Multifactor authentication is important.
People who thought they were safe lose their family photos, documents, legal ledgers, and other things all day long, every day, and they are often the ones who then unknowingly fool their friends into the same fate, because hackers send things to their friends from their accounts.
Being entirely safe is not easy. Enabling multifactor authentication is a big step along the way.
What are multifactor authentication (also called 2FA or MFA by some) and passphrase managers, and why should I care?
There is an invisible storm surrounding you right now.
There is a relentless onslaught on all your accounts, your internet router, and home computers that never stops.
Imagine not being able to log on to your computer or your phone, and realizing that you might have lost all your documents for work and that you have to tell your spouse and kids that none of you has any photos at all from your time together. Not to mention that your name and accounts were just used to do the same to your friends, coworkers and boss.
You get hit even as an innocent bystander. Protecting yourself against a targeted attack is really hard, and these two steps are not enough for that. Taking the first step to mitigating the risk as a bystander really makes a huge difference for you personally, though. Don’t wait! Every second counts!
Using the same password in multiple places is also dangerous. If they get in anywhere, they know the combination that says you are you, so it’s EASY to try it on every website that exists and make a list of all the places where it works.
Multifactor authentication is just a fancy word for something you know and something you have. That matters because if you only use something anyone can type or send to prove you are you, others can do the same, which means someone on the other side of the globe can pretend to be you. It’s next to free to try to get this information from accounts. There is also a big market selling this information, and with ransomware gangs usually making millions of dollars on a success, there is great incentive to try. The ONLY way to protect yourself from someone trying to pretend to be you is by adding another factor. My recommendation is an app on your phone that proves you physically have the phone, combined with what you know. Some tools pretend that sending a text is multifactor, but in this case it’s not: fraud happens all day long, with the phone provider being fooled into sending a SIM card that the fraudster uses to impersonate you.
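What an authenticator app actually computes, as an added example that is not part of the original post: a minimal RFC 6238 TOTP generator (the phone side) and verifier (the service side) in Python. The phone and the service share a secret once, when you scan the QR code; after that each code is derived from that secret plus the current time, so nothing that could be intercepted in a text message is ever sent to the phone. The secret below is the published RFC test key, constructed for the demo and not a real credential.

```python
import hashlib
import hmac
import struct

# Constructed demo secret: the RFC 4226/6238 test key, not a real credential.
DEMO_SECRET = b"12345678901234567890"
STEP = 30      # seconds per code, the usual authenticator-app setting
DIGITS = 6

def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, then dynamic truncation."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP, the phone side. The counter is the Unix time divided
    into 30-second steps, so the code changes on its own without any
    message being sent to the phone."""
    return hotp(secret, at // step)

def verify(secret: bytes, code: str, at: int, last_counter: int = -1,
           skew: int = 1, step: int = STEP):
    """The service side. Accepts the current step or one step either way
    for clock drift, compares in constant time, and refuses any counter
    already consumed (replay). Returns the accepted counter, or None."""
    now = at // step
    for counter in range(now - skew, now + skew + 1):
        if counter <= last_counter:
            continue                      # already used once: reject replay
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter                # caller must persist this value
    return None

if __name__ == "__main__":
    import time
    now = int(time.time())
    code = totp(DEMO_SECRET, now)
    print("current code:", code, "accepted counter:",
          verify(DEMO_SECRET, code, now))
```

The service stores the returned counter per account so the same six digits cannot be accepted twice, which is the difference between a one-time code and a password that merely changes.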
I wholeheartedly recommend YubiKey but since that requires you to buy and get delivered something this guide won’t cover them.
Just reading this article won’t save you. So let’s get to the action, with a plan to get you safer.
Day 1
To do right now: commit to this being important. Not just for you; you also don’t want to be a gateway for those hurting your family, kids, parents, company, coworkers.
The coming week: make a note whenever you use a tool.
Note down what you use on a list. Websites you log on to. Banks. Apps. Anything.
At the end, we want a list of the services you use and the email addresses you use to log on to them.
Don’t bother with the account data when making the list if it slows you down. Make the list; we can add the account data later.
Just make the list.
Include the user ID for updating your own internet router, or anything you think of that’s using an app, a web browser, or your physical snail-mail box.
Day 7
1) Sort the list by what would hurt you the most if someone stole what you keep there, or used it to send something malicious to a friend. Choose the top one on the list. Yes, just one is enough for your first step into this.
Imagine handing the keys to that place to someone you will never find.
2) Install a passphrase manager on your phone (no, the one built into your web browser is not safe).
This is an app that helps you ensure you don’t have the same passphrase in multiple places.
It is critical that you keep the passphrase of that app safe, because if someone gets that they get everything. While that’s a risk, protecting one app is easier than protecting every website you use and don’t control.
I use LastPass; I also like that they have a family option unlocking passphrases for your loved ones automatically if you don’t log on in 60 days or something like that. I’ve also heard great things about Bitwarden and NordPass. All of them have free options.
It matters that you have one, but which one is less important. Beware though, there are a lot of scams out there, so if unsure use the links in this text to get there.
3) Back up your auth code and the data proving this is your account and your app.
If you lose your phone, or this app, or this data, you are in deep trouble. If it’s easy and convenient for you, it’s easy and convenient for the attacker. Take the time to think about where you want to store this, and in a way that you will find even if you lose your phone. Meaning a screenshot of the app is not enough, for example.
Going forward you will NEED this app to use your other services. Don’t lose this app or its passphrase.
No one can help you without this. It’s critical. Don’t save it just on your computer.
Printing it out and keeping it in a second place is recommended.
Do NOT label it with what it is, though, in case of a burglary.
4) Now install the passphrase manager on your computer.
Typically it is an extension in your web browser.
(Why the phone first? Phones are usually less infected.)
5) Install a multifactor authentication app on your phone.
I use these, depending on the service. I prefer to use the app that’s associated with the service:
LastPass Authenticator
Microsoft Authenticator
Google Authenticator for Android or Apple
(remember your Apple ID on your iOS device if you use Apple)
Like above, back up your auth code and the data proving this is your account.
6) Set multifactor auth for your passphrase manager app.
I use LastPass Auth, but use what works for you.
LastPass supports LastPass, Google Auth, Microsoft Auth and others.
Bitwarden supports Microsoft Auth and Authy.
This step is important. Your passphrase manager is critical for you now, so protect it.
7) Test it a few times. Close the app on your phone and log on again until you feel safe in how it works.
Play with the settings for when it shall auto-lock, and the delay before doing so.
8) Test it a few times in your web browser/computer.
Log off and on a few times so you learn how the passphrase manager works for your website, and so you learn to trust it and how it works and doesn’t.
Day 8
1) Go to the first item on your list, on your computer.
Log in and verify that you have all the “recovery options” set, so that the primary or secondary email is correct, etc.
Change the passphrase to something unique using the passphrase manager’s recommendation.
From now on you need the passphrase manager to log in, which is less convenient than typing something easy, yet it powerfully protects you from the terrible pain of getting hacked via this website.
2) Log off and on a few times so you learn how the passphrase manager works for your website, and so you learn to trust it and how it works and doesn’t.
Breathe. Now you’ve got through it.
Use it just for this one website for a while, until you feel secure in how it works.
Then add the next top item on the list to your passphrase manager, after verifying recovery options and resetting the passphrase. Then just continue marking off your list until you feel safer.
Now put a reminder in your calendar for when you will secure your second most critical account.
Remember that it’s important that you:
First verify the recovery emails, phone numbers, whatever they are, so they are current (AND protected using this thing you’re setting up; if not, add them to the to-do list)
Change the passphrase to something unique
Store it in the passphrase manager
Enable multifactor auth for that account
To do:
* Disable remembering passphrases in your web browser. Click “clear” or “remove” on them.
If you have ever used multiple browsers, open them too and ensure nothing is saved there either.
I also recommend you log on to your internet router and
1) Update its firmware, now and often
2) Verify that remote management is disabled
Sidenote: others are testing you over the internet relentlessly. If you want to do a small check yourself, try this:
Check your IP by visiting, for example, nordvpn.com/what-is-my-ip
Paste your IP into the search field at shodan.io and see what they say about your status.
Ask a friend if what you see doesn’t make sense. Make a note if it changes.
A note on restorability and backup. Do you know what your backups are for?
Don’t trust OneDrive and such to protect you against ransomware. They are great, but for other things.
Invest in tools like Carbonite.
Some links on storage & encryption
NextCloud + help with operations
The relentless onslaught is from scary smart people. They are NOT stupid.
NAS/Backup tools currently known to be hacked
Asus Storage recently
Play this for your youngster in the family and your coworkers
2021-01-22, 2min
https://twitter.com/racheltobac/status/1352409636792492035
or YouTube - is this the org?