🔒 Online security 101!

I’ve been living on (and off) the internet since 56k modems, Netscape, IRC, … and I’ve been creating accounts for various websites ever since. Most (if not all) of my passwords were written down on a piece of paper or, later, in a small notebook. I felt that my passwords were SUPER important, that I should never lose them, and I took care of them properly! At the time most people only had to keep track of their ISP, mail and forum account credentials…

Today we use a multitude of services and they feel more critical than ever before. Strangely though, we don’t put a lot of effort into securing them. With the rise of social media the general public got a lot more involved in everything that was happening on the internet. People started creating more accounts online and, because people are lazy, they started reusing the same password for several websites. Despite all password policies, a website can’t stop you from reusing a password from another website. You might have come up with an easy-to-remember, complex and long password, but if you’re using that same password everywhere your online security is at risk. Imagine you register on a small website with the same password you use on all other websites and that website gets hacked: all your other accounts are affected too!

If you go to haveibeenpwned.com you can check which of your accounts have been compromised, and you should update those passwords immediately! As in, NOW!

Best practices for securing online accounts

I’ll be giving some simple, basic tips on how to sharpen your online security like a Japanese damascus steel knife! There’s more to tell about securely enjoying what the internet has to offer, but the next tips are a very solid basis.

1. Use a separate email address for every account you create.

This is something few people know, but you can create an alias for every email address you have. It’s called sub-addressing or plus addressing. The best part is that you don’t have to configure anything at your mail provider.

stanny+somedomain@nuytkens.com is a perfectly valid email address to give to somebody!

Every mail sent to this address will end up in my inbox, but you can use the +somedomain part to set up filters. And because that is the email address used during registration, if the website has a breach, only this aliased address will be known to the hacker, which also tells you which website leaked it. And since we’ll be using a password manager you don’t even have to remember it!
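As an added example (not code from the original post), here is how the plus-addressing scheme described above works mechanically: splitting `local+tag@domain` into its parts, generating a per-site alias, routing a message to a folder by its tag, and, given a constructed list of addresses that turned up in a breach dump, working out which registrations leaked. The mailbox `stanny@nuytkens.com` is taken from the post; the site names, folder names and leaked addresses are constructed sample data. One caveat the code makes visible: the tag is attached to your real local part, so anyone who strips everything after the `+` recovers your real inbox. Sub-addressing is for filtering and attribution, not for hiding your address.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class SubAddress:
    local: str           # the real local part, e.g. "stanny"
    tag: Optional[str]   # the part after "+", or None when there is none
    domain: str

    @property
    def mailbox(self) -> str:
        """The real inbox the mail lands in: the tag stripped off."""
        return f"{self.local}@{self.domain}"

    @property
    def address(self) -> str:
        """The address as handed out to a website (with the tag if any)."""
        return f"{self.local}+{self.tag}@{self.domain}" if self.tag else self.mailbox


def parse_subaddress(address: str) -> SubAddress:
    """Split 'local+tag@domain'. '+' is the separator most providers use;
    the domain is lower-cased (domains are case-insensitive), the local part is kept as-is."""
    local, sep, domain = address.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    base, _, tag = local.partition("+")
    return SubAddress(local=base, tag=tag or None, domain=domain.lower())


def alias_for(mailbox: str, site: str) -> str:
    """Build the per-site alias you would type into a registration form.
    The tag is reduced to characters every provider accepts in a local part."""
    base = parse_subaddress(mailbox)
    tag = re.sub(r"[^a-z0-9.-]", "", site.lower())
    return SubAddress(base.local, tag, base.domain).address


def route_by_tag(address: str, folders: Dict[str, str]) -> str:
    """Mail filter rule: map the tag of an incoming message to a folder, default Inbox."""
    parsed = parse_subaddress(address)
    return folders.get(parsed.tag or "", "Inbox")


def leaked_from(leaked_addresses: List[str], mailbox: str) -> Set[str]:
    """Given addresses found in a (constructed) breach dump, return the tags,
    i.e. the registrations, that belong to this mailbox; other people's addresses are ignored."""
    base = parse_subaddress(mailbox)
    tags: Set[str] = set()
    for raw in leaked_addresses:
        try:
            parsed = parse_subaddress(raw)
        except ValueError:
            continue  # junk line in the dump
        if parsed.mailbox.lower() == base.mailbox.lower() and parsed.tag:
            tags.add(parsed.tag)
    return tags


if __name__ == "__main__":
    # Constructed sample dump: one address of ours, one of someone else's, one with odd casing.
    dump = ["stanny+somedomain@nuytkens.com", "other@example.com", "Stanny+forum@NUYTKENS.com", "garbage"]
    print("alias for shop.example:", alias_for("stanny@nuytkens.com", "shop.example"))
    print("registrations that leaked:", leaked_from(dump, "stanny@nuytkens.com"))
```

Run it as-is to see the alias and the set of leaked tags; the same `parse_subaddress` is what a mail filter effectively does when you filter on the `+somedomain` part.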

2. A unique, long, complex password for every account.

Length > complexity: size matters.

Yes, for every account!
No, you won’t need to come up with a clever password for every account you create.
No, you won’t need to remember or write down that password.

You can use services like

Most of these services also offer a browser extension so you can easily auto-fill user + password when logging in.
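To back up the "length > complexity" and "unique for every account" points above, here is an added example (not from the original post or any of the password managers it refers to) that does three things a password manager does for you: compute the entropy of a generated password, generate passwords and passphrases from the CSPRNG, and scan a vault for reused passwords. The vault and the word list are constructed sample data.

```python
import math
import secrets
import string
from typing import Dict, Iterable, Set

LOWER, UPPER, DIGITS, SYMBOLS = (
    string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation,
)
FULL = LOWER + UPPER + DIGITS + SYMBOLS   # 94 printable ASCII characters


def entropy_bits(length: int, pool_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(pool size).
    This only holds for generated passwords; human-chosen ones are far weaker.
    20 lowercase letters (26^20) beat 12 full-complexity characters (94^12)."""
    return length * math.log2(pool_size)


def generate_password(length: int = 24, alphabet: str = FULL) -> str:
    """Uniformly random password from `secrets` (CSPRNG), never `random.random`."""
    if length < 12:
        raise ValueError("refuse to generate short passwords")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: Iterable[str], count: int = 6, sep: str = "-") -> str:
    """Diceware-style passphrase: long and memorable, entropy = count * log2(len(wordlist))."""
    wordlist = list(words)
    if len(wordlist) < 2:
        raise ValueError("word list too small")
    return sep.join(secrets.choice(wordlist) for _ in range(count))


def reused_passwords(vault: Dict[str, str]) -> Dict[str, Set[str]]:
    """Find passwords shared by more than one account: {password: {accounts}}.
    A password manager runs this kind of audit over your vault; here the vault
    is a constructed dict of site -> password."""
    by_password: Dict[str, Set[str]] = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, set()).add(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    print(f"12 chars, 94 symbols : {entropy_bits(12, 94):.1f} bits")
    print(f"20 chars, lowercase  : {entropy_bits(20, 26):.1f} bits")
    print("generated:", generate_password())
    print("passphrase:", generate_passphrase(["correct", "horse", "battery", "staple", "river", "apple"]))
    # Constructed vault with one reused password.
    vault = {"shop.example": "Tr0ub4dor&3", "forum.example": "Tr0ub4dor&3", "bank.example": "x9!Lq#..."}
    print("reused:", reused_passwords(vault))
```

The entropy figures are the point: a 20-character lowercase-only password from a generator is stronger than a 12-character one drawn from all 94 printable characters, and neither needs to be remembered when the manager auto-fills it.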

Next blog post I’ll show how you can host one yourself! 😉

3. Enable MFA (Multi-factor authentication)


Most popular services allow (and sometimes require) the user to enable something called MFA. MFA is better known as two-factor authentication (2FA). It gives you an extra layer of security on top of your user + password combination: MFA lets the user verify the login through an SMS, an email with a verification code, a token generated by an app, …

Enabling MFA means the hacker needs not only your credentials but also the token to verify the login, and we don’t want to make it easier for him now, do we!

Enable MFA for:

4. Use OAuth where possible


OAuth delegates the sign-on process to a well-known service like Microsoft, Google, Facebook, Twitter, … You authenticate through their login, so you won’t need to create a new account for the website you are trying to access; you just grant that website permission to read some personal information from the provider. Of course you need to make sure that the account at the OAuth provider is itself well secured.
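As an added example (not code from the post or from any provider), here is the client side of the OAuth 2.0 authorization code flow the paragraph above describes, with the two protections a well-built client includes: a random `state` value that must round-trip unchanged in the callback (ties the callback to the login this browser started) and PKCE (RFC 7636), so the authorization code is useless without the client's `code_verifier`. The endpoints, client id, redirect URI and callback URLs are constructed placeholders; the PKCE vector in the test is the one published in RFC 7636.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Tuple
from urllib.parse import parse_qs, urlencode, urlparse


def b64url(raw: bytes) -> str:
    """Base64url without padding, as RFC 7636 specifies."""
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def code_challenge(verifier: str) -> str:
    """S256 method: BASE64URL(SHA256(ASCII(code_verifier)))."""
    return b64url(hashlib.sha256(verifier.encode("ascii")).digest())


def make_pkce_pair() -> Tuple[str, str]:
    """code_verifier (random, kept client-side) and the challenge sent to the provider."""
    verifier = b64url(secrets.token_bytes(32))  # 43 chars, within RFC 7636's 43..128
    return verifier, code_challenge(verifier)


def build_authorize_url(authorize_endpoint: str, client_id: str, redirect_uri: str,
                        scope: str, state: str, challenge: str) -> str:
    """The URL the browser is sent to. `scope` is what the website asks to read
    from your provider account; the consent screen shows exactly this list."""
    params = {
        "response_type": "code",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "scope": scope,
        "state": state,
        "code_challenge": challenge,
        "code_challenge_method": "S256",
    }
    return f"{authorize_endpoint}?{urlencode(params)}"


def parse_callback(callback_url: str, expected_state: str) -> str:
    """Return the authorization code only if `state` matches what this session
    generated; a mismatch means the callback was not started by this browser."""
    qs = parse_qs(urlparse(callback_url).query)
    if "error" in qs:
        raise PermissionError(qs["error"][0])  # e.g. user declined the consent screen
    state = qs.get("state", [""])[0]
    if not state or not hmac.compare_digest(state, expected_state):
        raise ValueError("state mismatch: callback was not initiated by this session")
    if "code" not in qs:
        raise ValueError("callback carries no authorization code")
    return qs["code"][0]


if __name__ == "__main__":
    # Constructed placeholders; a real client uses the provider's documented endpoints.
    state = b64url(secrets.token_bytes(16))
    verifier, challenge = make_pkce_pair()
    url = build_authorize_url("https://provider.example/authorize", "client-123",
                              "https://app.example/cb", "openid email", state, challenge)
    print("send the browser to:", url)
    # Simulated provider redirect back to the app after the user logged in and consented.
    code = parse_callback(f"https://app.example/cb?code=abc123&state={state}", state)
    print("authorization code to exchange (together with the verifier):", code)
```

The code is then exchanged at the provider's token endpoint together with `code_verifier`; the provider recomputes the challenge and refuses the exchange if it does not match, which is what makes a stolen code worthless on its own.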

A list of notable OAuth service providers.
To a safer 2022!!