloveinsideyou99%#
A quote you have assembled yourself is less likely to be guessed by your adversaries. I prefer that you do not use bad language in your passphrases, because you are the one who will repeat it, and it will have a self-affirmation effect on you.
As you probably noticed, I have used a capital letter, lowercase letters, symbols and numbers. The beauty of this technique is that the password length can easily exceed 24 characters and still be memorable.
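To make the length-versus-complexity argument above concrete, here is an added Python example (not from the original post) that estimates the search space an attacker faces under three models: exhaustive brute force, a dictionary attack that segments the passphrase into words, and a quote-list attack against a well-known quote. It also applies the same estimate to the random 12-character password for comparison; the word list and the dictionary and quote-list sizes are assumptions.

```python
import math
import re

# Constructed sample passwords from the discussion above; the attacker model
# sizes (character set, word list, quote list) are assumptions, not measurements.
RANDOM_12 = "aX93%*!rALk#"
KNOWN_QUOTE = "Thekingdomofheavenisinsideyou99%#"
PERSONAL_QUOTE = "Thereisaninfinityofloveinsideyou99%#"
CHARSET_SIZE = 94          # printable ASCII without space
DICTIONARY_SIZE = 20_000   # assumed attacker word list
QUOTE_LIST_SIZE = 100_000  # assumed attacker famous-quote list
# Tiny word list, just enough to segment the two sample passphrases.
WORDS = {"the", "king", "kingdom", "of", "heaven", "is", "inside", "you",
         "there", "an", "infinity", "love"}

def brute_force_bits(password):
    """Search space when the attacker knows only length and character set."""
    return len(password) * math.log2(CHARSET_SIZE)

def split_letters(password):
    """Split the alphabetic core from the digit/symbol tail (e.g. '99%#')."""
    m = re.match(r"([A-Za-z]*)(.*)$", password)
    return m.group(1).lower(), m.group(2)

def segment(text):
    """Fewest-words segmentation by dynamic programming: this is how a
    dictionary attack 'sees' a concatenated passphrase. None if impossible."""
    best = [None] * (len(text) + 1)
    best[0] = []
    for end in range(1, len(text) + 1):
        for start in range(end):
            word = text[start:end]
            if word in WORDS and best[start] is not None:
                cand = best[start] + [word]
                if best[end] is None or len(cand) < len(best[end]):
                    best[end] = cand
    return best[-1]

def dictionary_bits(password):
    """Search space when the attacker combines dictionary words plus a tail."""
    core, tail = split_letters(password)
    words = segment(core)
    if not words:  # no dictionary words found: only brute force remains
        return brute_force_bits(password)
    return len(words) * math.log2(DICTIONARY_SIZE) + brute_force_bits(tail)

def quote_list_bits(password):
    """Search space when the whole quote is one entry in a quote list."""
    _, tail = split_letters(password)
    return math.log2(QUOTE_LIST_SIZE) + brute_force_bits(tail)
```

Under these assumptions the well-known quote collapses to roughly 43 bits against a quote list, below the random 12-character password, while the personal quote stays well above it even against a word-combining attacker.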
Why are cloud password managers recommended?
- Your desktop and laptop PCs are many times more prone to compromise than cloud password manager services.
- Most cloud/online password managers have browser extensions that automatically fill your passwords into website login forms. Otherwise you would have to type your passwords repeatedly, which increases the risk of a key-logger attack, where a hacker plants malicious software on your operating system that records all of your keyboard input and therefore easily learns your password.
- If you are like me and have more than 20 online accounts, including banking services, cryptocurrency exchanges and so on, then you have a few traditional choices. Either you create one password for everything (e.g. Mymasterkeypassword123*#) and if it leaks you compromise all of your accounts; or you create different passwords that share the same memorable prefix pattern (e.g. exchBitfinex99#%, exchBittrex99#%) and if one is compromised the hacker can guess the rest; or you create completely different passwords and are much more likely to forget them. Isn't it much better to have completely different, random, utterly complex passwords for your online accounts and not need to remember them?
That is exactly why cloud password managers are a safe haven that reduces your personal security risk. As mentioned previously, there are at most 5 long passwords/passphrases you need to remember: your primary email password, your first cloud manager password, your backup cloud manager password, and your wallet passphrases/passwords for your significant store-of-value funds (optional but recommended). All the rest of your accounts can use complex passwords generated by your cloud password manager, like this one:
n_cywhf1c4y7X#q5E+1?06j2pJ$4r4aa
If you are haunted by the fear of having passwords you don't remember for most of your accounts, let me tell you that the only requirement is to be able to reset your accounts' passwords when you choose to. Most online cryptocurrency exchanges and banking portals will require 2-factor authentication. It is highly recommended to know the secret key (the "serial number") that generates your temporary 2FA token numbers, and to store it in your cloud password manager.
The following example of 2-factor authentication is from Gate.io. If you scan this QR code with the popular Google Authenticator app, your 30-second token numbers will be added to the app automatically, but you will not be able to recover the serial number that generates them. I believe Google has intended this on purpose for security reasons. Unfortunately, though, in most cases if you lose your phone for any reason it will be harder to regain access to your account (or reset your access credentials), because if it were that easy it would serve no purpose.
Therefore, as a recommended practice, always keep a copy of the 2FA serial number in your cloud password manager in its respective field. If you have old accounts, you can reset their 2FA authentication just to save the newly generated 2FA serial as a backup in case you lose your phone. Note: if the 2FA serial is not printed on the same page as the QR code, scan the QR code with an app like QR Droid, extract the serial number from the decoded text and save it in your cloud password manager.
If you decide to use Authy, you may not need to save the 2FA serials as a backup, because if you lose your phone you can still recover all of your 2FA accounts saved in the Authy cloud.
What if I can't afford or don't want to have 2 cloud password managers?
Another option is to use the free KeePass software as a backup for your primary cloud password manager. This is a safe offline alternative because your KeePass database is encrypted on your hard drive with your master password.
Your third option for a backup/redundancy plan is to use just one cloud password manager and export its contents every month as a .CSV file, use the free 7-Zip tool to archive the .CSV file with a strong, memorable password as described earlier, then upload the .7z file to Google Drive or whatever cloud storage you use.
WARNING: This technique requires a lot of caution because you may forget to delete the generated .CSV file from your computer. Even if you remember to delete it (on Windows), it is still not really gone: an intruder can recover it from your hard disk even after you empty the Recycle Bin. If you are on Linux and your home directory or hard drive is encrypted, that is fine.
Therefore you should use a program like Secure Delete to remove the .csv file by overwriting the hard drive blocks that contain the data. As for the 7-Zip archive of your .csv file, a long and strong password will prevent it from being easily accessed, so you can keep it on your computer, but it is more secure to store it only on your cloud service of preference.
You can also format your .CSV file in Excel and print it as a backup, but that depends on whether you have a secure physical location to store the paper.
For smartphones I highly recommend SafeInCloud; they have an app for Android and iOS. It is a free app, but if you decide to sync the data to your cloud you have to make a one-time payment for SafeInCloud Pro, which I highly recommend and which at the time of writing is around $5 USD. I believe that is very cheap for hassle-free auto-fill on your smartphone and its highly valued security features such as clipboard clearing, fingerprint access, etc.
As for desktop/laptop PCs, and as an all-in-one solution, I am currently using Bitwarden on Google Chrome. (Note: if you are a fan of the Brave browser, Bitwarden comes pre-installed as an extension; you just have to enable it. However, in my personal experience Brave is still buggy and not as mature as Chrome and Firefox.) Bitwarden is a free service with a very neat interface, and the auto-fill capability works flawlessly.
Caution: After using Bitwarden's Duo security feature I do not recommend it; use Authy instead. At one time I was stuck and unable to log in to my Bitwarden account when the Duo cloud service stopped sending responses to my phone. Therefore I deem it unstable and not worth the risk of depending on their cloud service. The default 2-factor authentication using Authy or Google Authenticator is time based and does not rely on a cloud service to function (Authy uses the cloud only for recovering your account, with minimal risk).
General Precautionary Measures:
1. My default password length of preference is 24, but services such as PayPal allow a maximum of 19 characters. Be sure to know the maximum supported password length of the account whose password you are changing, because some websites silently crop a pasted password (e.g. Mylongpasswordisthisone99#% was cropped to Mylongpasswordis when I pasted it from the password generator into the form), which may cause you trouble in the future if you have to type the password manually thinking it is the long one. No doubt some websites have bad UI/UX design; PayPal respectfully notifies you of its maximum length when you exceed it, but other websites may not. A password length of 20 to 24 characters is a safe bet most of the time and makes a brute-force dictionary attack look naive.
2. Consider full hard drive encryption. It is easier if you are using Linux. The easiest Linux distribution for that purpose is Linux Mint, and my preference is Lubuntu (fewer services and processes means less exposure to online breaches).
3. Always use the auto-fill feature of your cloud password manager. This minimizes clipboard copy-paste, which hackers can sniff to learn your password, and key-logger attacks if you decide to type your password manually each time. SafeInCloud has a great feature that automatically clears your clipboard. Amazing! :)
4. Try to minimize the number of times you type your master password on your keyboard. You can do this by increasing the time before the cloud password manager locks automatically, or by locking it manually when you are finished.
5. Consider researching cold storage wallets (my preference for BTC is Electrum) or use a hardware wallet like the Ledger Nano S for high reliability and ease of use. For your information, cold storage is not a big technical deal. You simply have 2 wallets: one on your offline PC (which holds your valuable private key) and a second, online, watch-only wallet (which broadcasts the transactions you signed with your offline wallet's private key). The idea is simply never to expose your private key in raw form to the Internet.
6. Install a strong antivirus on your PC. Luckily BitDefender and Kaspersky both have free versions for personal use that you can enjoy without paying a dime. But my personal preference for extra security features is Kaspersky Internet Security.
7. If for any reason you doubt that your online communication is secure, use a private VPN service to encrypt the data between you and the online entities. I personally do not trust the Tor network much due to the breaches that have been reported recently, so I cannot recommend it as a secure option.
Thanks for your time. If you think this info added value for you in any way, feel free to donate to the addresses below. Additionally, please let me know your opinions, suggestions and preferences in the comments. I will probably keep updating this post as I learn more from you and educate myself further on this topic.