Protect your accounts using strong passwords, password managers and 2FA
Passwords
Passwords are your first line of defense against anyone who would like to hack into your accounts. They are what keep your information safe; they enable you to keep control of your data.
But preventing your accounts from being hacked requires passwords that are long, strong, complex, unique and practical; and you need to have a DIFFERENT long, strong, unique and practical password for each account.
Why do we need strong passwords?
The internet stores a lot of data about you. Your credit card information might be tied to your Apple ID or Android Device ID, as well as to your online shopping accounts. Personal photos, including of your family, children, and friends, might be stored on Facebook, on your phone and on the servers of your cloud storage. Your email and messaging app accounts have all your conversations with partners, friends and family, as well as work-related discussions and other information.
Your passwords need to be strong enough so you can keep control of your accounts. Once an account is hacked, an attacker can:
- Access all the information in that account
- Lock you out of that account
- Impersonate you and communicate with, or send phishing emails to, your network
- Try to use this account to gain access to other accounts or use it to try to gain access to your financial information
A good password is the only thing keeping this information from being accessed. In short, it gives you control over your data.
No need to change your strong passwords once they are in place. Changing passwords regularly was a common recommendation until a couple of years ago. It is outdated now: if you follow this list of best practices, there is no need to change your passwords regularly. The reason is that researchers have found that forced regular password changes do more harm than good, because they encourage people to choose weaker passwords. It is better to choose a strong and unique password once than to regularly change one weak password for another.
Resources on creating strong passwords
[Online course] Totem's course about secure passwords (free) - Passwords are your first line of defence online, so it’s really important that these are long and unique. But how can you manage this for all your accounts? The course will guide you through setting up KeePassXC, a password manager that makes creating and storing passwords easier and safer. You’ll also look at Two-Factor Authentication (2FA), for added security. You should end the course with a solid password-management strategy that protects your accounts, without taking up too much of your time (or brain-power!). This course is available in: English, Spanish, French, Arabic, Russian, Farsi
[Guide] Creating strong passwords [by Electronic Frontier Foundation] - This guide is designed for human rights defenders and is available in English, Spanish, French, Arabic, Russian, and other languages.
Password managers
A password manager is a tool that creates and stores passwords for you, so you can use many different passwords on different sites and services without having to memorize them. You only need to remember one master password that allows you to access the encrypted password manager database of all your passwords.
[Video] Animated Overview: Using Password Managers to Stay Safe Online (by EFF) - available in many languages
Password manager: Bitwarden
Bitwarden is a free and open-source password management service that stores sensitive information such as website credentials in an encrypted vault. The Bitwarden platform offers a variety of client applications including a web interface, desktop applications, browser extensions, mobile apps, and a command-line interface. It is a popular password manager option among human rights defenders.
Bitwarden resources:
- [Videos] Getting Started with Bitwarden (English)
- [Guide] How to use Bitwarden to manage passwords on all devices, including phones. Free, open source software.
- [Guide] Get Started with Bitwarden (English)
- [Slide deck] Bitwarden for Beginners (English)
- [Guide] Install and Configure Bitwarden
- [Video] How to send sensitive info (files or text) securely to anyone, using Bitwarden (English)
- [Video] How to set up Bitwarden for your internet browser (English)
- [Guide] Getting started with Bitwarden mobile (English)
How can you trust Bitwarden to protect your passwords?
It's natural to feel a bit conflicted about putting all your important passwords in one place, online. It can feel like a vulnerable thing to do! This is a totally valid concern and a really good instinct. No company can ever guarantee that your information will be protected and accessible in perpetuity. That being said, there are things to keep in mind to mitigate the risks:
- According to their policies, Bitwarden cannot access your data. "Zero knowledge encryption: Bitwarden team members can not see your passwords. Your data remains encrypted end-to-end with your individual email and Master Password. We never store and cannot access your Master Password or your cryptographic keys."
- To further protect your Bitwarden account from hackers trying to break into it, you can use a YubiKey as a second factor for multifactor authentication, which means that in order to access your account, a person trying to break in would also need to get hold of your YubiKey.
- To mitigate the risk of Bitwarden losing your information someday, or of you losing access to it, you can export your data and keep it in a safe place (such as an encrypted folder on a device or in the cloud).
Password manager: KeePassXC
KeePassXC is a free and open-source password manager. It started as a community fork of KeePassX. It is built using Qt5 libraries, making it a multi-platform application which can be run on Linux, Windows, and macOS.
KeePassXC resources:
- [Video] Manage your passwords using KeePassXC (by Justice and Peace Netherlands, English)
- [Guide] How to use KeePassXC (by EFF) - available in English, Spanish, French, Arabic, Russian and other languages.
Two-factor (or multi-factor) authentication (2FA or MFA)
Multi-factor authentication is an electronic authentication method in which a user is granted access to a website or application only after successfully presenting two or more pieces of evidence to an authentication mechanism: knowledge, possession, and inherence. (Source: Wikipedia)
Resources on 2FA
- [Video] What is two-factor authentication?
- [Guide] How to enable 2FA (by EFF) - available in English, Spanish, French, Arabic, Russian and other languages.
Be aware of spear phishing attacks
Phishing happens to everyone, but most people only become aware of it once they have become a victim of an attack. Protecting yourself from phishing attacks starts with identifying an email or message as an attack before you click on the link or download the file. But even if you are careful, a phishing attack can still sometimes be successful. Don’t panic. If you have clicked on a phishing link and given an attacker access to your data, you can still reduce the damage - to yourself as well as to your colleagues, friends, and family.
Resources to avoid spear phishing attacks
- [Video] Very brief phishing overview by Renee McLaughlin
- [Online course] Totem online course on Phishing Attacks - In this course you will learn about phishing attacks: what they are, what they are used for, how you can identify them, and what you can do if you have been phished. Available in English, Spanish, French, Russian, Arabic, and Farsi.
- [Guide] How to avoid a phishing attack (by EFF) - This guide will help you to identify phishing attacks when you see them and outline some practical ways to help defend against them. Available in English, Spanish, French, Arabic, Russian, and other languages.
- [Toolkit] GCA Cyber Toolkit - The tools included in this toolbox aim to help prevent these types of attacks. Included are: DNS security (DNS, or Domain Name System, is the method by which you are able to navigate the internet) to help prevent you from going to infected websites; anti-virus software to help prevent viruses and other malicious software from getting into your systems; and ad blockers which, together with correct filter lists, help prevent malicious activity and access to malicious websites while browsing the Internet.
- [Training quiz] Google Phishing Quiz - Can you spot when you’re being phished? Identifying phishing can be harder than you think. Phishing is an attempt to trick you into giving up your personal information by pretending to be someone you know. Can you tell what's fake?
- [Guide] How to reveal full URLs