First Steps: Secure Your Online Identity

Posted on December 31, 2016 by Paul Thurrott in Android, Cloud, iOS, Microsoft Consumer Services, Mobile, OneDrive, Outlook.com, Windows 10, Windows Phones, Xbox One with 15 Comments


Here’s a New Year’s Resolution that everyone should embrace: It’s time to take control of your online identity, which comprises multiple accounts of varying importance.

Note: In the future, I will look much more closely at the Microsoft Account (MSA) that is at the center of so many of our digital lives, and perhaps at other top-level online accounts such as those provided by Apple and Google.

There was a ton of great feedback to my post Resolving to Revisit the Fundamentals in 2017. But the topic that really stood out, to me at least, was a repeated call for online identity management.

That’s because we all have multiple online accounts, each with its own password and other security settings. And because these accounts hold our most sensitive personal data, including photos, banking records, credit card information and other personal documents, properly managing and protecting them (collectively, your online identity) is quite important.

In fact, this topic is so important that I did something I rarely do: I spoke with an expert in this field. In this case, my friend Sean Deuby, who is an identity technology analyst and expert and a 13-year Microsoft Directory Services MVP. The goal of this conversation was simple: How does an expert in identity management protect his own online identity?

Here’s what we discussed.

Follow modern password recommendations. As Sean wrote in a Semperis blog post earlier this year, Microsoft in 2016 revised its password guidance in a direction that many will find surprising: away from mandatory character-composition rules and periodic forced resets, and toward a minimum length, a ban on commonly used passwords, and multi-factor authentication. “Long-held password practices fall down in the face of modern credentials-oriented attacks,” he writes. “Further, some of these policies actually increase the ease with which passwords can be compromised and should thus be changed or abandoned altogether.” Check out that post for a seven-action checklist that provides maximum password-based identity protection.

Enable two-factor authentication (2FA) on all of your accounts. As I wrote previously in Tip: Protect Your Online Accounts with Two-Factor Authentication, 2FA improves the security of an online account by adding a second “factor” to the authentication process used to prove that you are you. For online accounts, the first factor is almost always your password. The second factor is usually a code or approval prompt generated by a smartphone app like Microsoft Authenticator (Android, iPhone, Windows), which both Sean and I recommend, or a code sent via text message to your phone. Text-message codes are falling out of favor because SMS can be intercepted or redirected to an attacker’s phone (for example, via SIM swapping), so prefer an authenticator app wherever a service offers one.

Use a password manager. A good password manager will get you off bad (easily guessed or cracked) passwords, and it will stop you from using the same password across multiple sites. Here, Sean recommends LastPass, as do I, though there are other good choices as well. Just make sure it does all of the following: it generates and stores complex passwords, it examines your saved passwords and warns you about duplicates used on different sites over time, it stores credit card information (for use at e-commerce sites), and it supports 2FA for access to the manager itself. Yes, there are user experience challenges with password managers, especially on mobile, but they are minor compared to data loss or identity theft. (And no, reports that “LastPass might have been hacked” should not deter you from using this or another service to protect yourself, Sean says. You’re using a strong master password and 2FA with LastPass, right?)
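The two preceding points, modern password guidance and the audit a password manager performs, come down to a few concrete checks. The following is an added example (not code from the original post, from Sean, or from LastPass) of those checks: a length floor with no composition rules, a deny-list of common passwords matched against the password’s normalized form (so “P@ssw0rd2016!” is still caught), reuse detection across a vault, and replacement generation from the OS random source. The deny-list, the leet-speak table, and the sample vault are constructed for the example.

```python
import secrets
import string
from collections import defaultdict

MIN_LENGTH = 8  # the floor in Microsoft's 2016 guidance; no composition rules on purpose

# Constructed stand-in for the "commonly used passwords" deny-list the guidance
# says to enforce; a real deployment loads a large breach-derived list.
COMMON_PASSWORDS = {"password", "qwerty", "letmein", "welcome",
                    "iloveyou", "monkey", "dragon"}

# Letter-for-symbol substitutions attackers undo before guessing (assumed table).
_LEET = str.maketrans("@$0!13", "asoiie")


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word an attacker would guess it from:
    lower-case it, drop the trailing digits/punctuation users append to satisfy
    old composition rules, then undo common substitutions."""
    core = password.lower().rstrip(string.digits + string.punctuation)
    return core.translate(_LEET)


def check_password(password: str, common=COMMON_PASSWORDS) -> list:
    """Return the list of problems found; an empty list means acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if normalize(password) in common:
        problems.append("variant of a commonly used password")
    return problems


def find_reuse(vault: dict) -> dict:
    """Map each password used for more than one site to the sorted list of sites."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


def generate_password(length: int = 20,
                      alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """Replacement password from the OS CSPRNG; the `random` module is not suitable."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed sample vault: site -> password, as a manager would hold it.
SAMPLE_VAULT = {
    "bank.example": "hunter2",
    "mail.example": "hunter2",
    "forum.example": "P@ssw0rd2016!",
    "shop.example": "correct horse battery staple",
}

if __name__ == "__main__":
    for site, pw in SAMPLE_VAULT.items():
        print(site, check_password(pw) or "ok")
    print("reused:", find_reuse(SAMPLE_VAULT))
    print("replacement:", generate_password())
```

Note what is absent: there is no rule demanding an upper-case letter, a digit and a symbol, because that rule is what produces “P@ssw0rd2016!” in the first place.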

Reexamine your accounts on a regular basis. Sean and I spoke about the need to occasionally check in on your online accounts and make sure that all of the security settings are up to date. I suggest putting an entry in your calendar to remind you to do this: I try to do so once a quarter, and as part of this check-up I also remove old devices from my Microsoft account and perform other housekeeping tasks. Since you’re reading this now, take a few minutes to sign in to some key online accounts of your own and make sure they are adequately protected.

To be clear, each of these topics warrants future articles of their own. And as noted, I will be deep-diving into Microsoft Account management specifically as well.

Happy 2017.


15 responses to “First Steps: Secure Your Online Identity”

  1. 131

    A lot of people recommend LastPass, but my wife and I use a shared KeePass file (via Dropbox) and it works great. In particular, I love that my passwords exist in an encrypted "file" (like a super secure Excel spreadsheet) rather than in a complex cloud infrastructure. Yes, I've heard Steve Gibson and others talk about how secure LastPass is, but I'm stuck in the old school on password management. 

  2. 9692

    I use a nifty app "Hacked?" which shows if any of your account with associated email ID is hacked:

    www.microsoft.com/store/apps/9nblggh6850j

    It can also periodically scan every 12 hours to check if there is any new breach.

  3. 124

    Great article.  Happy New Year!

  4. 249

    2017 is a few hours away, is there a book running on whether or not MS will support passwords longer than 16 characters with O365?

    Even with 2FA I don't feel all that secure using it. And if there is a 16 character limitation it would seem to me that the password is being stored encrypted somewhere, rather than a hash of the password. That worries me greatly. 

    Everyone else good with this?


    • 2

      In reply to Nic:

      Not sure if you saw this, but Sean replied in the non-Premium contents section. Here is the reply:

      Hi Nic,

      I don't have the exact details on how an Azure password is stored, but I'm writing the doc for Microsoft on how password synchronization works between on-prem Active Directory and Azure AD so I know that process in great detail. I can assure you that your Azure password is not stored with any kind of reversible encryption. My educated guess is that a random salt is added to the password to make it much longer and then it's run through a one-way hash function (probably HMAC-SHA256) before it's stored. As the crypto guys like to say, it's then "infeasible" to decrypt it.

  5. 8616

    Happy new year everyone. I've been using 2FA for a couple of years now and think that it really is a step in the right direction to get our online world more secure. There should however be more emphasis on it because most people don't know it exists.

    What worries me most though is that some websites and apps still don't allow special characters in a password. 

  6. 5345

    I have found that the Authy app is better for managing two factor login codes than Microsoft's or Google Authenticator apps. 

    The main reason is because it allows multiple device synchronization. So you can have your Two Factor codes on your iPhone, iPad, Android and Windows devices. You are no longer forced to scan a 2D barcode on multiple devices during the registration process if you need access from multiple devices. 

    It also allows you to restore your codes when you replace your phone or tablet. 

  7. 9694

    In reply to Nic:

    Hi Nic,

    I don't have the exact details on how an Azure password is stored, but I'm writing the doc for Microsoft on how password synchronization works between on-prem Active Directory and Azure AD so I know that process in great detail. I can assure you that your Azure password is not stored with any kind of reversible encryption. My educated guess is that a random salt is added to the password to make it much longer and then it's run through a one-way hash function (probably HMAC-SHA256) before it's stored. As the crypto guys like to say, it's then "infeasible" to decrypt it.
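The storage scheme Sean describes in the reply above, a random per-user salt and a one-way hash, looks like the following in practice. This is an added illustration, not code from the post or any description of how Microsoft stores passwords: it uses PBKDF2-HMAC-SHA256 (an iterated HMAC construction; the iteration count is an assumed value for the example) and shows that verification never needs the original password, that the same password yields a different record under a different salt, and that the hash accepts input of any length.

```python
import hashlib
import hmac
import os

# Assumed work factor for the example; tune to what the login path can afford.
ITERATIONS = 100_000


def hash_password(password: str, salt: bytes = None) -> str:
    """Store only a random salt and a slow, one-way digest of salt+password.
    Format (this example's own): algorithm$iterations$salt_hex$digest_hex."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (ITERATIONS, salt.hex(), digest.hex())


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time;
    the stored record alone cannot be turned back into the password."""
    _algo, iters, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(candidate.hex(), digest_hex)


if __name__ == "__main__":
    # Constructed input: one password hashed twice with fresh random salts.
    first = hash_password("correct horse battery staple")
    second = hash_password("correct horse battery staple")
    print("records differ:", first != second)                         # True
    print("right password:", verify_password("correct horse battery staple", first))  # True
    print("wrong password:", verify_password("correct horse", first))  # False
    # No length limit is inherent to hashing: a 200-character password stores fine.
    print("long password:", verify_password("p" * 200, hash_password("p" * 200)))   # True
```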

  8. 699

    I tried using two factor authentication on both my Macs and PCs and realized that sometimes, iCloud won't let you fully approve the Apple account on a Windows Phone, for instance, and sometimes I've had issues with Microsoft accounts, as well, on Macs. To avoid the headaches, I've just been changing my passwords more frequently and NOT using 2 factor auth. I think we still have a long way to go to make this work seamlessly across devices and operating systems. Thanks for the great tips, though!

  9. 9735

    In reply to jboman32768:

    Managing your passwords online increases the risk of passwords being breached and of inside threats. The good news is that you can still manage your passwords online while limiting those risks, and the solution is to use PasswordWrench (https://www.PasswordWrench.com). The reason why it's safe is very simple: they don't ask you to enter your passwords into their system and they don't record your passwords. They provide a new approach to password management to eliminate those risks. After all, if this can be done, it's a lot easier to manage them online; there is no synchronization of tools or software to do, so your efforts are kept to a minimum. Using complex passwords is not easy and a password manager is a good tool to use.

  10. Minok

    Ah, Microsoft account - my arch nemesis. Security is guaranteed by not being able to GET my identity. For reasons only Microsoft knows for sure and their Indian call center cannot explain as it's not in the script, I cannot get my [email protected]

    You would think someone has it... right? Nope, I'm not Bob Smith... there is no other like me. If I ask for a password reminder it says no such account exists. As expected... it's not assigned. But trying to register it and Microsoft says no can do, mister... you cannot have it. So what idiotic hard-coded policy does MSFT have in place that would prevent me from getting a Microsoft account that uses my full name? The best guess me and my friends have come up with is that MSFT is flagging any that contain specific keywords as substrings. My name has the letters M-A-I-L in there... so our guess is it's verboten.

    Security guaranteed as no one, not even me, can actually GET my identity.
