Not your Keys not your Anything! Be Warned.
What if your banker says that you lost access to your money and they ain’t giving you any penny?
Well that’s how you will feel when someone else takes over your account, I mean any account. ofcourse losing a goodread account that you don’t even remember creating doesn’t hit the same nerve as loosing your 10k follower account but its about making habits that will serve you in the long run.
Thanks for reading BowTied Anon! Subscribe for free to receive new posts and support my work.
Passwords are like keys to the digital property you own but the catch is, most of the time you can’t prove the ownership except with an email and a password, and maybe a phone (not recommended for low-to-mid priority accounts - sms is insecure). Pretty different than a house I must say, where you can just get in, even if you lost the key, through a window or a back door (and your neighbors won’t call the police, hopefully)
Sold you enough on “why passwords matters?”
We need some system to manage our passwords, find other ways to access our accounts and recover when we have lost the access.
Bitwarden is the best service that comes to my mind, It will sync with all your devices and its E2EE (simply meaning IF the company doesn’t know your master password, they can’t access any of your stuff whatsoever - false for most companies).
You can try their official site, self-host or can just give a test drive by making an account here ( This is one of the few European orgs that provide a basket of privacy services so that you don’t have to self-host - pretty useful )
Another option is to create a Database of accounts by using a desktop client called KeepassXC, It won’t sync with all your devices but you will have all your accounts saved securely in a file - pretty handy. If you are a techie you can sync the file with something like syncthing.
Now I am gonna talk about hardware keys. They are basically passwords but are stored in a physical device (think pen drives but only for unlocking your accounts). I recommend nitrokey. There are other products in the market and nitrokey is nowhere a leader but you just have to trust me on this.
Multi Factor Authentication - It basically adds further protections over your account, think a safe that can only be opened by having multiple keys AT once. I use authenticator pro (switch on automatic backups plz), the privacy community seems to like aegis too. If you are on iphone you can give Raivo a try. Don’t use sms for this, SMS is very unsecure, people can just snoop in and look over your stuff.
And talking about Multi Factor Authentication, you may want to read this fabulous article about being locked out of your digital life. And you may want to think about Single Point of failure.
How many passwords to remember?
Memory is your last defense and mostly depends on torture tolerance if you are exposed to that kind of a threat (most aren’t), so memory will serve you good in most cases.
I’d say memorize atleast 6-7 types of passwords and revise them by SRS (the more you repeat them, more likely you will remember them, highly recommend using Ankidroid for revision of certain information).
Banking Accounts - these should all have different passwords and you shouldn’t use these passes anywhere else.
High-stake Accounts - Main email, Twitter, and the likes, just like banking a/c, have different passwords.
Master passwords - your bitwarden and keepass passes go here.
Throwaway passwords - these are passwords you use where you won’t be needing the accounts after you used them once ( use it with temp-email1 ). You can have a pattern in your head like <some phrase>#<number> (these patterns are not secure but for throwaway passwords they are quick). You can use something like pashword for this use-case.
Codes - whatsapp 2fa, phone passwords, ATM pins ( just rote learn a few and rotate them )
Don’t create accounts that you will not be needing, use temp mail and throwaway passwords for stuff that asks to create an account but you are not interested in creating one (but need the stuff anyways).
If something is out their on the internet, chances are, it will stay forever. There are services that automate deleting info off the internet but we don’t even have access to the good ones (and others seem sketchy). I may or may not write a guide on finding a good service for the same.
How strong the passwords should be?
Use password phrases, they are more difficult to crack and easy to remember - I have no idea where the fad of using something like <personal-info>@<numbers> came from but that’s easy to crack by someone who knows you or possibly a cracking software by using custom wordlists.
Websites these days will make you add upper case, number and special character. So you should just use a password phrase, make the first character upper case and add ‘#’ at the end with some numbers.
The sections below maybe too advanced for normies, be warned. Just switch on ADP on Apple devices and you will be just fine without reading the below sections. Don’t forget to print the backup key and update your recovery contacts. Use Proton for email, contacts, calendar and you are golden.
Math is the last frontier of human progress that the government will regulate so trusting math is the best strategy. If you encrypt stuff, nobody can have access to it even if they have a warrant. The caveat ofcourse is that if you forget the password, nobody can help you.
Turn on ADP on your Iphones, print the backup key and store it somewhere safe AND update your recovery contacts. Email, contacts and calendar are not encrypted, you should only use Proton for that anyways.
Turn on full disk encryption on your desktops NOW (Bitlocker on windows, Filevault on Mac, LUKS on Linux). Mobile device are encrypted by default and they are more secure than desktops by far. Don’t use face or thumb unlocks, they are convenient but they are just not secure enough.
Don’t use cloud providers (cries in gdrive) directly, use cryptomator. If you prefer IOS, switching on ADP is the best thing you can do as it encrypts the Icloud. If you want to encrypt a single file, this web service is pretty handy. If you want to encrypt stuff and manage keys on android, it doesn’t get better than openKeychain.
Encrypting Emails (PGP)
Download the public key and import it into the "keyring" of whatever PGP software you're using (GnuPGP cli, Kleopatra, OpenKeychain, etc).
In Thunderbird, check "Encrypt (PGP/MIME)" and it selects the keys for each recipient. In gmail and the likes, you need to first encrypt the message with an external application and paste the encrypted stuff in the body.
From OpenSSH 8.2, you have support for FIDO/U2F.
This release adds support for FIDO/U2F hardware authenticators to OpenSSH. U2F/FIDO are open standards for inexpensive two-factor authentication hardware that are widely used for website authentication. In OpenSSH FIDO devices are supported by new public key types
ed25519-sk, along with corresponding certificate types.
ssh-keygen(1) may be used to generate a FIDO token-backed key, after which they may be used much like any other key type supported by OpenSSH, so long as the hardware token is attached when the keys are used. FIDO tokens also generally require the user explicitly authorise operations by touching or tapping them.
Generating a FIDO key requires the token be attached, and will usually require the user tap the token to confirm the operation:
$ ssh-keygen -t ecdsa-sk -f ~/.ssh/id_ecdsa_sk Generating public/private ecdsa-sk key pair. You may need to touch your security key to authorize key generation. Enter file in which to save the key (/home/djm/.ssh/id_ecdsa_sk): Enter passphrase (empty for no passphrase): Enter same passphrase again: Your identification has been saved in /home/djm/.ssh/id_ecdsa_sk Your public key has been saved in /home/djm/.ssh/id_ecdsa_sk.pub
I use veracrypt for storing govt id pics and banking details and sometimes backup keys of digital accounts.
Crypto wallets are different in the sense that they need to produce more keys to sign stuff so you need a different kind of hardware. I recommend setting up a cold multi sig wallet with Coldcard and Cobo vault (now Keystone Pro). you can use seedsigner as a backup (and if you are broke).
Suggestion to Auth Providers
Please add the ability to add password hints and directly signing in with an email link without password. People shouldn’t write their whole passwords as hints but just one word can tell them which password they used. This is a great strategy in my opinion.
If you know what to do with this below link, you probably should - its pretty cool.
P.S. I have tried to keep the info as updated as possible but internet moves too fast for my silly human brain, If you encounter something outdated please let me know in the comments and I will update the post after doing my due diligence. I tried to “dumb” some stuff to make it accessible to a wider audience and may have reduced the accuracy in the process.
just search google for “temp email”, use whatever that comes up.