I’ve been slacking hard on my account security. Luckily, I’ve sidestepped being hacked for most of my life except for a couple of unfortunate incidents involving my WoW account and my Runescape account. I guess downloading that wood chopping bot from Limewire wasn’t the greatest idea in the world. Anyway, I’ve been researching what I need to do to get my account security act together and I thought I’d share what I learned. I’m currently transitioning to everything I’m recommending in this post and it’s how I’m going to keep my accounts secure going forward.
Password Manager
I’m going to be real. There is no perfect solution to the password problem. You’re going to have to sacrifice something no matter what route you take. It’s impossible for you to reasonably remember all the strong passwords to every single account you access on a regular basis. If you do rely on memory, then you’re going to have lazy passwords that aren’t very secure and you’ll end up using repeats or use a predictable password convention. So once one password is compromised, hackers could potentially guess your other passwords.
You could use a notebook and keep a backup somewhere but maintaining it will be difficult. Plus, you’ll have to carry it with you sometimes in case you need to login to an account. Of course, carrying the notebook with you creates the risk of it being stolen or snooped.
So the best solution we have right now is a dedicated password manager. It’s an uncomfortable idea for some since it’s like a bank vault just waiting to be cracked, especially if the passwords are stored on a server. Fortunately, companies like Bitwarden take this responsibility VERY seriously and do everything they possibly can to keep your information safe. I also have some tips to further increase your security with little mental load added.
Benefits of password managers
- You can create strong, unique passwords for every account you make
- Your other accounts are safe if your login info is ever compromised on other platforms
- There’s no burden to try to remember your passwords
- Your passwords are encrypted before they leave your device, and the encryption itself can’t realistically be cracked with current computing. The weak point is the master password that unlocks the vault, which is why the master password advice further down matters.
- Helpful for preventing you from accidentally logging into a phishing site. A password manager only fills a login on the exact site it was saved for, so it won’t fill on a look-alike URL even when the difference is a character you can’t see. Two common tricks this catches:
  - Proxy sites that sit between you and the real website. You go to their URL, they fetch the real login page and pass it through, and they capture your login info (and often your 2FA code) as you type it.
  - Duplicate websites on look-alike domains, sometimes using characters from other alphabets that look identical to the letters in the real URL.
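The URL check above is the part of a password manager that defeats both tricks. As an added illustration (not Bitwarden’s code or any real manager’s matching logic), here is a strict “host must match exactly” policy in Python: the saved and current hostnames are lowercased, Unicode-normalised and punycode-encoded before comparing, so a Cyrillic “а” in a look-alike domain is exposed as an `xn--` host, and `accounts.example.com.evil.test` is seen for what it is. The `should_autofill` helper and the sample URLs are constructed for the example; real managers usually default to matching the registrable base domain instead, which needs the public suffix list and is left out here.

```python
import unicodedata
from urllib.parse import urlsplit


def canonical_host(url: str) -> str:
    """The hostname in the form a browser actually connects to: lowercased, Unicode-normalised
    and IDNA/punycode-encoded, so look-alike Unicode letters can't pass as ASCII ones."""
    host = (urlsplit(url).hostname or "").rstrip(".")
    host = unicodedata.normalize("NFKC", host).lower()
    return host.encode("idna").decode("ascii")


def should_autofill(saved_url: str, current_url: str):
    """Strict 'host must match' policy for a vault entry saved at saved_url.
    Returns (decision, reason). Hypothetical helper, not any manager's real matching code."""
    saved = canonical_host(saved_url)
    current = canonical_host(current_url)
    if not current:
        return False, "no hostname in the current URL"
    if current == saved:
        return True, "exact host match"
    if "xn--" in current and "xn--" not in saved:
        # Non-ASCII letters only ever show up here as punycode: this is the homograph case.
        return False, f"punycode host {current}: contains non-ASCII look-alike characters"
    if current.endswith("." + saved):
        return False, f"{current} is a subdomain of {saved}; strict host matching does not fill here"
    if saved in current:
        # e.g. accounts.example.com.evil.test: the real name is just a prefix of the attacker's.
        return False, f"{saved} is embedded inside a different host: {current}"
    return False, f"different host: {current}"


if __name__ == "__main__":
    saved = "https://accounts.example.com/login"   # constructed sample vault entry
    for url in (
        "https://accounts.example.com/settings",
        "https://accounts.example.com.evil.test/login",
        "https://\u0430ccounts.example.com/login",   # first letter is Cyrillic U+0430
    ):
        print(url, "->", should_autofill(saved, url))
```

Run it and note that the Cyrillic URL looks identical to the real one in most terminals; the punycode form is the only thing that gives it away, which is exactly why you want software rather than your eyes making this decision.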
Risks of password managers
There are some risks with using a password manager, but the chances of these things happening are very low and password managers are still significantly safer than the alternatives.
- If you lose your master password, you’re locked out of the manager. Because the company never has your master password (see Zero knowledge below), they can’t reset it for you.
- If the password manager’s company is compromised, a malicious update could be pushed to your browser extension, app or web vault. A tampered client sees your master password and the decrypted vault directly, so no amount of encryption helps at that point. This is unlikely and the worst case scenario.
Browser Password Managers
Browser password managers have a reputation for being bad. They have gotten better over the years, but dedicated password managers work across browsers and devices and put the vault behind its own master password instead of whatever unlocks your OS account. I’m personally trying to lower the amount of Google in my life and I’m of the opinion that Firefox as a whole is full of overpaid incompetents. So I’m not going to be using the browser’s password manager anymore but feel free. It’s better than nothing.
KeePassX
I’d like to briefly point out that options like KeePassX are available. KeePassX creates and encrypts a local database file that stores your passwords; nothing ever touches a server. (KeePassX itself is no longer maintained; KeePassXC is the actively developed fork and works the same way.) While this is probably the most secure option available, it’s got some downsides to usability. Since this guide is intended for the average user, I won’t go into a ton of detail, but I’ll give you an idea of why I decided against using it.
- You are responsible for backing up the database.
- You are responsible for the hosting if you want to access it across multiple devices
- There’s no official mobile app, so you depend on third-party apps that read the database format
Bitwarden
Alright, now let’s talk about Bitwarden. Bitwarden syncs an encrypted copy of your vault through its servers for the sake of device syncing and usability, and this password manager has a lot of things going for it.
Open Source
The code for Bitwarden is open source, meaning anyone can look at the source code. This is beneficial for a few reasons.
- More eyes on the code means less gets overlooked (open source makes review possible; the audits below show it actually happens)
- The code can be verified to ensure it’s as safe as the company claims
- It keeps the company accountable. If they upload code with a bunch of vulnerabilities, people will find out.
Audited by third parties
Bitwarden commissions annual security audits performed by third parties and publishes the reports.
Free tier
The free tier has all the basic features needed to use the software. There’s nothing integral behind a paywall; if you do want the premium features, a subscription costs $10 a year.
Streamlined and Convenient to use
If you’re using a password management system that’s a burden to use, you’ll probably end up cutting corners, which defeats the entire purpose of using a password manager in the first place.
Zero knowledge
All of your data is encrypted before it leaves your device, and Bitwarden’s servers only ever hold the encrypted copy. They don’t have your master password or the keys derived from it; that is all done on your machine. So employees cannot read your stored passwords, and if there’s ever a breach of their servers, everything the attacker gets is still encrypted.
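To make “zero knowledge” concrete, here is an added Python sketch of the general pattern such managers describe: the master password is stretched into a key on your machine, and a separate one-way hash of that key is the only thing sent to the server. This is my simplified model for the post, not Bitwarden’s code, and the iteration count and salt choice are assumptions chosen so the demo runs quickly. The last function shows the flip side a practitioner should remember: a stolen server-side hash lets an attacker test master-password guesses offline, so zero knowledge protects you from the company, not from a weak master password.

```python
import hashlib
import hmac
from typing import Optional

# Iteration count lowered so the demo runs in a second or two. Real managers use hundreds of
# thousands of PBKDF2 rounds or Argon2id; this is a stand-in, not any vendor's parameters.
KDF_ITERATIONS = 20_000


def master_key(master_password: str, email: str) -> bytes:
    """Client side: stretch the master password into the key that protects the vault.
    The account email serves as the salt (an assumption), so identical passwords give
    different keys for different users."""
    salt = email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ITERATIONS)


def login_hash(mk: bytes, master_password: str) -> bytes:
    """Client side: the only thing sent to the server at login. It is derived from the master
    key by another one-way step, so the server cannot recover the key that decrypts the vault."""
    return hashlib.pbkdf2_hmac("sha256", mk, master_password.encode(), 1)


def server_check_login(stored_login_hash: bytes, presented: bytes) -> bool:
    """Server side: compare in constant time. The server holds no key material, only this hash."""
    return hmac.compare_digest(stored_login_hash, presented)


def offline_guess(stored_login_hash: bytes, email: str, candidates) -> Optional[str]:
    """What a breach of the server gives an attacker: the ability to test master-password guesses
    offline at whatever speed their hardware allows. Zero knowledge stops the company reading
    your vault; it does not rescue a weak master password."""
    for guess in candidates:
        if server_check_login(stored_login_hash, login_hash(master_key(guess, email), guess)):
            return guess
    return None


if __name__ == "__main__":
    email = "alice@example.com"                      # constructed sample account
    mk = master_key("correct-horse-battery-staple", email)
    stored = login_hash(mk, "correct-horse-battery-staple")
    print("server stores:", stored.hex())
    print("weak-list guess finds:", offline_guess(stored, email, ["password123", "letmein"]))
```

The takeaway is the asymmetry: the server can verify a login but not decrypt anything, while an attacker with a copy of that hash can keep guessing forever, so the slow KDF and a long passphrase are what actually buy you time.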
Conclusion
You need to be able to trust a password manager with your sensitive info and Bitwarden seems like the best option for the average user. Their transparency and yearly audits indicate that they take their job very seriously. Bitwarden’s business practices are consumer friendly by offering a fully functional free tier while the paid option is cheap and offers some decent bonus features. They ethically handle your data unlike most modern tech companies. The software is on multiple platforms and isn’t a burden to use, which discourages shortcuts that may not be very secure. There are technically more secure options out there but we, as average users, aren’t committing espionage and don’t need to inconvenience ourselves with an overly paranoid security setup.
Password Best Practices
Creating a Master Password
When you’re creating the master password for your password manager, make it a string of random words you can remember, not anything linked to your identity. Bitwarden has a password generator that can produce a passphrase of random words. We’re bad at being truly random, so let the generator do the work. You can tweak the result to make it easier to remember, but every word you swap for one you chose yourself makes the phrase more guessable. Use at least four words, and more is better: each word drawn from a list the size diceware uses (7,776 words) adds about 13 bits, so four words is roughly 52 bits and six is roughly 78. You’re also going to want to write down the password. More on that later.
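Here is an added Python example (mine, not Bitwarden’s generator) that does the two things the paragraph above asks for: it picks words with the operating system’s cryptographic random source rather than a predictable one, and it turns “number of words” into bits of entropy and an expected cracking time. The 16-word list is constructed so the demo runs offline; the entropy maths is computed for a 7,776-word list, and the two attacker rates (10,000 guesses per second against a slow key derivation, 10 billion against a fast plain hash) are illustrative assumptions, not measured figures.

```python
import math
import secrets

# Constructed mini word list just so the demo runs offline; real generators draw from lists of
# several thousand words (diceware-style lists have 7,776).
SAMPLE_WORDS = [
    "anchor", "bronze", "canyon", "drift", "ember", "falcon", "glacier", "harbor",
    "iris", "juniper", "kettle", "lantern", "marble", "nectar", "orbit", "pebble",
]
DICEWARE_LIST_SIZE = 7776


def generate_passphrase(words, count: int = 4, separator: str = "-") -> str:
    """Pick words with the OS CSPRNG (secrets), never random.random(), which is predictable."""
    if count < 1:
        raise ValueError("count must be at least 1")
    return separator.join(secrets.choice(words) for _ in range(count))


def passphrase_bits(list_size: int, count: int) -> float:
    """Entropy of a passphrase of `count` words drawn uniformly from `list_size` words."""
    return count * math.log2(list_size)


def years_to_crack(bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the passphrase: on average half the keyspace at the given rate."""
    seconds = (2 ** bits / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def crack_time_table(word_counts=(3, 4, 5, 6), list_size=DICEWARE_LIST_SIZE):
    """Assumed attacker rates: 1e4 guesses/s against a slow KDF such as a password manager uses,
    1e10 guesses/s against a fast unsalted hash (both illustrative figures, not measurements)."""
    rows = {}
    for n in word_counts:
        bits = passphrase_bits(list_size, n)
        rows[n] = (round(bits, 1), years_to_crack(bits, 1e4), years_to_crack(bits, 1e10))
    return rows


if __name__ == "__main__":
    print("sample passphrase:", generate_passphrase(SAMPLE_WORDS, 4))
    for n, (bits, slow_years, fast_years) in crack_time_table().items():
        print(f"{n} words: {bits} bits, slow KDF ~{slow_years:,.0f} years, fast hash ~{fast_years:.4f} years")
```

Two things stand out when you run it: a four-word phrase that would take millennia against a slow KDF falls in days against a fast hash, and adding a fifth or sixth word costs you one more word to remember while multiplying the attacker’s work by about 7,776 each time.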
Different passwords
I’ve mentioned this several times already but one of the best things to do is have a unique password for every account you have. If that service’s servers are hacked and your password is exposed to the internet, bad actors won’t be able to get into other accounts with the same password.
Password Peppering
The practice of password peppering will help add an extra layer of security to your most important accounts. Here’s how you pepper your passwords:
- Let your password manager generate a strong password
- Save that password into your password manager
- When setting the password on the account itself, type the generated password plus some extra characters of your own at the end
- DON’T save these extra characters into the password manager
There are some best practices to password peppering:
- Use the same pepper every time
- Make it something you can remember
- It helps if it blends in with the random characters the password manager generated, so someone reading your vault can’t tell that anything is missing
- Example: You choose D2069 because you really like DnD and 69’ing. It’s easy to remember and it doesn’t look out of place in a generated password like Baconhuffer666 would
- Only pepper your most important accounts like your bank or business passwords
Password peppering is helpful if your password vault is ever accessed by someone who shouldn’t have it. If they try to log in to your bank account with what’s in the vault, it won’t work because the pepper was never saved there, and they’ll likely assume you changed the password. It’s a backstop, not a replacement for a strong master password: it does nothing if the attacker phished the full password out of you or is logging your keystrokes, and if you forget the pepper you’ve locked yourself out of exactly the accounts you cared about most, which is why it goes on the master sheet later in this post.
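To show the procedure end to end, here is an added Python demo (my example, not from the post) in which a stand-in website stores a salted, stretched hash of whatever you typed at sign-up, and three logins are attempted: a thief holding a copy of the vault entry, you typing the entry plus the memorised pepper, and you putting the pepper in the wrong place. The pepper `D2069` is the post’s own example; the site-side hashing and the 16-character generated password are assumptions standing in for a real service.

```python
import hashlib
import hmac
import secrets
import string

PEPPER = "D2069"   # the post's example pepper: memorised, typed by hand, never saved in the vault
ALPHABET = string.ascii_letters + string.digits


def generated_password(length: int = 16) -> str:
    """What the manager generates and stores in the vault."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def site_register(typed_password: str) -> dict:
    """Stand-in for a website at sign-up: stores only a salted, stretched hash of what you typed."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", typed_password.encode(), salt, 50_000)
    return {"salt": salt, "hash": digest}


def site_login(record: dict, typed_password: str) -> bool:
    """Stand-in for the website's login check (constant-time compare of the recomputed hash)."""
    digest = hashlib.pbkdf2_hmac("sha256", typed_password.encode(), record["salt"], 50_000)
    return hmac.compare_digest(record["hash"], digest)


def pepper_guess_space(pepper_length: int, alphabet: str = ALPHABET) -> int:
    """How many candidates someone holding the vault entry must try to recover the pepper.
    They have to try them online against a rate-limited login form, which is what makes
    even a short pepper useful."""
    return len(alphabet) ** pepper_length


def demo() -> dict:
    vault_entry = generated_password()            # saved in the password manager
    real_password = vault_entry + PEPPER          # typed into the site; the pepper lives only in your head
    record = site_register(real_password)
    return {
        "thief_with_vault_copy": site_login(record, vault_entry),          # rejected
        "you_with_pepper": site_login(record, vault_entry + PEPPER),       # accepted
        "pepper_in_wrong_place": site_login(record, PEPPER + vault_entry), # rejected: be consistent
        "guesses_to_find_pepper": pepper_guess_space(len(PEPPER)),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Note the third case: the site has no idea a pepper exists, it only knows the full string, so you must append the same pepper in the same place every time.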
Security Questions
The best practice with security questions is to use random words that don’t have anything to do with the questions. You can store these answers inside your password manager.
Two Factor Authentication (2FA)
Two factor authentication is helpful with keeping your accounts secure but a lot of implementations are flawed and can be sidestepped through phishing. So don’t use two factor authentication as an excuse for lazy passwords. Two factor authentication is still worth using to avoid being low hanging fruit but it’s not a free pass to use password123 as your password and click every single link that comes your way.
Email and SMS authentication are the worst of the bunch. A six-digit code has only a million possible values, so if a site doesn’t lock out or throttle repeated attempts (or that protection can be bypassed), an attacker can simply try codes until one works while the code is still valid. SMS codes can also be read by anyone who has taken over your phone number, and email codes are only as safe as your email account. Some websites don’t offer any other form of two factor authentication, so if you have to use it, here are a couple of best practices:
- Don’t count on an encrypted texting app for this: the code arrives as an ordinary carrier text message no matter which app displays it
- Set up a Google Voice number and use it exclusively for 2FA
  - If there are data breaches, your real phone number won’t be leaked on the dark web
  - The number isn’t tied to a SIM card, so it can’t be SIM swapped. It is tied to your Google account, so lock that account down with a strong password and a better second factor, and be aware that some services refuse VoIP numbers for 2FA
- More info on SIM Swapping
Time-based One-Time Password apps (Authy, Google Authenticator, Bitwarden’s built-in OTP) are better and you should opt for this method where possible. The code is computed on your device from a secret shared at setup, so nothing travels over the phone network. They’re still susceptible to real-time phishing (a fake site that relays your code to the real one within the 30-second window), but they’re far better than SMS. Also, use an app that can back up or sync the secrets (Authy, or the built-in TOTP feature in Bitwarden) so you can restore access if you lose or break your phone. Older versions of Google Authenticator couldn’t do this; it gained sync to your Google account in 2023, but then your codes are only as safe as that Google account. Whatever app you use, save each service’s recovery codes.
A physical security key is the best 2FA option we have today. It’s a small device you plug into (or tap against) your phone or computer to prove you’re the account owner. It’s the best defense against common phishing attempts because the key cryptographically ties its response to the real website’s address, so a look-alike site gets nothing it can reuse. Pair a key with a password manager and it’s not likely you’ll be hacked unless one of your devices is infected with malware, but nothing will keep your info safe at that point.
You don’t HAVE to buy a security key, but I thought I’d mention it for the people who truly want to level up their account security. YubiKey is the most popular brand if this is something you want to look into, and it’s recommended to buy two keys: one for daily use and the other stored away safely in case you lose the original. Unfortunately, not every service supports this type of authentication, so you won’t be able to use it for everything.
Keep a Master Sheet
If you lose access to your Bitwarden vault, you lose access to everything. So you need to write down all the important information that allows access to your password vault and store it somewhere safe. You need to record the following:
- Email address used for your password manager
- Your email password
- Master password for your password manager
- 2FA recovery code
- Your pepper
If you have any other recovery codes for important accounts, it’s probably worth writing them on this sheet of paper too.
Safe Storage
It’s a good idea to establish a safe place to store your important documents and physical objects. Your master sheet with all your password manager login info, and potentially a backup security key, are things you’re going to want to keep safe. For most people, this means fire protection, so store these things in a ziplock bag and put that inside a fireproof bag. The reasoning is that the ziplock bag protects your stuff from water, which is often part of the equation with fire, and fireproof bags aren’t waterproof.
If you have the means, a bolted in safe is another option to store your important documents and stuff. It doubles as theft protection and fire protection, so if you have a lot of people coming into your house then you’ll want to shell out for a safe. Don’t buy a cheap safe that can be lifted out of your house because that won’t do anything for you.
The last option, and still an affordable one, is a safe deposit box at your bank. You’ll be able to keep your stuff safe from theft and a house fire. It’s cheaper than you think, too. It could be a pain to have to drive down to your bank to access your paper, though!
Virus Protection
Browsing the internet has changed significantly in the last 15-20 years. Browser and Windows security are so much better than they used to be, so as long as you’re practicing safe browsing habits, you probably aren’t going to get your computer hijacked in a ransomware scheme. There are still people out there trying to grab the low hanging fruit, but the trees have gotten taller, so unless you’re opening every link from a porn bot, you’ll probably be fine. The latest exploits, the ones for vulnerabilities the vendor hasn’t patched yet, are called zero-days. These get saved for targeted attacks with a bigger payout than spreading chum and hoping someone bites. The online threat landscape is changing in the year of AI advancement, so it may be a good idea to get virus protection eventually.
Antivirus
You can usually keep quite safe with some common sense, Windows Defender and using Malwarebytes free version to scan your computer occasionally.
If you feel better knowing you have real-time virus protection or aren’t comfortable with technology, feel free to get virus protection. Recommendations:
- Bitdefender
- Kaspersky (non-US users)
PC Security Channel has some videos that stress test these programs:
- Kaspersky vs Bitdefender Test vs 2000 Malware
- Best Antivirus vs Unknown Ransomware II
Keeping Your Devices Malware Free
- Keep Windows up to date
- Keep your browser up to date
- Use Windows Defender
- Do the occasional scan with the free version of Malwarebytes
- Use uBlock Origin or another adblocker
Internet Browsing
Don’t click on links sent in emails or texts that are sent unsolicited. AI has made phishing attempts more sophisticated, so adopt a zero trust policy. Don’t trust links in emails that look like they’re from an official source either. Go straight to the website that was supposed to have sent that email and check your messages or account notifications. Also, don’t click the porn and gambling links DMed to you on Twitter.
If you really feel that you may need to click the link in the email, you can also have the links verified here:
Another thing to avoid is clicking the “Ad” links at the top of search results. Sponsored results are bought, not vetted, so one can be a phishing site or a fake download page that hasn’t been removed yet; scroll past them to the real result or type the address yourself.
Downloading and Installing Files
Have file extensions turned on (Windows hides known extensions by default) so you know exactly what type of file you’re opening. It’s not super common, but a malicious file could be named “notAVirus.pdf.exe”, posing as a PDF when it’s actually an executable. I’ve also encountered “notAPiratedMovie.exe” before as well.
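As an added example (mine, not from the post), here is a small Python checker for the naming tricks above. It goes one step beyond the double-extension case: a file name can also contain the Unicode right-to-left override character, which makes everything after it display backwards, so a real `invoice<RLO>fdp.exe` shows up in a file browser as `invoiceexe.pdf`. The extension lists and the sample file names are constructed for the demo, and the function judges the name only; it says nothing about what the file actually contains.

```python
import os

EXECUTABLE_TYPES = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".ps1", ".vbs", ".js", ".jse",
                    ".wsf", ".msi", ".hta", ".lnk"}
DOCUMENT_LOOKING = {".pdf", ".txt", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".jpeg", ".png",
                    ".mp3", ".mp4", ".mkv", ".avi"}
RLO = "\u202e"   # Unicode RIGHT-TO-LEFT OVERRIDE: everything after it is displayed reversed


def displayed_name(name: str) -> str:
    """Roughly what a file browser shows for a name containing the override character."""
    if RLO not in name:
        return name
    head, tail = name.split(RLO, 1)
    return head + tail[::-1]


def check_filename(name: str) -> list:
    """Return a list of reasons a downloaded file name is suspicious (empty list = nothing found).
    Hypothetical helper for illustration; it judges the name only, not the file's contents."""
    reasons = []
    if RLO in name:
        reasons.append(
            f"right-to-left override: shows as '{displayed_name(name)}' "
            f"but is really '{name.replace(RLO, '')}'"
        )
    plain = name.replace(RLO, "")
    stem, ext = os.path.splitext(plain)
    ext = ext.lower()
    inner_ext = os.path.splitext(stem)[1].lower()   # the extension hiding before the real one
    if ext in EXECUTABLE_TYPES:
        reasons.append(f"real type is {ext}, which runs code when opened")
        if inner_ext in DOCUMENT_LOOKING:
            reasons.append(f"double extension: {inner_ext} before {ext} is there to look like a document")
    return reasons


if __name__ == "__main__":
    # Constructed sample names, including the two from the post.
    for sample in ("report.pdf", "notAVirus.pdf.exe", "notAPiratedMovie.exe", "invoice\u202efdp.exe"):
        print(repr(displayed_name(sample)), "->", check_filename(sample) or "looks fine")
```

The override case is the reason “just look at the extension” is not quite enough: with extensions shown, `notAVirus.pdf.exe` is obvious, but the reversed name still reads as a PDF until you inspect the file’s properties or type.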
Avoid installing pirated software, operating systems and PC games. This is a practical tip, not a moral point. I’m a huge believer in media piracy as a way for consumers to take power back in an increasingly anti-consumer landscape. Movies, TV shows and music are typically pretty safe to pirate, especially if you stick to more popular uploads and check the comments. Installing pirated software is a whole different ballgame though. It’s far easier to hide something malicious inside of software that you willingly install. You can never know the uploader’s intentions.
Often there’s some sort of key generator or crack to get past DRM as well. Because of how they work (patching other programs’ files), cracks and key generators usually trigger detections from Windows Defender or any third-party antivirus even when they’re harmless, so you never truly know whether one is malicious or not. Your best bet is to stick to software that’s free, reasonably priced and/or open source. Luckily, there’s enough software in that category nowadays that software piracy isn’t really needed anymore. The same goes for games: there are enough sales that you can find games very cheap, and if you hate platforms like Steam that function as DRM, you can always use GOG.
It’s a good choice to avoid software from less reputable or sketchy sources too. Game mods have been known to have malicious software packaged inside of them recently. So stick to the popular and well reviewed mods, and avoid mods that don’t have high download numbers and a good reputation. Same goes for browser extensions, though, it’s more likely that they have glaring security issues instead of being straight up malicious.
Surface Area
You also want to reduce your attack surface. This means installing only the software and browser extensions you actually need. The less software you run, the fewer places an exploit or a breach of some vendor’s servers can be used against your computer.
Conclusion
I’ve been following these practices for years before I did any kind of dedicated research on avoiding malware and like I said in the beginning, I’ve managed to avoid getting hacked for the most part. AI has empowered fraud and it’s going to get worse, so it’s going to be even more important to follow these practices in the coming years. The security rabbit hole is endless and the “what ifs” can be scary, but I think this guide outlines reasonable precautions the average user can take to keep their accounts safe on the internet. Nothing is perfect and you can’t account for everything, but if you make a dedicated effort towards your account security, you’ll be miles ahead of most people.