Family Password Reset - Priority to start

1,563 Views | 12 Replies | Last: 2 yr ago by eric76
PuryearFratDaddy
It's time…what does The Nerdery suggest as priority steps to take while being 'easy' and integrated?
And as a start/minimum upfront, then can move to more advanced protection later.

The Mrs. and I have 'not' been taken advantage of yet (except Apple and Google do show a lot of compromised sites/info). If you have reading/watching suggestions to self-educate vs internet info overload, that would be great too…everybody is trying to sell (or scare) something it seems.

Fairly certain it's a combination of following, but again what's priority and what apps/approaches integrate functionality at a good cost/value balance:

- Set up 2FA on all individual sites and apps that require passwords…seems some don't have the technology yet (like utility companies, but could be wrong)
- Leaning to 1password vs Bitwarden (usability reviews seems better and can sync with wife, or do both do this?). And these also do 2FA as well??
- 2FA - via cloud (authy, google) vs hardware (yubikey)?
- what about Apple's password manager and 2FA? I don't use Safari much, but that seems essential
eric76
Password managers are great because they make it far easier to have a completely different and highly complex password on each site.

My absolute minimal password length that I use only on my internal networks is 13 characters long and includes lower case, upper case, punctuation, and numbers. For internet sites, it is normally at least 20 characters and can be much, much longer.

I prefer passwords that are nonsense sentences. For example, I used to use one that was "He went to the desert seeking fine woolen roses but all he found was a goose and six trucks.": It was easy to remember but made no sense and about impossible to guess.

I use the protonpass that is part of my protonmail account.

One thing that I highly recommend is to create a special e-mail address for banks and credit card numbers and never share the e-mail address elsewhere. If you get an e-mail from an attacker that purports to be from your bank, they would not know the banking e-mail address you use and would target your normal e-mail address. This makes it very easy to identify whether or not the e-mail is really from the bank.

For example, you could use something like rose.outs.dog.busy.slow.ken@example.com for one credit card company and five.lob.cup.hero.ivan.word@example.com for another credit card.


Some people go so far as to create a separate e-mail address for every site. I do this more and more. I was doing it with '+' aliases but now use a company called simplelogin that can even do this for you and relay the e-mail to your actual e-mail address (it seems that more and more sites now use your e-mail address as a username to log in.) If you have a paid protonmail account, simplelogin is included with it.

For example, with simplelogin, you could create rattlesnakegulch.equipment899@silomails.com as an e-mail address for First National Bank of Rattlesnake Gulch and bankofamerica.backfield096@dralias.com for Bank of America. The e-mail goes to that address and is then redirected to your account. You can even create a domain with that, say puryearfratdaddy.8shield.net, and create any e-mail address you want in that domain and have e-mail sent to it be automatically forwarded to your regular e-mail address.
BQ2001
I like Bitwarden. It's cheap and works well on all our devices. Haven't used anything other than LastPass, but don't use them.
I'd start with getting complex passwords for your email and financial accounts first. Turn on MFA on those but avoid the SMS text if you can. I use Duo for a MFA app but they are all pretty similar. Yubikey is great, but can be a little less convenient.

I looked at Apple's password manager but when I looked it was pretty tied to Apple software. I like being able to pop the Bitwarden plugin into Safari, Chrome, Firefox, etc on Windows or Mac and it works.
Eric's suggestion is good but pretty complex.
eric76
My ProtonMail and my MailFence accounts use a FreeOTP app on my cell phone. The Gmail, on the other hand, pops up a message on my cell phone asking if that is me trying to log in. I have several accounts that send an e-mail to my protonmail with a new six digit pin to enter.
Sweet Kitten Feet
My family (me, wife, 2 kids) have a 1Password account. Each has their own unique login and master password, but we have a folder of shared sites that we can all use. We really like it.
heddleston
Also for solid password generation, use diceware: it's a list of words, each one tied to a specific combination of 5 rolled dice. Makes great passwords, and an 8 word passkey is uncrackable, especially if you are also adding numbers and characters and punctuations.
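The Diceware scheme described above, as an added example that is not part of the original post: five dice rolls form a key such as "31415" that indexes a 7,776-word list, and the passphrase strength comes from the list size raised to the word count. The word list here is a constructed placeholder (the real list maps each key to an actual word); the dice source uses Python's `secrets` module.

```python
import itertools
import math
import secrets

DICE_PER_WORD = 5
FACES = 6
LIST_SIZE = FACES ** DICE_PER_WORD   # 7776 entries in a standard Diceware list


def build_demo_wordlist():
    """Constructed stand-in for a real Diceware list: every 5-dice key
    ("11111" .. "66666") maps to a placeholder word. Swap in a real list."""
    keys = ("".join(str(d) for d in combo)
            for combo in itertools.product(range(1, FACES + 1), repeat=DICE_PER_WORD))
    return {key: f"word{i:04d}" for i, key in enumerate(keys)}


def roll_key(roll=lambda: secrets.randbelow(FACES) + 1):
    """Roll five dice and return the lookup key, e.g. '31415'.
    `roll` is injectable so fixed dice can be supplied for testing."""
    return "".join(str(roll()) for _ in range(DICE_PER_WORD))


def passphrase(wordlist, n_words=8, roll=None):
    """Pick n_words words by physical-style dice rolls (one key per word)."""
    kwargs = {} if roll is None else {"roll": roll}
    return [wordlist[roll_key(**kwargs)] for _ in range(n_words)]


def entropy_bits(n_words, list_size=LIST_SIZE):
    """Entropy of a uniformly chosen n-word passphrase: n * log2(list size)."""
    return n_words * math.log2(list_size)


def words_for(target_bits, list_size=LIST_SIZE):
    """Smallest word count that reaches the requested entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def guess_years(bits, guesses_per_second=1e12):
    """Years to exhaust the full space at an assumed offline guessing rate."""
    return (2 ** bits) / guesses_per_second / (365.25 * 24 * 3600)


if __name__ == "__main__":
    words = build_demo_wordlist()
    print(" ".join(passphrase(words)))
    print(f"8 words: {entropy_bits(8):.1f} bits, "
          f"{guess_years(entropy_bits(8)):.2e} years at 1e12 guesses/s")
```

An 8-word phrase from a 7,776-word list gives about 103 bits of entropy, which is why the extra digits and punctuation heddleston mentions are optional rather than load-bearing.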
eric76
heddleston said:

Also for solid password generation, use diceware: it's a list of words, each one tied to a specific combination of 5 rolled dice. Makes great passwords, and an 8 word passkey is uncrackable, especially if you are also adding numbers and characters and punctuations.
Remember that you would need a different set of passwords for each site.

There are still sites that store passwords in the clear. If someone breaks into the site and steals the password file, then all passwords in it are immediately available to them for attacking the user.
heddleston
Absolutely. It's just a good tool to make lots of good passwords you might can remember and also are hard to reverse engineer (like if they had personal info and were guessing combos of kid/pet names and phone numbers and addresses).
PuryearFratDaddy
Hi all, an update and thank you for the direction to get started. The Mrs and I made the jump and are setting up 1Password focusing on email/financial accounts. Aiming to do 2FA within it initially, though will look to doing a separate 2FA like Authy once it gets rolling. Eric, I'm going to play with the password/email suggestions, didn't realize they could be that long (which fraudsters hate I am sure). Will look into Diceware, Duo as well.

Are there other suggestions? Seems I should delete my website and phone autofills (even those will become obsolete/dated now) and let 1password manage now.

A reservation in back of my mind…if a hacker cracks 1Password (which seems virtually impossible), they basically have keys to your kingdom right? But guess they would go the way of LastPass…which seems a limited shelf life business as eventually a hacker will break it, though incentive is for them to keep ahead of it or it destroys credibility quickly.
kyledr04
The big benefit of 1pass over last pass is that even if you knew the password for 1pass you need another authenticated device or the separate access key code. So a password breach won't let someone else in.
saw em off
There are 4 methods of receiving 2FA codes. Ranked less secure to most secure, SMS, email, authenticator app, and hardware key. Two Yubikeys (one for backup) are definitely the way to go. Also, 1Password has a Watchtower feature that tells you when a site has been compromised, as you mentioned. Not sure if other managers do that or not.
Sweet Kitten Feet
I have several authenticator apps on my phone. Microsoft and Google for personal stuff, Duo for work.
eric76
saw em off said:

Also, 1Password has a Watchtower feature that tells you when a site has been compromised, as you mentioned. Not sure if other managers do that or not.
That could be useful.

I received a phishing e-mail this morning that purported to come from about the only service I use the address for. It will be interesting to see if they have suffered a recent breach. In the meantime, I'm going to change the e-mail used for that service. Outside of banks and credit cards, that service could have enormous impact if it has been breached.

They did have a breach about five years ago, but nothing has been reported about a new breach.

---

The company is telling me that the e-mail was legitimate! It looks like someone is trying to steal one or more domains from me.