Pamela Morgan is an attorney, educator, and entrepreneur who has been working exclusively in the bitcoin and blockchain industry since early 2014. In addition to her law practice, Pamela is the CEO of Third Key Solutions LLC. This is the first article in a series discussing general security practices that become essential when your money is digital.
I have a confession. While today I work to help people and organizations secure their bitcoin, in 2013 my security practices were abysmal. My passwords were terrible. Really awful, like 12345 and Abc123. Oh, and I reused the same passwords everywhere, except for online banking where I cleverly combined my three bad passwords for “added security.” Looking back, it’s amazing I never got hacked. Or maybe I did but I just didn’t know it…
Am I embarrassed to confess? No, because I now know that these security practices are the norm, NOT the exception. And, importantly, I now understand that my failure to implement good security wasn’t totally my fault; it was a combination of misunderstanding the risks, overestimating the effort it takes to implement decent security, and underestimating the reward for good security.
Of course, I had heard about people getting hacked. But it was always other people. I was under the illusion that no one wanted to hack me. And that even if they did, I didn’t have anything of value. Anything I lost I could get back. But I was wrong. The danger isn’t that your money gets stolen from your bank account or that people read your emails (though that might not be ideal), the real danger is that when your credentials are stolen your life can be disrupted in a major way. You lose time and energy trying to fix the damage caused by the hack. No one wants that but the risk wasn’t real enough for me to do anything about it.
Then came bitcoin
Owning bitcoin (and wanting to keep it) has forced me to learn about security. Digital cash is both empowering and frightening, particularly if you have no idea how to keep it safe.
Maybe you’re new to bitcoin and digital currencies. Maybe you’ve been involved for a while but haven’t really done much to improve your security. Maybe you’re not involved in bitcoin at all but you know you should do more to protect yourself online. Maybe you’re like I used to be: simply unsure of what to do — so you do nothing. It’s work to sift through all of the information about security and choose what to implement and what to ignore. It’s easier to put it on your ‘to-do’ list (that you never get to) and hope you don’t get hacked.
Now that I’ve implemented some basic security best practices, I can tell you it’s much easier than I thought it would be. Basic good security practices are now part of my routine. So much so that I don’t even notice most of them anymore. Like putting on a seatbelt after getting into a vehicle, it’s just something I do.
In terms of security, I’ve come a long way since 2013 and with this article series I hope to share some of the things I’ve learned to help you become more secure too.
One caveat before we get started. Learning new technology takes time, openness, and the right attitude. Do you remember the last time you got a new cell phone, or switched from Windows to OSX (or vice versa)? It took some time to learn the new system. You weren’t as fast at sending messages or finding files. But you learned. And processes that once seemed foreign and clunky have now become second nature. You don’t even really think about them anymore. If you stick with these security practices, they will fade into the background and become part of how you do things. If you’re competitive, make it a game. How quickly can you implement these practices? For each feature I’ll tell you how long it took me to acclimate, as a guide. Remember the real question is: How much have you improved your overall security?
Security Tip #1: The first and most important thing you can do to up your security game is to start using a password manager
Start using software as a password manager instead of your brain. With all the data breaches happening, we know it’s dangerous to use the same password on more than one site. But it’s a huge hassle to remember different passwords for different sites. That’s what a password manager does. Simply put, it’s software that will automatically fill unique usernames and passwords for you in each site you register (with the click of a button). You’ll never have to type a regular password again!
What risks does this protect against? Primarily, it protects you from security breaches of the sites you use. The risk isn’t that someone will guess your password (unless your passwords are terrible — like mine used to be). The risk is that by breaching one site, they will then try that password on every other major internet service, eventually getting to your email or cell-phone provider. Once they have access to the service you use to reset passwords, they own your online life. At that point, consider your bitcoin gone, unless it’s stored in a hardware, multisig, or physical wallet.
“But if they get my master password — won’t they have access to all my passwords?!?” Hopefully not, because you’ll be using 2-factor authentication, or 2FA, for both your password manager and your sensitive site passwords (2FA is the subject of the next article). Also, remember that password management software is intended to do one thing well — user security. It’s special purpose software so the risk profile is different. Without getting too technical, with this software, your master password is used on your device only and not transmitted to the websites you visit. Your password manager can also use more resource intensive security methods (like password stretching algorithms) because doesn’t have to serve thousands of users simultaneously. It only needs to serve one user — you!
Choosing a password manager. Costs range from free to $40 per year for access with multiple devices like your laptop and smartphone. For context, $40 per year is less than eleven cents per day. Most people I know use either LastPass or KeePass. If you want more options, a great place to start comparing password managers is this recent article from PC Magazine highlighting 10 different options with costs and features of each. Importantly, the export function, available with most of the listed managers, means that you can change password managers later if you find another you prefer. Another good article, comparing 5 different managers is this one from Lifehacker.
How do password managers work? Generally, you’ll set one master password to access your password manager. It’s like storing all of your passwords in a safe and your master password is the combination to that safe. You’ll only need to remember this one password because once you’ve accessed the manager, it will store site specific passwords for you. Many password managers will offer to generate and store passwords for each unique site you visit.
How long will it take to start using a password manager? 20 minutes or less, depending on the download time. Start by choosing a manager and downloading it from the developer’s website or another trusted source. Be careful here, sometimes scam sites are made to look just like another site! Once you install it, you’ll need to memorize a master password.
How to select a good master password. A good master password is longer than five words, random, not a sentence, and easy for you to remember. The words you select should never appear in a “normal” sentence anywhere. I know you might want to but please don’t choose a sentence or phrase from your favorite book, song, or movie. Don’t use a sentence that makes sense to anyone but you.
One way to do this is to take an unpopular book, get a pencil, close your eyes, open the book to a random page and circle a word (with your eyes closed), switch pages and do it again at least five more times. Now you’ve got your new master password. Write it down, on a single sheet of paper, and plan to destroy the paper next week (when you’ve memorized your master password). Don’t forget to erase the marks from your source material. By the way, this is sometimes called the XKCD method. Another way to select your words is to use dice and the diceware wordlist or use software like this random password generator. For a different point of view, take a look at this article: Choosing Secure Passwords from the brilliant Bruce Schneier.
Memorizing your master password. Before you enter or change any of your passwords, it’s best to memorize your master password. To do this, log in and out of the manager 10–15 times in a row (could be more or less depending on your memory). Then wait 5–10 minutes. Try logging in again. If you remember your password then try again in an hour. Then try again tomorrow morning.
Contrary to your intuition, don’t have the password manager remember your device. If you do, it will not ask you for your username and master password and you’ll probably forget it which could be devastating. It’s better to enter your username and master password fairly frequently (a couple of times per day at first) to ensure you don’t forget it. Some managers allow you to require the master password be retyped before you can access specific sites, like online banking. Although entering your master password can expose it to keyloggers installed on your system (and takes an extra 5 seconds per login), in my experience the much greater risk for most people is that they’ll forget their master password.
Transitioning to a password manager. At first I didn’t really trust the software. Or maybe I didn’t really trust myself to use it. I couldn’t afford to have it slow down my entire online life, so I decided to implement in stages. Your plan could look something like this — Day one, chose three to five sites to integrate, including email. Visit each site and “reset” the password with one generated by the manager. Save the new password in the software. Logout and login after each site, to be sure you’ve done it correctly and to ensure you can access the sites with the manager. This should take you about about 15 minutes, total. Slowly add more sites. Each time you visit a new site, use the manager to select and store the password. Today, I have more than 300 unique, strong, randomly generated passwords — which is a significant improvement from the three passwords I started with.
Choosing password length and complexity. The the most complex character set, the better — so I choose upper and lower case letters, numbers, and symbols whenever possible. I always choose passwords that are longer than 12 characters. For more information on choosing passwords, check out Sharon Profis cnet article The Guide to Password Security and why you should care.
How long did it take to get used to my password manager? Overall, it took 3–4 weeks before I really started liking my password manager. It took about a year before I started using the advanced features. Is it perfect? No. Sometimes (rarely) there’s a problem with my browser or mobile device and I can’t do exactly what I want to do when I want to do it. Is it frustrating? Sometimes. But all technology is frustrating when it doesn’t work perfectly. Overall though, I’m more secure using a password manager than not — at least until we get to the password-free utopia of the future.