It’s Time for a Personal Security Cleanup

Posted on December 28, 2021

The year’s end is upon us.  For most of us, this week between Christmas and New Year’s is an excellent time to clean things up and prepare for the new year ahead.  As you do that, I’d ask you to set aside a couple of hours and review your personal security posture.  Here are some areas to consider:

  • Local Passwords: If you haven’t rotated your workstation/laptop/etc. passwords in the last 3 years, or if you are using a weak password, it’s time to change it.  Hopefully, you are using an aggressive screen lock, which means that between sudo and unlocking your workstation you are entering that password constantly, so make it an easy one to enter without thinking, but go for a long one.  XKCD offered the right way to go about it a long time ago, but also consider the “bounce” of the keyboard: pick something you can type without fumbling keys and risking a lockout.
  • Password Managers- Master Password: Is it time to rotate it?  Make sure it’s easy to remember and long.
  • Password Managers- Generation Strength: These days almost all services out there support passwords 50 chars or longer.  I’d recommend updating your password generation length to 50.  Hopefully it hasn’t been any less than 20 in the past; if so, consider rotating those passwords.
  • Password Managers- High-Value Passwords: It’s also a good idea to rotate any passwords for high-value systems, such as your bank, trading or retirement accounts, etc.
  • SSH Keys: I know it’s something of a badge of honor to have a 15-year-old SSH key, but it’s time for that thing to go.  Better algorithms are available, and that old key has probably been left in places you have forgotten about.  Consider generating a new one with ed25519 at 384 bits.  If you must still use RSA for a legacy environment, make sure you have a key strength of 4096 bits.  Also make sure you update GitHub, GitLab, AWS, or wherever else you need that public key stored.
  • PGP Keys: What?  That old thing?  If you aren’t signing your Git commits, you should be, and you will likely be required to do so in the near future.  Dust off your knowledge of GPG and generate yourself a new key (if you care to, sign it with your old key and then expire the old one) and configure Git to use it for signatures.  [Thanks to Fazal Majid for noting that there is now SSH key signing support in Git, but I suspect it could be quite a while before this is supported by GitHub, GitLab, et al. – PGP and X.509 work today.]
  • Your Email Provider: If you haven’t changed that password recently, you should.  Remember that your email account is (sadly) the single most valuable possession in your digital life.  Why?  Because almost every account recovery or password reset out there will require access to your email.  When people have left my companies before and didn’t hand over important creds, I had to hack their email to regain access… don’t underestimate the importance of your inbox.
  • Your Cloud Accounts: Especially the root credentials for your personal AWS accounts, that old DigitalOcean account, etc.  If you don’t use any of those accounts anymore, close them completely to avoid a compromise that costs you money.  If you do use them from time to time, rotate those root credentials and keys, then spend some time pruning your IAM users, groups, and roles.
  • 2FA/MFA: Are you using MFA everywhere?  You should be, and it’s super easy; it just takes a little time to go around and get it done.
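A quick way to find the SSH keys that need to go, as an added example that is not from the post: the script below decodes OpenSSH public-key lines (the ones in authorized_keys and .pub files) and flags RSA keys under the post's 4096-bit floor. The sample key lines are constructed from dummy numbers of the right shape, not real key material. Note that ed25519 keys have a fixed 256-bit size, so ssh-keygen ignores a -b value for that type.

```python
import base64
import struct

RSA_MIN_BITS = 4096   # the post's floor for legacy RSA keys

def _ssh_string(b):   # encode one length-prefixed field in SSH wire format
    return struct.pack(">I", len(b)) + b

def _read_string(blob, off):   # decode the length-prefixed field at offset `off`
    (n,) = struct.unpack(">I", blob[off:off + 4])
    return blob[off + 4:off + 4 + n], off + 4 + n

def inspect_public_key(line):
    """Return (comment, key_type, bits, verdict) for one .pub / authorized_keys line."""
    fields = line.split()
    key_type, blob = fields[0], base64.b64decode(fields[1])
    comment = fields[2] if len(fields) > 2 else ""
    wire_type, off = _read_string(blob, 0)
    if wire_type.decode() != key_type:
        raise ValueError("key type prefix does not match the encoded blob")
    if key_type == "ssh-rsa":
        _e, off = _read_string(blob, off)   # public exponent, not needed here
        n, _ = _read_string(blob, off)      # modulus, encoded as an mpint
        bits = int.from_bytes(n, "big").bit_length()
        verdict = "ok" if bits >= RSA_MIN_BITS else f"rotate: RSA {bits} < {RSA_MIN_BITS}"
    elif key_type == "ssh-ed25519":
        bits, verdict = 256, "ok"           # fixed-size key, nothing to measure
    else:
        bits, verdict = None, "review: unrecognised key type"
    return comment, key_type, bits, verdict

def audit(lines):
    """Inspect every non-comment line and return the findings in order."""
    return [inspect_public_key(ln) for ln in lines if ln.strip() and not ln.startswith("#")]

# Constructed sample keys: dummy numbers of the right shape, not real key material.
def fake_rsa_line(bits, comment):
    n = (1 << (bits - 1)) | 1                         # odd number with exactly `bits` bits
    n_bytes = b"\x00" + n.to_bytes(bits // 8, "big")  # mpint: leading 0x00 since the high bit is set
    blob = _ssh_string(b"ssh-rsa") + _ssh_string(b"\x01\x00\x01") + _ssh_string(n_bytes)
    return f"ssh-rsa {base64.b64encode(blob).decode()} {comment}"

def fake_ed25519_line(comment):
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(bytes(32))
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"

SAMPLE_AUTHORIZED_KEYS = ["# constructed authorized_keys for the demo",
                          fake_rsa_line(2048, "old-laptop-2009"), fake_rsa_line(4096, "legacy-jumphost"),
                          fake_ed25519_line("laptop-2021")]
```

Point `audit()` at the lines of your own `~/.ssh/authorized_keys` on each host you still have access to; every "rotate" line is a place the old key was left behind.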
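A check for the cloud-account and MFA steps, as an added example rather than anything from the post: it reads an IAM credential report (the CSV that `aws iam get-credential-report` returns once base64-decoded) and flags active root access keys, console users without MFA, and access keys that are stale or idle. The sample report is constructed with made-up users and the AWS documentation account id, using a subset of the real columns; the 90-day thresholds are my assumption.

```python
import csv
import io
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90   # rotate access keys older than this (assumed threshold)
MAX_IDLE_DAYS = 90      # keys unused this long are candidates for deletion (assumed)
ROOT = "<root_account>" # how the credential report names the root user

def _parse_ts(value):
    """Report timestamps are ISO 8601; N/A / no_information / not_supported mean unknown."""
    if value in ("N/A", "no_information", "not_supported", "", None):
        return None
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def audit_credential_report(report_csv, now):
    """Return (user, finding) tuples for the things a year-end cleanup should fix."""
    findings = []
    for row in csv.DictReader(io.StringIO(report_csv)):
        user = row["user"]
        if row.get("password_enabled") == "true" and row.get("mfa_active") != "true":
            findings.append((user, "console password without MFA"))
        if user == ROOT and row.get("mfa_active") != "true":
            findings.append((user, "root user without MFA"))
        for slot in ("1", "2"):
            if row.get(f"access_key_{slot}_active") != "true":
                continue
            if user == ROOT:   # root should have no access keys at all
                findings.append((user, f"root access key {slot} is active: delete it"))
                continue
            rotated = _parse_ts(row.get(f"access_key_{slot}_last_rotated"))
            if rotated is None or now - rotated > timedelta(days=MAX_KEY_AGE_DAYS):
                findings.append((user, f"access key {slot} older than {MAX_KEY_AGE_DAYS} days: rotate"))
            used = _parse_ts(row.get(f"access_key_{slot}_last_used_date"))
            if used is None or now - used > timedelta(days=MAX_IDLE_DAYS):
                findings.append((user, f"access key {slot} unused for {MAX_IDLE_DAYS}+ days: prune"))
    return findings

# Constructed sample report (a subset of the real columns; account id and users are made up).
SAMPLE_REPORT = """\
user,arn,password_enabled,mfa_active,access_key_1_active,access_key_1_last_rotated,access_key_1_last_used_date,access_key_2_active,access_key_2_last_rotated,access_key_2_last_used_date
<root_account>,arn:aws:iam::123456789012:root,not_supported,true,true,2018-03-02T09:12:00+00:00,N/A,false,N/A,N/A
alice,arn:aws:iam::123456789012:user/alice,true,true,true,2021-11-20T08:00:00+00:00,2021-12-27T19:42:00+00:00,false,N/A,N/A
old-ci-bot,arn:aws:iam::123456789012:user/old-ci-bot,false,false,true,2019-06-01T00:00:00+00:00,2020-02-11T03:10:00+00:00,false,N/A,N/A
bob,arn:aws:iam::123456789012:user/bob,true,false,false,N/A,N/A,false,N/A,N/A
"""
NOW = datetime(2021, 12, 28, tzinfo=timezone.utc)   # fixed so the demo is deterministic

if __name__ == "__main__":
    for user, finding in audit_credential_report(SAMPLE_REPORT, NOW):
        print(f"{user:16} {finding}")
```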

In addition, consider some changes to your tool kit:

  • Switch to Authy for TOTP: If you’re using Google Authenticator or Duo or something else for TOTPs, consider switching to Authy.  You can protect access with a PIN or FaceID, its contents are backed up with iCloud (etc.) so you don’t lose all those OTPs in the event of a reinstall, it’s visually appealing, and it’s maintained by Twilio, whom I trust.  Unless you are sharing MFA with a team, I do not recommend storing TOTP secrets in your password manager; it defeats the point.
  • Switch to BitWarden as a Password Manager: BitWarden isn’t pretty, it’s true, but it is much more secure than the alternatives thanks to being open-source and publicly vetted.  It has a lot of utility and is worth your consideration.
  • Adopt a YubiKey 5: The latest generation of YubiKeys are incredible, featuring FIDO U2F and FIDO2 support, OpenPGP support, PIV (SmartCard!) support, traditional YubiKey OTP, OATH support (which allows you to store TOTP and HOTP secrets on the device, which you can access on your phone via NFC!), and much more.  They really are incredible, and when you pair USB-C with NFC you have a great solution that is portable between your phone and computer.
  • Got Duo?: OK, push validation is a little out of date; you’re far better off securing SSH with a YubiKey and FIDO security-key (sk) SSH keys, but Duo is free for 10 users or fewer, so if you love it, it’s worth a go.
  • Time to Go Passwordless?  If you have a personal Google domain or other personal/family SSO solution, there are some awesome solutions out there to dump passwords for good.  I love Hypr and Beyond Identity.  Did you know that Beyond Identity is free?  You have to talk with sales to get your account set up but the price is right.  If you want to get on the cutting edge, give it a try.

Most of all, ensure you think hard about the 3 most important passwords you have:

  1. Your Email
  2. Your Password Manager
  3. Your Workstation

Every other system is protected ultimately by those 3, so be sure to take good care of them!