Ask HN: Please critique my personal digital security strategy
12 points by toocool 3203 days ago
Hi

After the latest events, I thought I'd share with HN what I do to protect myself from identity theft, and ask for suggestions. I'll try to be brief. The goal is to be in a sweet spot between convenience and security:

- Froze my credit on the 3 agencies

- My personal Google account is the central hub of my online identity: all accounts are hooked to my Gmail, and I keep sensitive documents, including financial statements and contracts, on Google Drive. The Google password is complicated and as MFA I have Google Authenticator on my phone and printed backup codes. No recovery phone/email address set.

- I keep all my passwords in LastPass. I really love the app and how well it works on mobile. As MFA I have Google Authenticator on my phone.

- My phone is secured with Touch ID and a long passcode, and automatic data deletion after 10 failed attempts

- I use a lot of services; I just counted 430 online services. Each one ends up hooked to my Gmail and a random password that I don't remember and store right away in LastPass (including various bank accounts). Whenever available, I always enable the following MFA methods in order of preference:

* Google authenticator on my phone (e.g. Facebook)

* Email verification on my Google email (e.g. bank accounts)

* Text verification on my Google Voice number (e.g. bank accounts). I don't use my non-gv phone number because of how easy it is to trick call center operators into transferring the number away from a given SIM card. Seems very sad.

What do you think? It seems pretty secure to me. If I were to lose my phone, I'd recover Google via the backup codes, and all the other accounts via the google email.

Thanks!

9 comments

And if (God forbid, because it could never happen) Google arbitrarily froze you out of your email account and you could not talk to a human at Google to remedy the situation . . . ?
Thanks for your reply.

That is a possibility, I might be naive but I consider it on the very unlikely side. What I would imagine in that case is that I would reset the important other accounts such as the bank ones by showing up in some physical office with my passport, or something similar, while waiting to solve the situation with Google.

What alternatives would you suggest? Spreading the accounts over different email addresses? Leaving aside the privacy issue, to be honest I don't think there is another mail provider that I'd trust better than Google from a security point of view.

Yes I would hedge my bets.

I have seen businesses die because they only had one bank. You and I have both seen, from time to time, people complaining that something went wrong with a Google account with no apparent way to obtain recourse.

Always have a backup. And a contingency plan in case the backup plan fails.

I'm with you on LastPass. I am utterly reliant on it, and it bothers me greatly. I have hedged my bets a bit by backing things up with 1Password. But what a colossal pain in the ass that is. Friction leads to sloth, and sloth leads to system failure.

A simple alternative would be using an existing email address on a domain you own as a POP3 account within GMail. That way you get all the benefit of GMail without being dependent on it in case something at Google goes awry.
Bare minimum: regularly scheduled 'take out' backups.

https://www.google.com/settings/takeout

There are lots of open source utilities to work with the data, but most are one-offs. Here's one that didn't appear to be:

https://github.com/jay0lee/got-your-back/wiki

You could set up Gmail with a custom domain. That way you get all of the benefits of hosting with Google, but if they decide to lock your account for some reason you have a back-out strategy.
Any consideration given to a hardware security token? The Yubikey NFC edition (~$50?) can even work with your phone.

https://helpdesk.lastpass.com/multifactor-authentication-opt...

At the very least, consider securing Lastpass with U2F (fairly cheap) once they support it.

https://cognitionsecure.com/u2f-otp-google-lastpass/

Be sure to get at least two hardware tokens in case of failure.

--

PS. Some more exotic options even store actual passwords rather than encryption keys.

https://www.tindie.com/products/stephanelec/mooltipass-mini-...

Overall you have a great security posture. I would not recommend using LastPass due to the service having a history of really bad security vulnerabilities. If you must use a cloud-based password manager, 1Password is the most secure choice, otherwise use KeePassX. As others have mentioned, less reliance on Google will do you some good. Look into using Duo MFA. Migrate high-security accounts like banking to a separate email account. Don't store credit card details with shopping sites. Disable Touch ID.
Storing the seed for 2FA on your phone (Google Authenticator) leaves you vulnerable to anyone who compromises your phone. If someone compromised your phone, you likely would not know they are generating the same 2FA codes as you do. To tackle this problem you could store your 2FA secrets on a secure device (e.g. Yubikey NEO) and use the phone as a display.

LastPass is a cloud service and they had some issues in the past; I consider a more offline/app approach to a password manager a bit more secure alternative.
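The comment above rests on how TOTP works: the code is a pure function of the shared seed and the clock, so a copy of the seed is exactly as good as the phone. The following is an added example written for this page, not code from the thread or from Google Authenticator; it implements HOTP/TOTP from RFC 4226/6238 and uses the RFCs' published test-vector key as a constructed seed (the function names `totp`, `verify_totp` and `cloned_seed_attack` are illustrative, not a real library API).

```python
"""
TOTP (RFC 6238) demonstration: whoever holds the seed holds the factor.
Added example for this page; the seed is the RFC 4226/6238 SHA-1
test-vector key, not a real account secret.
"""
import hashlib
import hmac
import struct
import time

# Constructed seed: the RFC 4226 / RFC 6238 SHA-1 test-vector key.
SEED = b"12345678901234567890"
STEP = 30     # seconds per time step (what Google Authenticator uses)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation, then modulo 10^digits, zero-padded."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (
        (mac[offset] & 0x7F) << 24
        | mac[offset + 1] << 16
        | mac[offset + 2] << 8
        | mac[offset + 3]
    )
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, now: int, step: int = STEP, digits: int = DIGITS) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(now / step)."""
    return hotp(secret, now // step, digits)


def verify_totp(secret: bytes, code: str, now: int, window: int = 1) -> bool:
    """Server-side check accepting +/- `window` time steps of clock drift.
    compare_digest keeps the comparison constant-time."""
    counter = now // STEP
    return any(
        hmac.compare_digest(hotp(secret, counter + delta), code)
        for delta in range(-window, window + 1)
    )


def cloned_seed_attack(secret: bytes, now: int) -> dict:
    """A copy of the seed (lifted from a compromised phone, a cloud backup
    or an exported QR code) yields codes the server cannot tell apart from
    the legitimate device's. Nothing in the protocol binds the seed to a
    phone; only a hardware token that never exports the secret does that."""
    victim_code = totp(secret, now)
    attacker_code = totp(secret, now)     # same seed, same clock -> same code
    return {
        "victim": victim_code,
        "attacker": attacker_code,
        "identical": victim_code == attacker_code,
        "server_accepts_attacker": verify_totp(secret, attacker_code, now),
    }


if __name__ == "__main__":
    now = int(time.time())
    print("current code:", totp(SEED, now))
    print(cloned_seed_attack(SEED, now))
```

With the RFC test key, `totp(SEED, 59)` is `287082` and `totp(SEED, 1111111109)` is `081804`, matching the RFC 6238 vectors truncated to six digits. The attacker's code is accepted for the same reason the victim's is: the server only knows the seed, not which device it lives on. A token that generates codes internally and exports only the six digits (the Yubikey approach mentioned above) removes the copyable secret from the phone entirely.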

Just a word of caution on Google Authenticator: the iOS version didn't seem to be maintained and it didn't have any sort of export or backup feature. I lost all my codes due to a factory reset of my phone. I've ever since (Dec 2016) switched to using Authy for my codes.
Furthering this, I would use "Duo". It's such a better MFA app. It has lots of better usability features, and, should you want it, they just added iOS backup.

By having just your one Gmail account you are making yourself vulnerable. Google does allow up to 99 character passwords, but still your laptop might be left open and things like that.

I would suggest starting to use email aliases such as those offered by 33mail or Blur which forward to Gmail. Basically, instead of using the same username everywhere you now have, say, 10 or 20 usernames. A lot of people forget that usernames can be as effective as passwords; they are, in a sense, credentials too.

Also read any of the books by Michael Bazzell.

Also, going all the way here, I would get a VPN service for your phone. Then I would go to FladhRouters.com and order a DD-WRT router and embed that VPN (easy to do) in the router, or even better another VPN service.

Oh wow that would be really bad (not catastrophic since again I could recover Google with backup codes and from there email recovery for the other accounts).

I heard good things about Authy but I've been a bit cautious to add yet another service (which sounds ironic considering the 430 accounts I originally mentioned) just for what seems like a simple TOTP client, and I don't need any other fancy feature such as cross-device sharing because of the above-mentioned recovery procedure always being available in extreme cases.

Plus I was under the assumption that Authenticator data was backed up via iOS backups or iOS keyring, but I admit I've never tried it so I'm just speculating.

For your more critical passwords, enable the setting where lastpass prompts you to re-enter your master password. This ensures that:

1) you are less vulnerable to leaving your laptop unlocked.

2) you have to enter your master password frequently, preventing you from forgetting it.

I've never used LastPass, but is there a way to back up your data? That seems like the biggest point of failure for me. I dislike purely hosted solutions for critical info because they become a bigger target as more people join.
Thanks for your reply.

Yes, with Lastpass you can export all your data to a csv that is generated at runtime using your master password. Although, to be honest, why would I need that? Assuming every important service in that list has some sort of MFA via Google authenticator/gmail/google voice number and a recovery option via the gmail address, what would a backup be useful for?

Essentially, the only passwords I really need to memorize in my head are the lastpass and google ones.

The biggest point of failure to me seems some bank account that I tried to recover in incognito mode which apparently just asks social security number plus some other idiotic information instead of relying on sending a recovery email. And there doesn't seem to be any way to change that, beside changing bank that is.

I always wonder what has higher risks: me, hosting my own mail, maybe getting hacked, or a Gmail user, risking being locked out forever due to posting something inappropriate in a YouTube comment.
I'm all in with Google. All my business email and services are as a paying G-Suite customer. I have my business email pull in email from all my other non-biz accounts.

The experience as a paying Google customer seems to eliminate the oft-repeated complaints people have about Google. ¯\_(ツ)_/¯

I get technical support, with a real person, should I need it. (and I've needed it) The experience was fantastic. YMMV, of course.

I keep a backup copy of my email, off of Google infra, should any of the worst-case scenarios take place.

It's orthogonal to this discussion, but if I could do all of my coding from a Chromebook, the experience would be complete. I've had issues in the last 24 hours with both a Mac, and a Windows machine and it was Chromebook to the rescue. It just doesn't have the same level of functionality, as you already well know.

Haha I hope you're not being serious. If I had to estimate the probability of Google ever blocking my account over my life time I'd say 0.01%, whereas the probability of someone successfully attacking my mail server/dns records/... if I really became a target would be easily 100%.
Oh, I'm completely serious. Random bots attacking my server, sure, but that's not what I meant; the real problem is targeted attacks and spearphishing. The difference is: I can move my domain, I can move my server to another system, build defenses if needed, whereas for whoever's Gmail address gets blocked or reused (though the latter is more frequent with Tumblr and Instagram handles), there are no options.

Also, I wasn't asking for chances, but for risks.

Google Developer Account Wrongly Terminated NO MEANS OF DISCOURSE | https://news.ycombinator.com/item?id=15197357 (flagged, 44 comments, Sep 2017)

Don't ever do a chargeback! (This is actually a great way to shutdown an account you don't want...)

all your base are belong to us