
A guide containing a checklist for hardening online accounts and password managers used to store credentials for said accounts

Hardening your password manager and online accounts

This guide is based on part 2 of the blog post series Protecting against a password manager breach. Both posts give more context on why certain apps and technologies are recommended over others.

Personal password vault reference architecture

Securely set up 1Password

Set up 1Password to store passwords and password equivalents, such as security question answers.

  • Use a unique passphrase for logging into 1Password
  • Set up MFA with YubiKeys only
  • Store your 1Password passphrase in a secure place (fireproof safe = better security, Apple Keychain = better usability)
  • Your 1Password Secret Key can be stored in the same place, since it is designed to be an entropy-boosting addition to your password
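
Why the Secret Key can sit next to your passphrase without weakening anything, as an added illustration that is not from the original guide or from 1Password: a simplified Python model of the two-secret key derivation described in 1Password's security white paper (password stretched with PBKDF2, Secret Key expanded with HKDF, the two XORed into one unlock key). The iteration count, the HMAC "verifier" standing in for vault decryption, and every sample value (salt, Secret Key, passphrase, candidate list) are constructed for this example and are not 1Password's real parameters or implementation.

```python
import hashlib
import hmac


def hkdf_sha256(ikm, salt, info, length=32):
    """Minimal HKDF (RFC 5869) extract-then-expand using HMAC-SHA256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_unlock_key(password, secret_key, salt, iterations=2000):
    """Two-secret key derivation: stretch the user's password with PBKDF2, expand the
    high-entropy Secret Key with HKDF, and XOR the two 32-byte results. The iteration
    count is deliberately low for the demo; real deployments use far more."""
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, 32)
    sk_part = hkdf_sha256(secret_key, salt, b"unlock-key", 32)
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))


def make_verifier(unlock_key):
    """Stand-in for 'can this key decrypt the vault': an HMAC tag over a fixed label."""
    return hmac.new(unlock_key, b"vault-verifier", hashlib.sha256).digest()


def unlocks(password, secret_key, salt, verifier):
    """True only if both the password and the Secret Key are correct."""
    candidate = make_verifier(derive_unlock_key(password, secret_key, salt))
    return hmac.compare_digest(candidate, verifier)


def guess_hits(candidates, secret_key, salt, verifier):
    """Count the candidate passwords that unlock under a given Secret Key value."""
    return sum(1 for c in candidates if unlocks(c, secret_key, salt, verifier))


def demo():
    # All values below are constructed for the example.
    salt = hashlib.sha256(b"alice@example.com").digest()  # salt tied to the account identifier
    secret_key = bytes.fromhex("00112233445566778899aabbccddeeff")  # constructed 128-bit Secret Key
    passphrase = "correct horse battery staple"
    verifier = make_verifier(derive_unlock_key(passphrase, secret_key, salt))

    # Small candidate list that happens to contain the real passphrase.
    candidates = ["password", "letmein", passphrase, "hunter2"]
    with_secret_key = guess_hits(candidates, secret_key, salt, verifier)
    without_secret_key = guess_hits(candidates, b"", salt, verifier)
    return with_secret_key, without_secret_key


if __name__ == "__main__":
    hits_with, hits_without = demo()
    print(f"hits with Secret Key: {hits_with}, hits without Secret Key: {hits_without}")
```

The two counts make the point of the checklist item: a copy of the encrypted vault taken from the provider cannot be unlocked from the passphrase alone, even when the passphrase is known, so the Secret Key defends against a breach on the provider's side. It adds nothing against someone who already has access to the place you keep your passphrase, which is why keeping both in the same safe or keychain entry does not lower your security.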

Harden foundational accounts

These are accounts that, if compromised, could be used to reset other account passwords or to access passkeys.

  • Ensure your email account has a strong password and MFA set up with YubiKeys
  • Use Gmail (Google's security is top notch). If you're extra paranoid, use Protonmail
  • Ensure your Apple ID has a strong password and MFA set up with YubiKeys

Protect against SMS MFA code theft

Some of your accounts may still only support SMS MFA codes (and any form of MFA is better than no MFA). Similarly, some sites and apps, such as Authy, use mobile phone numbers for account creation. Hardening your mobile phone number and carrier account is essential in these contexts.

  • Create a strong password for your mobile carrier online account
  • Set up MFA on your mobile carrier online account
  • Set up a mobile carrier PIN to protect against SIM hijacking (here are guides for Verizon, T-Mobile, AT&T, Sprint, Cricket)
  • Set up a Google Voice number to use for SMS MFA (you can disassociate it from your mobile phone number later for added security)
    • Ensure the Google Account has a strong password and YubiKey-only MFA enabled

Securely set up Authy

Use Authy whenever a time-based one-time passcode (TOTP, aka "Google Authenticator") is the most secure MFA option available. If you're extra paranoid and are willing to make some usability sacrifices, try storing your TOTP secrets on a YubiKey and using Yubico Authenticator to generate the codes.

  • Set up Authy using your Google Voice number
  • Enable Authy Backups and create a randomly generated Backup Password, storing it in 1Password
  • Disable Authy Multi-Device access and only re-enable it while you are setting up Authy on another device
    • If you can, install Authy on at least two devices so you don't have to go through a painful account recovery process if your only Authy-enabled device breaks, is lost, etc.

NOTE: Because desktop operating systems are at greater risk from various kinds of malware, only install Authy on iPhones and iPads.

Securely set up Bitwarden

Set up Bitwarden to store TOTP MFA recovery codes and recovery code equivalents, such as seed keys.

  • Set up a Bitwarden account using an email address from a different provider
    • E.g. if you use Gmail for your 1Password account and other accounts, use Protonmail for your Bitwarden account
  • Use a unique passphrase for logging into Bitwarden
    • Store your Bitwarden passphrase in a secure place (fireproof safe = better security, Apple Keychain = better usability) but not in your 1Password vault
  • If you're already paying for Bitwarden, set up MFA with YubiKeys only. Otherwise, set up TOTP MFA using Authy

Enable MFA everywhere you can

  • Use 1Password Watchtower to identify accounts that support MFA and ensure MFA is set up on all of them
  • Explore 2fa.directory to identify additional accounts that support MFA and ensure MFA is set up on all of them

Change compromised and vulnerable passwords

  • Use 1Password Watchtower to identify passwords of yours that have appeared in past data breaches
  • Change each compromised or vulnerable password

Change weak and reused passwords
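
An offline version of the checks in the three sections above (MFA missing, breached passwords, weak and reused passwords), as an added example that is not part of the original guide and is not 1Password's Watchtower: a Python script run over a constructed CSV export. The column names, the sample entries and the stand-in Pwned Passwords range response are all made up for the example (real 1Password and Bitwarden exports use different headers). The breached-password check demonstrates the k-anonymity lookup that Watchtower-style tools use, where only the first five hex characters of the password's SHA-1 would ever leave the machine, but here it is matched against the local stand-in rather than calling the real service.

```python
import csv
import hashlib
import io
import math

# Constructed sample export (not a real vault). Column names are assumed.
SAMPLE_EXPORT = """title,username,password,mfa
Bank,alice,Tr0ub4dor&3,yes
Email,alice@example.com,correct horse battery staple,yes
Forum,alice,Tr0ub4dor&3,no
Shop,alice,password,no
"""

# Constructed stand-in for a Pwned Passwords range response, keyed by the
# 5-hex-char SHA-1 prefix. Lines are "SUFFIX:COUNT"; the counts are made up.
_SHA1_PASSWORD = hashlib.sha1(b"password").hexdigest().upper()
SAMPLE_RANGE_RESPONSES = {
    _SHA1_PASSWORD[:5]: (
        f"{_SHA1_PASSWORD[5:]}:1000000\n"
        f"{'0' * 34}A:1\n"
    ),
}


def parse_export(text):
    """Parse a CSV export into a list of dicts keyed by the header row."""
    return list(csv.DictReader(io.StringIO(text)))


def estimate_entropy_bits(password):
    """Rough upper bound: length * log2(pool size of the character classes used).
    Pattern-aware estimators (zxcvbn, Watchtower) are stricter than this."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33
    return len(password) * math.log2(pool) if pool else 0.0


def find_reused(entries):
    """Map each password shared by more than one entry to the titles using it."""
    by_password = {}
    for e in entries:
        by_password.setdefault(e["password"], []).append(e["title"])
    return {pw: titles for pw, titles in by_password.items() if len(titles) > 1}


def find_weak(entries, min_bits=50.0):
    return [e["title"] for e in entries if estimate_entropy_bits(e["password"]) < min_bits]


def find_missing_mfa(entries):
    return [e["title"] for e in entries if e.get("mfa", "").strip().lower() != "yes"]


def breach_count(password, range_responses):
    """k-anonymity check: only the 5-char prefix selects a range; the full
    suffix is compared locally against the returned list."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    prefix, suffix = digest[:5], digest[5:]
    for line in range_responses.get(prefix, "").splitlines():
        candidate, _, count = line.partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def find_compromised(entries, range_responses):
    return [e["title"] for e in entries if breach_count(e["password"], range_responses) > 0]


def audit(export_text, range_responses):
    """Run all four checks over an export and return the findings by category."""
    entries = parse_export(export_text)
    return {
        "reused": find_reused(entries),
        "weak": find_weak(entries),
        "missing_mfa": find_missing_mfa(entries),
        "compromised": find_compromised(entries, range_responses),
    }


if __name__ == "__main__":
    for category, items in audit(SAMPLE_EXPORT, SAMPLE_RANGE_RESPONSES).items():
        print(f"{category}: {items}")
```

Run against a real export, the script would need the header names adjusted and `breach_count` pointed at the live range endpoint; the point of the local stand-in is to show that the full password, and even its full hash, never needs to leave your machine for the check.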

Detect account compromises as they happen

  • Set up email rules for new device login, suspicious login, password reset, and MFA change notifications
  • Treat rogue SMS MFA codes and push notification MFA prompts with suspicion, and change the password when no benign cause for the rogue code or prompt can be identified
    • This applies especially if you receive a message from someone claiming to need your MFA codes or asking you to approve push notifications. If this happens, change your passwords and report it to your account provider ASAP