Privacy setup and some other questions

Hi all!
I discovered this site some weeks ago and I’ve been trying to get on par with privacy and security matters, since I was looking for some pw managers + authenticators due to a breach on my broker, but discovered much more and I am a little overwhelmed with so much information.

I’d like to enhance security first and I’m looking to go mostly on free plans. I don’t exactly have a threat model, just getting some steps.

I’m convinced to use Bitwarden (Android & Windows).
Is it risky to have Bitwarden store your password for crucial accounts, such as financial and governmental? How much does deleting some characters and adding others (not saved in the pw manager) reduce the risk?

From what I’ve read, the most secure way of 2FA is YubiKey.
I’m planning on having it for government, financial, password manager and email authentication, but until I have it, I might set up an authenticator app for this and use it for the remaining accounts, such as social media and spam email (for newsletters and what else).

From my point of view, I thought about using Aegis for this, but I have some doubts for how secure it is to have password manager and authenticator on same device for now.
Is it possible to have the backup of Aegis secret codes on a flash drive as a backup of the YubiKey?

Another thing that fascinated me was the email alias, and my main question is: is it viable to use an alias to register on the password manager and bank institutions, to keep the mail address safe?
Overall, I’m open to recommendations for everything, but more specifically on this matter, because I’m without clear directions. I’m thinking about using Proton Mail and not clear about using SimpleLogin or Addy.io.

Already switched from Chrome and Google to Brave.
How crucial is it to set up DNS and a VPN for a basic improvement in security/privacy?

Most password generators have the code run on your machine, so it should be fine. If you’re extra paranoid, you can generate a Diceware Passphrase offline.

Yes, assuming that the service doesn’t block alias addresses.

I wrote it in a bad way and already edited. I meant for Bitwarden to store, not to generate.

Would it be a good practice, or just paranoid?

Nothing is without any risk, but if you use a good master password it’s much more secure than using weak or forgettable passwords. If you’re really concerned you’re free to use an offline password manager, but it’s much less convenient and the responsibility of maintaining backups lays solely with you.

Malware on your device can already access the services you use once you log into them, so it kind of doesn’t matter?

Yeah, if you set up TOTP and keep the seeds stored in an encrypted format, that’d work.

If they don’t block it, sure. But they know your identity so it wouldn’t be a bad idea to just have a “personal” email address to use for all of them instead.

1 Like

It’s normal to feel a bit overwhelmed when you first explore this world. There are so many services you could change, and so much information to deal with.

Fortunately, though, most people aren’t risking their lives and can afford to not rush into everything.

One of the biggest risks at the beginning is feeling so overwhelmed by the information and the thought that it’s all useless because they already know everything about you, that it’s too late, or that it’s too much effort.

Yes, there’s a lot of information online about our past, both yours and mine, but that doesn’t mean starting today is pointless.

When you think about it, it’s also natural: we don’t grow up with the Proton or Linux ecosystem.

Unless someone talked to us about these things when we were kids, most people start from the same point: with a lot of personal information online, and yet we’ve started and continued on this journey.

Many pieces of information can be changed, like passwords, emails, and what we choose to share online from now on.

Tracking works because it’s constant and needs data continuously, data that, if old or limited, has less value.

Why does privacy matter and why does it make sense to keep going? This video from Privacy Guides tries to explain it.

Password Managers and 2FA

Even if you haven’t thought much about your threat model yet, you should already have a clear idea if you’re someone who wants to protect themselves from big tech companies’ tracking or if you’re at risk of life threatening situations.

If you don’t have a high threat model, you probably don’t need to worry about someone stealing specific information from you.

It would be more of an attack on Bitwarden itself, not specifically you, but anyone using their product.

Even if they had a data breach, they have very strong measures in place to prevent your data from ending up online.

If you really wanted to avoid cloud-based password managers, you could use KeePass, but at first, it might be inconvenient.

For most people, Bitwarden and Proton Pass are both very secure and convenient at the same time.

If I remember correctly, I also thought at first about saving passwords for important accounts in Bitwarden with different characters.

Then, I realized it would add too much complexity to my setup, and I didn’t have such a high threat model that I’d need to worry about that.

If there’s someone skilled enough to get into your device and specifically want the passwords for your important accounts, unless you’re particularly skilled, they can still hack you.

Not through the password manager, but through the device.

If an adversary has enough resources and wants to attack you specifically, they’d take everything, not just your important accounts.

In that case, I’d probably need to worry much more and have much higher security in general.

For an average person, the good security practices you find here, on the EFF website, on the yt Techlore channel, on the Naomi Brockwell yt channel and other sources are perfectly fine.

I, too, got two YubiKeys when I started because I knew they were the most secure form of 2FA, but I’ve never really used them.

Every time you want to access a service, you’d need to have it with you, and this would be for many years if you only use YubiKeys as 2FA.

Of course, using them for only a few accounts might not be uncomfortable.

For most people, though, passkeys and authenticator apps increase your security significantly. They’re not uncomfortable, and you’re ahead of most people.

The Proton Mail setup with aliases, password managers with different and long passwords, and 2FA like passkeys and apps like Aegis is no small feat.

The passkey and Aegis/ente auth combo is convenient and remains very secure for the average person.

Using YubiKeys, saving passwords in the password manager with different characters, saving Aegis secret codes on a flash drive.

Doing all of this at the beginning adds a lot of complexity and inconvenience to your setup.

Of course, things like using YubiKeys would greatly increase security, but you need to ask yourself if you really need all that security, if you’ll be able to sustain this setup over time, or if you’ll eventually abandon it because it’s too inconvenient.

These are things you could do in the future if you want. No one is rushing you, and you can take your time. Small steps every day are better than trying to do everything at once.

The important thing is to inform yourself and not panic when people say you must do this or that to improve your online security, otherwise, you’ll definitely be hacked, without considering your threat model.

With a calm mind and being well-informed, it’s okay if your digital world is inconvenient but very secure, as long as it’s a choice you make carefully.

After all, it’s your world.

This is a Techlore video that shows a plan using privacy-respecting apps without spending money and one where you spend about $13, €13, or the equivalent in your currency per month on Proton Unlimited.

DNS, browsers, password managers, aliases, docs: many of these services you can find for free or at a reasonable price if you have a good strategy.

Alias and DNS

Regarding aliases, I use them for pretty much everything, and I’ve never had any problems, but my case isn’t the same as everyone else’s.

I use the aliases made by Proton Pass with Proton Unlimited. It’s essentially SimpleLogin, since it’s owned by Proton, but I can’t speak for the SimpleLogin app specifically.

I used the free plan of Addy.io for a few weeks, and I never had any issues, but again, my experience might not apply to everyone.

Regarding DNS, I’d recommend changing them on every device.

There’s a Privacy Guides guide on which ones to choose, and you don’t need to pay for many of them, like those from Mullvad or Quad9.

They’re very easy to set up, and they help a lot online by preventing you from connecting to sketchy or dangerous sites.

They don’t give you high control like apps such as NextDNS would, but for most people, they provide a great level of convenience and protection from malicious content.

In the future, nothing stops you from using alternatives that protect you more, though.

VPNs

Do you need a VPN to improve your privacy? Maybe yes, maybe no. The Privacy Guides article is helpful. There’s also this website that asks simple questions to help you figure out if you need one.

I’m only putting sources here and not explaining much, since the post is already quite long.

I’ll just say it’s important to choose a reliable one because, essentially, you’re shifting your trust from your ISP (Internet Service Provider) to them for your internet traffic.

As this website mentions, Mullvad, Proton, and IVPN are generally considered reliable, and they’ve proven it.

Proton is the only one that has a free tier with its VPN, with lower speeds and fewer features than the paid version, though.

There are some links and videos, but the videos and articles are not very long.

6 Likes

Welcome to the forum.

Try to think about it, it is genuinely useful. What you should do depends a lot on it. Who are your adversaries and how motivated are they to target you specifically?

No. Bitwarden uses end-to-end encryption and does not have access to your password. What are the other options? Trying to remember a weaker password? Like @Moc said nothing is 100% secure though.

I think that this is overkill but it depends on your threat model.


… threat model. If world-class hackers are trying to hack you, definitely put your 2FA codes on an air-gapped GrapheneOS phone.

In general, Aegis and Bitwarden are secure, so the answer is that putting them on the same device is as secure as the device. If this is an air-gapped device, you are good. If this is a 15-year-old Windows device that you use every day, you click on all ads and use it for torrenting, probably not.

Yes, why not? I do it. Just be careful to not delete these aliases :person_shrugging:.

Take it easy. Every step improves your security and privacy. Don’t burn yourself out trying to do too much too fast. It is a marathon, not a sprint. Thenewoil.org also has good recommendations and a general guide with priorities. This might help you.

And don’t listen to the privacy maximalists who think that everything is compromised/a honey pot, or that you’re stupid if you are not as maximalist as them.

1 Like

My friends and I pitch in to share a domain-hosted email. I use one alias per account. The cost is very low, and it munges identity with more people using it. I am not interested in trusting an email provider I don’t control, having been BADLY burned by Yahoo and another.

Instead of having a manager retain passwords consider deriving passwords

[base text] + [derived by domain]

Examples for here and ebay

Choc22privacyg

Choc22ebaytoys

Thanks a lot for all the explaining and the time dedicated to this topic @TheDoc, @mangomango, @marthamp and @PaleCrow55.
Special shoutout to @Moc for his insight, really beginner-friendly and with great value.
Excuse me, but this will be a long text reply.

I think I should go back a bit with all of this information.
I started on this journey after some news that people who used the same broker as me got their accounts breached and lost all the money they had there, due to no 2FA or 2FA via text message. I was not affected by this attack, but it got me very concerned (I have almost every 2FA via text message and some password re-use as well, so I really want to change this asap but well structured) and, since then, I took my money out of there and I am looking forward to joining another broker, but with already good security and privacy fundamentals. This had a higher impact because I’m looking to buy a house, and if these investments were gone, my chances would be ruined; not that it is a lot, but for me it is really important.

So my view of a threat model is based on this; mainly I want to protect my financials from a possible attack. I do not think it would be from a government, so from any hacker, I would say.
Of course, the same steps I would take on these financial matters, I’m thinking of applying to governmental logins.
Although this is my main concern, from what I’ve been learning, I would like to add some privacy in other areas, such as address and media files.

According to Common threats, I am trying to avoid passive attacks and public exposure.

I understand I should go easy, but it is going like a snowball. I started looking for a password manager and got into authenticators, then found Mail + Drive options and after that aliases. So, now, I feel like I should define where to start and where to go next, but I keep searching and getting so much new info that it keeps me from starting the process.
I am much more elucidated about pw managers and authenticators, not as much about email setup (provider and quantity) + alias. I might have misunderstood some points and have to recheck the PG guide to email.

I have not created an account on any service yet, but I was looking at Bitwarden specifically to have the cloud-based option and some convenience, especially between computer and smartphone. I thought of Aegis to have an additional “security layer” so I wouldn’t have a cloud-based authenticator, and I feel that my phone might be safer than my PC. But if my phone gets compromised, it’s pointless anyway I guess… I also need to verify how I would have to proceed if I lost access to my phone. Thus, my thinking about adding or removing some characters from the stored password, with the same pattern, on important logins.

In general, Aegis and Bitwarden are secure, so the answer is that putting them on the same device is as secure as the device. If this is an air-gapped device, you are good. If this is a 15-year-old Windows device that you use every day, you click on all ads and use it for torrenting, probably not.

So I have a Samsung (Exynos) phone and a 5- or 6-year-old Windows device. I guess I am careful with the usage of both, but I don’t know how they compare, security-wise, to GOS and Linux devices.
I feel like this would be an extra-depth matter, but it might be out of my reach for now. Maybe I could try to change from Windows to Linux, but it feels like you need to know a bit about coding, and it is not in my plans to start learning it soon; I also don’t feel like changing my phone.

@Moc I will definitely change my DNS, still have to do some research on VPNs. Might reconsider buying YubiKeys, thanks a lot for your help!

From all the information you gave to me, I have to take this as the most important.

Sorry if there is any confused thought or incorrect technical processes, I’m not very into tech…

1 Like

That doesn’t really help in the case that you need to ever change a password for a site. In general, it still requires you to remember the exact derived portion for each service.

1 Like

Not necessarily if the 2FA secrets are encrypted locally, which Aegis supports.

Do you know if these people were attacked randomly, if they were targeted, or if it has anything to do with the broker?

The answer would change depending on whether you’re targeted or not.

If you are, the level of security required is generally higher than for the average person. But if you mentioned you’re interested in protecting yourself from passive attacks, maybe it was random.

2fa

SMS-based 2FA is the weakest among 2FA methods. It’s definitely better than not having it, but if you have the option, I’d prioritize securing financial and government accounts, even if you didn’t mention that.

All it takes is someone impersonating you, calling your carrier, and having the code sent via SMS.

This is called SIM swapping, and setting a PIN on your SIM card can help, but I wouldn’t rely on this method (if possible).

It has been declared insecure for more than 10 years. If possible, I’d also avoid email based 2FA and use authentication apps and passkeys instead.

Passkeys are very convenient and secure because you only need to use something like your fingerprint or your phone’s PIN, and they’re anti-phishing.

They will only work with the original website, which is where authentication apps are weak.

This is not something most people should be concerned about, though.

Passkeys are essentially the convenient version of YubiKeys, and the device they’re registered on acts like the YubiKey.

They can also be synced with a password manager, but it depends on which one you use. According to the Privacy Guides, Bitwarden should support them.

Regarding the choice between Aegis and Ente, both are great choices. Aegis is only for Android and is offline.

It’s a bit less convenient, and you have to manage your backups, but if you prefer to have files locally, it’s a great choice.

If you still want convenience and encrypted codes across multiple operating systems, Ente works well for most people.

Regarding YubiKeys, if your government and financial accounts support them, you might consider getting them and using them just for the most important accounts to avoid an overly complicated setup at first.

Username + password and 2FA with an authenticator app/passkey is already strong, but with a YubiKey, unless someone is specifically targeting you, it’s a setup that greatly protects the average person.

Which one to get depends on the services you would use it for.

There are various models like the Security Key version, which supports fewer protocols than the YubiKey 5, and the more expensive ones.

If you’re not targeted, the above setup would already protect you from many potential attacks, but even if you’re not targeted and don’t mind a little extra inconvenience for some important accounts, it might be worth it.

I’d recommend the Privacy Guides article, or if you prefer a video, here’s one by Naomi Brockwell that talks about the different YubiKey models and explains what they are.

One very important thing is to have 2 YubiKeys, because if you use it as your only 2FA method and lose it or it gets stolen for any reason (like if someone steals your backpack where it was), you’ll be locked out of your accounts.

For 2FA, it’s important not to have too many methods for one account. If you have a passkey, authenticator app, SMS, and email for an account, an adversary will simply try to access the weakest method.

That’s why it’s important, if possible, to avoid the worst methods and only use the most secure ones.

Unfortunately, it’s not always possible, and you might only have SMS and email as options.

It’s better to have the weakest method than none at all, so if SMS is the only option, it’s better to activate it.

This website has a long list of what 2FA methods many websites use. There are services from many countries, so choose the one you prefer.

Having the right strategy

There can be a lot to do, but you can have a strategy that you work on over time. You could start with the most important accounts, like financial and government ones.

From there, change emails, passwords, and set up 2FA like Aegis and passkeys, or if you prefer, YubiKey for the most important accounts.

Once you’ve taken care of what you consider the most important, such as services with sensitive data, including social, healthcare, etc., you could continue with the less important ones and have many or all of your accounts with this strategy.

It may seem like a lot, but if you focus on the most important ones first, you can handle the less important ones at your own pace over the course of weeks or months.

This way, the initial workload is significantly reduced. You could also consider deleting accounts that you don’t need or old ones instead of worrying about protecting them.

Digital minimalism is also a good strategy. It’s about cleaning your digital life, which reduces the ways someone could attack you.

Do you really need dozens of apps that you think might be useful but never actually use? This can apply to many areas of our digital lives, but I won’t go too deep into it.

I’d go with Bitwarden, Proton Mail, Aegis if you want local 2FA, and Ente Auth in the cloud. That Techlore video I linked in the previous comment could be a good starting strategy for security.

You mentioned wanting to stay mostly on free tiers, and for most services, that’s doable. Think of browsers and apps like Aegis.

For services like VPNs, however, I’d avoid free ones because, in simple terms, you are the product. The only free one I’d recommend is Proton VPN, but you get lower speeds and fewer features.

I’d use Mullvad or IVPN if you decide to use something from Proton. This is just to avoid putting too many eggs in one basket and relying too much on one company.

Proton is a reliable company, but if possible and it’s not too inconvenient, I’d use other apps and not everything from Proton.

Of course, for the average person, Proton is better than the Google or Microsoft ecosystem, but there are many secure and still convenient alternatives.

Proton’s basic plans aren’t bad, but I think Proton Unlimited is not bad. It gives you 10 Proton emails, 500GB of cloud, unlimited aliases, VPN, Proton Pass, and so on.

Considering you want to use aliases and an email provider, you’ll usually go for Proton Mail or Tuta, and for aliases, Simple Login, Proton Pass (paid), or Addy.

I’d personally use Addy for free aliases. For important accounts, initially, Proton Mail could replace Gmail.

With Proton Unlimited, you could use aliases for your most important accounts at first, use Proton Mail, and the rest is mostly free. Unless you want to use a paid VPN other than Proton.

You might find people recommending self-hosting, but it’s not recommended for beginners, as it requires some skills and is less convenient due to the manual setup.

You also risk security holes, like with email, because you’re managing everything yourself.

Unless you’re specifically targeted, you probably don’t need to worry about your devices being compromised specifically by someone.

I’d say the same about changing a few characters in important passwords.

If you’re interested, this website gathers many recommended services for privacy and security in a single list to avoid getting lost in multiple articles and sources for reliable sites and channels.

Just in case you want a quick check or need a reminder.

The setup mentioned above is strong for most people, and initially, you risk complicating your setup without significant security benefits.

For those with a higher threat model, though, these tools wouldn’t be enough.

GrapheneOS, QubesOS/Tails (Linux), KeePass, and YubiKey would be a must, but fortunately, not many people need to worry about that.

Backups

Regarding losing access to your phone, backups are essential. A solid strategy is the 3-2-1 rule: Three copies of the backup, on two different media, and one off-site.

Make regular backups (like once a month) on a flash drive, external SSD, and HDD, whatever you have, and a cloud or physical copy not at your home.

It may seem like a hassle at first, but you can start simply by making a single backup on a physical device and uploading it to a cloud like Proton Drive, so you already have two extra copies.

In this case, we could talk about backing up files like password manager vaults or Aegis’ 2FA codes. After that, doing it once a month becomes a habit and shouldn’t take much time.

There’s a YouTube video from Explaining Computers that talks about this. It’s a bit old but still relevant (it’s short).

Check other sources

Regarding phone and PC security, it’s a vast topic, and there would be so many tips.

I’d recommend browsing websites and channels like this, Techlore, EFF, Naomi Brockwell, just to name a few, to search for topics like these.

That’s why I’m linking articles and videos.

There’s a lot to say, and while forums tend to allow for more writing than social media and groups, I can’t go into too much detail here, otherwise people will get bored (which is probably the case here).

That’s why, if you want to dive deeper, I’m pointing you to people who know more and can afford to go into much more detail.

The articles and videos I’ve linked aren’t long on purpose to avoid boring anyone who checks them out.

The only thing I’ll mention is that you don’t need to know how to program to use Linux, nor do you need to use the terminal.

I use Linux myself and don’t know how to program. Sure, it can be useful like any other skill, but for the average user, it’s not mandatory.

There was a time when the terminal was essential, but nowadays there are many applications that do all the heavy lifting for you.

Sometimes using a command is even easier and faster, though. Just read a little and avoid using commands randomly, and you can avoid a lot of potential problems.

If you’ll end up using linux steer clear of trolls who tell you to use the `sudo rm -rf` command, as it will literally destroy everything. I mean everything.

1 Like

As far as I know, and I did not get an official communication from the broker, it was due to data breaches on other websites and no 2FA, even SMS. I don’t have any evidence, but I’ve read that it even happened to a guy who works in IT (so, he should know how to protect himself) with SMS 2FA.

I know that it happened mostly in 2 countries and, only in the media of one of those countries (not mine), I found some information (not even in English) and only about 1 month after the first wave (there were reports of this in 2 different weeks). In this article, the CEO said it only affected 0,017% of the clients.

I lost my faith in this company, because it seems they only act after incidents (adding a 2FA authenticator only after this episode, and they only had 2FA implemented in mid/late 2024) and, if there hadn’t been action from the clients, they wouldn’t have acted to revert the actions taken by the hackers (at first, they were accusing customers of low security and wouldn’t take responsibility, leaving people with big losses).

This was what happened: the hackers basically sold stocks and then bought other stocks and kept buying (high) and selling (low) this new stock, causing total loss; there were people with 2k, others with 8k invested, and they were left with less than 100, summing more than hundreds of operations in seconds (isn’t there a trigger to make sure this is intended???). The system only lets you withdraw money to the deposit IBAN, so no withdrawals happened.

Still, I guess they only revert the operations for people who actually reach support after this news came out in that specific country and mention it (I might not be 100% right on this, due to loss of hope within the first week of attacks and, since then, not having checked if there was actually news in another country besides mine and this one).

I believe this was a passive attack…

I have picked Bitwarden for the convenience and Aegis as a safer choice. I might be wrong on technical aspects of security, but I believe my phone could be more protected than my PC, and having both PWM and authenticator on the PC seems risky. (It sounds paradoxical, because I will be doing exactly this on my phone, but I feel that I have less risk on it. I play sometimes on my PC and connect to voice chat services, and I feel like I’m more exposed there than with my phone, but again, I can be wrong.)

I am aware that 2FA through SMS is the weakest, as well as of the need for 2 YubiKeys; still not sure about whether to purchase them or not. I will try for now without them, and if I feel the need to have them, I will.

Thanks for this advice, very simple but super helpful!

I was planning on doing this at the same time as deleting accounts during email migration.

It was a nice video, great content. I have to watch his video about VPN, but I think I might not need one, maybe in very restricted and rare situations.

For email, I really need some more time to research, but the Techlore video in the previous comment led me to maintain something like a Google account for “spam” accounts and Proton free for important stuff. I’d love to use aliases for “a bit” important accounts, but I still have not fully understood how it works and what to expect from it (if an alias can stop working and make me lose access to something relevant). Again, I need to dedicate more time to this topic.

You were referring to not worry about this, right?

I will definitely check the links you mentioned later.

This is another area I need to research a bit more, but I think this one is easier to understand than all components of email.

This motivates me, but I think it’s important to prioritize email, pwm, auth and alias. This seems like a big change.

It is kinda frustrating checking that your phone and PC OS aren’t recommended.

That’s great to know!

Again, great content and effort @Moc. Thanks for all the help so far!

You’re correct that using an offline mobile authenticator is a very secure way to do 2FA. But if you didn’t back it up, you’d have no redundancy and if you damaged or lost your phone you’d be screwed.

If you go that route, be sure to make encrypted backups onto a few other devices (such as a laptop and a USB flash drive), ideally one of which is stored in an off-site location like a friend’s house. That way if your phone is ever lost or destroyed, you can retrieve your encrypted TOTP database. So long as you keep your backups updated and remember the password, you’ll be prepared for disaster.

Ente is probably a better option over Aegis since it works on multiple platforms, whereas Aegis would require you to use a trusted Android device which is something you presumably won’t always have during an emergency where your phone is lost or damaged.

Well like I said before, if you’re signed into your bank on your phone (for example) it might not matter if it’s protected with 2FA on another device because the attacker has already compromised a logged-in authorized device and they can now pretend to be you.

This doesn’t make security measures like 2FA useless because compromising your phone is an entirely different and much more difficult feat for an attacker to pull off. We can’t assume all security measures are pointless just because it may be possible for some things to be circumvented in other ways. Account security is distinct from device security and both are important. At a minimum, refresh yourself on basic cybersecurity practices and keep your devices up-to-date. That’ll put you ahead of most people.

Additionally (if you can afford it), consider using YubiKeys. Their method of using TOTP is even more secure than a mobile offline authenticator app and they support FIDO2 which is much more secure and convenient than TOTP. Note that you cannot backup the YubiKey itself, so when you setup MFA with it you’ll need to also store TOTP seed codes in an encrypted database and maintain backups like I detailed earlier. For more convenience and redundancy you can even buy multiple YubiKeys (people usually get 2-3), but it isn’t strictly necessary.

You’re free to do this if you want, but don’t consider it a replacement for 2FA as it probably isn’t secure enough to depend upon. Using Ente (offline) or YubiKey is an excellent route to go, you just need to make sure you have enough redundant encrypted backups.

If this all seems too daunting, you should just use a cloud-based password manager like Bitwarden along with Ente (cloud), preferably with differing strong passwords. This way you have services which will keep backups for you and they’re protected by two separate companies, meaning you’d still be secure if even one of them somehow got compromised.

I’d still recommend making your own backups just in case Bitwarden or Ente somehow lose the data, but you won’t be as dependent on your own backups allowing you to relax how strict your backup practices are. This setup is what I recommend for most people.

2 Likes

About this, I would have to request (let’s say, monthly) the off-site device to keep backups updated? And regardless of whether I pick a cloud or offline 2FA and PWM, it’s a must to always have an offline backup, right?

This means, even with a backup stored, you can’t log in on a new device without the trusted one, right? I have an Android tablet, would that serve as a backup trusted device? (That was my doubt about needing to verify the recovery process.)

I understand, but can’t exactly imagine a proper scenario of this, unless it is theft, loss, accident or a climatic disaster, and the only ones I can see benefiting from a multi-platform 2FA would be theft and loss, which so far never happened to me, but never say never… (of course convenience is an advantage of Ente, but, again, I would take a more “secure” 2FA method over convenience).

This seems like a circle; to avoid this I would have to use the bank via browser, although the Android apps are more secure than browsing, right? And there you mentioned that passkeys work better than 2FA. Otherwise, I’d need a second device fully dedicated to TOTP only, whether this would be an old phone for this purpose, which is dangerous if it just stops working and inconvenient to carry, or I’d have to use a YubiKey with one spare as backup. Am I missing something here?

Dumb question: Are Ente and Bitwarden always logged in, whether on phone or PC, or do I have to unlock them each time I turn my PC on or unlock my phone? I think I might have underestimated Ente as it’s multi-platform, while thinking it would be always open-access during device usage. But it is something I need to get on par with; I just don’t have access to my desktop currently and can’t check how Bitwarden and Ente work. Is it something you download or does it work via website on the browser?

Thanks again @Moc for all your patience and dedication to me

From what you wrote, it doesn’t seem like a targeted attack.

You did well to switch. If possible, it’s better to choose services with decent privacy policies and at least support 2FA.

Even SMS-based 2FA is better than nothing, but if there are better options, it’s worth using them.

Mobile and desktop operating systems

Generally speaking, mobile operating systems (Apple and Android) were born at a time when security was taken more seriously, so they tend to have stronger protections compared to desktops.

There are exceptions like QubesOS, but it’s inconvenient to use, and most people use Windows or macOS.

It’s also true that Android’s security is much more variable compared to iOS because there are many manufacturers that can essentially do whatever they want (meaning both more or less secure).

You go from the high security of Pixel phones to devices that maybe haven’t received updates in years.

I don’t know the security status of Samsung devices in detail, but I’ve heard good things from the GrapheneOS community (they’re very serious about security), and maybe even on this forum. But again, it depends on the model.

In terms of numbers, malware is still more common on desktops, but it’s increasing on mobile too.

Windows is the most targeted desktop platform, but essentially, if you use browsers like Brave or at least uBlock Origin (adblocker), only download software from official websites, and don’t randomly click on links in emails, you avoid most attacks, unless you’re specifically targeted.

If you have a Windows version like Pro or Enterprise, you can feel a bit more secure, but even on Home edition, the classic security tips found here or from other reliable sources should protect you from most issues.

If you feel your computer might not be secure or you’re concerned about getting malware, you could keep your password manager only on your phone.

If you don’t have a high-threat model, you could still use it on your computer, it’s your choice.

VPNs

VPNs are primarily used to access content from other countries, protect you on public WiFi, help with torrenting, and prevent your ISP from seeing what you search online.

With HTTPS, they can see what websites you visit, but not what you do on those sites, since it’s encrypted.

Using different DNS servers can reduce this somewhat, but VPNs or Tor are needed if you want to hide it completely from the ISP.

If you’re in a country with strict internet controls, VPNs might be essential to avoid authorities knocking on your door. In freer countries, you can still use them to improve your privacy.

Many ISPs have already been caught selling user data, and they may store your browsing history for years, maybe even forever, depending on the country.

Something legal today could become illegal in the future, and I don’t want them to have a full record of everything I’ve searched.

Sure, you can use Tor like a VPN through Orbot, but it’s slow, and in some countries, using Tor too much might raise suspicion from your ISP.

The ISP can see you’re using Tor, but not what you’re doing with it. Websites also detect it easily and throw tons of CAPTCHAs at you.

These drawbacks aren’t really justifiable for the average user to deal with all day.

More than security, VPNs can enhance your privacy and serve a purpose in certain contexts, but they’re not the magical tool that solves every problem, as many companies like NordVPN advertise.

VPNs do a few specific things, they can be essential in a dictatorship or simply a helpful tool to boost your privacy.

But it’s important to combine them with other tools, since no single solution is magically effective against everything. This goes for everything, not just VPNs.

I use a VPN all day and it barely uses any battery or mobile data (if you’re out). Speed isn’t even an issue for me, but everyone’s case is different.

Email and alias setup

Starting to move your important accounts to Proton is already a good step.

You could also consider migrating your less important accounts (that you haven’t deleted) using aliases or separate emails for different services.

Like one email for banking, one for social media, and so on.

This is especially useful if you have the paid version of Proton Mail, which gives you 10 email addresses.

For more disposable accounts, if you want to stop using Gmail already, aliases are a good alternative.

For example, if a website asks for an email, open the alias app, generate one, and have any emails forwarded to your Proton Mail.

This keeps everything centralized, the site never sees your real Proton address, and you can disable or delete the alias if it starts spamming you, without having to delete your main email.

The point of aliases is to act as throwaway emails to protect your main one and keep it clean. They’re not necessarily throwaway, of course.

If something bothers you, just delete or disable the alias.

That way, the risk of your main email being compromised or showing up in a data breach is drastically lower, because you barely use it online or only on a few select services.

Even if that alias ends up in a breach, your main email wasn’t affected.

You can delete or disable it, and as long as you have strong passwords and 2FA, you have better security than most people.

Ideally, the service is privacy-friendly and can protect your passwords, or at least they’re hard to decrypt if they get hacked.

Of course, it’s not always possible to use ideal services, whether due to time or work constraints.

I originally used this setup with Addy.io aliases forwarding to my Proton Mail.

Then I switched to Proton Unlimited and now I have unlimited aliases that I use for every service.

It might sound like a pain to have a different email for every service, but the hassle is mostly at the beginning, when you’re changing emails across your accounts.

Once you get used to it, it takes no time. You open the app, create the email in 10 seconds, paste it into the site, and save the password in Bitwarden, it’s all very quick.

Creating a passkey is almost instant, and for apps like Aegis or Ente Auth, you just scan the QR code and it’s done automatically.

Yes, it might feel like a big jump at first, but you can start with your most important accounts and gradually migrate others over weeks or months.

If you stick to aliases provided by Addy.io or Proton, they won’t suddenly stop working.

If you create your own custom domains like daniel78@beer.me, that’s different, but by then you likely have the knowledge and experience to manage them.

It’s more manual and not something you’d do by accident. So there’s no need to worry as long as you stay within the provided alias options.

I’ve never had issues with Proton aliases. I could say the same about Addy.io, although I didn’t use it much.

I switched to Proton because I felt better having all my accounts under a larger, more established company that’s less likely to disappear overnight.

Addy remains an excellent service, that was just my personal thought at the time.

Don’t know what to write as a heading here

Yes, at first it could be better to dedicate more time to these things (password manager, 2FA, etc.).

Changing operating systems is still a pretty big leap. It’s useful to first learn the basics of this world before jumping into more complex (or seemingly complex) things.

With Linux, it’s more about privacy than security. It’s true that Linux desktops are much less targeted by malware than Windows, but most Linux systems don’t have high security.

There are exceptions like QubesOS. macOS is generally more secure, but you have far less freedom and privacy.

The security difference compared to Windows isn’t even that big.

Of course, this kind of comparison would need to be more specific depending on which Linux distro you mean and how it’s used, but that’s not the point of this post.

As for phones, sure, I could say get a Pixel and install GrapheneOS, but not everyone wants to change their phone and OS.

If you follow good general security practices, your phone still receives updates, and it has good hardware security, that’s already good enough for most people.

Yes, Google and your phone manufacturer will still collect data, but we can’t expect everyone to use GrapheneOS.

Still, you can significantly reduce tracking by switching to more privacy-friendly services and sharing as little personal info as possible on social media, and so on.

1 Like

That’s probably the easiest and most foolproof method. Depending on how often you’re modifying or adding important accounts, once a month might end up being excessive so some people prefer every 2-3 months. I personally keep track of my important accounts and only bother to update my offline backup when I add or change anything important. The rest I could either live without or are recoverable via email verification.

I bet most users don’t bother doing it, but I strongly recommend it just so your digital life isn’t 100% dependent on a service.

With Aegis or Ente, all you’d need to do is import the encrypted backup and enter your password on a spare device. I only recommended Ente because it could be used on multiple platforms whereas Aegis only works on Android.

These events are unlikely but they’d be devastating if they happen. They’re the only reason to create backups in the first place. With Ente there’s no security trade-off. If you’re using it as an offline authenticator, it’s as secure as Aegis. They have the option to sign up for their cloud-syncing service but you don’t have to use it if you want to maximize security.

Mobile devices (Android, iOS) are better secured against malware compared to desktop devices (Windows, Mac, Linux) if that’s what you’re asking. I’m not sure if there’s really any benefit to only signing in to your bank on a browser in Windows while exclusively using your Android phone for TOTP codes. I wouldn’t overthink this part because we’d probably be splitting hairs and it’s needlessly inconvenient to implement.

If you want the most secure way to use TOTP, I’d recommend the YubiKey. If your phone were compromised after setting up the YubiKey, an attacker would not be able to access the seeds as they’re stored securely on the YubiKey. However, they would have access to the 6 digit codes you’d be generating to sign in so it’ll always be an issue if your devices are compromised no matter how you configure TOTP.

When it comes to Ente and Bitwarden there are two distinct phases of accessing your data.

  1. Signing in: This is where the service verifies you’re the legitimate user accessing the account by proving you have your password, 2FA, email verification, etc. This should only be done once per device, though sometimes you might get logged out for whatever reason. (Like if you hadn’t opened the app in x amount of time.)
  2. Decryption: This is to decrypt your database stored locally on your device which is typically done every time you re-open the app by providing the master password. No 2FA or email verification is needed in this phase since you’re already signed in.

So to clarify, once you’re signed in, you can remain “signed in” but that doesn’t mean you simply open the app and see the data. Instead you’d have to decrypt it every time you open the app and this is done for better security.

Bitwarden and Ente work on all major platforms including Android, iOS, Windows, Mac, Linux, and web. For security reasons, using the locally installed app is preferred over using their website but it’s an option if you needed it.

Whoops, I’m actually @TheDoc. :sweat_smile:
I just have the same default profile picture as @Moc which I should probably change to avoid confusion.

2 Likes
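An added example (not code from the thread or from any of the apps named in it) showing what the reply above means by the seed being the thing stored on the YubiKey or in the encrypted backup while the six-digit code is only useful briefly: a plain-stdlib RFC 6238 TOTP implementation with the server-side acceptance window. The seed is the constructed RFC 6238 test-vector value, not a real account's secret.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 TOTP: the long-term secret is the seed (what Aegis, Ente Auth or a
# YubiKey hold and what you back up); each code is an HMAC over the time step.


def totp_code(seed: bytes, unix_time: int, step: int = 30, digits: int = 6,
              digest=hashlib.sha1) -> str:
    """Derive the code for the time step containing unix_time (RFC 4226/6238)."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % (10 ** digits)).zfill(digits)


def seed_from_base32(encoded: str) -> bytes:
    """Decode a seed as it appears in an otpauth:// QR code (base32, often unpadded)."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_code(seed: bytes, candidate: str, unix_time: int,
                window: int = 1, step: int = 30) -> bool:
    """Server-side check: accept the current step or +/- `window` steps of drift.
    A code seen by an attacker is therefore dead after about (2*window+1)*step seconds;
    the seed, by contrast, stays valid until the account's 2FA is re-enrolled."""
    for drift in range(-window, window + 1):
        expected = totp_code(seed, unix_time + drift * step, step=step)
        if hmac.compare_digest(expected, candidate):
            return True
    return False


if __name__ == "__main__":
    # Constructed seed (the RFC 6238 test vector), not a real account's secret.
    seed = b"12345678901234567890"
    now = int(time.time())
    code = totp_code(seed, now)
    print("current code:", code, "accepted now:", verify_code(seed, code, now))
    # The same code replayed five minutes later falls outside the window.
    print("replayed after 5 min:", verify_code(seed, code, now + 300))
```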

My apologies!

As your answers are quite similar (to me), I didn’t distinguish.

Thanks to both of you @Moc & @TheDoc