Advent Calendar #4 - My turn on cybersecurity
Cybersecurity has become very important over the years. More powerful computers force you to have increasingly longer passwords. This post shall give you a rough introduction to how I handle cyber security and the products I am using for it (this is not sponsored. / unfortunately :D)
I have dozens of accounts, just like you. To manage the credentials for all of them, I use a password manager (Bitwarden) with multiple factors, to be sure no one will get into it. (I will come to them in just a bit)
Please do not go the wrong way and use the same password over and over again.
2FA is a requirement
Having a second factor is more than just recommended to have a safe browsing experience. It makes getting into your account much harder because the second factor is not just a password that you enter on some site and that stays the same. It is a constantly changing code depending on the current time that can not be reverse calculated.
Even if somebody found out you entered the 2FA code with the exact time of your login, it's very unlikely that somebody can reverse calculate the secret of it.
Storing 2FA on the smartphone or even in the cloud - a bad idea
The most common way of approaching 2fa is with Google or Microsoft Authentator app. While this is in general better than not having a second factor, it's not great.
The best case to handle the TOTP token storage is on a hardware token, that you carry with you. In my case:
Yubikeys are hardware tokens from the manufacturer Yubico and allow besides TOTP storage WebAuthN authentication which is a synonym for passkeys
You're not storing anything in the cloud and even if you lose your smartphone you're good to go.
If you want to use a Yubikey, buy two.
I struggled a lot with the thought of "what happens when I lose my Yubikey?" Well, you're basically fucked then, just to make this clear.
You will need to purchase two of them to be on the safe side and add both of them to your accounts. I carry one with me and the other one is stored in a very secret dark place, that nobody has access to.
With Yubikeys the doors for safe WebAuthn are open and you should utilise it wherever you can. Websites that allow passkeys don't require you to enter your password. Just the password from your Yubikey
Always enable 2FA
You can store your secrets on your smartphone, but most preferably...
Get a hardware token and a backup hardware token to save your secrets.
Utilise WebAuthn everywhere you can