
Ask HN: Please critique my personal digital security strategy - toocool
Hi

After the latest events, I thought I'd share with HN what I do to protect myself from identity theft, and ask for suggestions. I'll try to be brief. The goal is to be in a sweet spot between convenience and security:

- Froze my credit on the 3 agencies

- My personal Google account is the central hub of my online identity: all accounts are hooked to my gmail, and I keep sensitive documents, including financial statements and contracts, on Google Drive. The Google password is complicated and as MFA I have Google authenticator on my phone and printed backup codes. No recovery phone/email address set.

- I keep all my passwords in Lastpass. I really love the app and how well it works on mobile. As MFA I have Google authenticator on my phone.

- My phone is secured with touch id and a long pass code, and automatic data deletion after 10 failed attempts

- I use a lot of services; I just counted 430 online services. Each one ends up hooked to my gmail and a random password that I don't remember and store right away in Lastpass (including various bank accounts). Whenever available, I always enable the following MFA methods in order of preference:

* Google authenticator on my phone (e.g. Facebook)

* Email verification on my Google email (e.g. bank accounts)

* Text verification on my Google Voice number (e.g. bank accounts). I don't use my non-gv phone number because of how easy it is to trick call center operators into transferring the number away from a given SIM card. Seems very sad.

What do you think? It seems pretty secure to me. If I were to lose my phone, I'd recover Google via the backup codes, and all the other accounts via the google email.

Thanks!
======
philiphodgen
And if (God forbid, because it could never happen) Google arbitrarily froze
you out of your email account and you could not talk to a human at Google to
remedy the situation . . . ?

~~~
toocool
Thanks for your reply.

That is a possibility, I might be naive but I consider it on the very unlikely
side. What I would imagine in that case is that I would reset the important
other accounts such as the bank ones by showing up in some physical office
with my passport, or something similar, while waiting to solve the situation
with Google.

What alternatives would you suggest? Spreading the accounts over different
email addresses? Letting aside the privacy issue, to be honest I don't think
there is another mail provider that I'd trust better than Google from a
security point of view.

~~~
philiphodgen
Yes I would hedge my bets.

I have seen businesses die because they only had one bank. You and I have both
seen, from time to time, people complaining that something went wrong with a
Google account with no apparent way to obtain recourse.

Always have a backup. And a contingency plan in case the backup plan fails.

I'm with you on LastPass. I am utterly reliant on it, and it bothers me
greatly. I have hedged my bets a bit by backing things up with 1Password. But
what a colossal pain in the ass that is. Friction leads to sloth, and sloth
leads to system failure.

------
j_s
Any consideration given to a hardware security token? The Yubikey NFC edition
(~$50?) can even work with your phone.

[https://helpdesk.lastpass.com/multifactor-authentication-options/yubikey-authentication/#h4](https://helpdesk.lastpass.com/multifactor-authentication-options/yubikey-authentication/#h4)

At the very least, consider securing Lastpass with U2F (fairly cheap) once
they support it.

[https://cognitionsecure.com/u2f-otp-google-lastpass/](https://cognitionsecure.com/u2f-otp-google-lastpass/)

Be sure to get at least two hardware tokens in case of failure.

--

PS. Some more exotic options even store actual passwords rather than
encryption keys.

[https://www.tindie.com/products/stephanelec/mooltipass-mini-offline-password-keeper/](https://www.tindie.com/products/stephanelec/mooltipass-mini-offline-password-keeper/)

------
johnpython
Overall you have a great security posture. I would not recommend using
LastPass due to the service having a history of really bad security
vulnerabilities. If you must use a cloud-based password manager, 1Password is
the most secure choice, otherwise use KeePassX. As others have mentioned, less
reliance on Google will do you some good. Look into using Duo MFA. Migrate
high-security accounts like banking to a separate email account. Don't store
credit card details with shopping sites. Disable Touch ID.

------
elops
Storing the seed for 2FA on your phone (google authenticator) leaves you
vulnerable to anyone who compromises your phone. If someone compromised your
phone, you likely would not know they are generating the same 2FA codes as
you do. To tackle this problem you could store your 2FA secrets on a secure
device (e.g. Yubikey NEO) and use the phone as a display.

Lastpass is a cloud service and they had some issues in the past; I consider
a more offline/app approach for a password manager as a bit more secure alternative.
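Added illustration (not from any commenter in this thread): a minimal RFC 6238 TOTP implementation, the scheme Google Authenticator uses, showing that the base32 seed is the only secret, so any copy of the seed produces identical codes; the verifier below is the one server-side check that can surface a duplicated seed, since it refuses a second login within the same 30-second step. The seed is the RFC 6238 test key, base32-encoded, and the server-side class is a constructed example, not any vendor's code.

```python
import base64
import hashlib
import hmac
import struct

# RFC 6238 reference key "12345678901234567890", base32-encoded (constructed for the demo)
SEED_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"


def totp(secret_b32: str, at_time: int, step: int = 30, digits: int = 6) -> str:
    """Compute the TOTP code for a given Unix time (HMAC-SHA1, RFC 6238)."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    counter = at_time // step                      # time step number
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # dynamic truncation (RFC 4226)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def cloned_seed_matches(secret_b32: str, at_time: int) -> bool:
    """The legitimate phone and a device holding a copied seed agree on every code."""
    phone_code = totp(secret_b32, at_time)
    attacker_code = totp(secret_b32, at_time)      # same seed, same clock, same code
    return phone_code == attacker_code


class TotpVerifier:
    """Server side: accept each time step at most once, as RFC 6238 section 5.2 advises.

    A second valid code in an already-consumed step is the signal a duplicated
    seed can leave behind; a plain verifier would silently accept it.
    """

    def __init__(self, secret_b32: str, step: int = 30, digits: int = 6):
        self.secret, self.step, self.digits = secret_b32, step, digits
        self.last_counter = -1

    def verify(self, code: str, at_time: int) -> bool:
        counter = at_time // self.step
        if counter <= self.last_counter:
            return False                           # replay or parallel use of this step
        expected = totp(self.secret, at_time, self.step, self.digits)
        if not hmac.compare_digest(code, expected):
            return False
        self.last_counter = counter
        return True
```

The step-reuse rejection only helps when the attacker logs in inside the same step as the legitimate user; a moved seed used at other times is indistinguishable from the real device, which is the gap a hardware-held secret closes.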

------
netvarun
Just a word of caution on google Authenticator - the iOS version didn't seem
to be maintained and it didn't have any sort of export or backup feature. I
lost all my codes due to a factory reset of my phone. I've ever since (Dec
2016) switched to using Authy for my codes.

~~~
Top19
Furthering this, I would use "Duo". It's such a better MFA app. It has lots of
better usability features, and should you want, they just added iOS backup.

By having just your one Gmail account you are making yourself vulnerable.
Google does allow up to 99 character passwords, but still your laptop might be
left open and things like that.

I would suggest starting to use email aliases such as those offered by 33mail
or Blur which forward to Gmail. Basically instead of using the same username
everywhere you now have say 10 or 20 usernames. A lot of people forget that
usernames can be as effective as passwords; they in a sense are credentials
too.

Also read any of the books by Michael Bazzell.

Also, going all the way here, I would get a VPN service for your phone.
Then I would go to FlashRouters.com and order a DD-WRT router and embed that
VPN (easy to do) in the router, or even better another VPN service.

------
afarrell
For your more critical passwords, enable the setting where lastpass prompts
you to re-enter your master password. This ensures that:

1) you are less vulnerable to leaving your laptop unlocked.

2) you have to enter your master password frequently, preventing you from
forgetting it.

------
beckler
I've never used lastpass, but is there a way to backup your data? That seems
like the biggest point of failure for me. I dislike purely hosted solutions
for critical info because they become a bigger target as more people join.

~~~
toocool
Thanks for your reply.

Yes, with Lastpass you can export all your data to a csv that is generated at
runtime using your master password. Although, to be honest, why would I need
that? Assuming every important service in that list has some sort of MFA via
Google authenticator/gmail/google voice number and a recovery option via the
gmail address, what would a backup be useful for?

Essentially, the only passwords I really need to memorize in my head are the
lastpass and google ones.

The biggest point of failure to me seems some bank account that I tried to
recover in incognito mode which apparently just asks social security number
plus some other idiotic information instead of relying on sending a recovery
email. And there doesn't seem to be any way to change that, besides changing
bank that is.

------
pmlnr
I always wonder what has higher risks: me, hosting my own mail, maybe getting
hacked, or a gmail user, risking being locked out forever due to posting
something inappropriate in a youtube comment.

~~~
toocool
Haha I hope you're not being serious. If I had to estimate the probability of
Google ever blocking my account over my life time I'd say 0.01%, whereas the
probability of someone successfully attacking my mail server/dns records/...
if I really became a target would be easily 100%.

~~~
pmlnr
Oh, I'm completely serious. Random bots attacking my server, sure, but that's
not what I meant; the real problem is targeted attacks and spearphishing. The
difference is: I can move my domain, I can move my server to another system,
build defenses if needed, whereas whoever's gmail address gets blocked or reused
(though this latter is more frequent with tumblr and instagram handles), there
are no options.

Also, I wasn't asking for chances, but for risks.

------
roarktoohey
all your base are belong to us

