Securing Your Crypto World
The best way to secure your online Crypto world is not to remember your passwords, but rather remember just 5 accounts passwords and be able to reset the rest of the passwords of your other accounts.
Which account passwords you should be able to memorize?
- Your primary email account password.
- Your first password manager password.
- Your second password manager password (Backup).
- Your personal computer password.
- Optionally some of your personal wallet passwords/passphrases (You may need that as a third paranoid backup for store of value funds i.e. BitCoins).
Why? Email is one of our core Internet identities and most online accounts we create are tied to our personal email address. Therefore we are usually able to reset most online account passwords with "Forgot Password" through our email, and it should have the strongest security standards.
Contrary to popular online (probably unintended) brainwashing belief, you do not need to choose one best online password manager. You have to choose 2 of them. I will provide you my choices of preference suitable for me, but feel free to decide your preferred service. Most importantly, understand the significance of having a backup plan and redundancy options just in case one of them is no longer accessible or functional.
Primary Email recommended security specifications:
- Your email password should not be less than 12 characters (Recommended: 24), it should include a minimum of one Capital letter (
Alpha
), numbers (123
), and characters (#$!_
). - You have to enable 2-Factor authentication on your email account. This requirement is no longer a luxury, you will get hacked if you decided to ignore this. For google accounts check this link: https://www.google.com/landing/2step/
- Contrary to popular opinion, you can still create very strong passwords without having to use meaningless combination of characters like
aX93%*!rALk#
. The reason these kind of passwords are mainly recommended is to avoid dictionary attacks. Namely, if your password is PeaceHarmony123, a brute force dictionary attack may be able to crack it faster by guessing only known words rather than all character combinations of the same password length. However, I think that it is better to write a strong password that you can memorize, rather than a strong password you will keep forgetting and therefore it becomes useless.
Suggestions for long and memorable passwords:
Password length is more important than character combination complexity. Therefore your password better be a phrase, or a sentence. Theoretically, using a well known quote of preference may undermine the quality of your passphrase and increase the chances of predictability.
Well known quote Passphrase Example:
Thekingdomofheavenisinsideyou99%#
Personal Quote Passphrase Example:
Thereisaninfinityofloveinsideyou99%#
A quote that you have assembled yourself will less likely be guessed by your enemies. I prefer that you do not use bad language in your passphrases, because you are the one who will repeat it, and it will have a self affirmation impact on you.
As you probably noticed, I have used a Capital letter, small letters, characters and numbers. The beauty of this technique is that the password length can easily go above 24 characters and still be memorable.
Why are cloud password managers recommended?
- Your Desktop, Laptop PCs are many more times hack prone than the cloud password manager services.
- Most cloud/online password manager have browser extensions that auto-fill in your passwords automatically on website login-forms. Otherwise you will have to manually write your passwords repeatedly which increases the risk of "key-logger attack". Such that, a hacker injects a malicious software on your operating system that records all your keyboard input and therefore easily know your password.
- If you are like me and you have more than 20 online accounts including banking services, cryptocurrency exchanges and so on and so forth, then you will have a few traditional choices. Either you will create one password for all (i.e.
Mymasterkeypassword123*#
) and losing it you compromise all of your accounts, or create different passwords with same pattern of of prefixes for remembering (i.e. exchBitfinex99#%, exchBittrex99#%
) and if one is compromised the hacker will be able to guess the rest, or you will create completely different passwords and be much more likely to forget them. Isn't it much better to have completely different and random, utterly complex passwords for your online accounts and not need to remember them?
That is exactly why cloud password managers are a safe haven and reduce your personal security risks. As previously mentioned, there are a maximum of 5 long passwords/passphrases you need to remember. Your primary email password, your first cloud manager password, your backup cloud manager password, and your wallet passphrases/passwords for your significant store of value funds (optional but recommended). All the rest of your accounts can be complex passwords easily generated by your cloud password manager like this one:
n_cywhf1c4y7X#q5E+1?06j2pJ$4r4aa
If you are haunted by the fear of having passwords you don't remember for most of your accounts, let me tell you the only requirement is to be able to reset your account's passwords when you choose to. Most online cryptocurrency exchanges and banking portals will require 2-Factor authentication. It is highly recommended to know the serial number that generates your temporary 2fa token numbers and store it in your cloud password manager.
The following example of 2-factor authentication is from Gate.io. If you scan this QR Code with the popular Google Authenticator App your 30 second token numbers will automatically be added in the app but you will not be able to recover the serial number that generates it. I believe Google has intended this on purpose for security reasons. Unfortunately though, in most cases if you lost your phone for any reason it will be harder to regain access to your account (or reset your access credentials) because if it was that easy it would have no purpose.
Therefore, as a recommended practice always have a copy of the 2FA serial number in your cloud password manager in their respective fields. If you have old accounts, you can reset their 2FA authentication only to save the newly generated 2FA serial as a backup just in case you lost your phone. Notice, if the 2FA serial is not written on the same page of the 2FA feature, scan the QR code with an app like QR Droid then extract the serial number from the text and save it on your cloud password manager.
What if I can't afford or don't want to have 2 cloud password managers?
Another option is to use the free KeePass software as a backup for your primary cloud password manager. This will be a safe offline alternative because your KeePass password manager will be encrypted on your hard drive based on your Master Password.
Your third option to create a backup/redundancy plan namely just use one cloud password manager and export its' contents every months in the form of an Excel.CSV file, use the free 7-zip tool to archive the .CSV file with a strong memorable password as mentioned earlier, then upload your .7z file to your Google Drive or whatever cloud storage you are using.
WARNING: This technique requires a lot of caution because you may forget to delete the generated .CSV file from your computer. If you remember to delete it (while your on Windows) then it is still not deleted and an intruder can recover it from your hard disk even when you remove it from the Recycle Bin.
Therefore you should use a program like Secure Delete to delete the .csv file by overwriting hard drive blocks that contain the data. As for the 7-zip archive of your .csv file a long and strong password will prevent it from being easily accessible and you can store it on your computer. But it is more secure to just store it on your cloud service of preference.
You can also format your .CSV file on Excel and print it as a backup. But that depends if you have a secure physical location to store that paper. Are you convinced yet why it's much easier to use 2 cloud password managers instead? So let's get to my current choices of preference for Cloud Password Managers.
For smartphones I highly recommend SafeInCloud they have an app for Android + iOS. It is a free app, but if you will decide to sync the data on your cloud, you have to make a one time payment for SafeInCloud Pro which I highly recommend, which at the time of writing is around $5 USD. I believe that's very cheap for a hassle free auto-fill functionality on your smartphone and it's highly valued security features such as clipboard clearing, fingerprint access etc.
As for Desktop PCs & Laptop usage, I am currently using Bitwarden in combination with Brave Internet browser. Luckily Bitwarden comes as an extension pre-installed in Brave, you just have to enable it. It is a free service, very neat interface, and the auto-fill capability is working flawlessly. I personally have paid for the 1 year premium features for BitWarden because I believe that their 2 factor authentication based on Duo security feature is very easy to use, secure and worth it.
I will not review Brave in details for now, but my experience with it so far is beating Google Chrome Big Time! Do not believe me, just try it feel the speed, performance, automatic ad blocking and password manager integration, neat interface. The only downside of this browser is that the Torrent download management is still not polished (crashed for me). Yet, it is the privacy/security centric browser of choice. I love it :)
General Precautionary Measures:
- My default password character length of preference is 24, but services such as PayPal require a maximum of 19 characters. Be sure to know the maximum supported character length of the online account you're changing the password, because some websites will automatically crop the pasted password (i. Mylongpasswordisthisone99#% but when I pasted it from the password generator to the form it was cropped to Mylongpasswordis), in which case it may cause you trouble in the future if you had to write the password manually thinking it is the long password. No doubt some websites have bad UI-UX design, that's why PayPal respectfully notifies you its' maximum character length if you exceed them, other websites may not. 20 to 24 password character length may look like a safe bet most of the time.
- Consider complete hard drive encryption. It's easier if you're using Linux. The easiest Linux OS for that purpose is Linux Mint, and my preference is Lubuntu (less services/processes less security risk for online breaches).
- Always use the auto-fill password services from your cloud password managers. This will minimize clipboard copy-paste usage that hackers can sniff to determine your password, or key-logger attacks if you will decide to repetitively write your password manually each time. SafeInCloud has a great feature to automatically clear your clipboard. Amazing! :)
- Try to minimize the number of times you will write your Master Password on your keyboard. You can do this by increasing the time it takes for the cloud password manager to automatically lock, or lock it manually when you are finished.
- Consider researching on Cold Storage wallets (my preference for BTC is Electrum) or use hardware wallets like Ledger Nano S, high reliability and ease of use. For your info, cold storage is not big tech deal. You simply have 2 wallets, one on your offline PC (which includes your valuable private key) and the second is your online watch-only wallet (which processes the transactions that you signed with your offline wallet private key). The idea is to simply not expose your private key in its raw form to the Internet.
- Install a strong antivirus on your PC. Luckily BitDefender & Kaspersky both have free versions for personal use you can enjoy without paying a dime. But my personal preference for extra security features is Kaspersky Internet Security.
- Brave browser will automatically try to use the HTTPS (secure HTTP) version of any website, but if for any reason you doubt your online communication is not secure, use a private VPN service to encrypt the data between you and online entities. I personally do not trust much in TOR network due to the breaches that have been reported recently. Thus, I cannot recommend it as a secure option.
Thanks for your time. If you think this info added value to you by any means feel free to donate to the below addresses. Additionally, please let me know your opinions in the comments, your suggestions and preferences. I will probably keep updating this post as I learn more and more from you and educate myself further about this topic.
BTC:
16ddgeYF4LcLG72SHXCH4Wzsif4VR8UbaJ
ETH:
0x17cc8645b83dab26ff8fbef418b732ef95980013
LTC:
LZDzsFPrrJLkQEYxVX3eVVrhi126cFnZLn
Dash:
XfWnkxenF8Xj15TcXiYXib5EiqsFn3zvfS
Zcash:
t1WL5s12D57o2pAZXLAMHXZFZU4uRe1Ny1T
Dogecoin:
D8Bd58hkhmt8pW5vF4JJfQHYifJYMXKqjd
To listen to the audio version of this article click on the play image.
Brought to you by @tts. If you find it useful please consider upvote this reply.
You have been resteemed by @anik1632, courtesy of @robiulhasan
Want to increase your following? Read more about me here
interesting post .
Thank You.
lots of great info and advice in there!
Thank You!