How do you secure your online identity?

What methods of online authentication do you use?

  • TOTP stored on a single device (eg. MS/Google Authenticator)
  • Third-party Sign in with OAuth (eg. Sign In to third party site with Google/Facebook)
  • Out of band password via SMS
  • Passkeys on a hardware device (eg. Yubikey)
  • Passkeys with a third party (eg. Google account)
  • Passkeys stored on a single device
  • All of the above

  Total voters: 7

Samson (Deity; joined Oct 24, 2003; 19,496 messages; Cambridge)
Our online identity is a vital part of our lives, and proving who we are to online services is a crucial part of this, and it is a hard problem.

We are all used to using a username and password to access a site, but it is a bad way to do it. We have found out recently about the problems that can lead to. There are lots of options, which do you use?

I quite rate KeePassXC, which does a lot of these methods in an open source program that is available on many platforms.

I have listed a load of options and variants in the poll, select all those you use. Here are my thoughts on them:
  • Username/password in your head
    • Even if you can think of one that is hard to guess, it basically means you need to reuse them. That is about the worst option, and I think we should do all we can to reduce its use.
  • Username/password written down
    • I do not think this is too bad, I am sure it is better than reusing them and I think better than storing it unencrypted on your computer and phone. Still not great though.
  • Username/password on password manager on multiple devices or removable media
    • This is the recommended way, but it seems to me it is no easier than doing it properly and using encryption like passkeys in KeePassXC.
  • Username/password provided by site
    • From a server's point of view this is the solution to people using weak passwords and reusing them, but from the user's point of view it is again not really easier than KeePassXC.
  • TOTP stored on a single device (eg. MS/Google Authenticator)
    • I am not at all convinced by the value of these tools. They are vulnerable to losing your phone without a great increase in security over passwords.
  • TOTP stored on multiple devices or removable media
    • This is at least a definite improvement over passwords, and it does not have the system requirements of passkeys.
  • Third-party Sign in with OAuth
    • I do not like giving big tech that power over my online life.
  • Out of band password via SMS
    • I really hate these, especially when banks use them. SMSes are about the most insecure method of digital communication, and are hard to improve because of legacy limitations. I do not get how they are so popular.
  • Out of band password via email
    • This is better, but it clearly should be combined with PGP and only pushes the problem one level up (which is fine for most servers).
  • Passkeys on a hardware device (eg. Yubikey)
    • This is clearly the most secure, but has the inevitable problem of losing the device, so it cannot be one's top level authentication.
  • Passkeys stored with a third party
    • Again this seems to be giving big tech so much power over my life.
  • Passkeys stored on multiple devices or removable media
    • I think this is the best general purpose answer. The main problem with it is tech adoption, as in I cannot register for any site I know with a passkey, and OS/browser/keystore integration is not where it should be.
 
Wouldn’t you like to know?

I write all my passwords down in Japanese, translate them back to English, run them through an Enigma machine for which only I know the correct plugboard and rotor configurations, then sew that into the inseam of my pants in braille. I do this for every site, so I can only join as many sites as I own pants.
 
Username/password in your head
  • Even if you can think of one that is hard to guess, it basically means you need to reuse them. That is about the worst option, and I think we should do all we can to reduce its use.

Even on a gaming board like this ? There is no valuable data to mine from my account here - other online IDs are obviously better protected, I wouldn't/couldn't use the same password I use here at work for example...
 
For lower usage sites, I just go to forgot password every time i need to log in
 
Even on a gaming board like this ? There is no valuable data to mine from my account here - other online IDs are obviously better protected, I wouldn't/couldn't use the same password I use here at work for example...
It is the problem that the password database getting compromised gives up your identity on all sites you use that password. Sure, you only lose your identity on those sites, which is not the same as your work getting compromised. It may not be all that bad, but I think it is still about the worst option. It is both difficult and insecure.
For lower usage sites, I just go to forgot password every time i need to log in
This is effectively using Out of Band Authentication via email. Then it is a question of how do you secure your email?
 
My real name is Gori the Gray, but I tell people it's Gori the Grey.

That way, they think I'm British and enter "theatre," rather than "theater," as the password.

Oops, I think I might have slipped up there.
 
I decided I had better practise what I preach, and set up authentication here. It is quite easy with KeePassXC, I can set up passkeys for my primary browser, TOTP for a backup and backup codes for a final backup. All stored conveniently and safely. I would encourage anyone who is interested to give it a try.
 
I like sentences as passwords and include numbers, etc.

“Going2market2day4grapes!”
 
I remember multiple complex passwords – usually the ones used to log in the computers I use, I have several different user accounts over those computers and each has a unique password. Some of those computers I use very infrequently, but I don't have much trouble recalling the passwords for them since I've used them over such a long time.

But almost every other password I have for online accounts has slowly made its way into Apple Keychain over time. Not that I'm a fan of this situation, but I'm too lazy to change it now and it's at least more secure than using the one single password like I used to. It will be a significant consideration once I've made the attempt to jump ship from Apple, though.

The best defense is to have as few points of attack as possible. That's not really feasible when you have any sort of online presence now, though.
 
Passwords for important sites like banking and tax? Physically written down using a very different structure than my other passwords.
Passwords for other sites? Chrome password manager or "stay logged in"; evenly split between a randomly generated character string and one from my standard pool.
 
Whatever you are doing, it could be worse. You could just use 1234 like the city government of Seattle and others who got their crosswalk signals hacked.

Hacking US crosswalks to talk like Zuck is as easy as 1234

Crosswalk buttons in various US cities were hijacked over the past week or so to – rather than robotically tell people it's safe to walk or wait – instead emit the AI-spoofed voices of Jeff Bezos, Elon Musk, and Mark Zuckerberg.

The controls are made by Polara, who made the app public. They all have a password, which is set to 1234 by default. If you leave it like that anyone can set it up as they like.

The flaw was on YouTube 8 months ago and they still had not fixed it.

 
This is the biggest problem with passkeys, it relies on a third party, SSL.com in this case, to validate the server. They should have made it symmetrical, so after handshake the server can authenticate itself with the confidence the client can.

Bug hunter tricked SSL.com into issuing cert for Alibaba Cloud domain in 5 steps
10 other certificates 'were mis-issued and have now been revoked'

Certificate issuer SSL.com’s domain validation system had an unfortunate bug that was exploited by miscreants to obtain, without authorization, digital certs for legit websites.

With those certificates in hand, said fraudsters could set up more-convincing malicious copies of those sites for things like credential phishing, or decrypt intercepted HTTPS traffic between those sites and their visitors.

And since learning of that flaw, SSL.com has revoked 11 wrongly issued certificates – one of them for Alibaba.

The hole appears to be as simple as this: As part of the process of verifying that you control a domain name – and thus allow you to obtain a TLS certificate for that domain so that it can (for instance) support encrypted HTTPS connections with visitors – SSL.com gives you the option of creating a _validation-contactemail DNS TXT record for the domain, with the value set to a contact email address.

Once that DNS TXT record is present, and you request a certificate for the domain, SSL.com emails a code and URL to that contact address. You click the link and enter the code, and establish you are a controller of the domain and can get the certificate for your site.

Unfortunately, due to a buggy implementation, SSL.com would also now consider you the owner of the domain used for the contact email. If you put in vulture@example.com, provided you could pick up mail to that address and follow the link, SSL.com would be happy to issue you a certificate for example.com. It doesn't matter what domain you were actually trying to verify ownership of.

Swap example.com for a webmail provider, and suddenly this becomes a bit of a scary situation.
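The validation flow the quoted article describes, modelled as an added example (not SSL.com's code and not part of the original post). The `_validation-contactemail` TXT record name and the email-code step come from the article; the DNS zone data, mailbox ownership and domain names below are constructed stand-ins. The buggy authorization and a corrected one sit side by side so the confused-deputy step is visible: the requester proves control of a mailbox, and the buggy code treats that as control of the mailbox's domain.

```python
# Constructed stand-in for DNS: name -> TXT records.
# The attacker controls bugs.example and publishes their own contact
# address there; nothing is published under webmail.example.
DNS_TXT = {
    "_validation-contactemail.bugs.example": ["attacker@webmail.example"],
}

# Mailboxes the requester can actually read (constructed). A free webmail
# account is enough for the attack the article describes.
CONTROLLED_MAILBOXES = {"attacker@webmail.example"}


def normalize(domain: str) -> str:
    return domain.strip().rstrip(".").lower()


def lookup_contact_email(domain: str):
    recs = DNS_TXT.get("_validation-contactemail." + normalize(domain), [])
    return recs[0].strip().lower() if recs else None


def email_domain(addr: str) -> str:
    return normalize(addr.rsplit("@", 1)[1])


def prove_mailbox(contact: str, controlled: set) -> bool:
    """Stands in for 'SSL.com emails a code and URL, you click and enter it'."""
    return contact in controlled


def dcv_buggy(requested_domain: str, controlled: set) -> set:
    """Modelled bug: after the mailbox proof succeeds, the CA records the
    contact address's domain as validated too, whatever was requested."""
    contact = lookup_contact_email(requested_domain)
    if contact is None or not prove_mailbox(contact, controlled):
        return set()
    # BUG: reading mail at contact@X demonstrates nothing about control of X.
    return {normalize(requested_domain), email_domain(contact)}


def dcv_fixed(requested_domain: str, controlled: set) -> set:
    """Only the domain whose TXT record named the contact is validated."""
    contact = lookup_contact_email(requested_domain)
    if contact is None or not prove_mailbox(contact, controlled):
        return set()
    return {normalize(requested_domain)}


def can_issue(cert_domain: str, validated: set) -> bool:
    """Issuance gate: the certificate's name must be in the validated set."""
    return normalize(cert_domain) in validated


if __name__ == "__main__":
    # Attacker requests validation for their own domain ...
    v = dcv_buggy("bugs.example", CONTROLLED_MAILBOXES)
    # ... and under the buggy logic can then obtain a cert for the webmail provider.
    print("buggy  ->", sorted(v), "issue webmail.example:", can_issue("webmail.example", v))
    v = dcv_fixed("bugs.example", CONTROLLED_MAILBOXES)
    print("fixed  ->", sorted(v), "issue webmail.example:", can_issue("webmail.example", v))
```

The fix is the absence of one line: the set of validated names is derived solely from the name the TXT record was looked up under, never from data found inside the record. The same principle covers any DCV method whose proof material names another domain (CNAME targets, redirect hosts, contact addresses): the proof authorizes the name it was fetched for, not the names it mentions.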
 
Where is the 'all the above' option?

Frankly I am very tired of all this crap. Miss the times when passwords were a thing for James Bond, Gandalf and similar people only.
 
Where is the 'all the above' option?
Had I thought I would have added it. Mods if you wanted to you could? Perhaps make the usernames hidden as well?
 
A hybrid of the first two with some twists of my own, and the occasional use of other options in lower-security situations

(Essentially it's the reminder sheet, except the reminder sheet uses a cypher, and that cypher is stored exclusively in my head - which usually means that before long, the actual password will be in my head too because the cypher doubles as a mnemonic device allowing me to remember a *lot* of distinct passwords. At least, for important passwords. For trivial-risk, trivial-interest accounts, I won't run the risk of exposing my method more than I have to - then either I'll just let my password manager handle it (because if the machine messes up, nothing of value is lost), or absent that use throwaway passwords).

(This is also an approach that's tailored to play to my strengths - long-term memory recall, pattern recognition and symbol-meaning association. Probably wouldn't work as well for someone without my specific skillset.)
 
“All of the above” added to poll.
 
Whatever you are doing, it could be worse. You could just use 1234 like the city government of Seattle and others who got their crosswalk signals hacked.
I find it bizarre even to begin with that they would find it necessary to install something other than a simple beeper with preinstalled tones to let people know it is safe to cross.
 