How do I keep my account safe and secure?
Keeping your accounts safe and secure is an important part of being online, and two simple tools, a Password Manager and Two Factor Authentication, go most of the way toward doing it.
Password Manager
To stop you re-using the same passwords over and over, a Password Manager keeps all of your saved passwords in a store protected by a single Master Password. That Master Password is the key that encrypts the passwords for all of your other accounts, which should be randomly generated, long, and secure. There are many Password Managers available, including one likely already built into your device such as the iCloud Keychain; other popular examples include 1Password, LastPass, and Dashlane.
As such, it's really important that your Master Password be secure. Here are a few recommendations:
Avoid using any personally identifiable information. Here's a list of some of the things that hackers will try when attacking your password (there are scripts which automate this, including the information gathering). This list isn't exhaustive, but it should give you an idea of the kind of things hackers are looking at.
Birthday digits (month, day, year)
Social Security Numbers (especially the last 4)
Anniversary dates for anything
Year you graduated
Pet names
Any of the above for family members or significant others
The best passwords are really long. Using whole words or even sentences is a great strategy: it helps you remember the password while making it really tough to brute-force. For example, a solid password might be:
SomeBODY 0nce told me the Pa$$word is g0nna roll me!
Notice how this example still uses symbols, numbers, and a mixture of upper/lowercase letters to make the password more secure? Like almost everything, there's an xkcd comic for this.
The best practices for then saving a site-specific password are pretty simple:
NEVER use the same password for different websites or logins
Always let the password manager generate a password. If your password manager is storing a human-readable or human-created password, then it's not very secure.
Ideally, this password would be the maximum length that the website allows, such as 64+ characters
This is what we recommend if you're using a password to log in to Nodecraft.com: use a password manager with a randomly generated password of sufficient length. We support passwords up to 128 characters long, with no other limitations.
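The two pieces of advice above, keep personal details out of the Master Password and let the manager generate every site password, can both be checked in code. The following is an added example written for this page, not Nodecraft's code or any password manager's: it undoes common "leet" substitutions before looking for the kinds of personal facts listed earlier (pet names, birthday digit orderings), generates a site password from the operating system's CSPRNG capped at the site's maximum length, and reports the entropy a truly random password of that length has. The alphabet, the leet table, the 3-character minimum for a fact and all sample facts are assumptions made for the example.

```python
import math
import re
import secrets
import string
from typing import Iterable, List, Optional, Set

# Character classes a generated site password draws from (assumed alphabet).
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS

# Common "leet" substitutions (assumed table), undone before looking for
# personal data so that "Pa$$word" and "R3x" are compared as "password"/"rex".
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def _squash(text: str) -> str:
    """Lowercase and keep only [a-z0-9] so spacing or punctuation can't hide a match."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def date_fragments(year: int, month: int, day: int) -> Set[str]:
    """Digit orderings people typically type for a birthday or anniversary."""
    yyyy, yy = f"{year:04d}", f"{year % 100:02d}"
    mm, dd = f"{month:02d}", f"{day:02d}"
    return {yyyy, mm + dd, dd + mm, mm + dd + yyyy, dd + mm + yyyy,
            mm + dd + yy, dd + mm + yy, yyyy + mm + dd}


def personal_info_hits(password: str, facts: Iterable[str]) -> List[str]:
    """Return the personal facts (pet names, dates, ...) found inside password.

    Facts are matched case-insensitively, with punctuation stripped, and with
    leet substitutions undone. Facts under 3 characters are skipped because
    they would match almost anything.
    """
    raw = _squash(password)
    leet = _squash(password.lower().translate(_LEET))
    hits = []
    for fact in facts:
        needle = _squash(fact)
        if len(needle) >= 3 and (needle in raw or needle in leet):
            hits.append(fact)
    return sorted(hits)


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a password drawn uniformly at random: length * log2(alphabet).

    Only meaningful for generated passwords; a human-chosen passphrase is far
    less random than its length suggests, which is exactly why the manager
    should generate every site password.
    """
    return length * math.log2(alphabet_size)


def generate_password(length: int = 64, site_max: Optional[int] = None) -> str:
    """Random site password from the OS CSPRNG, capped at what the site allows.

    Rejection sampling (retry until all four classes appear) keeps every
    accepted password equally likely, unlike forcing one character of each
    class into fixed positions.
    """
    if site_max is not None:
        length = min(length, site_max)
    if length < 4:
        raise ValueError("need at least 4 characters to cover every class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate)
               for cls in (LOWER, UPPER, DIGITS, SYMBOLS)):
            return candidate


if __name__ == "__main__":
    # Constructed facts for the demo, not real data.
    facts = {"rex", "smith"} | date_fragments(1990, 4, 12)
    print(personal_info_hits("R3x0412!", facts))   # both the pet name and the birthday leak through
    print(generate_password(64, site_max=128))    # 64 random characters, the page's recommended length
    print(round(entropy_bits(64)))                # roughly 410 bits for this 85-symbol alphabet
```

The personal-info check is deliberately forgiving (it strips punctuation and undoes leet spelling) because that is what the automated guessing the page mentions does; a password that passes it is not thereby strong, it has merely avoided one well-known weakness. The generator takes `site_max` so that the length can be driven by what the site accepts, e.g. 128 for Nodecraft.com.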
Two Factor Authentication
This security strategy is extremely useful because it combines something you know, like a password, with something you physically have, like your phone. This way, if your password is compromised in a third-party data leak, a hacker still needs access to that second factor before they can get into any of your accounts. There are many different types of 2FA strategies; we'll cover a few of the most prevalent examples below:
SMS (Phone) - INSECURE
This is the most common type of 2FA, and most people have already used it with their bank, online shopping, or other services. The design behind it is really simple: you have your phone, and no one else should be able to read your texts. Unfortunately that assumption is flawed, as it's really easy for someone to trick your mobile phone carrier into handing your number over to an attacker, and this has been seen countless times. If you use an online VoIP service like Google Voice it can be a little more secure, but this strategy should be avoided unless no other 2FA options are offered.
Time-based One Time Password (TOTP) - SECURE
This strategy is becoming a lot more popular and is typically offered as an alternative to SMS based 2FA. When used with a mobile app like Google Authenticator or Authy it makes your phone a more secure second form of verification.
Rather than having a code sent to your phone, it generates a new code every so often that both your phone and the service you are securing know (it's a little more nuanced than this, but that covers the basics). These codes do not require internet or phone service to use, as they are generated cryptographically from the current time and a secret that both sides hold. The only drawback is that you have to transfer them if you buy a new phone or lose your old one. Apps like Authy simplify this by storing your codes with an online backup.
Hardware Based Authentication - MOST SECURE
Rather than depend on your phone, its service, or the apps installed, this strategy relies on you simply keeping this device on you, like a set of digital keys. You'll need your car keys, house key, and office key to get to work, so why not have a security key as well? These work by simply plugging into a USB port on your workstation and pressing the key to generate a code.
For example, with a popular hardware-based authenticator known as a YubiKey, it'll look something like this:
abcdefghijklvntefhvdtnlhekbcghirrgkhbrhenveg
This might look like gibberish to you, but that's because you're most likely not a computer. The service you're securing and your security hardware both know how to verify these codes based on time and the unique signature of your YubiKey. The first 12 characters of the code identify your particular key, which is why subsequent codes can look similar.
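The shape of that code can be checked by a service even though only the validation server can verify it. The following is an added example for this page, not Yubico's or Nodecraft's code: a YubiKey OTP is 44 characters of "modhex", an alphabet of 16 letters chosen to land on the same keys across keyboard layouts, where the first 12 characters are the key's public identity and the remaining 32 encode 16 bytes encrypted under a secret held only by the key and its validation server. The example decodes modhex, splits the two parts, and shows the check a service should make: that the OTP came from the specific key the user enrolled, not merely from some valid YubiKey. The two sample OTPs are constructed strings with a made-up public ID; the page's own sample is illustrative rather than valid modhex, so it is not used here.

```python
from typing import Tuple

# Yubico "modhex": 16 symbols that sit on the same physical keys across most
# keyboard layouts, so the key can "type" a code anywhere.
MODHEX = "cbdefghijklnrtuv"
_TO_NIBBLE = {ch: i for i, ch in enumerate(MODHEX)}
OTP_LEN = 44          # 12-char public ID + 32-char encrypted token
PUBLIC_ID_LEN = 12

# Constructed sample OTPs (not from a real key): same public ID, different tokens.
OTP_A = "ccccccbcgujh" + "dvurfhvdgthefnvvjehgkbkcfrrtbvgu"
OTP_B = "ccccccbcgujh" + "hjtgrfvlnkcubdefghijklnrtuvcbdef"


def modhex_decode(text: str) -> bytes:
    """Decode a modhex string to bytes; raises ValueError on bad symbols."""
    if len(text) % 2 or any(ch not in _TO_NIBBLE for ch in text):
        raise ValueError("not a modhex string")
    pairs = zip(text[0::2], text[1::2])
    return bytes((_TO_NIBBLE[hi] << 4) | _TO_NIBBLE[lo] for hi, lo in pairs)


def modhex_encode(data: bytes) -> str:
    """Inverse of modhex_decode."""
    return "".join(MODHEX[b >> 4] + MODHEX[b & 0x0F] for b in data)


def is_plausible_otp(otp: str) -> bool:
    """Cheap shape check a service can run before asking the validator."""
    otp = otp.strip().lower()
    return len(otp) == OTP_LEN and all(ch in _TO_NIBBLE for ch in otp)


def split_otp(otp: str) -> Tuple[str, str]:
    """Return (public_id, token).

    Only the public ID is meaningful to the service itself; the token is
    16 encrypted bytes that only a validation server holding the key's
    AES secret can decrypt and check.
    """
    if not is_plausible_otp(otp):
        raise ValueError("malformed YubiKey OTP")
    otp = otp.strip().lower()
    return otp[:PUBLIC_ID_LEN], otp[PUBLIC_ID_LEN:]


def belongs_to_registered_key(otp: str, registered_public_id: str) -> bool:
    """Binding check: the OTP must come from the key this user enrolled."""
    return split_otp(otp)[0] == registered_public_id.strip().lower()


if __name__ == "__main__":
    public_id, token = split_otp(OTP_A)
    print("public ID:", public_id)                       # same prefix on every press
    print("token bytes:", modhex_decode(token).hex())    # opaque without the key's secret
    print("same key as OTP_B:", belongs_to_registered_key(OTP_B, public_id))
```

The public-ID binding is the step that is easy to forget: a validator only answers "this OTP is genuine", so without comparing the prefix to the one stored at enrolment, any YubiKey in the world would satisfy the second factor.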
We highly recommend that you enable 2FA on your Nodecraft.com account via your profile -> two factor auth settings. We currently only support TOTP 2FA, but support for Hardware Based keys is coming in the future.