Uff da.

What else can you say after you read this fellow’s account of what happens after his phone number is stolen? The domino effect it causes as he loses control of his online communication, social media, and bank accounts is both incredible and yet completely plausible for many people. I recently used a similar technique (Chrome sync’d passwords) to bypass my brother’s password manager. As I read the comments, these were my thoughts about how I keep my passwords and my second factor codes under physical control. It’s advice I give to lawyers a couple of times a year.

The TL;DR is: aim for an environment where you have to have physical control of the password manager and 2FA apps to be able to use them.

It’s really that simple.

Password Manager

One reason I don’t use an online password manager is that anyone with internet access to that site has potentially the same access that I do. If, for example, your online password manager is hacked, your passwords may be accessed by people other than you.

Saving them in your browser doesn’t seem much smarter to me. While I am a heavy user of the Firefox Sync feature, I don’t sync passwords. The sync is a great productivity tool if you want to continue a research window on multiple devices. But it’s a lousy way to save secure information.

This is what my Firefox sync looks like (it’s under Settings > Sync):

[Screenshot: Firefox synchronization settings. Do not sync Logins.]

and, although I’m moving away from Google Chrome as much as possible, I have that sync configured as well.

[Screenshot: Google Chrome settings page for synchronization]

If you have privacy concerns, then I’d avoid synchronizing history and so on. But as I say, it’s useful for me to be able to get back to my browser history if I’ve forgotten to save my research in OneNote.

My password manager is KeePass for Windows because:

  • it’s free
  • it’s open source
  • it is an app that resides on my device, and so does the password file. I can move that password file to any device.

The password manager helps me have unique, strong passwords for each site. When a kid asks me to use my PayPal account, I don’t give them the password. I type in my password from my password manager on their PC – and don’t save the credentials – each time. No password sharing.

You need to get access to that password file to access my passwords. There is no perfection in security. But I feel more confident knowing that someone would need to access my device or online backup (yes, it could possibly be done remotely) to access that file.

I use KeePass2Android on my phone and tablet because it can read KeePass password files. Synchronization of files would help, but I try to avoid it by:

  • changing passwords on my Windows PC and saving them to the password file
  • transferring that file to each device from my Windows PC

All security involves balancing convenience. I keep a backup of my password file in an online storage service, secured by a password and two factor authentication. It’s a risk but, for me, having a backup of the file makes me sleep better.

Two Factor Authentication

One lesson that is perhaps easier for me to take on is the no-texting rule for your second factor. I don’t text much anyway and am not a fan of sites that send me two factor authentication codes by text.

On sites like TwoFactorAuth, you can see which services support something other than text or email. I think those services are immediately preferable over those using SMS. And don’t get me started on the ones using security questions, which are not 2FA in any event.

I’ve posted before about Duo Mobile, the two factor authentication app I use, which was easy enough for my mum to take to after someone tried to access her online social media account. It’s not better than Google Authenticator, but I decided to switch because of Duo’s support for WordPress, which is what this site runs on. I was tired of having unknown people knocking at my blog’s administration page and knew 2FA was part of the answer.

Some of the commenters to the original article were extolling the virtues of one authentication app over another. I think if you’re using Duo, or Google’s, or Microsoft’s, that’s good enough. Whatever bells and whistles the others offer are just extra noise on what is essentially just a secure app for generating time-based codes.

But the app lives on my phone. Nothing texted for my primary accounts. Many sites understand the inconvenience of two-factor, so they allow you to remember the device. It means, the next time, you only need the username and password if you’re on that device. In general, I don’t have my accounts remember my computer.

Uncheck the little box that says “Don’t ask again on this computer”. Make it ask again.

Nothing’s perfect. Google 2FA fobs were found to be subject to hijacks because they transmitted information to a device. My phone could break (one reason to consider downloading and saving backup codes) or be lost or stolen. But it gives me some confidence to know that someone would need physical access to my phone to get a code.

I felt terrible for the author of that article. Having just gone through the process of changing all the passwords for my brother’s accounts that had been stored in Chrome, I was thankful that none of his accounts had been taken out of his control. When we incorporate tools – SMS, email – that others can remotely control, I think we’re adding an unnecessary level of risk to password management and multi-factor authentication.