PSA: a setup for 'minimum viable security'

Eddy Lazzarin, Matt Gleason

The 3 types of secrets humans have to securely store, and how

We live in a digitally active world, and as the number of our online accounts and the amount of information we keep online grow, so does our need to hold secrets that keep others from accessing that data. There are 3 main types of secrets most people have to hold for online access:

  1. Passwords — which people use to access various websites and services. These must not only be kept secret, but be unique from service to service.
  2. TOTP codes — which are usually generated by an authenticator app implementing TOTP (time-based one-time passwords). These provide two-factor authentication, where a second layer of security (hence the “two”, and “multi-” if more layers) helps protect access.
  3. Seed phrases — “mnemonic” codes or recovery phrases that give direct control of all crypto wallets derived from that seed phrase. This reflects one of the empowering features of crypto wallets: Once you enter your seed phrase, you have total control of your assets without needing to move them from one custodian to another.

Note, these “secrets” aren’t all specific to crypto/web3; anyone using the internet today should be using these practices (or something custom-tailored for their needs)! And while our recommendation would be to harden everything to the maximum extent possible, the practical reality is that purchasing hardware wallets, WebAuthn keys, and machines with TEEs isn’t easy to do for most people (at least, not yet). Furthermore, losing secrets can sometimes be a greater risk than having them compromised: some information, once lost, can’t ever be recovered.

So one could consider this a “minimal viable security” approach. That minimum setup — using things many people already have — would be to use a well-vetted password manager to store your seed phrases and passwords; and a TOTP app on your phone to store and use TOTP codes for 2FA (two-factor authentication).

Here’s more on why and how:

Do NOT use text messages on your phone (SMS) as a second factor for authentication. SMS is a very weak choice for 2FA, given the rise of SIM swapping/jacking: a hacker pretends to be you to your mobile provider (“I lost my phone and need help accessing it…”), gets your phone number rerouted to their device, and can then access any accounts linked to that phone number. That’s why we recommend using authenticator apps (like Authy, Google Authenticator, etc.). Not all services allow two-factor authentication, unfortunately; so you should still make sure you’re using strong, unique passwords.

Store your passwords in a password manager. This is mostly to make having unique passwords for all internet services possible; otherwise most people default to reusing passwords across sites. A password manager secures each online account with a unique, complex password — and uses one strong “master password” to encrypt all the stored passwords (see for example 1Password, Bitwarden, or Dashlane).

Your master password should be at least 16 characters — preferably a randomly generated passphrase of at least 5 words, which is usually around 30 characters, but easier to remember. This is not an arbitrary recommendation; the GPU cost of guessing a password by brute force goes up exponentially with every character or word added to it. That’s why longer is better. Finally: Never forget the master password! If you have to, you can write down a password hint with pen and paper, store that in the safest place you can think of, and remember where it is.
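To make the “exponential” claim concrete, here is an added illustration (not code from the original post) that computes the entropy of a random passphrase versus a random character password and the expected brute-force time; the word-list size, character-set size and attacker guess rate are assumed, illustrative figures, and the tiny word list is a constructed stand-in for a real one.

```python
import math
import secrets

# Constructed toy word list for the generator demo. Real passphrase
# generators use lists of thousands of words; the entropy math below
# only needs the *size* of such a list (7776 = 6^5 is assumed here).
TOY_WORDLIST = ["anchor", "basil", "cobalt", "delta",
                "ember", "falcon", "granite", "harbor"]
DICEWARE_LIST_SIZE = 7776
PRINTABLE_ASCII = 95               # letters, digits, symbols on a US keyboard
GPU_GUESSES_PER_SECOND = 1e10      # assumed attacker budget, purely illustrative
SECONDS_PER_YEAR = 365 * 24 * 3600


def entropy_bits(symbols: int, alphabet_size: int) -> float:
    """Entropy of `symbols` independent, uniformly random picks from an alphabet.

    Each extra symbol adds log2(alphabet_size) bits, i.e. multiplies the
    number of candidates the attacker must try by alphabet_size.
    """
    if symbols < 1 or alphabet_size < 2:
        raise ValueError("need at least one symbol and an alphabet of size >= 2")
    return symbols * math.log2(alphabet_size)


def expected_years_to_crack(bits: float,
                            guesses_per_second: float = GPU_GUESSES_PER_SECOND) -> float:
    """Expected time to hit the secret: on average half the keyspace is searched."""
    guesses = 2 ** (bits - 1)
    return guesses / guesses_per_second / SECONDS_PER_YEAR


def generate_passphrase(n_words: int, wordlist=TOY_WORDLIST, sep: str = "-") -> str:
    """Pick words with the OS CSPRNG (`secrets`), never `random.random`."""
    if n_words < 1:
        raise ValueError("need at least one word")
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def compare(n_words: int = 5, n_chars: int = 16) -> dict:
    """Bits and expected crack time for the post's two master-password options."""
    phrase_bits = entropy_bits(n_words, DICEWARE_LIST_SIZE)
    password_bits = entropy_bits(n_chars, PRINTABLE_ASCII)
    return {
        "passphrase_bits": phrase_bits,
        "passphrase_years": expected_years_to_crack(phrase_bits),
        "password_bits": password_bits,
        "password_years": expected_years_to_crack(password_bits),
        # going from n_words to n_words+1 multiplies the attacker's work by the list size
        "one_more_word_factor": 2 ** (entropy_bits(n_words + 1, DICEWARE_LIST_SIZE) - phrase_bits),
    }
```

Run `compare()` to see that 5 random words from a 7776-word list give about 65 bits and that each additional word multiplies the attacker's work by 7776, which is the exponential growth the paragraph refers to.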

Store an encrypted copy of your backup codes/TOTP secrets in cloud storage, and keep a printed copy in a secure safe. But what about storing your TOTP codes in a password manager? Some password managers do support this, but it is better to use two different applications so that both security “factors” — password, and TOTP — remain separated. So then where should you store seed phrases? While the answer is a bit more complicated, the short answer is: in your password manager. (If you have a crypto wallet with a lot of assets in it, consider a more complex scheme; otherwise, this approach should work for most).

this post first appeared in our ‘web3 weekly’ newsletter

editor: Sonal Chokshi