Protecting against a password manager breach: part 2
A recipe for keeping your online accounts safe
In part 1 of Protecting against a password manager breach, in light of LastPass’ recent back-to-back security incidents (i.e. one long, drawn-out incident), I provided an overview of how password managers could be successfully breached and what users of password managers can do to protect themselves against such a breach. In this context, a successful password manager breach means decrypted data from a password manager is obtained by a malicious actor.
Let’s dive a bit deeper into how best to combine and use these ingredients for hardening your online accounts in the event your password manager (or really any of your passwords in general) gets breached.
Harden your password manager and online accounts
Here’s a summarized checklist of steps you can start taking to harden your password manager and online accounts. I’ve also ported this over to GitHub in an actual checklist format, partly to encourage folks to submit pull requests with additional ideas or edits.
NOTE: As mentioned in part 1, for the sake of simplicity and security, this guide assumes you’re only using Apple devices. I'm also assuming you’re using 1Password, BitWarden, Authy, and two YubiKeys.
Securely set up 1Password
Set up 1Password for creating and storing passwords and password equivalents, such as security question answers. Especially in light of LastPass’ latest incident update, 1Password’s Secret Key feature, which is built in at the moment of account creation, guarantees universal protection against offline brute-force attacks.
Use a unique passphrase for logging into 1Password
Set up MFA with YubiKeys only
Store your 1Password passphrase in a secure place (fireproof safe = better security, Apple Keychain = better usability)
Your 1Password Secret Key can be stored in the same place since it's designed to be an entropy-boosting addition to your password
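To show why a Secret Key blunts offline brute force, here is an added toy model (not 1Password's code or its real 2SKD algorithm; the derivation layout, iteration count, secret-key format and toy cipher are all assumptions): the vault key mixes a stretched, guessable password with a 130-bit secret that only lives on the user's devices, so someone holding the encrypted vault blob, and even the correct password, still cannot unlock it.

```python
"""Toy two-secret key derivation modelled on the Secret Key idea above.
Assumptions: NOT 1Password's real 2SKD; stdlib-only toy cipher; 100k PBKDF2 rounds."""
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumed work factor, not a vendor parameter

def generate_secret_key() -> str:
    # 26 symbols from a 32-symbol alphabet = 130 bits of entropy (format is constructed).
    alphabet = "ABCDEFGHIJKLMNOPQRSTUVWXYZ234567"
    raw = "".join(secrets.choice(alphabet) for _ in range(26))
    return "-".join(raw[i:i + 6] for i in range(0, 26, 6))

def derive_vault_key(password: str, secret_key: str, salt: bytes) -> bytes:
    # Slow, guessable half: the human-chosen password, stretched with PBKDF2.
    pw_part = hashlib.pbkdf2_hmac("sha256", password.encode(), salt,
                                  PBKDF2_ITERATIONS, dklen=32)
    # Unguessable half: the device-held secret key, bound to the same salt.
    sk_part = hmac.new(secret_key.replace("-", "").encode(), salt, hashlib.sha256).digest()
    # Neither half alone yields the vault key.
    return bytes(a ^ b for a, b in zip(pw_part, sk_part))

def _keystream(key: bytes, length: int) -> bytes:
    blocks = [hashlib.sha256(key + i.to_bytes(4, "big")).digest()
              for i in range(length // 32 + 1)]
    return b"".join(blocks)[:length]

def lock_vault(plaintext: bytes, key: bytes) -> tuple:
    # Toy stream cipher plus an HMAC tag, standing in for real authenticated encryption.
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, len(plaintext))))
    tag = hmac.new(key, ciphertext, hashlib.sha256).digest()
    return ciphertext, tag

def unlock_vault(ciphertext: bytes, tag: bytes, key: bytes):
    # Wrong password OR wrong secret key -> wrong key -> tag mismatch -> no plaintext.
    expected = hmac.new(key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(key, len(ciphertext))))

def guess_space_bits(password_bits: float, secret_key_known: bool,
                     secret_key_bits: int = 130) -> float:
    # Search space an offline attacker faces with a stolen vault blob: the password alone
    # only if the secret key leaked alongside it, otherwise password + secret key.
    return password_bits if secret_key_known else password_bits + secret_key_bits
```

The last function is the practical takeaway: the Secret Key only helps while it stays out of the same place the vault blob was stolen from, which is why it belongs with your passphrase and not in the vault itself.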
Harden foundational accounts
These are accounts that, if compromised, could be used to reset account passwords or access Passkeys.
Ensure your email account has a strong password and MFA set up with YubiKeys
Use Gmail (Google’s security is top notch). If you're extra paranoid, use Protonmail
Ensure your Apple ID has a strong password and MFA set up with YubiKeys
Protect against SMS MFA code theft
Some of your accounts may still only support SMS MFA codes (and any form of MFA is better than no MFA). Similarly, some sites and apps, such as Authy, use mobile phone numbers for account creation. Hardening your mobile phone number and account is essential in these contexts.
Create a strong password for your mobile carrier online account
Set up MFA on your mobile carrier online account
Set up a mobile carrier PIN to protect against SIM hijacking (Verizon, T-Mobile, AT&T, Sprint, Cricket)
Set up a Google Voice number to be used for SMS MFA (you can disassociate it from your mobile phone number later on for added security)
Ensure Google Account has strong password and YubiKey-only MFA enabled
Securely set up Authy
Use Authy whenever time-based one-time passcode (TOTP, aka “Google Authenticator”) MFA is the most secure option available. If you’re extra paranoid and are willing to make some usability sacrifices, try storing your MFA codes on a YubiKey and using Yubico Authenticator to access them.
Set up Authy using your Google Voice number
Enable Authy Backups and create and store a randomly generated Backup Password with 1Password
Disable Authy Multi-Device access and only re-enable it when you're setting up Authy on another device
If you are able to, install Authy on at least two devices so you don't have to go through a painful account recovery process if your only Authy-installed device breaks, is lost, etc.
Securely set up BitWarden
Set up BitWarden for storing TOTP MFA recovery codes and MFA recovery code equivalents, such as seed keys.
Set up a BitWarden account using an email address from a different provider
E.g. if you used Gmail for your 1Password account and other accounts, use Protonmail for your BitWarden account
Use a unique passphrase for logging into BitWarden
Store your BitWarden passphrase in a secure place (fireproof safe = better security, Apple Keychain = better usability) but not in your 1Password vault
If you're already paying for BitWarden, set up MFA with YubiKeys only. Otherwise, set up TOTP MFA codes using Authy
Enable MFA everywhere you can
Don’t delay, enable MFA today! This is essential for protecting your accounts in the event their passwords are compromised.
Use 1Password Watchtower to identify accounts that support MFA and ensure MFA is set up on all of them
Explore 2fa.directory to identify additional accounts that support MFA and ensure MFA is set up on all of them
Change compromised and vulnerable passwords
Use 1Password Watchtower to identify passwords of yours that have been caught up in past data breaches
Change each compromised or vulnerable password
Change weak and reused passwords
Use 1Password Watchtower to identify weak and reused passwords of yours
Change each weak or reused password
Replace passwords with Passkeys (WebAuthn) where possible
Detect account compromises as they happen
Set up email rules for new device login, suspicious login, password reset, and MFA change notifications
Start treating rogue SMS MFA codes and push notification MFA prompts with suspicion, changing passwords when a benign cause of the rogue codes/prompts can't be identified
This applies especially if you receive a message from someone who claims to need your MFA codes or asks you to approve push notifications. If this happens, change your passwords and report it to your account provider ASAP
That’s it for now. When all is said and done, this is what your password manager and online account security “architecture” will look like:
Stay tuned for part 3 of this series where I’ll cover how password manager developers can secure their software development lifecycle (SDLC) and cloud infrastructure to protect their customers.