This guide was developed based on part 2 of the blog post series Protecting against a password manager breach. More context can be found in both posts about why certain apps and technology are recommended over others.
Set up 1Password for storing passwords and password equivalents, such as security question answers
- Use a unique passphrase for logging into 1Password
- Set up MFA with YubiKeys only
- Store your 1Password passphrase in a secure place (fireproof safe = better security, Apple Keychain = better usability)
- Your 1Password Secret Key can be stored in the same place: it is a random 128-bit value that is mixed into the key derivation alongside your passphrase, so a stolen copy of your encrypted vault can't be brute-forced without it, and the passphrase alone can't unlock the vault either. Whoever holds both can open the vault, so the place you keep them must actually be secure
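To make the Secret Key point concrete, here is a simplified two-secret key derivation, written for this guide rather than taken from 1Password: the passphrase is stretched with PBKDF2 and a random 128-bit Secret Key is mixed in via HKDF. The salt labels, iteration count, dashed key format and the sample account are assumptions for illustration, not 1Password's actual 2SKD parameters. The demo shows an offline wordlist attack succeeding against a passphrase-only key and failing once the Secret Key is part of the derivation.

```python
"""Added example (not 1Password's code): why a Secret Key can live beside
the passphrase.

Simplified model of a two-secret key derivation, written for this guide:
the account passphrase is stretched with PBKDF2, then a random 128-bit
Secret Key is mixed in via HKDF. Constants, salts and the dashed key
format are assumptions for illustration, not 1Password's actual 2SKD
parameters.
"""
import base64
import hashlib
import hmac
import secrets
from typing import Iterable, Optional


def generate_secret_key() -> str:
    """128 random bits, base32-encoded (26 chars) and dash-grouped so it can be
    written down next to the passphrase. The grouping is an assumed format."""
    b32 = base64.b32encode(secrets.token_bytes(16)).decode().rstrip("=")
    return "-".join(b32[i:i + 6] for i in range(0, len(b32), 6))


def decode_secret_key(key: str) -> bytes:
    b32 = key.replace("-", "").upper()
    return base64.b32decode(b32 + "=" * (-len(b32) % 8))


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF-Extract then HKDF-Expand with SHA-256."""
    prk = hmac.new(salt, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_vault_key(password: str, email: str, secret_key: Optional[str],
                     iterations: int = 50_000) -> bytes:
    """Key that would unwrap the vault. Without secret_key this is a plain
    password-only derivation, which is what an offline guessing attack on a
    stolen vault can target."""
    account = email.strip().lower().encode()
    salt = hkdf_sha256(account, b"assumed-salt-label", b"pbkdf2-salt")
    stretched = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)
    if secret_key is None:
        return stretched
    # The Secret Key never reaches the server, so an attacker holding only
    # the encrypted vault must guess 128 extra bits on top of the passphrase.
    mixed = hkdf_sha256(decode_secret_key(secret_key), account, b"secret-key-mix")
    return bytes(a ^ b for a, b in zip(stretched, mixed))


def dictionary_attack(target: bytes, email: str, candidates: Iterable[str],
                      secret_key: Optional[str] = None,
                      iterations: int = 50_000) -> Optional[str]:
    """Offline attack: re-derive a key for each guess and compare. `target`
    stands in for 'does this key decrypt the stolen vault'."""
    for guess in candidates:
        if hmac.compare_digest(derive_vault_key(guess, email, secret_key, iterations), target):
            return guess
    return None


if __name__ == "__main__":
    email = "alice@example.com"                  # constructed sample account
    passphrase = "correct horse battery staple"  # famous, so on every wordlist
    wordlist = ["password123", "letmein", "correct horse battery staple"]
    sk = generate_secret_key()
    print("Secret Key:", sk)
    weak_key = derive_vault_key(passphrase, email, None)
    strong_key = derive_vault_key(passphrase, email, sk)
    print("passphrase only             ->", dictionary_attack(weak_key, email, wordlist))
    print("passphrase + Secret Key     ->", dictionary_attack(strong_key, email, wordlist))
    print("... with Secret Key in hand ->", dictionary_attack(strong_key, email, wordlist, sk))
```

The XOR mix means the server-side breach scenario (vault ciphertext plus whatever the provider stores) still leaves the attacker 128 bits short; it does nothing against malware on a device where both secrets are already in use, which is why the passphrase and key still need a secure home.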
Harden the accounts that, if compromised, could be used to reset your other account passwords or to access your synced passkeys:
- Ensure your email account has a strong password and MFA set up with YubiKeys
- Use Gmail (Google’s security is top notch). If you're extra paranoid, use Protonmail
- Ensure your Apple ID has a strong password and MFA set up with YubiKeys (Security Keys for Apple ID)
Some of your accounts may still only support SMS MFA codes (and any form of MFA is better than no MFA). Similarly, some sites and apps, such as Authy, use your mobile phone number for account creation and recovery. Hardening your mobile phone number and carrier account is essential in these contexts.
- Create a strong password for your mobile carrier online account
- Set up MFA on your mobile carrier online account
- Set up a mobile carrier account/port-out PIN to protect against SIM swapping (here are guides for Verizon, T-Mobile, AT&T, Sprint, Cricket)
- Set up a Google Voice number to use for SMS MFA; a VoIP number isn't tied to a SIM, so a carrier-side SIM swap doesn't capture its messages (you can disassociate it from your mobile phone number later on for added security). Note that some services refuse VoIP numbers for SMS MFA, so keep the carrier hardening above in place regardless
- Ensure the Google Account behind that Google Voice number has a strong password and YubiKey-only MFA enabled
Use Authy whenever a time-based one-time passcode (TOTP, aka “Google Authenticator”) is the most secure MFA option available. If you’re extra paranoid and are willing to make some usability sacrifices, store the TOTP seeds on a YubiKey and use Yubico Authenticator to generate the codes from it
- Set up Authy using your Google Voice number
- Enable Authy Backups and create/store a randomly generated Backup Password in 1Password
- Disable Authy Multi-Device and only re-enable it while you're setting up Authy on another device
- If you can, install Authy on at least two devices so you don't have to go through a painful account recovery process if your only Authy-installed device breaks, is lost, etc.
NOTE: Because desktop and laptop OSes are at greater risk from malware, you should only install Authy on iPhones and iPads.
Set up BitWarden for storing TOTP MFA recovery codes and recovery-code equivalents, such as TOTP seed keys (anyone holding a seed can generate valid codes indefinitely, so it is worth exactly as much as the recovery codes).
- Set up a BitWarden account using an email address from a different provider
  - E.g. if you used Gmail for your 1Password account and other accounts, use Protonmail for your BitWarden account
- Use a unique passphrase for logging into BitWarden
- Store your BitWarden passphrase in a secure place (fireproof safe = better security, Apple Keychain = better usability) but not in your 1Password vault, so that a 1Password compromise doesn't also hand over your MFA recovery material
- If you're already paying for BitWarden, set up MFA with YubiKeys only. Otherwise, set up TOTP MFA using Authy
- Use 1Password Watchtower to identify accounts that support MFA and ensure MFA is set up on all of them
- Explore 2fa.directory to identify additional accounts that support MFA and ensure MFA is set up on all of them
- Use 1Password Watchtower to identify passwords of yours that have appeared in past data breaches
- Change each compromised or vulnerable password
- Use 1Password Watchtower to identify weak and reused passwords of yours
- Change each weak or reused password
- Replace passwords with passkeys (WebAuthn) where possible
- Set up email rules that flag new-device login, suspicious login, password reset, and MFA change notifications so they don't get buried
- Treat unexpected SMS MFA codes and push-notification MFA prompts with suspicion: an unsolicited code or prompt usually means someone already has your password or is probing the account, so change the password whenever a benign cause can't be identified
  - This goes double if someone contacts you claiming to need your MFA code or asking you to approve a push notification. Never share the code or approve the prompt; change the password and report it to the account provider ASAP
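The breached, weak and reused checks in the list above are simple enough to run yourself against a password manager export, which also shows what Watchtower is doing under the hood. The following is an added example written for this guide, not 1Password Watchtower code. It uses the Have I Been Pwned Pwned Passwords range API's k-anonymity model (only the first 5 hex characters of each SHA-1 hash ever leave the machine) and includes the real network call, but the demo substitutes a constructed in-memory "range" response so it runs offline; the vault export, the breach counts and the weak-password heuristic are all assumptions made for the example.

```python
"""Added example: the checks behind a 'weak / reused / breached' password audit.

Written for this guide; it is not 1Password Watchtower code. It runs the three
checks over a constructed vault export using the Have I Been Pwned
Pwned Passwords range API's k-anonymity model: only the first 5 hex characters
of the SHA-1 hash leave the machine. The network call is included for real
use; the demo swaps in a constructed in-memory 'range' response so it runs
offline.
"""
import hashlib
import re
import urllib.request
from collections import defaultdict
from typing import Callable, Dict, List

# Constructed sample export (not a real vault). A real run would load the
# password manager's CSV/JSON export instead.
VAULT: List[Dict[str, str]] = [
    {"title": "Bank", "url": "https://bank.example", "password": "Xq7!vLm2#pR9wZt4"},
    {"title": "Forum", "url": "https://forum.example", "password": "password123"},
    {"title": "Shop", "url": "https://shop.example", "password": "password123"},
    {"title": "Old email", "url": "https://mail.example", "password": "letmein"},
    {"title": "Carrier", "url": "https://carrier.example", "password": "correct-horse-battery-staple-42"},
]

# Constructed stand-in for the breach corpus; counts are made up for the demo.
FAKE_BREACHED = {"password123": 126927, "letmein": 38101}


def sha1_upper(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def hibp_range(prefix: str) -> str:
    """Real lookup: GET https://api.pwnedpasswords.com/range/<5-hex-prefix>.
    Returns 'SUFFIX:COUNT' lines; Add-Padding hides the true response size."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "vault-audit-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def fake_range(prefix: str) -> str:
    """Offline stand-in for hibp_range, built from FAKE_BREACHED (constructed)."""
    lines = []
    for pw, count in FAKE_BREACHED.items():
        h = sha1_upper(pw)
        if h[:5] == prefix:
            lines.append(f"{h[5:]}:{count}")
    lines.append("0" * 35 + ":0")  # padding line, like the real API emits with Add-Padding
    return "\r\n".join(lines)


def breach_count(pw: str, lookup: Callable[[str], str] = hibp_range) -> int:
    """k-anonymity check: send the 5-char prefix, match the suffix locally."""
    h = sha1_upper(pw)
    prefix, suffix = h[:5], h[5:]
    for line in lookup(prefix).splitlines():
        s, _, count = line.partition(":")
        if s == suffix:
            return int(count)
    return 0


def is_weak(pw: str) -> bool:
    """Assumed heuristic: short strings need several character classes;
    long passphrases are fine with few."""
    classes = sum(bool(re.search(p, pw)) for p in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]"))
    return len(pw) < 12 or (len(pw) < 20 and classes < 3)


def audit(vault: List[Dict[str, str]],
          lookup: Callable[[str], str] = hibp_range) -> Dict[str, List[str]]:
    """Return item titles grouped by finding: weak, reused, breached."""
    findings: Dict[str, List[str]] = {"weak": [], "reused": [], "breached": []}
    by_password: Dict[str, List[str]] = defaultdict(list)
    for item in vault:
        by_password[item["password"]].append(item["title"])
    for pw, titles in by_password.items():       # one range query per distinct password
        if len(titles) > 1:
            findings["reused"].extend(titles)
        if is_weak(pw):
            findings["weak"].extend(titles)
        if breach_count(pw, lookup) > 0:
            findings["breached"].extend(titles)
    return findings


if __name__ == "__main__":
    for kind, titles in audit(VAULT, fake_range).items():  # pass hibp_range for a live check
        print(f"{kind:9s}: {', '.join(titles) or '-'}")
```

Swapping `fake_range` for `hibp_range` in the last lines runs the live check; hashing locally and sending only the prefix means the service never learns which password, or even which full hash, you asked about.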