19 Apr 2020
One of my 2020 resolutions was to start using secure passwords and 2FA (Two Factor Authentication) on every site where I had an account. I had been meaning to do this for a while; the final push came when I received a free 1Password family account.
Essentially, this meant
I have been active on the internet for 15 years now, and that meant a lot of accounts!
I broke this problem down into 3 steps
The shortlist came to ~25 accounts.
To my shame, changing the passwords was a breeze, since I had re-used 3-4 passwords (with some variations in casing or numbers).
I used 1Password’s “Suggested Password” feature to do this. The only hiccups were when a few sites insisted on a restricted character set or a “strong password policy” that required a few iterations of suggestions.
I chose to enable 2FA only for sites
I chose to use 1Password’s 2FA helper on sites where TOTP was available as a mode of authentication. This is probably not very wise, since it couples both factors behind a single source.
I made sure to take a physical print of the backup codes.
For good measure, I deactivated more than 40 accounts that I no longer used. Some made it easy, since deactivation was a self-serve process, while others required me to… cringe… write a support ticket.
I have 60-ish accounts in my 1Password. Not having to type out my credentials is a usability win for me, apart from the obvious security improvement. I have the 1Password companion app on my phone, which makes the process easier on mobile.
The biggest “bang my head” moment was signing into Netflix on my Android TV & Fire Stick. Netflix doesn’t provide a login-via-device option, and typing a long password via arrow keys was sufficiently frustrating for me to go back to a manual, shorter password.
HDFC NetBanking & the Income Tax Portal took the cake for the ugly, though. Both of them apply a fancy client-side hash of the password on an onchange trigger of the password field. This did not play well with the password manager, and I switched to bespoke passwords for them.
How do you decide it’s for you? You should use a password manager