The Importance of Online Security
August 21, 2019 - 5 min read
My Blizzard account was recently hacked and I was completely baffled. Not only was my account hacked, it was straight up stolen. I had 6 emails with codes being generated for a notified login while I was asleep and somehow they were able to generate the correct 2FA code, log in to my Blizzard account and change my email, making the “forgot password prompt” useless. It felt like someone broke into my home, took a steamy shit on my floor and stole my rug.
I admit, I’m guilty of using the same passwords to everything except for my Gmail and banking, but the fact that they were able to generate a Blizzard 2FA code from my email is quite a shock. I was either completely hacked via my Gmail account or they were able to spoof the 2FA code externally. What bothers me is that I have 2FA on my Gmail account and I was never notified of an unauthorized login. I digress.
I’ve made significant steps toward improving my security over the past few days, including a complete change of all my passwords for all types of accounts and researching how to make my passwords more secure even with 2FA. This included:
- Buying a U2F Key - Yubico’s Yubikey 5 & NFC Security Key (Back-up)
- Switching to a password manager - Bitwarden
After this incident, I’ve learned a lot about streamlining my passwords and U2F keys, and about informing myself on how to become more secure online. I’ve also gone ahead and learned how to encrypt sensitive files on my computer and my portable USB drives using VeraCrypt, which is an open source utility to encrypt data.
Universal 2nd Factor (U2F)
U2F (Universal 2nd Factor) is an open authentication standard that enables users to strengthen and simplify 2FA (two-factor authentication) using a USB key or an NFC device. Basically, it’s a physical USB key that relies on public key cryptography, which helps protect against phishing, hijacking and malware attacks.
2FA can be implemented in many ways; usually, after you enter a password, you are prompted to answer a personal question or to provide a one-time passcode (OTP) from an SMS text or an authenticator app. These add a useful extra layer of protection, but they are still vulnerable to man-in-the-middle attacks, because a code you type into a fake site can simply be relayed to the real one. A U2F key aims to solve this issue.
How the Yubico Key Works
When you log in to a service that supports U2F, a prompt asks you to insert the USB key and touch it; the physical touch ensures that a human, not a piece of software, is approving the login. During this process the key checks that the site you are signing in to is the real one it was registered with, and rejects the login otherwise. You can learn more here.
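As an added illustration of the origin check just described (example code, not from the post or from Yubico), here is a simplified Go model of U2F registration and sign-in: the key signs a hash of the origin the browser reports together with the server's challenge, so a look-alike site cannot obtain an assertion the real site will accept. The origins, the challenge value and the map-based key store are constructed for the demo and stand in for the real key-handle mechanism.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models a U2F key: one P-256 key pair per registered origin (app ID).
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }
func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }
// Register makes a key pair bound to the origin the browser reports; the server stores the public key.
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[appID] = priv
	return &priv.PublicKey, nil
}
// digest is what the key signs: SHA-256 over SHA-256(appID) || SHA-256(challenge).
func digest(appID string, challenge []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	h := sha256.Sum256(append(app[:], chal[:]...))
	return h[:]
}
// Authenticate signs the challenge for the origin the browser reports; an unknown (look-alike) origin is refused.
func (a *Authenticator) Authenticate(appID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[appID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for origin %q", appID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, digest(appID, challenge))
}
// Verify is the server side: the signature must cover the server's own origin and the challenge it issued.
func Verify(pub *ecdsa.PublicKey, appID string, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(pub, digest(appID, challenge), sig)
}
func main() {
	key := NewAuthenticator()
	pub, _ := key.Register("https://example.com")
	chal := []byte("constructed-challenge-nonce") // constructed for the demo; real servers send a random nonce
	sig, _ := key.Authenticate("https://example.com", chal)
	fmt.Println("legit login verifies:", Verify(pub, "https://example.com", chal, sig))
	_, err := key.Authenticate("https://examp1e.com", chal) // look-alike site relaying the real challenge
	fmt.Println("look-alike origin refused:", err != nil)
}
```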
Luckily, there are many companies that support U2F, including Facebook, Google, Microsoft, Dropbox and GitHub. I ended up buying the Yubikey 5 as my main key and have a Yubico NFC Security Key as a backup, which is generally recommended. I found a lot of information from this video.
Google said they’ve completely eliminated phishing attacks for 85,000 employees by adopting these U2F keys. Although I’m not a high profile person who is subjected to attacks, I’d like to have peace of mind when it comes to online security.
I’ve used LastPass and Dashlane previously, but I’ve never liked their freemium models, as they seem very intrusive in collecting your data. After doing a bit more digging, I found a service called Bitwarden, free and open source software that can be audited by anyone, ensuring there is no fancy stuff happening.
When compared to the other services, I found Bitwarden really intuitive, and syncing to multiple devices is free, unlike with other password managers such as 1Password. It’s a basic password manager that does what Google Chrome does; however, it provides a much nicer and more intuitive UI with a lot more features. You can log in to websites using a shortcut (Ctrl+Shift+L), and much more. Premium allows you to secure this vault with a U2F key.
I remember seeing a comic from xkcd regarding passwords and have always used this method, but now with Bitwarden, random ones like these can be generated and I no longer re-use the same one or need to remember any of them.
Thanks to whoever hacked my account, I was able to get it back through Blizzard support; it gave me a real wake-up call, and from this experience I’ve learned a ton on how to secure my accounts.