Warning: This was written over a year ago as of this writing - although I still support the basic recommendations, your security research should always include a study of the latest techniques and recommendations.
The basics: Encrypted files cannot be read by humans. When you want to keep files from being read by bad actors, you encrypt them. This page teaches you how to encrypt and decrypt files, and how to use passwords.
A quick note: This page applies to all major desktop computer operating systems as of this writing, EXCEPT when I mention the "folder encryption application" - That recommendation is for users of Microsoft Windows (using windows 7, mostly). I wrote this for a windows user, but I am not a heavy user of windows, so this may not be state of the art when you read it.
If you want to encrypt files, you should first learn two things: 1) how to make a good password, and 2) how to use something called a "password database".
If you are certain that you already use a password database and know how to make an excellent password that you cannot forget, then you can just read the first section of this document.
Otherwise, you might start with how to use a password database.
No, seriously. If you don't know how to use a password database, there is no shame in that, but rest of it is probably the least of your concerns until you get that down.
Folder Encryption*
Rule 1: All sensitive files should stay encrypted as often as possible. Generally, you only want to decrypt while you are using them.
Most people just decrypt a folder at the start of the day, then encrypt it at the end of the day. This keeps things simple for multi-user environments. Depending on how much security you need, you might want to encrypt and decrypt more often.
Here's how your day goes when you encrypt and decrypt files.
9AM: Sit down at your workstation.
9:01AM: Type in a password to unlock your password database. (You never have to type another password that day)
9:01AM: Unlock an encrypted folder with AxCrypt (Your password database will type the password - you don't even need to know it)
9:01AM: Open up all of the applications and web sites you would like to use (Your password database types all the logins and passwords - you don't need to know them.)
THROUGHOUT THE DAY: You never have to type passwords - that is done automatically - you save tons of time.
4:59PM: Lock the encrypted folder with AxCrypt - shut down your password database, turn off your workstation. Any backup drives that are not locked in your filing cabinet should be locked up before you leave.
5:00PM: Head home, having typed one password and zero login usernames that day. Know that you have better security practices than 99.9999 percent of the world, and that no one is going to be able to reveal or manipulate your data in your absence.
My recommendation for Windows users who want to encrypt folders is: AxCrypt (NOTE: I am not a heavy windows user, so you may have find a better encryption system from someone who is)
Important: If you lose a password to encrypted data, then you lose your encrypted data forever.
Don't worry, I'll show you how to make sure that never happens.
The first thing that anyone who uses Axcrypt (or any encryption software) should learn is: how to use a password database, and how to back up a password database. Lets cover those two things for those who don't already have that down.
* The term "folder encryption" is not usually used. I'm specifically trying to get people to think in terms of encrypting folders instead of files so that they will establish a simple, well-understood process.
How to use a password database
Rule 2: Always use a password database to generate and store your passwords.
A password database (aka "password db") works by storing your passwords in an encrypted file. Most password dbs also make it one-click simple to open, and log into, websites - no need to punch in your username and password. They also generate passwords for you, and in some cases can update a password for you.
In the long run (after a week or so of using it) a password db will save you oodles of time and frustration. You will wonder how you lived without it, and you will never have to type another password. I'm not kidding, you will save hours per year, or more, and you will frown less often.
All that is required is that you use your password database for all your passwords.
Like anything else good in life, a little discipline and work up front yields massive payoffs down the line. This is the only decent way to live and to be productive. I will emphasize this - setting up will not be pain free. Password databases do have bugs and quirks and ongoing issues. They are, however, worth it.
As of this writing, my recommendation for a password database for windows users is: LastPass
LastPass will work in any browser or mobile app, it will sync across systems, and it is simple. You have to pay a monthly fee for it (except for free trials and such).
I'm not going to point to tutorials and videos on LastPass, because it has an excellent help site.
You will want to go through the LastPass instructions, learn how to:
1) Make passwords to websites, and control whether the password db automatically logs into that site.
2) Make secure notes.
3) Change passwords on websites and in your password db.
4) Back up your password database as an encrypted file.
It won't take too long to learn all this, maybe an hour or two.
LastPass is not perfect. It can't always automatically log you into a website, for instance. Sometimes it can be slightly annoying. But once you get used to it's quirks, like anything else, those problems tend to melt away and you work around them with muscle memory.
Next, I will tell you how to make a secure password, which is the one thing you need to know to get started with a password database. Don't worry, it's really fun to make a secure password, once you get used to it.
How to make a secure password
Rule 3: Always make a secure master password for your password database (and anything you can't put in a password database)
Think of a sentence that you will never forget. A complete sentence is preferable.
Now think of a date that you will always remember - hopefully one that you don't mind saying to yourself in your head once a day.
O.k. lets say the phrase is: "Compassion in action is paradoxical and mysterious."
And the date is: 12/25/1969
You now have all you need to make a secure password.
Take the first letter of each word in the sentence and write them down, along with the punctuation and capitalization.
In our case, that would be: "Ciaipam."
Now take the numbers from the date and combine them with the string in an easy way to remember. So you have: "Ciaipam.12251969"
If your password is less than 16 characters, well, you are probably still o.k., but the longer the better. A good length to shoot for is 16 or more characters (including punctuation and numbers).
Now you have a secure password that you can never forget and that no cracker can guess. Once you commit typing it to muscle memory, it will be the easiest thing to type in your vocabulary. Type it a dozen times. You will never forget it.
Use it for your password database. Some people write this down only once - to put in their last will and testament in a locked safe.
This method does quite well in algorithmic password guessing in competitions, and Bruce Schneier recommends a similar scheme as of this writing. Using words that you can find in a dictionary will not work well.
People who like to work on the command line can see instead: My favorite command-line security tools.
How to handle "Security Questions" with a password database:
Rule 4: Never answer security questions with information that could be found out about you online, or by tricking your friends, family, or co-workers.
****Short version: Never give the correct answer to "additional security questions" - instead, make a random answer and use your password database to remember that.
****Long version:
Some less sophisticated websites ask you to answer "Security questions" in addition to your username and password. They are usually quite simple questions with easy to guess answers, such as: "What city were you born in?"
Security questions, as implemented on most websites, are bad for everyone, except criminals, for which they are a source of income. A criminal will simply ask your facebook friends or google the answers to these "security questions", then email or call the support team of the website in question, identifying themselves as you and resetting your password, thereby stealing your data.
In order to handle these annoying questions, I recommend storing random answers to these dumb questions in your password database, which no criminal will be able to guess. This turns the liability of security questions into a useful second "login" for when you are speaking to customer service folks.
Here's how you would do that:
1. You reach a page on site x asking you for something stupid in order to retrieve your password over the phone - something like: Where were you born? Note the question it is asking.
2. Open your password database and find the password for site x. If no password for site x exists (probably because you are busy creating one when you got asked these dumb questions), then make a "secure note" in your password database named "site x questions". If an entry already exists for site x, we will simply add the questions and our answers to the notes section of the site x password entry in your password database.
3. In the notes section or the secure note, enter the dumb question you were asked. Now, generate a random password (this should be a feature on the menu of your password database), and enter that as the answer to the dumb question right next to it (maybe put a space after the question mark or a newline to separate it, whatever is clearest to you).
Your note might look like this:
Q: What city were you born in? A: 1209342utqio43qht4n;23r
4. Continue in this manner, wishing intelligence (in any colorful way you choose) for those who wrote site x, until all the dumb questions are answered.
5. Save the password entry for site x in your password database. Done!
6. If you had to make a secure note called site x questions, you can copy the contents of that note into the notes section of the password for site x, to make it easier to find them.
O.k., that was a PITA, and you can blame the designers of that login system for it. But you're done.
Now, when a bad guy calls site x, and is asked "Where were you born?" as a security question, he will not be able to just google you or message your Facebook friends for the answer, then steal your stuff (this happens about a bazillion times a day, BTW).
The employees of site x may still ask you a few dumb questions should you ever need to call them, but you will have the answers in your password database.
A note on Backups
Rule 5: Your backup media should be inaccessible to everyone when you are not backing up or restoring.
If you don't do this already, I recommend buying an external drive for backups. Most operating systems come with a mechanism for creating backups (windows-mac-linux) that is intuitive to users of that system. Apple has time machine, windows 7 has "backup and restore" in it's control panel, linux has rsync, bup etc.
What you want to think about before you choose a backup system is what will happen when your computer is compromised.
If your computer is compromised, and your backups can be accessed by the compromised computer, you're screwed - the attacker will delete, encrypt, or otherwise mess with your backups like everything else on that computer.
If your computer is compromised, and your backups cannot be accessed by the attacker, you're good - the attacker will encrypt or otherwise modify your computer, which you can then reinstall from scratch, update and configure to be more secure, and reload with your backup data.
So follow that rule up there. Unplug your external usb drive (if that's what you are using) when you are not backing up or restoring data. Lock it up in the filing cabinet or, take it with you, if an attacker might gain access to your computer.
Backing up a computer over the internet is fine, as long as the data is encrypted before it is sent to the cloud, AND a password that is not stored on your computer is used to retrieve backups.
Here's how I do backups over the internet:
1) I never store unencrypted data on other peoples computers (violates the rule above because the backups are accessible to the people who own that computer all the time.)
2) No one with a login to my computer can view or restore a backup without knowing a password that I do not store on that computer. I sometimes store recovery passwords in a locked filing cabinet offsite, or an encrypted file that I copy to a few places I know are hard to reach. I also usually memorize recovery passwords, but that's just me.
Most online backup systems that are popular support those two behaviors (jungledisk, carbonite, etc.) - you just have to be careful to test that they are properly configured to do that. Any online backup system that cannot demand a password to view or restore backups is not worth using.
Oh, and if you use the google stuff, you should back that up, too. I use: https://github.com/jay0lee/got-your-back/wiki, and backup to an external hard drive that goes in the safe. If you manage a lot of users there are better commercial solutions than that.
A note on 2 Factor Auth (2FA):
Rule 6: If you use 2FA, implement a 2FA backup plan.
Most companies these days will allow you to use an app on your phone to verify a login (Google Authenticator is the most popular), or to type in an SMS code they send to you to verify a login. That's called 2 factor authentication (2FA) - your password is one factor and your phone is another - both are required to login.
This makes it harder for attackers to gain access to your account. In general, 2FA is a great thing to use.
However, there are a couple problems with 2FA.
1) Almost everyone loses a phone, drops it and wrecks it, or gets one stolen in their lifetime.
2) Phone service providers are notorious for allowing criminals to manipulate them into porting the phone numbers of innocent people to the accounts of criminals.
Therefore, before you turn on 2FA for any site, you want to make sure you can recover from either of those situations.
Alternate second factors and other account recovery options for 2FA users:
1) Some sites offer to print you a list of one time passwords (OTPs) that can allow you to log in if your phone is stolen or damaged, or your number is surreptitiously ported to a different carrier. If you have that option, take it, print the list, and file it in a locked filing cabinet.
2) Other sites offer a set of security questions - essentially a set of passwords for customer service to check your identity. If you use these security questions wisely, and store random answers to them in your password database, then these are an o.k. account recovery mechanism a well. Don't use them as intended (see above: How to handle security questions with a password database)
3) If you are using Google Authenticator to set up 2FA, then you can keep printouts of all the QR codes you scan in a locked filing cabinet. This will allow you to set up Google Authenticator again if you lose your phone. If you can't print the QR code before you scan it with google authenticator, DON'T USE IT. (You would be surprised how many major web apps do not give users the opportunity to back up their 2FA QR code, or who don't even think about recovery and 2FA).
If you DO NOT have a backup plan like one of those, and you turn on 2FA, then you better hope you don't lose your phone. I don't use 2FA unless I have one of those options available.
Comments (0)
You don't have permission to comment on this page.