How to securely manage online accounts

Managing online accounts is burdensome in today's digital age. Online accounts never cease to increase in number. Each account requires keeping a ledger of username/password credentials, as well as security questions and answers. I felt hopeless in maintaining a grip over such IT challenges, so I decided to take a stand to better it. Below are my pain points, strategies, and solutions exercised in bettering the management of my online accounts as well as securing them, in hopes that you do so as well.

Pain Points

  • Services get hacked all the time

The accumulation of accounts over the years made maintaining and remembering them difficult. To better maintain an account you ought to regularly change its password. Why? Because there's a fair chance the service has been hacked, or that another service you use with the exact same password has. In checking Have I Been Pwned?, I discovered 11 of my accounts were breached at some point.

Screenshot of Have I Been Pwned listing my data breaches.

  • Security questions are insecure

At times when signing up to a service, you're tasked with answering various security questions as a means to identify you later on. While these questions' answers may be intimate to you as well as a few people close to you, it's wise to never give accurate answers. The reason is that these answers are often not stored as securely as passwords are. These questions are also often reused across different sites, making one breach a free-for-all for the rest. Krebs on Security has an archive of articles pointing out why it's a bad idea to use security questions.

5,000+ people answered this common password reset question on Facebook.

  • Notebook logging credentials is inefficient

"I can log random passwords & security question answers in a notebook to avoid remembering them all." While a good start, this brings problems of its own. In personally doing so I hardly ever updated passwords, which is not good. I also needed to be at home to access my accounts. I found that the harder it is to access an account, the less I used it, which as a result diminishes its utility.

  • SMS one time codes are insecure

Two-factor authentication (2FA) is a security feature that adds an extra layer of protection to your account by requiring two or more pieces of evidence (factors) to sign in. Two factors may include, for example, a password plus the answer to a security question, or a password plus a one-time passcode sent by SMS to your phone.

While opting for SMS passcodes sounds like a better alternative to security questions, it too unfortunately poses problems. It's vulnerable to SIM swapping. SIM swapping is where someone can claim your number by simply going to your service provider and claiming to be you, having lost your phone. Not too long ago, my father lost his phone. In going to T-Mobile to get him a new SIM card, staff did not ID him.

SMS is also vulnerable to hackers who spoof the cellular network into believing your phone is roaming on their equipment, which in turn routes your SMS messages to them. Phone numbers in general weren't made to be a form of identification. Krebs as such goes as far as removing phone numbers entirely from accounts whenever possible.

Solutions

  • Get a password manager

Password managers are 3rd party services that generate, store, & fill in passwords for you. They automatically detect reused passwords, & can also replace old passwords with new ones for you. NordPass, Dashlane, & 1Password have great reviews. I went however with Dashlane, as Ali Abdaal, as well as other YouTubers, recommended it. I've been very happy with it! Signing into my accounts on web & mobile has been an absolute breeze.
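Two of the checks above (is a password reused across accounts, and has it shown up in a breach like those listed on Have I Been Pwned?) are easy to see in code. The following is an added example of my own, not code from Dashlane or any other manager: it generates random passwords from the OS random source, finds passwords shared by more than one account, and performs the Pwned Passwords "k-anonymity" lookup, where only the first 5 hex characters of the password's SHA-1 are sent to the API and the rest is matched locally. The range response is constructed here so the script runs offline; the counts in it are made up, and the function names are my own.

```python
import hashlib
import secrets
import string
from typing import Dict, List, Tuple

# Constructed sample of a Pwned Passwords "range" response. The real API
# (https://api.pwnedpasswords.com/range/<first 5 hex chars of SHA-1>) returns
# one "SUFFIX:COUNT" line per hash sharing that prefix, so the full password
# hash never leaves your machine. Counts here are invented, and only a few of
# the hundreds of real lines for prefix 5BAA6 (SHA-1 of "password") appear.
SAMPLE_RANGE_RESPONSE = """\
0A1B2C3D4E5F60718293A4B5C6D7E8F90A1:4
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
2F5D7E9A0B1C2D3E4F5A6B7C8D9E0F1A2B3:17
"""

ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20) -> str:
    """Random password from the secrets module (CSPRNG), retried until it
    contains at least one letter, one digit and one punctuation character."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.isalpha() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


def hibp_prefix_and_suffix(password: str) -> Tuple[str, str]:
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the API and the 35-char suffix that is matched locally."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, range_response: str) -> int:
    """How many times the password appears in the breach corpus, given the
    range response for its prefix; 0 means the suffix was not in the list."""
    _, suffix = hibp_prefix_and_suffix(password)
    for line in range_response.splitlines():
        if not line.strip():
            continue
        found_suffix, _, count = line.strip().partition(":")
        if found_suffix == suffix:
            return int(count)
    return 0


def find_reused_passwords(vault: Dict[str, str]) -> Dict[str, List[str]]:
    """Map each password used by more than one account to the sorted list of
    accounts sharing it; this is the reuse check a manager runs for you."""
    by_password: Dict[str, List[str]] = {}
    for account, password in vault.items():
        by_password.setdefault(password, []).append(account)
    return {pw: sorted(accts) for pw, accts in by_password.items() if len(accts) > 1}


if __name__ == "__main__":
    # Constructed vault: two accounts share the weak password "password".
    vault = {"bank": "password", "email": "password", "forum": generate_password()}
    print("reused:", find_reused_passwords(vault))
    print("'password' seen in breaches:", breach_count("password", SAMPLE_RANGE_RESPONSE))
```

In real use you would fetch the range for the prefix over HTTPS and pass the body to `breach_count`; the password itself, and even its full hash, never leave the machine.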

  • Get 2FA

When it comes to 2FA, it's preferable to use time-based code-generating applications such as Authy or Google Authenticator instead of SMS & security questions. In doing some online research, I found Authy to be the clear winner:

Screenshot of Authy in action.

First, set up Authy on your phone & link it to your online accounts that support 2FA.

Second, back up your phone's accounts to Authy's desktop version. This is to cover ground should you lose your phone.

Third, to cover ground should you lose access to both phone & desktop, download the recovery codes for your accounts, which act as one-time passwords. Preferably back these codes up to an external hard drive & never use them unless need be, as each one expires once used.
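To show what the authenticator app and the recovery codes from the steps above actually do, here is an added example written by me; it is not Authy's or Google Authenticator's code. The app holds a shared secret (handed over as Base32, usually in a QR code) and derives a 6-digit code from it and the current 30-second time slot per RFC 6238; the verifier accepts one slot either side to tolerate clock drift. The recovery codes are random, stored only as hashes, and removed the first time they are redeemed, which is why a used code stops working. Function names are my own; the secret and times in the demo are the RFC 6238 test values.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Set


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the code changes every `step` seconds."""
    counter = unix_time // step
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def secret_from_base32(b32: str) -> bytes:
    """Decode the Base32 secret an app receives when you scan the enrolment QR code."""
    cleaned = b32.strip().replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)               # restore padding if it was dropped
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, code: str, unix_time: int, window: int = 1) -> bool:
    """Accept the current code or one step either side (clock drift), comparing
    in constant time so the check does not leak which digits matched."""
    for drift in range(-window, window + 1):
        expected = totp(secret, unix_time + drift * 30)
        if hmac.compare_digest(expected, code):
            return True
    return False


def generate_recovery_codes(count: int = 10) -> List[str]:
    """One-time backup codes of the kind you download when enrolling in 2FA."""
    return [f"{secrets.token_hex(4)}-{secrets.token_hex(4)}" for _ in range(count)]


def hash_code(code: str) -> str:
    """Codes are stored hashed; 64 random bits per code is enough that an
    unsalted SHA-256 cannot be brute-forced from the stored value."""
    return hashlib.sha256(code.encode("utf-8")).hexdigest()


def redeem_recovery_code(stored_hashes: Set[str], code: str) -> bool:
    """Consume a recovery code: valid exactly once, then dropped from the store."""
    h = hash_code(code)
    if h in stored_hashes:
        stored_hashes.discard(h)
        return True
    return False


if __name__ == "__main__":
    # RFC 6238 test secret, ASCII "12345678901234567890" in Base32.
    secret = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    print("code at T=59:", totp(secret, 59))          # RFC vector: 287082
    print("code right now:", totp(secret, int(time.time())))
    codes = generate_recovery_codes(3)
    stored = {hash_code(c) for c in codes}
    print("first use:", redeem_recovery_code(stored, codes[0]))   # True
    print("second use:", redeem_recovery_code(stored, codes[0]))  # False
```

The same derivation runs on your phone, on the desktop backup, and on the service's side, which is why the app works without any network connection and why backing the secret up to a second device (step two) is enough to keep generating valid codes.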

  • Use different emails for different accounts

For bonus points, create different email addresses for different important online accounts. It makes your account that much harder to hack into, as your username can't be guessed as easily; also, should one email be compromised, hackers can't easily reset the password on your other accounts. This however requires you to own the domain your email addresses use. See "How to replace Gmail" for more details.

This concludes upping your online account management game. We went through the pain points of passwords, security questions, & SMS. Then we discussed solutions, including the use of password managers & 2FA. If you have comments, or better tactics, let me know and shoot me an email.