My FULL Account Security Strategy Explained (you can copy)

  • Published: Jun 27, 2024
  • My online security strategy can be distilled into 7 simple laws that you're welcome to copy. These rules will help you easily make decisions about how you use passwords, password managers, passkeys, 2FA and more. Get 20% off DeleteMe: www.joindeleteme.com/allthing...
    *********************
    Video Timestamps
    *********************
    0:00 - My Account Security Strategy
    0:53 - 7 Laws of Account Security
    3:13 - The Biggest Account Security Mistake
    4:01 - Why I Use DeleteMe for Privacy
    4:39 - 4 "New" Laws of Account Security
    5:56 - Controversial Thoughts on Passkeys
    *********************
    Account security is more than just a password and maybe an extra form of authentication. If you really want to upgrade your online security, it requires an intentional security framework. Listen as Josh shares his 7 laws for account security that help determine how he creates passwords, uses password managers, sets up passkeys and even physical 2FA keys.
  • Science

Comments • 123

  • @AllThingsSecured
    @AllThingsSecured  5 months ago +3

    How does my strategy compare to yours? Let me know in the comments. And be sure to take advantage of the 20% off DeleteMe to get more privacy online: www.joindeleteme.com/allthingssecured

    • @Gotjits0156
      @Gotjits0156 4 months ago

      Consider this: Should your biometrics data end up being compromised, you're F'ed. It's not something you can change, and once it's out in the data world, that's final. Probably not a wise decision to use biometrics for this reason.

    • @UCLAdisciple
      @UCLAdisciple 1 month ago

      Hi, Josh. I really enjoy your channel!! I have a friend that followed your advice and purchased a Yubikey to secure her Google account. She created a google number and only uses it for financial institutions. She then created a new email address only to be used for her financial accounts.
      The problem is if my friend was sim swapped the google number would forward to the phone the fraudster took over and they could reset the bank passwords. If she doesn't have the google number forwarded to her regular number, she may not receive timely texts from her bank.
      Other than using Efani, is there any way to protect against this? Thank you for your response.....

  • @rejphotography
    @rejphotography 5 months ago +22

    I have a request/suggestion. When you mention another video in your videos, please leave a link in the description in addition to the popup within the video.
    This has happened to me several times while watching one of your videos. I am wanting to watch the content you refer to, but am not finished watching the current video. So I either have to write down the time stamp, or click the new link, save it to watch later, then go back and finish watching the first video.
    Leaving the link in the description is more efficient for your watchers.
    Thank you for all you do.

    • @AllThingsSecured
      @AllThingsSecured  5 months ago +9

      Thanks for the suggestion! I’ll definitely try to do that.

    • @AnythingGodamnit
      @AnythingGodamnit 2 months ago +1

      @@AllThingsSecured I'm not sure if you've since added them or if it's automatic, but I've always expanded the "more" section and scrolled to the bottom of it to see anything that was linked in a YT video. I can see all the videos you mentioned there (I want to watch the aliasing one)

    • @manny7886
      @manny7886 1 month ago +1

      It's the reason why I never watch a suggested video because I haven't finished the video yet.

  • @hugo3796
    @hugo3796 3 months ago +4

    1 don’t keep all eggs in one basket
    2 long passwords
    3 always use 2FA (with Authenticator codes NOT SMS)
    4 Security Key
    6 separate Authenticator apps
    7 except for common accounts like Pinterest
    Bonus:
    A) Email Alias
    B) Secure apps with biometrics
    C) Private number
    D) Passkey if security key not available

  • @magarnicle
    @magarnicle 5 months ago +12

    A law I'd add is to have a physical safe. Store recovery codes in here, or use it to store passwords you don't want in your password manager, such as the password to your email where password reset requests get sent. And for people who find an online password manager too complicated, this is where you can store your passwords.

    • @AllThingsSecured
      @AllThingsSecured  5 months ago +6

      That’s a great suggestion. It’s a threat model slightly higher than mine, but valid nonetheless.

    • @ionamygdalon2263
      @ionamygdalon2263 5 months ago +3

      This was a very valuable comment! I will keep it in mind should I ever need a higher safety model.

  • @randomyoutubeusername4985
    @randomyoutubeusername4985 5 months ago +8

    I appreciate this simple video format.

  • @mikaellundqvist
    @mikaellundqvist 2 months ago +2

    I do it only slightly differently because I mostly focus on making iCloud and Google accounts maximally secure with security keys, passkeys and in iCloud E2EE almost all of it.
    Then less important accounts can (preferably) Sign in with Apple or the slightly less secure Google.
    Greetings from Sweden. 👋

  • @ipaemer2604
    @ipaemer2604 5 months ago

    Very interesting and very useful video. I always enjoy your videos.

  • @RealChristinaLivingston
    @RealChristinaLivingston 5 months ago +1

    Another awesome video josh! Thank you again! I’ve been following you religiously now for right at a year’s time as I’ve been navigating my way through a horrific stalking situation that is the makings of a PsyOps Horror Novel. lol 😂. Because of this channel, I’ve gone from knowing zero things about cyber security to feeling very knowledgeable and empowered about all of my online privacy and security. I’ve made massive shifts in 2023 towards extreme privacy and safety. Because my *literal* life has depended on it. Thank you so much!!

  • @safdjqw0
    @safdjqw0 5 months ago +1

    Holy cow!! It’s Josh from the Xinjiang channel! I have your PDF book from way back when.

    • @AllThingsSecured
      @AllThingsSecured  5 months ago +2

      Haha! Yup, that was me, back when I had hair 😂

    • @safdjqw0
      @safdjqw0 5 months ago +1

      @@AllThingsSecured congrats on your success! Didn’t know our interests would cross. Easy sub

  • @macbitz
    @macbitz 5 months ago +8

    Great video! I have also stuck with passwords and 2FA rather than passkeys because I still feel that the added convenience of passkeys ultimately degrades security and I'm also waiting to be convinced.

    • @AllThingsSecured
      @AllThingsSecured  5 months ago +3

      Thanks for sharing!

    • @kungfu5150
      @kungfu5150 5 months ago +9

      Passkeys are still superior, overall. How convenient they are is up to you. If you store your private key on a physical security key (yubikey etc), and require biometrics to unlock, this is the strongest option out there. 1) Your private key is not stored in the cloud 2) It's passwordless, and as such cannot be stolen, or leaked in a password dump (another of which we just saw) and 3) It's phishing resistant. Example scenario: I want to login to my bank. I have to physically be present at a computer, with my yubikey which requires biometrics to unlock. My private key is stored locally on my yubikey and none of that ever leaves the device. Only then I can login. I can't have my password stolen. I can't have my password leaked. I can't be phished. I can't be SIM swapped.

    • @zetectic7968
      @zetectic7968 4 months ago

      @@kungfu5150 I have a few credit card accounts that still use email or SMS to send a code. My main bank however I have a small keypad device to generate OTP to logon and it also generates a code before a new payment is setup for either an individual or company online
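
An added illustration of the "phishing resistant" point raised in the thread above (not code from the video or from any commenter): a simplified WebAuthn-style login check in Node.js, showing why a passkey signature obtained on a look-alike site is rejected by the real site. The origins `bank.example` and `bank-login.example`, the class and function names, and the reduced message layout (rpId taken as the hostname, no flags or counter) are assumptions made for the example.

```javascript
// Added example: simplified passkey (WebAuthn-style) login check.
// Origins, names and the message layout are constructed for illustration.
const nodeCrypto = require('crypto');

const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// The authenticator (security key or phone). Private keys never leave it.
class Authenticator {
  constructor() { this.keys = new Map(); } // rpId (site hostname) -> private key

  register(rpId) {
    const { publicKey, privateKey } =
      nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey);
    return publicKey; // the site stores only the public key
  }

  // `origin` is what the browser is actually connected to, not page content.
  sign(origin, challenge) {
    const rpId = new URL(origin).hostname; // simplification: rpId = hostname
    const privateKey = this.keys.get(rpId);
    if (!privateKey) return null; // no credential scoped to this site
    const clientDataJSON = Buffer.from(
      JSON.stringify({ type: 'webauthn.get', challenge, origin }));
    const authenticatorData = sha256(rpId); // real data also has flags, counter
    const signature = nodeCrypto.sign('sha256',
      Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
    return { clientDataJSON, authenticatorData, signature };
  }
}

// Server-side checks, in order. Returns 'ok' or the first check that failed.
function verifyAssertion(site, assertion) {
  if (!assertion) return 'no-credential';
  const clientData = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return 'bad-type';
  if (clientData.challenge !== site.challenge) return 'bad-challenge';
  if (clientData.origin !== site.origin) return 'bad-origin';
  if (!assertion.authenticatorData.equals(sha256(site.rpId))) return 'bad-rp-id';
  const signed = Buffer.concat(
    [assertion.authenticatorData, sha256(assertion.clientDataJSON)]);
  return nodeCrypto.verify('sha256', signed, site.publicKey, assertion.signature)
    ? 'ok' : 'bad-signature';
}

function runScenarios() {
  const key = new Authenticator();
  const bank = { rpId: 'bank.example', origin: 'https://bank.example' };
  bank.publicKey = key.register(bank.rpId);
  bank.challenge = nodeCrypto.randomBytes(32).toString('hex');
  const lookalike = 'https://bank-login.example'; // constructed look-alike origin
  const results = {};

  // 1. Normal login on the real site.
  results.legitimate =
    verifyAssertion(bank, key.sign(bank.origin, bank.challenge));

  // 2. Look-alike page passes on the bank's challenge, but the authenticator
  //    holds no credential for that hostname, so nothing gets signed.
  results.lookalikeNoCredential =
    verifyAssertion(bank, key.sign(lookalike, bank.challenge));

  // 3. Even if a credential existed for the look-alike host, the origin the
  //    browser recorded is part of the signed data and does not match.
  key.register(new URL(lookalike).hostname);
  const relayed = key.sign(lookalike, bank.challenge);
  results.lookalikeRelayed = verifyAssertion(bank, relayed);

  // 4. Editing the recorded origin afterwards does not help: the rpId hash
  //    still names the other host, and fixing that too breaks the signature.
  const rewritten = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: bank.challenge, origin: bank.origin }));
  results.originRewritten =
    verifyAssertion(bank, { ...relayed, clientDataJSON: rewritten });
  results.bothRewritten = verifyAssertion(bank,
    { ...relayed, clientDataJSON: rewritten, authenticatorData: sha256(bank.rpId) });
  return results;
}

console.log(runScenarios());
```

A password or a typed one-time code has no equivalent of checks 2 to 4, because nothing in the secret itself records which site it was entered on.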

  • @Eric-bn3dd
    @Eric-bn3dd 5 months ago

    I really like your advice. I like that you don't go too extreme and still use gmail or facebook like normal people. However taking a few steps towards better security and privacy.

    • @AllThingsSecured
      @AllThingsSecured  5 months ago

      Thanks so much, Eric! Glad it was helpful.

  • @VictorMoraes_dt
    @VictorMoraes_dt 5 months ago +3

    Thank you for the video. I still haven't started using e-mail alias and I couldn't find a decent way to implement that virtual phone strategy in my country (maybe I'm not doing a proper research), but one thing I use in addition to long passwords, password manager and 2FA is the double-blind method, where you only store part of the password in the password manager, but the other part is some special characters that only you know. So when you are signing into an app, you generate and store a password from password manager + your own password
    I do that for important accounts only, but that gives me more security that, in case my password manager ever got hacked, the hacker still won't have the full information to log into my accounts

    • @AllThingsSecured
      @AllThingsSecured  5 months ago +2

      Yes! I didn't even talk about that here, but that's a big part of my own strategy as well.

    • @manny7886
      @manny7886 4 months ago

      That's how I do it too. Also, I use physical security key as my 2FA to my password manager.

  • @kaori-3882
    @kaori-3882 5 months ago +3

    Thanks for the video! I will stick with physical hardware keys for now. Also, it's often said that the main security vulnerability is education, and I just can't understand Passkeys... And if someone as knowledgeable as you is also struggling to see its merits, then it is evidence that passkey proponents have a problem with the education part...

    • @AllThingsSecured
      @AllThingsSecured  5 months ago +2

      Thanks. To be clear, I see its merits, especially for those who don’t want to spend money on a physical key, but since I value the offline key…I’m just not sure it’s as useful to a person like me.

    • @kaori-3882
      @kaori-3882 5 months ago +1

      @@AllThingsSecured Understood :). On the different subject I would love your thoughts on this matter please!: There is a website I use which I rely on for many things. They allow 2FA hardware to be used. While logged in I tried to disable the hardware key and it allowed me to do so without asking for confirmation using the hardware key. As I understand this is how many YouTube accounts got hacked by malware disabling the 2FA. I contacted the website to report this security vulnerability saying that if a malware attacked their website they might exploit this vulnerability.
      In the answer they said that they do not consider this as security issue and when malware is involved all bets are off... In short they completely ignored it. What do you think? Thank you

  • @davinp
    @davinp 5 months ago +13

    Authy is planning to shut down its desktop authenticator app in August 2024. They still will have their mobile apps on iOS and Android

    • @AllThingsSecured
      @AllThingsSecured  5 months ago +6

      Yes, I just read about that.

    • @jkbobful
      @jkbobful 5 months ago +4

      2fas is apparently working on a desktop app but as of right now all they have is a browser extension but it still requires a phone to confirm

    • @Damariobros
      @Damariobros 1 month ago

      @@AllThingsSecured Authy Desktop seems to still be fully functional, it just pesters you about EOL every time you open it. Also the download links got taken down from the website.

    • @weathercontrol0
      @weathercontrol0 19 days ago +1

      ente auth is superior anyway, it's free and open source

  • @ionamygdalon2263
    @ionamygdalon2263 5 months ago +2

    Really appreciate your videos. You speak in a way anyone can understand and that is why I am able to send these to friends and family who unlike me are not in the IT world. Have a happy new year btw!

    • @AllThingsSecured
      @AllThingsSecured  5 months ago +1

      I appreciate that! Thanks for sharing the video...and happy New Year to you as well :)

  • @deborahc9775
    @deborahc9775 4 months ago

    Do you recommend insurance?

  • @bigjoegamer
    @bigjoegamer 5 months ago +2

    There are 2 kinds of passkeys: device-bound and synced. Device-bound passkeys can't be replicated; they're like physical security keys in that way.

    • @AllThingsSecured
      @AllThingsSecured  5 months ago +2

      Very interesting. I obviously still have a lot to learn about passkeys.

  • @namewithheld367
    @namewithheld367 2 months ago +1

    So your bonus law number 4. Only use physical keys and not use passkeys if both options are available. I was in this camp until recently. There is something going on with iOS and MacOS recently where Google does not recognize my Yubikeys via Safari anymore. I was able to bypass this by using an old out of date Mac, reregister one of my Yubikeys and then switched back to my modern hardware to reregister all of other keys. So it’s hard to tell if it is Google or Apple, but someone f’d up and almost locked me out of my Google accounts.

    • @KodakYarr
      @KodakYarr 2 months ago

      Sounds like a Mac issue

    • @Darkk6969
      @Darkk6969 8 days ago

      It's one of the reasons why you should always generate one time pass codes as back up. Those will always work in case something changed with your keys. I usually re-generate mine at least once a year to make sure I get fresh codes in case something changed on the system side.

  • @user-zl7ez7ul5o
    @user-zl7ez7ul5o 3 months ago

    To use a new phone, they ask you for a Google account as the main account. Does this have to be created separately from the personal one? How do you handle that? what account do you put?

  • @elizabeth4053
    @elizabeth4053 5 months ago

    Do you suggest logging out of certain apps on your iPhone to allow for entering credentials like the 2FA?

    • @AllThingsSecured
      @AllThingsSecured  5 months ago +1

      That's up to you and your threat model. Some people set their internet browser to close all windows every time they close their computer or lock up their phone. Those kinds of settings depend on what and from whom you are protecting.

  • @jakobholzner
    @jakobholzner 1 month ago

    can you explain what you mean at 06:11 what each category is

  • @DJOZMET
    @DJOZMET 5 months ago +2

    Can you talk about outlook firewall. (Security policies)

  • @callysibben416
    @callysibben416 3 months ago

    People keep misunderstanding what passkeys are for. They are not 2 factor, they are a replacement for passwords. It's understandable why people think this, since most websites are doing trials of them by treating them like 2 factor. Still, can't wait for them to actually start replacing passwords

  • @ManelRodero
    @ManelRodero 5 months ago

    Interesting rules.
    I would like to know how fast it is to search for the backup Yubikey every time you want to register 2FA for a new account.
    What if you are away from home? Do you register and when you get home you look for the two keys and then activate 2FA?
    A video about the logistics of operation and day-to-day use would be interesting.
    Thank you.

    • @AllThingsSecured
      @AllThingsSecured  5 months ago

      Thanks for the idea, Manel. Very helpful suggestion.

    • @champagnesupernova7534
      @champagnesupernova7534 4 months ago

      If you have 2 yubikeys, then you should always carry one on your keyring. Then you won't ever have to search for one, unless you lose your keys while away from home.

  • @topg3200
    @topg3200 3 months ago

    What’s your go to tax software turbo tax? Or free tax USA? I like how turbo tax is 100% accuracy guarantee and free tax USA isn’t

  • @joshy9124
    @joshy9124 4 months ago

    So, in terms of not having all your eggs in one basket or not trusting a company with all your info, would you suggest against subscribing into a company's ecosystem for example, proton or Nord?

  • @davinp
    @davinp 5 months ago

    Many services/accounts offer 2FA, but not all require it to be enabled. I would recommend enabling it on all your accounts

  • @roymazz
    @roymazz 5 months ago

    So you're saying you prefer the password/hardware key combo over using a Yubikey for passkeys? it seems the security level would be the same in this case.

    • @AllThingsSecured
      @AllThingsSecured  5 months ago +2

      The way I see it, using a Yubikey as a passkey is exactly the same as simply using a 2FA key, right? My issue is with the software-based passkeys.

  • @CompletelyAverageGameplay
    @CompletelyAverageGameplay 2 months ago +1

    How do you feel about storing 2fa codes in a PM that's only accessible via a hardware key? My password manager can only be accessed via someone that has one of my two hardware 2fa keys, and once it reached that point I started consolidating all of my 2fa codes into my password manager as I felt the hardware 2fa requirement was enough to warrant that level of confidence.

    • @Panicthescaredycat
      @Panicthescaredycat 1 month ago

      let me know if you get an answer to this question lol, cause that's how i have my PM too, only way to access it is if someone has my yubikeys.

  • @boilroaming
    @boilroaming 3 months ago +1

    Is it a good idea to put the master password in the password manager itself ?

    • @hibrunocosta
      @hibrunocosta 27 days ago

      I mean to be honest if they get into your password manager to see the master password, then the master password is rendered useless as they already have access to every other password. At that point I would change all passwords including the master, even if not in the pm.

  • @Marco-ce8kr
    @Marco-ce8kr 5 months ago

    Hello. Do bank accounts accept 2F physical keys?

  • @hinoto_
    @hinoto_ 3 months ago

    Is it dangerous to use passkey on Android device if this device encrypt synchronisation with a static key (instead of google account) ?

  • @RBzee112
    @RBzee112 4 months ago

    I keep my 2FA codes in my PW manager, too. But, I lock my PW manager with a 2FA code that's NOT in the app.

  • @MakeitZUPER
    @MakeitZUPER 5 months ago +2

    Facial recognition or fingerprints don't matter if there's an option to use a pin instead. It seems that a pass key is the wiser option.

    • @AllThingsSecured
      @AllThingsSecured  5 months ago

      Any form of authentication is only as strong as the weakest form.

    • @MakeitZUPER
      @MakeitZUPER 5 months ago

      @@AllThingsSecured That's true of any co-dependent scenario.

  • @jasonU9
    @jasonU9 5 months ago

    How do you make a private virtual number (in the EU)?

    • @AllThingsSecured
      @AllThingsSecured  5 months ago

      Depends on the country. I think it’s easier for some than others. I’d check Hushed and other such providers to see which countries they offer. I can’t remember off the top of my head.

  • @Mr.X.I.I
    @Mr.X.I.I 5 months ago

    Should I use password manager or key chain??

  • @zeitgeist888
    @zeitgeist888 5 months ago

    I may have missed it but can you do a video on 2FA when you don't have a US phone number? As in if you are overseas and using a different sim card and need to access your 2FA codes if SMS is the only allowed method.

    • @AllThingsSecured
      @AllThingsSecured  5 months ago

      You can purchase a US number from a provider like Hushed and use that for SMS codes. Same goes for IronVest or MySudo…they offer the same service.

    • @zeitgeist888
      @zeitgeist888 5 months ago

      @@AllThingsSecured Thanks.

  • @kristian6674
    @kristian6674 5 months ago

    Is it worth using 2fa physical key for non sensitive things like tiktok or youtube?

    • @AllThingsSecured
      @AllThingsSecured  5 months ago +1

      For me, yes. YouTube is connected to a Google account, so it's worth having a 2FA key there. Honestly, it's up to you, but as I said in the video, my rule is this: "If a 2FA key option is offered, USE IT".

  • @3weight
    @3weight 4 months ago

    So I pretty much hew to these and similar privacy policies. BUT… today I opened Yelp and it asked me for a review of my experience at a medical specialist I’m setting up a procedure with. WTFFF? Can you do some videos focusing on how businesses (e.g., Yelp) get this kind of info? Otherwise I feel like I’ve built unscalable stone walls with a moat, but there’s a huge tunnel from beyond the moat that comes up in the scullery behind my back.
    I’ve noticed more of those instances where you have a conversation on an odd topic and start seeing ads or articles about it, but attention bias makes that impossible to really gauge. But the Yelp example is different. They have affirmative data showing that I’m dealing with this medical specialist, and I really want to track down where they got it, because I expect to find at least one tunnel in that way.
    I don’t use Alexa or have Siri turned on to listen, and stay as far from Google as I can, though I have Chrome and Maps installed for occasional use.

  • @InfoSecGuardian
    @InfoSecGuardian 5 months ago

    I use yours listed except (1) I do keep MFA codes separate from the Password Manager - no exceptions; (2) I did go back and change the user ID to unique ones (email aliases where possible) for every account I could; and (3) I won't upload my biometrics to any websites as I don't trust they won't get hacked and lose it.
    Segregation of activities between devices and VPN providers is what I aspire to and is a difficult habit to develop. I may just configure the firewall to route traffic to specific VPNs so I need not worry about it. That takes some thought and effort to implement.
    You didn't mention secure DNS or maybe even using a secondary ISP at the firewall to route the DNS call through a different carrier.

    • @AllThingsSecured
      @AllThingsSecured  5 months ago

      Thanks for sharing! For what it’s worth, I don’t know of any websites where you “upload biometrics”. Biometric verification is done at the device level.

    • @InfoSecGuardian
      @InfoSecGuardian 5 months ago

      @@AllThingsSecured - The irony! The posting of your videos UPLOADS your BIOMETRICS to the web! Biometric data captures physical attributes of a person such as fingerprints, face, or voice. Your video contains both face and voice. Banks are using voice authentication when you phone them. Avoidance can be a challenge. Cameras, such as Ring, use biometrics in the form of facial recognition. Even if YOU don't self identify your face to Ring, your friend with a Ring camera probably already has.
      The weakest link for security-conscious people watching your videos is generally not themselves. It is the companies we have to give data to like Equifax's and Banks of the world. Hackers are now calling the bank via VoIP and tricking them to think it's you while using data from these breaches. To get through voice verification, the hackers call you to get your voice, and then use AI to trick the banks into thinking it is you.
      Obviously it's impossible to live life and also duck your biometrics from being captured. But, I'm certainly not going to help it along.
      Note: Even self checkout like at Walmart are capturing your biometrics. They use cameras to capture you scanning the items and then link it to your person through the Credit/Debit card used at checkout. This is done in the name of shoplifting prevention security.

    • @PaulNecsoiu
      @PaulNecsoiu 4 months ago

      I understand the use of email aliases for non important accounts, but for important accounts don't you think it presents a major risk? For example, if we create an account using a custom alias (with custom domain) and after a while we lose access to that alias (let's say we forgot to update the domain, etc.) don't we lose access to that account?

    • @InfoSecGuardian
      @InfoSecGuardian 4 months ago

      @@PaulNecsoiu ​ Great critical thinking skills. Actually, when web apps use the email address as a user id, you can still login using that ID even if the email address is no longer valid UNLESS you need the forgot your password function. If the website allows it, it would be best to change the user ID to your new email address (alias would be good). Optimally, you OWN the domain name for your email address and would know if you're going to no longer renew it. And, if you let that expire, you likely have a bunch of accounts (all known to your password manager of choice) to then go update your credentials to match your new plan.

    • @PaulNecsoiu
      @PaulNecsoiu 4 months ago +1

      @@InfoSecGuardian Thank you! You are totally right. I have done some testing and if the email is not valid you can still use that email as a login ID. More than that if the account allow other recovery methods (recovery codes, security keys, etc.) I think that with a good management we can say it is pretty safe to use email aliases for all accounts.

  • @StefNoci
    @StefNoci 5 months ago +1

    My one issue with any security is the backdoor, the "forgotten password" button. How do you stop this backdoor way into an account?

    • @AllThingsSecured
      @AllThingsSecured  5 months ago +3

      In many cases you can't stop it, but if you use an email alias that points to an address other than your primary email account, that's one step you could take.

    • @Fatman305
      @Fatman305 5 months ago +1

      By removing phone on file whenever possible (use other 2fa), or using two numbers. One number, untraceable sim for sensitive accounts, and one known num for accounts nobody will sim swap you to steal...

  • @seapanda-117
    @seapanda-117 4 months ago

    Question that I have never seen addressed anywhere, how many accounts can be protected by a single yubikey?

    • @AllThingsSecured
      @AllThingsSecured  4 months ago +1

      As a 2FA key? Unlimited. One key works on all accounts. If you’re storing one time passcodes on a Series 5, though, it can only hold 32. Does that make sense?

    • @hinoto_
      @hinoto_ 3 months ago

      And 25 passwordless passkey.

  • @Waltaere
    @Waltaere 5 months ago

    All thiings 😃

  • @killer2600
    @killer2600 3 months ago

    Sounds like you use things you don't trust...For me trust is very important in my security strategy. I have to have full trust in what I'm using and doing - no half-baked I don't really trust _this_ so I'm gonna mitigate it with _this_

  • @smokyviking2101
    @smokyviking2101 5 months ago

    Why does a Spotify still not have any of these options

    • @AllThingsSecured
      @AllThingsSecured  5 months ago

      Why do you need so much security for your music streaming service?

  • @davinp
    @davinp 5 months ago

    SMS is the least secure of all the 2FA methods. Some people might not want to give out their cell phone number

  • @couchpotatter
    @couchpotatter 5 months ago +2

    Answers to throw off security questions: Ex, Q:"Where were you born?" A: "Mercedes Benz"

  • @rjain1993
    @rjain1993 5 months ago

    👍🏻

  • @synonys
    @synonys 5 months ago

    Sad that most financial institutions don’t allow 2FA.

  • @bigdreams5554
    @bigdreams5554 3 months ago

    I would add another law.. don't use your phone as a passkey. Very easy for muggers to get you to empty out your bank accounts when you carry the keys to your kingdom with you at all times on your phone.

  • @rickstephan6707
    @rickstephan6707 5 months ago

    I wear wrinkled shirts too. 😜

  • @ChibiKeruchan
    @ChibiKeruchan 5 months ago +1

    The backup codes are the biggest unnecessary thing that has ever been made in the history of security.
    It's a lazy guy who just throws out a suggestion and an idiot approves it.
    Instead of backup codes (in case your physical key is broken or lost) they should let you set what we'd call a Recovery Location:
    a physical location that you can set in the security settings by opening your GPS.
    You can choose to stand in a train station and set it as your recovery location.
    When your yubikey gets broken and you need to recover your account, go to your designated location,
    open your GPS and recover your account. It doesn't need to be the EXACT GPS position; it can have a margin of error like a 5 meter radius.

    • @AllThingsSecured
      @AllThingsSecured  5 months ago +5

      That sounds great, but I literally have a program on my computer that allows me to spoof the GPS location on my phone to be anywhere in the world. That's a huge security loophole there.