2023-07-13

Equivalent domains in password managers

Equivalent domains is a feature of most password managers that you should be using, both for your security and your convenience.  (1Password notably does not support this feature.)  I'll reference Bitwarden below since I consider it the best password manager for most people.

Go to Account Settings in the Bitwarden web vault (but not in any of the apps) and you'll see a page called Domain Rules.  It lets you configure equivalent domains.  The top of the page is for equivalent domains you add to your account, while the bottom of the page shows equivalent domains that are built into Bitwarden.

As an example, these are some of the equivalent domains that I have loaded into my Domain Rules page:

  • canadiantire.ca, sportchek.ca, marks.com
  • expedia.ca, expedia.com
  • opentable.ca, opentable.com
  • pinterest.com, pinterest.ca
  • microsoft.com, bing.com, hotmail.com, live.com, msn.com, windows.com, windowsazure.com, office.com, skype.com, azure.com, onenote.com, onedrive.com, microsoftonline.com

Each row is two or more domains that you're telling Bitwarden to treat as equivalent for autofill.

Why is using equivalent domains good for security?  Let's say you do not have this row configured: <hertz.com, hertz.ca>.  If you have created a Bitwarden login for hertz.ca and you later want to use the hertz.com website, BW won't autofill for you, because the domains don't match.  So you'll be forced to manually copy and paste the password, which is always a dangerous thing to do: the domain check that autofill performs is one of your best defences against phishing pages (a look-alike site gets no autofill, so you get a warning sign), and copying the password by hand bypasses that check entirely and leaves the password sitting on the clipboard.

Be very careful when adding new rows, or new domains to existing rows!  Equivalence works in both directions.  If you add a row <mybanksite.com, evilsite.com>, bad things will happen: if you are on an evilsite.com page, BW will happily autofill your user ID and password for mybanksite.com!  Only put domains in the same row when you are sure the same organization controls all of them.
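To make the matching concrete, here is an added example (my own code, not Bitwarden's) of how an autofill decision with equivalent domains works.  It takes the page URL and the URL saved on the login, reduces each to its base domain, and allows autofill only when the base domains are equal or sit in the same row.  The rules list is constructed from the Domain Rules above, and the handful of multi-label suffixes is an assumption standing in for the full Public Suffix List that real clients consult.  The last case in the demo is the trap described above: a row that pairs a bank with an unrelated site.

```python
from typing import Iterable, List, Optional, Set
from urllib.parse import urlsplit

# Constructed rules for this example, modelled on the Domain Rules list above.
# Each set is one row of equivalent domains.
EQUIVALENT_DOMAINS: List[Set[str]] = [
    {"hertz.com", "hertz.ca"},
    {"canadiantire.ca", "sportchek.ca", "marks.com"},
    {"microsoft.com", "live.com", "office.com", "azure.com"},
]

# Assumption: a tiny stand-in for the Public Suffix List, which real clients use
# so that e.g. "example.co.uk" is treated as one registrable domain, not "co.uk".
MULTI_LABEL_SUFFIXES = {"co.uk", "com.au", "co.nz", "co.jp"}


def base_domain(url: str) -> Optional[str]:
    """Registrable ("base") domain of a URL, or None if the URL has no usable host.

    The host comes from the parsed URL, not from a substring search, so
    "https://hertz.ca@evilsite.com/" yields "evilsite.com", not "hertz.ca".
    """
    host = urlsplit(url).hostname
    if not host:
        return None
    if host.replace(".", "").isdigit():        # bare IPv4 address: match it whole
        return host
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or any(not label for label in labels):
        return None
    if len(labels) >= 3 and ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES:
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def equivalents(domain: str, rules: Iterable[Set[str]]) -> Set[str]:
    """All domains treated as equivalent to `domain`, including itself."""
    result = {domain}
    for row in rules:
        if domain in row:
            result |= row
    return result


def should_autofill(page_url: str, login_url: str,
                    rules: Iterable[Set[str]] = EQUIVALENT_DOMAINS) -> bool:
    """Would a login saved for `login_url` be offered on `page_url`?

    Base-domain matching plus equivalent domains: the page's base domain must
    equal the login's base domain or appear in the same rule row.
    """
    page = base_domain(page_url)
    login = base_domain(login_url)
    if page is None or login is None:
        return False
    return page in equivalents(login, rules)


if __name__ == "__main__":
    print(should_autofill("https://www.hertz.com/rent", "https://hertz.ca/login"))   # True
    print(should_autofill("https://hertz.com.evil.example/", "https://hertz.ca/"))   # False
    print(should_autofill("https://hertz.ca@evilsite.com/", "https://hertz.ca/"))    # False
    bad_rules = EQUIVALENT_DOMAINS + [{"mybanksite.com", "evilsite.com"}]
    print(should_autofill("https://evilsite.com/", "https://mybanksite.com/", bad_rules))  # True: the trap
```

The point of parsing the URL rather than searching for the domain as a string is visible in the third case: a phishing URL that merely contains "hertz.ca" in its userinfo part still resolves to evilsite.com and gets nothing.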

2023-03-31

World Backup Day 2023

Today is World Backup Day.  

Data backup is incredibly important today given how much of human activity is online.  Here are a few suggestions to reduce the risks of losing your important data.  (Data is "important" if losing it would negatively impact you.)

  1. Ensure that all your important data is backed up to at least two different places, at least one in the cloud and at least one local (e.g., an external hard drive).  
  2. Manual backup -- weekly at a minimum -- can work if you're diligent and set a reminder in your calendar, but automated daily backup is much better.
  3. For data that lives on your computer or an external drive, your first backup should be to a cloud provider.  Your second backup can be cloud or local.
  4. Have an offline local backup.  Offline means that the storage device (e.g., external drive, flash drive) is physically connected to your computer only during the actual backup operation.  This provides protection against corruption, deletion by mistake, and ransomware. 
  5. If you have data that lives in the cloud, you need at least one backup too, which could be on your computer or an external drive.  Your password manager falls under this: export its database occasionally -- but only if your computer drive is encrypted; see below.
  6. Cloud sync (often free, e.g., Google Drive) is not the same as cloud backup (usually paid, e.g., Backblaze).  True backup will keep deleted files and old versions of your files for at least 6 months (and ideally longer), supports point-in-time restore, and lets you choose which folders to back up.  Cloud sync providers usually keep these for no more than 30 days, don't support PIT restore, and often only back up files you place in the single fixed folder.
  7. For sensitive data you're backing up to the cloud -- or if you don't want to have to think about which data is sensitive or not -- use a cloud provider with end-to-end encryption (E2EE), also called Zero Knowledge.
  8. For local backups (e.g., to external drives), ensure that the data is encrypted.  (Critically, also ensure that your computer's drive is encrypted.  Windows Home doesn't include BitLocker (only the more limited Device Encryption feature, and only on some hardware) and Windows Pro doesn't turn BitLocker on by default; so if someone steals your computer they'll get all your data.)
  9. For mobile devices you can reduce data backup concerns by ensuring that all important data on your device actually comes from (is synced from) the cloud, or, say in the case of new photos not yet transferred to your computer, is automatically backed up to the cloud.  Don't leave any unbacked-up data on your device for too long.
  10. A backup is not useful if the restore from it fails when you need it, so run test restores on your data occasionally.  This applies to both local and cloud backups.
  11. Manage your backup process: keep a list of all your data sources and where each source is backed up to and how often.  This will help you identify gaps in your backups.
  12. Looking at the broader picture, you can reduce the cost, effort, and risks for data backup by reducing the amount of data you have.  Don't keep data longer than it's useful to you for.
  13. Organizations: The larger the organization, the more stringent their backup requirements are, for both technology and processes.  One small example of the latter is that the organization's security policies should include detailed requirements for backup of the organization's data.

This is an update of my World Backup Day 2021 post: World Backup Day, and suggestions.
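Points 10 and 11 above (test your restores, and keep track of what is backed up) are easier to act on with a checksum manifest.  The following is an added example of my own, not from any backup product: take a SHA-256 manifest of the source at backup time, store it alongside the backup in sha256sum's line format, and after a test restore compare the restored tree against that saved manifest.  The demo builds a small constructed source tree in a temporary directory, "restores" it with a plain copy, damages the copy in three ways and shows that each is reported.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, NamedTuple, Set


class Diff(NamedTuple):
    missing: Set[str]   # in the source manifest but absent from the restore
    changed: Set[str]   # present in both but with different contents
    extra: Set[str]     # in the restore but not in the source manifest


def manifest(root: Path) -> Dict[str, str]:
    """Map every file under root (path relative to root) to its SHA-256 digest."""
    result: Dict[str, str] = {}
    for path in sorted(root.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with path.open("rb") as f:
                for chunk in iter(lambda: f.read(1 << 20), b""):
                    digest.update(chunk)
            result[path.relative_to(root).as_posix()] = digest.hexdigest()
    return result


def write_manifest(entries: Dict[str, str], path: Path) -> None:
    """Save in sha256sum's 'digest  path' line format so standard tools can check it too."""
    with path.open("w", encoding="utf-8") as f:
        for rel in sorted(entries):
            f.write(f"{entries[rel]}  {rel}\n")


def read_manifest(path: Path) -> Dict[str, str]:
    entries: Dict[str, str] = {}
    with path.open("r", encoding="utf-8") as f:
        for line in f:
            line = line.rstrip("\n")
            if line:
                digest, rel = line.split("  ", 1)
                entries[rel] = digest
    return entries


def compare(source: Dict[str, str], restored: Dict[str, str]) -> Diff:
    """Everything that would make a restore untrustworthy, by category."""
    src, rst = set(source), set(restored)
    changed = {rel for rel in src & rst if source[rel] != restored[rel]}
    return Diff(missing=src - rst, changed=changed, extra=rst - src)


def demo_restore_test() -> Diff:
    """Constructed scenario: a small 'source' tree, a manifest taken before backup,
    a 'restore' that has been damaged in three ways, and the check that catches it."""
    with tempfile.TemporaryDirectory() as tmp:
        src = Path(tmp, "source")
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "notes.txt").write_text("keep me\n")
        (src / "photo.bin").write_bytes(bytes(range(256)))
        (src / "vault-export.json").write_text('{"items": []}\n')

        # Step 1: record the manifest at backup time and keep it with the backup.
        manifest_path = Path(tmp, "source.sha256")
        write_manifest(manifest(src), manifest_path)

        # Step 2: "restore" (here a plain copy), then simulate what can go wrong.
        restored = Path(tmp, "restored")
        shutil.copytree(src, restored)
        (restored / "photo.bin").write_bytes(b"\x00" * 256)   # silent corruption
        (restored / "vault-export.json").unlink()              # file never restored
        (restored / "stray.tmp").write_text("leftover\n")      # not part of the source

        # Step 3: compare the restore against the saved manifest, not against the
        # live source, since the source may be gone by the time you need a restore.
        return compare(read_manifest(manifest_path), manifest(restored))


if __name__ == "__main__":
    print(demo_restore_test())
```

Comparing against the saved manifest rather than the live source is the important design choice: when you genuinely need the restore, the original is what you have lost.  The manifest is also a ready-made inventory for point 11, since it lists exactly what a given backup contains.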

2023-03-21

Key security measures for a small organization

A small non-profit recently asked me for recommendations for improving their password security.  They wrote:

Do you make recommendations on password security software for businesses?  We are looking to increase our security and password protection, but are getting so many different opinions on best options.  LastPass was popular and has been recommended in the past, but apparently has had some security breaches as well.

My reply was as follows.  (This would apply equally to a for-profit organization.)

Bitwarden and 1Password are the password managers I tend to suggest.  Because of the LastPass data breach I no longer suggest LastPass.  Organizations should typically use the Teams version of their chosen password manager so that the service can be managed for the organization.

For a bit more background you can see my blog post on the LastPass breach:

The big LastPass data breach and what to do about it (gsharratt.com)

This is a good article with more info: 

The 2 Best Password Managers of 2023 | Reviews by Wirecutter (nytimes.com)

Two-factor authentication (2FA) is the other critical part of security for account credentials.  My blog post has more info, including lots of info on Authy:

Set up two-factor authentication (2FA) - another nice COVID-19 project (gsharratt.com)

A core third leg of security is device security, including strong passwords/PINs for all devices and full-disk encryption (FDE) for all computers, so that no data is compromised if computers are stolen or lost.  If you have Macs they likely already have FDE, but if you have Windows PCs they would need BitLocker in order to support FDE.   Search for “BitLocker” in this blog post:

Core security advice for general users [aka security hygiene] (gsharratt.com)

Hopefully you have an IT person or an IT managed service provider, and they can help you set up FDE for all computers.  They might possibly also be able to help you set up a password manager and 2FA.

This blog post contains an overview of other security controls that you could consider:

Security hygiene for a small professional office (gsharratt.com)

Note that the above are just generic suggestions that are typically suited to small organizations, since I know little about your organization and so can’t give advice.

2023-02-04

How to export from Authy

If you ever want to export your TOTP seeds from Authy, this page shows how to do it:

https://gist.github.com/gboudreau/94bb0c11a6209c82418d01a59d958c93

You could use that method to move your seeds to another (TOTP) authenticator app.

However, I continue to believe that Authy is the best authenticator app, as long as (a) you choose a strong Backups Password (its master password), e.g., 16+ random characters, and (b) you store the Backups Password somewhere other than your password manager’s vault.  

Why (b)?  If you store the Backups Password only in your PM's vault, you are in a spot of trouble if you ever need to reinstall both apps (PM and Authy) at the same time, because you can't log into either app until you've logged into the other one.  (Of course, there is no reason not to also store the Backups Password in your password manager's vault.)

There should be no need to export TOTP seeds from Authy on a regular basis, because every cloud account that offers 2FA should also offer a recovery mechanism in case that 2FA fails.  The mechanism is usually a set of one or more 2FA recovery codes.
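For anyone wondering what an exported "seed" actually is, here is an added example of my own (not the gist's code and not anything from Authy) that turns a base32 seed into the six-digit code you see in the app, following RFC 6238, and parses the otpauth://totp/ Key URI format that most authenticator apps import.  The sample URI is constructed around the RFC 6238 test seed, so the code at time 59 can be checked against the RFC's published vector; it is not a real account.

```python
import base64
import hmac
import struct
import time
from typing import Dict, Optional
from urllib.parse import parse_qs, unquote, urlsplit


def totp(secret_b32: str, now: Optional[int] = None, digits: int = 6,
         period: int = 30, algorithm: str = "sha1") -> str:
    """RFC 6238 TOTP code for a base32-encoded seed at Unix time `now`."""
    # Exports often carry seeds in lower case without '=' padding; normalise first.
    seed = secret_b32.strip().replace(" ", "").upper()
    seed += "=" * (-len(seed) % 8)
    key = base64.b32decode(seed)
    counter = int(time.time() if now is None else now) // period
    mac = hmac.new(key, struct.pack(">Q", counter), algorithm).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def parse_otpauth(uri: str) -> Dict[str, object]:
    """Fields of an otpauth://totp/ Key URI (the format authenticator apps import)."""
    parts = urlsplit(uri)
    if parts.scheme != "otpauth" or parts.netloc != "totp":
        raise ValueError("not an otpauth://totp/ URI")
    query = parse_qs(parts.query)
    if "secret" not in query:
        raise ValueError("otpauth URI has no secret parameter")
    return {
        "label": unquote(parts.path.lstrip("/")),
        "issuer": query.get("issuer", [None])[0],
        "secret": query["secret"][0],
        "digits": int(query.get("digits", ["6"])[0]),
        "period": int(query.get("period", ["30"])[0]),
        "algorithm": query.get("algorithm", ["SHA1"])[0].lower(),
    }


def code_from_uri(uri: str, now: Optional[int] = None) -> str:
    """Current (or given-time) code for the account described by a Key URI."""
    p = parse_otpauth(uri)
    return totp(str(p["secret"]), now, int(p["digits"]), int(p["period"]), str(p["algorithm"]))


# Constructed sample: the RFC 6238 test seed ("12345678901234567890" in base32)
# wrapped in a Key URI.  Not a real account, and not output from the export gist.
SAMPLE_URI = ("otpauth://totp/Example:alice%40example.com"
              "?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example")

if __name__ == "__main__":
    print(parse_otpauth(SAMPLE_URI)["label"])   # Example:alice@example.com
    print(code_from_uri(SAMPLE_URI, now=59))    # 287082 (RFC 6238 vector, last 6 digits)
    print(code_from_uri(SAMPLE_URI))            # the code the app would show right now
```

Two things worth noticing: the seed is the only secret, which is why an export file deserves the same protection as your vault, and the code depends on the clock, so an app whose clock drifts by more than the period will produce codes the service rejects.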