Outsourcing security with 1Password, Authy, and Privacy.com

Victoria Drake
Director of Engineering. I lead development of cybersecurity products and technology teams. Core maintainer, OWASP Web Security Testing Guide. https://victoria.dev
Originally published at victoria.dev

We've already got enough to deal with without worrying about our cybersecurity. When humans are busy and under stress, we tend to get lax in less-obviously-pressing areas, like the integrity of our online accounts. These areas only become an obvious problem when it's too late for prevention.

Cybersecurity can be fiddly and time-consuming. You might need to reset forgotten passwords, transfer multifactor authentication (MFA) codes to different devices, or deal with the fallout of compromised payment details in the event one of your accounts is breached anyway.

Thankfully, most of the work necessary to keep up our cybersecurity measures can be outsourced.

Here are three changes you can make to significantly reduce the chances of needing to fiddle with any of these things again.

1Password

I've historically avoided password managers because of an irrational knee-jerk reaction to putting all my eggs in one basket. You know what's great for irrational reactions? Education.

To figure out if putting all my passwords into a password manager is more secure than not using one, I set out to see what some smart people wrote about it.

First, we need to know a thing or two about passwords. Troy Hunt figured out almost a decade ago that trying to remember strong passwords doesn't work. In more recent times, Alex Weinert expanded on this in Your Pa$$word doesn't matter. TL;DR: our brains aren't better at passwords than computers, and please use MFA.

So passwords don't matter, but complicated passwords are still better than memorable and guessable ones. Since I've next to no hope of remembering a dozen variations of p/q2-q4! (I'm not a chess player), this is a task I can outsource to 1Password. I'll still need to remember one long, complicated master password - 1Password uses this to encrypt my data, so I really can't lose it - but I can handle just one.

Using 1Password specifically has another, decidedly obvious, advantage. I chose 1Password because of their Watchtower feature. Thanks to Troy Hunt's Have I Been Pwned, Watchtower will alert you if any of your passwords show up in a breach so you can change them. Passwords still don't completely work, but this is probably the best band-aid there is.

One last bonus is that using a password manager is a heck of a lot more convenient. I don't need to take a few tries to type in a complicated password. I don't end up spending time resetting passwords I've forgotten on sites I only rarely use.

When tasked with remembering all their own passwords, people typically create simpler passwords that are easier to remember -- and easier to hack. This occurs most frequently on sites that are considered unimportant. Using 1Password and generated passwords, those sites are now also first-class citizens in the land of strong passwords, instead of being half-abandoned and half-open attack vectors.
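The Watchtower check described above works by comparing your passwords against Have I Been Pwned's Pwned Passwords data. The following is an added example, not 1Password's or Have I Been Pwned's own code, showing the client side of that check the way the public range endpoint is designed: the password is hashed with SHA-1 locally, only the first five hex characters of the hash leave the machine, and the client matches the remaining 35 characters against the returned list, so the service never learns the full hash. It also generates a random password of the kind a manager would store. The breach corpus, its counts and the `fake_range_server` stand-in are constructed for this example so it runs offline; `fetch_range_live` shows the same query against the real endpoint and is not called here.

```python
import hashlib
import secrets
import string
from typing import Callable, Dict

# Constructed stand-in for a breach corpus. The passwords are classic weak
# choices; the counts are made up for this example.
CONSTRUCTED_BREACH_CORPUS: Dict[str, int] = {
    "password": 3_861_493,
    "123456": 23_597_311,
    "letmein": 237_000,
}


def sha1_hex(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_server(prefix: str) -> str:
    """Simulates the server side of the range endpoint for offline use:
    returns one 'SUFFIX:COUNT' line per corpus entry whose hash starts with
    the 5-character prefix. The server never sees anything but the prefix."""
    lines = []
    for pw, count in CONSTRUCTED_BREACH_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def fetch_range_live(prefix: str) -> str:
    """Query the real endpoint, https://api.pwnedpasswords.com/range/<prefix>.
    Not called in this example; shown for comparison with the fake server."""
    import urllib.request

    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "example-breach-checker"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = fake_range_server) -> int:
    """Return how many times the password appeared in the corpus (0 if never).
    Only the 5-character hash prefix is sent; matching happens locally."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch(prefix).splitlines():
        if not line.strip():
            continue
        candidate, _, count = line.partition(":")
        if candidate.strip() == suffix:
            return int(count)
    return 0


def generate_password(length: int = 20) -> str:
    """A manager-style generated password: CSPRNG over a large alphabet."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    for pw in ("password", "letmein", generate_password()):
        print(f"{pw!r}: seen {breach_count(pw)} times; only prefix "
              f"{sha1_hex(pw)[:5]} would leave this machine")
```

To run the same check against the live service, pass `fetch=fetch_range_live` to `breach_count`; a password manager doing this on a schedule is essentially what the breach alert feature amounts to.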

So, yes, all my eggs are in one basket. A well-protected, complex, and monitored basket.

Authy

Okay - so it's more like one-and-a-half baskets. 🤷🏻

Authy, from the folks over at Twilio, provides a 2FA solution that's more secure than SMS. Unlike Google Authenticator, you can choose to back up your 2FA codes in case you lose or change your phone. (1Password offers 2FA functionality as well - but, you know, redundancies.)

With Authy, your backup is encrypted with your password, similarly to how 1Password works. This makes it the second password you can't forget, if you don't want to lose access to your codes. If you reset your account, they all go away. I can deal with remembering two passwords; I'll take that trade.

I've tried other methods of MFA, including hardware keys, which can make accessing accounts on your phone more complicated than I care to put up with. To my knowledge, the combination of 1Password and Authy is the most practical balance of convenience and security currently available.

Privacy.com

Finally, there's one last line of defense you can put in place in the unfortunate event that one of your accounts is compromised anyway. All the strong passwords and MFA in the world won't help if you open the doors yourself, and scams and phishing are a thing.

Since it's rather impractical to use a different real credit card every place you shop, virtual cards are just a great idea. There's no good reason to spend an afternoon (or more) resetting your payment information on every account just to thwart a misbehaving merchant, or to patch up a data breach from that online shop for cute salt shakers you bought from last year (just me?).

As a bonus, a partnership between 1Password and Privacy.com lets you easily create virtual credit cards using the 1Password extension.

By setting up a separate virtual card for each merchant, in the event that one of those merchants is compromised, you can simply pause or delete that card. None of your other accounts or actual bank details are caught up in the process. Cards can have time-based limits or be one-off burner numbers, making them ideal for setting up subscriptions.

This is the sort of basic functionality that I hope, one day, becomes more prevalent from banks and credit cards. In the meantime, I'll keep using Privacy.com. That's my referral link; if you'd like to thank me by using it, we'll both get five bucks as a bonus.

Outsource better security

All together, implementing these changes will probably take up an afternoon, depending on how many accounts you have. It's worth it for the time you'd otherwise spend resetting passwords, setting up new devices, or (knock on wood) recovering from compromised banking details. Best of all, you'll have continual protection just running in the background.

We have the technology. Free up some brain cycles to focus on other things - or simply remove some unnecessary stress from your life by outsourcing the fiddly bits.

Want to give the gift of cybersecurity to someone you know? Get them started with a cybersecurity starter pack.

Discussion (5)

chad.

I adopted 1Password a long time ago and have since gotten my wife to join me. An advantage you didn't mention is the ability for couples to be able to share strong logins with no interaction. For my family this has been a huge time saver. Thanks for spreading the word to more people.

Victoria Drake (Author)

That's great! Thanks for adding, @chad!

SavagePixie • Edited

Here's a question about password managers that you might be able to help answer. I have read that using the password manager that comes with your browser isn't secure enough. But why is that?

I imagine that if you get a product whose whole purpose is to serve as a password manager, it'll do a better job at it than if you get an additional feature of a browser. But is it just that they use better encryption algorithms, or is there something else that makes browser password managers unsafe?

EDIT: Great article, by the way. As usual, I really enjoyed reading it and found it highly informative.

Victoria Drake (Author)

Thanks @savagepixie! And thanks for raising the question. I think @rob is on the right track. Browser password managers used to be a lot less secure than they are now (2013), but even recently I've seen some claim they're not very well thought-out. I haven't tested them myself, so I can't confirm or deny.

I'll note, though, that not all browsers continue to pay the same level of attention. Firefox has Lockwise, which is sort of a browser-based password manager, but one much more similar to 1Password than any other I've seen. It has standalone apps, and uses your Firefox account to encrypt your synced data using your password with (they say) 256-bit encryption. Mozilla also has a partnership with Have I Been Pwned, so you'll get alerts if it detects previously breached credentials. As a bonus, it's open source.

Sounds perfect; so why am I not using Lockwise? I'm a Mozilla fan in general; open source, even more so. Unfortunately, in the world of password managers, Lockwise is relatively new. Even apps built by excellent people need some time to work out the kinks. I'll probably check back in a couple years and re-evaluate.

TL;DR: depends on the password manager.