Authentication Checklist

Intro

Most reported data breaches are caused by the use of weak, default, or stolen passwords (according to this Verizon report). Use long, strong, and unique passwords, manage them in a secure password manager, enable 2-factor authentication, keep on top of breaches, and take care while logging into your accounts.

Checklist

Critical or Essential Activities

  • Use a Strong Password
    Priority: Essential
    If your password is too short, then it can be easily cracked through brute force or guessed by someone. Use a long, strong and unique password for each of your accounts (see HowSecureIsMyPassword).

  • Don't Reuse Passwords
    Priority: Essential
    Use a different password for each of your online accounts to prevent Credential Stuffing. If you reuse a password on one site and it is leaked, then a criminal could easily gain unauthorized access to other accounts.

  • Use a Secure Password Manager
    Priority: Essential
    Use a secure password manager to encrypt, store, and fill credentials, such as BitWarden or KeePass / KeePassXC. For most people, it is going to be near-impossible to remember hundreds of strong and unique passwords. A password manager is an application that generates, stores, and auto-fills your login credentials for you. All your passwords will be encrypted against 1 master password (which you must remember, and it should be very strong). Most password managers have browser extensions and mobile apps, so whatever device you are on, your passwords can be auto-filled.

  • Avoid Sharing Passwords
    Priority: Essential
    While there may be times that you need to share access to an account with another person, you should generally avoid doing this because it makes it easier for the account to become compromised. If you absolutely do need to share a password — for example, when working on a team with a shared account — this should be done via features built into a password manager.

  • Enable Multi-Factor Authentication
    Priority: Essential
    2FA or MFA is where you must provide both something you know (a password) and something you have (such as a code on your phone) to log in. This means that if anyone has your password (e.g., through phishing, malware, or a data breach), they will still not be able to log into your account. Download an authenticator app like Bitwarden Authenticator onto your phone, and then go to your account security settings and follow the steps to enable 2FA. When you next log in, you will be prompted for the 6-digit code that is displayed in the app on your phone (it works without internet, and the code usually changes every 30 seconds).

  • Keep Backup Codes Safe
    Priority: Essential
    When you enable multi-factor authentication, you will usually be given several codes that you can use if your 2FA method is lost, broken, or unavailable. Keep these codes somewhere safe to prevent loss or unauthorized access. You should store these on paper or in a safe place on disk (e.g., in offline storage or an encrypted file/drive). Don't store these in your password manager, as 2FA sources and passwords should be kept separate.

Optional Activities

  • Sign Up for Breach Alerts
    Priority: Optional
    After a website suffers a significant data breach, the leaked data often ends up on the internet. Firefox Monitor, Have I Been Pwned, and DeHashed allow you to sign up for monitoring, where they will notify you if your email address appears in any new data sets. It is useful to know as soon as possible when this happens so that you can change your passwords for the affected accounts.

  • Shield your Password/PIN
    Priority: Optional
    When typing your password in public places, ensure you are not in direct line of sight of a CCTV camera and that no one can see over your shoulder. Cover your password or PIN code while you type, and do not reveal any plain-text passwords on your screen.

  • Update Critical Passwords Periodically
    Priority: Optional
    Update passwords for sensitive accounts annually. Database leaks and breaches are common, and likely several of your passwords are already somewhere online. Occasionally updating passwords of security-critical accounts can help mitigate this. Ensure that all your passwords are long, strong, and unique.

  • Don't Save your Password in Browsers
    Priority: Optional
    Most modern browsers offer to save your credentials when you log into a site. Don't allow this, as they are not always encrypted and could allow someone to gain access to your accounts. Instead, use a dedicated password manager to store (and auto-fill) your passwords.

  • Avoid Logging In on Someone Else's Device
    Priority: Optional
    Avoid logging in on other people's computers, since you can't be sure their system is clean. Be especially cautious of public machines, as malware and tracking are more common there. When using someone else's machine, ensure that you're in a private/incognito session (use Ctrl+Shift+N / Cmd+Shift+N). This will prevent the browser from saving your credentials, cookies, and browsing history.

  • Never Answer Online Security Questions Truthfully
    Priority: Optional
    If a site asks security questions (such as place of birth, mother's maiden name, or first car, etc.), don't provide real answers. It is a trivial task for hackers to find out this information online or through social engineering. Instead, create a fictitious answer, and store it inside your password manager.

  • Don't Use a 4-digit PIN
    Priority: Optional
    Don't use a short PIN to access your smartphone or computer. Instead, use a text password or a much longer PIN. Numeric passphrases are easy to crack (a 4-digit PIN has 10,000 combinations, compared to 7.4 million for a 4-character alpha-numeric code).

  • Avoid Using SMS for MFA
    Priority: Optional
    When enabling multi-factor authentication, opt for app-based codes or a hardware token if supported. SMS is susceptible to several common threats, such as SIM-swapping and interception. If a website or service requires an SMS number for recovery, consider purchasing a second pre-paid phone number used only for account recovery.

Advanced Activities

  • Consider Unique Usernames
    Priority: Advanced
    Having different passwords for each account is a good first step, but if you also use a unique username, email, or phone number to log in, then it will be significantly harder for anyone trying to gain unauthorised access. The easiest method for multiple emails is using auto-generated aliases for anonymous mail forwarding. This is where [anything]@yourdomain.com will arrive in your inbox, allowing you to use a different email for each account (see Mail Alias Providers). Usernames are easier since you can use your password manager to generate, store, and auto-fill these. Virtual phone numbers can be generated through your VOIP provider.