How I secure website logins

Oh, hey, I have a blog. How’s everyone been over the past, uh, decade?

Anyway, I wanted to write about securing website logins. This is something I’m not really an expert in, though I do have some facility with computer security in general. But I’ve been doing a lot of thinking and research lately, and I think this is something I can communicate to a slightly less technical audience. So let’s give it a shot.

Oh, you should know that I’m pretty into lists lately. Anyway.

First, here are some definitions:

  1. A password manager is a tool that stores your passwords and generates good, long, random ones for you. Password reuse from site to site is the biggest risk for being hacked these days, so a password manager is vital.
  2. It’s important to identify your critical accounts. These are the ones that would really screw you over if they were hacked. Top of the list must be Google/Apple IDs, your password manager, and your email. Banking websites would also qualify, except the banking industry is frustratingly behind the times with all of this stuff, so it generally doesn’t matter if you consider them a critical account or not.
  3. A hardware security key is a small USB device, similar in appearance to but usually smaller than a USB “thumb drive”, which gives you a bunch of additional security options. Yubikeys are probably the most common, so if you haven’t heard of them, you probably haven’t heard of hardware keys in general. One neat thing about them is that it’s impossible to copy security credentials off of them. They can’t be cloned, synced, or backed up.
  4. A second factor for logging in somewhere, which leads to 2-factor authentication or 2-step verification, is something you enter on a website when logging in, in addition to your username and password. The reason it adds to the security is that it usually either requires an additional account or device to access, or it requires biometric input such as a fingerprint or face identification. One particular kind of 2nd factor that I don’t like is SMS verification, because it has several decent-sized security flaws. Email verification is better but still not ideal.
  5. TOTP is the most common form of 2nd factor that I like. This is the thing where you scan a QR code when you set up 2FA, and then the app on your phone generates a new 6-digit code every 30 seconds until the end of time. You’ve almost certainly seen it. TOTP is pretty good.
  6. FIDO2 U2F is a newer form of 2FA. Instead of a 6-digit code, you plug in your security key (or connect it wirelessly) and tap a button on it. It’s also neat because security keys can “store” a literally unlimited number of them! (FIDO2 U2F is technically an obsolete name, but I think it’s useful so I still use it.) This option is starting to be phased out, though, in favor of:
  7. Passkeys! The hot new technology. (They’re also known as FIDO2 or WebAuthn credentials.) These are things that enable passwordless logins to websites! They’re not physical things, any more than a TOTP setup is a physical thing. They’re secure because you need to verify yourself with the thing that stores them (enter a PIN to unlock your Yubikey, or use FaceID to unlock your phone’s passkey storage, or whatever). In a sense, they obsolete the traditional idea of 2-factor verification, because the 2 factors now are (1) having the device on which the passkey is stored, and (2) having the ability to unlock that device. They come in two different flavors:
    1. Non-resident/non-discoverable credentials enable passwordless logins, and a hardware key can “store” an unlimited number of them. In practice, this isn’t really used to replace passwords, and instead is used more often as a 2nd factor, which makes it identical to FIDO2 U2F. They’re not actually different things. Some people would say that these aren’t even really passkeys, and the only things that can be called passkeys are:
    2. Resident/discoverable credentials enable usernameless and passwordless logins! They do, however, take up a storage “slot” in a hardware key. In practice, sites are not using them to replace usernames very much just yet, at least in my experience, but they’re definitely starting to be used as a passwordless option.
  8. Passkeys can also be stored in one of two ways:
    1. Hardware-bound passkeys, stored on a hardware key, can never leave that key. When you switch hardware keys, you go back on the website and set up an additional passkey.
    2. Copyable/software-based passkeys are ones you store on your phone, or in a password manager. They can be synced through the cloud and made available on other computers or on your next phone.
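To make items 7 and 8 concrete, here is an added example in Go, my own code rather than anything from the post, modelling a WebAuthn-style passkey registration and login: the private key is created on the authenticator and never leaves it, the site stores only a credential id and a public key, a discoverable credential can be found by site alone (usernameless login), the user-verified flag carries the “can you unlock the device” factor, and a key registered for example.com is never even offered to a lookalike origin. The hosts `example.com` and `examp1e.com` and every name in it are constructed; the flag bits 0x01 and 0x04 are the real authenticatorData UP/UV positions, but authenticatorData is reduced to rpIdHash plus flags and clientDataJSON to the bare challenge, so this is a model of the protocol, not a WebAuthn implementation.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

const flagUP, flagUV = 0x01, 0x04 // authenticatorData flag bits: user present (touch), user verified (PIN/biometric)

type credential struct { // lives on the authenticator (hardware key or phone); priv never leaves it
	id           []byte
	rpID         string // site the key is bound to, e.g. "example.com"
	discoverable bool   // resident: findable by rpID alone, costs a storage slot
	priv         ed25519.PrivateKey
}
type authenticator struct{ creds []*credential }
type assertion struct{ credID, authData, clientData, sig []byte }

// register makes a fresh Ed25519 key pair bound to rpID; the site gets only an id and the public key.
func (a *authenticator) register(rpID string, discoverable bool) ([]byte, ed25519.PublicKey) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	id := sha256.Sum256(pub) // credential ids are opaque bytes the key chooses; a hash of pub will do here
	a.creds = append(a.creds, &credential{id[:], rpID, discoverable, priv})
	return id[:], pub
}

// assert signs a login challenge. The browser derives rpID from the page origin, so a key made for
// example.com is never offered to examp1e.com. A nil credID (usernameless login) needs a discoverable one.
func (a *authenticator) assert(rpID string, credID, challenge []byte, flags byte) (*assertion, error) {
	var c *credential
	for _, k := range a.creds {
		if k.rpID == rpID && ((credID == nil && k.discoverable) || string(k.id) == string(credID)) {
			c = k
		}
	}
	if c == nil {
		return nil, errors.New("no credential for this site")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], flags) // real authenticatorData also carries a signature counter
	sig := ed25519.Sign(c.priv, signedMessage(authData, challenge))
	return &assertion{c.id, authData, challenge, sig}, nil
}

// signedMessage is what the key signs: authData || SHA-256(clientData); real clientDataJSON also carries type and origin.
func signedMessage(authData, clientData []byte) []byte {
	cd := sha256.Sum256(clientData)
	return append(append([]byte{}, authData...), cd[:]...)
}

// relyingParty is the website. It holds public keys only: a database breach yields nothing reusable.
type relyingParty struct {
	rpID string
	keys map[string]ed25519.PublicKey // keyed by credential id
}

func (rp *relyingParty) verify(challenge []byte, as *assertion) error {
	pub, ok := rp.keys[string(as.credID)]
	want := sha256.Sum256([]byte(rp.rpID))
	switch {
	case string(as.clientData) != string(challenge):
		return errors.New("challenge mismatch (replayed or forged assertion)")
	case len(as.authData) != 33 || string(as.authData[:32]) != string(want[:]):
		return errors.New("assertion was made for a different site")
	case as.authData[32]&flagUV == 0:
		return errors.New("user verification required: unlock the authenticator first")
	case !ok || !ed25519.Verify(pub, signedMessage(as.authData, as.clientData), as.sig):
		return errors.New("unknown credential or bad signature")
	}
	return nil
}

func demo() map[string]error { // one discoverable passkey for example.com, then the cases the post describes
	auth := &authenticator{}
	site := &relyingParty{rpID: "example.com", keys: map[string]ed25519.PublicKey{}}
	id, pub := auth.register(site.rpID, true)
	site.keys[string(id)] = pub
	login := func(originRP string, credID []byte, flags byte) error { // one round trip
		ch := make([]byte, 32) // fresh challenge from the site
		rand.Read(ch)
		as, err := auth.assert(originRP, credID, ch, flags) // signed via a browser at originRP
		if err != nil {
			return err
		}
		return site.verify(ch, as)
	}
	return map[string]error{
		"login":        login("example.com", id, flagUP|flagUV),  // ordinary passkey login
		"usernameless": login("example.com", nil, flagUP|flagUV), // discoverable: no username typed
		"locked":       login("example.com", id, flagUP),         // key touched but not unlocked
		"phish":        login("examp1e.com", id, flagUP|flagUV),  // lookalike site: the key refuses
	}
}

func main() { fmt.Println(demo()) }
```

Run it and four outcomes print: `login` and `usernameless` succeed, `locked` is refused by the site because the UV bit is clear, and `phish` never gets a signature at all because the authenticator holds no credential for that origin. That last case is the property a 6-digit code cannot offer: typed into the wrong site, a TOTP code works there just as well as on the real one.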

Got it? Cool. OK, so here’s what I currently do, in a world where passkeys are just starting to become a thing:

  1. I have two Yubikeys. Two because one of them is a backup that doesn’t leave my house. Yubikeys can do passkeys, FIDO2 U2F, and TOTP. I like doing TOTP on my Yubikey because that way I don’t have to worry about syncing it to a new phone. And when I’m at a computer for hours at a time such as at work, I leave my Yubikey plugged in all day (I work from home, so bathroom breaks aren’t a security risk) and then I can access TOTP on my computer without pulling out my phone.
  2. I have Bitwarden as my password manager. Bitwarden is really great. I log into it with my username, a memorized password (one of the few passwords I have to memorize!), and FIDO2 U2F. I recommend Bitwarden to everyone, and for only $10/year, you get additional features such as “give this other Bitwarden account access to some of my passwords if I die”.
  3. All websites I use other than Bitwarden itself have their username/password in Bitwarden. I don’t know any of the passwords in my head.
  4. For websites that support FIDO2 U2F, I do that. I have both Yubikeys registered.
  5. For websites that don’t support that but do support TOTP, I do that. I use my Yubikeys, and I make sure to have both keys on me when I set up a new website, so I can scan the QR code into both keys and get the same 6-digit codes on each.
  6. I don’t like using my Bitwarden to store 2nd factors at all. Keeping a password and a corresponding TOTP secret in the same place doesn’t seem like a great idea to me.
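The “same QR code into both keys” trick in item 5 works because the QR code is just an otpauth URI carrying a shared secret, and the 6-digit code is a pure function of that secret and the clock. Here is an added example in Go, my own rather than the post’s, that parses such a URI, derives the RFC 6238 code for a time step, shows two keys provisioned from the same URI agreeing, and does the website’s side too: a one-step clock-skew window and refusal of a code that was already used. The URI, issuer and account name are constructed for the example, and the secret is the RFC 6238 test-vector key, not anyone’s real secret.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha1"
	"encoding/base32"
	"encoding/binary"
	"fmt"
	"net/url"
	"strings"
	"time"
)

// Constructed sample of what an enrollment QR code encodes: an otpauth URI carrying the
// shared secret in base32. The secret is the RFC 6238 test-vector key, not a real one.
const sampleURI = "otpauth://totp/Example:alice%40example.com?secret=GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ&issuer=Example&period=30&digits=6"

// secretFromURI does what each key does when it scans the code: extract the shared secret.
func secretFromURI(uri string) ([]byte, error) {
	u, err := url.Parse(uri)
	if err != nil {
		return nil, err
	}
	s := strings.ToUpper(u.Query().Get("secret"))
	return base32.StdEncoding.WithPadding(base32.NoPadding).DecodeString(s)
}

// stepAt maps a wall-clock time to its 30-second step number.
func stepAt(t time.Time) uint64 { return uint64(t.Unix()) / 30 }

// totp is RFC 6238 with the usual defaults (HMAC-SHA1, 6 digits): HOTP over the step number.
func totp(secret []byte, step uint64) string {
	var counter [8]byte
	binary.BigEndian.PutUint64(counter[:], step)
	mac := hmac.New(sha1.New, secret)
	mac.Write(counter[:])
	h := mac.Sum(nil)
	off := h[len(h)-1] & 0x0f // dynamic truncation: the low nibble picks a 4-byte window
	code := binary.BigEndian.Uint32(h[off:off+4]) & 0x7fffffff
	return fmt.Sprintf("%06d", code%1000000)
}

// verifier is the website's side. It holds the same secret the keys hold, which is exactly why
// that secret should not sit next to the password: whoever reads it can mint valid codes.
type verifier struct {
	secret   []byte
	lastStep uint64 // highest step already accepted
}

// verify accepts the code for the current step or one step either side (clock skew)
// and refuses any step it has already accepted (replay within the window).
func (v *verifier) verify(code string, now time.Time) bool {
	cur := stepAt(now)
	for _, s := range []uint64{cur - 1, cur, cur + 1} {
		if s > v.lastStep && hmac.Equal([]byte(totp(v.secret, s)), []byte(code)) {
			v.lastStep = s
			return true
		}
	}
	return false
}

// demo: two keys scan the same QR, the site accepts the code once and refuses its reuse.
func demo(now time.Time) (codeA, codeB string, accepted, replayAccepted bool) {
	keyA, _ := secretFromURI(sampleURI) // first Yubikey scans the code
	keyB, _ := secretFromURI(sampleURI) // backup Yubikey scans the same code
	site := &verifier{secret: keyA}      // the site generated this secret and put it in the QR
	codeA, codeB = totp(keyA, stepAt(now)), totp(keyB, stepAt(now))
	accepted = site.verify(codeA, now)
	replayAccepted = site.verify(codeB, now) // same digits, same step: must be refused
	return
}

func main() {
	a, b, ok, replay := demo(time.Now())
	fmt.Printf("key A: %s  key B: %s  accepted: %v  replay accepted: %v\n", a, b, ok, replay)
}
```

Both keys print the same digits because they hold the same bytes, and the `verifier` holds those same bytes as well; that is the single-point-of-failure concern in item 6 made visible. Compare a passkey, where the site keeps only a public key and a copy of its database gives a thief nothing to log in with.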

This all works pretty well and I’m pretty happy with it! But I would like to try Passkeys more. Passwordless login sounds really great to me, and there are also security reasons why they’re better than passwords, better than TOTP, and much much better than SMS-based 2FA or not having 2FA at all.

So here are my login-related goals in the coming years. This was hard to figure out, but I spent a couple dozen hours on it and I think I’m pretty happy with this plan:

  1. I’m not going to change anything about my Bitwarden login. I’m happy with the way it is now. FIDO2 U2F is really pretty good, and going passwordless would make me nervous even if it’s technically just as secure. Maybe I’ll revisit this later.
  2. Some critical accounts, I can’t do better than I am now. (The banking industry is really annoying about this! Why do they like SMS so much?) I’ll make sure to have the flag on in Bitwarden for my banking accounts so that I need to re-auth to Bitwarden every time I access these passwords. Some banking websites do let me use TOTP, and I’ll keep doing TOTP through my Yubikeys.
  3. For critical accounts that let me use passkeys, I’m going to do this! And I’m going to use my Yubikeys to make hardware passkeys. I don’t want my credentials for critical accounts to be cloud-synced.
  4. For less critical accounts that let me use passkeys…this is the hard one. This is why I needed to spend so long thinking about this, and this is why I’m bothering to write this blog post. Here’s what I’ve learned:
    1. Chrome has pretty good support for setting up passkeys and using passkeys. You’re prompted with options that, for my purposes, boil down to “Where is this passkey? Is it on a hardware key, is it on your Bitwarden browser plugin, or is it on some external thing like your phone?” But I don’t use Chrome much, I use Firefox mostly. Firefox is behind in this support. I can manage to have it check my Yubikey rather than the Bitwarden plugin, but I can’t get it to give me the option to use my phone’s passkey storage.
    2. I don’t really want to store passkeys in Bitwarden, any more than I want to store second factors in there. It’s actually probably fine, but I haven’t convinced myself of that yet.
    3. One thing about using passwordless login with passkeys is that you end up doing it a lot more often than you do a 2nd factor with a password-based login. I don’t want to have to plug in my Yubikey every single time I log in to a non-critical account; that feels like it will get annoying. (One nice thing about using TOTP is that you can look at the 6 digits on one device and enter them on another. Or it can be the same device. Up to you. If you’re using a hardware key as a passkey, though, you have to plug it into the same device. Sometimes that’s much more annoying, especially since my Yubikeys don’t have NFC support.) Also, my Yubikey can only support something like 25 discoverable passkeys, and I feel like I’ll bump up against that limit pretty quickly if I use it for everything.
    4. Phone-based storage of passkeys is pretty secure, given modern phone security. It’s a bit more obvious how to do it on iPhones, but I figured it out on my Android anyway. The real hurdle for me was realizing that I wasn’t getting anywhere with Firefox on my laptop. Once I started testing out the workflow with Chrome, it went fine.
    5. So I think my plan is to wait until Firefox support for passkeys gets better, and then start moving my non-critical logins to phone-based passkeys.
  5. My goal will be to remove sites from Bitwarden entirely once I have them set up with Passkeys. Or maybe I’ll store a password in there as a backup, but the plan will be that Bitwarden isn’t a part of my login flow for sites where I’m using passkeys.
  6. I think I might need one more place to store things like backup codes, maybe TOTP secrets (in the form of the QR code you get when you first set it up), maybe a 3rd hardware key as an emergency backup, etc. I haven’t decided yet if I want this to be a digital place (a second password manager?) or a physical place (fire safe in my house?). I don’t want backup codes and TOTP secrets in Bitwarden for the reason I’ve addressed already: I don’t want to make Bitwarden a single point of failure for sites that I’ve so carefully set up a good 2nd factor or passkeys for.
  7. Yubikey hasn’t released a new model in a while, so I’m exploring options for other brands of keys that have a much higher resident passkey storage limit (and a slightly higher TOTP storage limit too). Or maybe I should just get a new Yubikey; mine is a slightly older model than their newest, which doesn’t do NFC (I can plug it into my phone’s USB port but it’s a bit fiddly) and which has no real ability to manage resident passkeys.

Any questions? Uh, comments are off, so if you know another way to reach me, ask me there! Have a good day, and I’ll write to you again in 2035 or so.

Accuweather long-range forecast accuracy questionable

Introduction

About 14 months ago, Accuweather extended its long-range forecasting to 25 days.  Forecasters at the Washington Post’s Capital Weather Gang and at the independent Phillyweather.net both expressed significant skepticism that any forecast could be accurate at that distance.  Tom from Phillyweather.net ran a small sample, confirming his impressions.

About 6 months ago, I also ran a small sample test.  I collected 25 days worth of Accuweather’s forecasts for a single future day, comparing them to each other and then to the final weather for that day.  The forecasts weren’t that great, as I expected.  But again, this wasn’t much of a sample size.  I wanted to go bigger.  Now, over 6 months after my last post, I now have data comprising all of (astronomical) winter and spring, and it’s time to see the results.

Surviving the Boston Marathon bombings

3 people died in the horrible, evil bombings at the Boston Marathon 2 days ago.  6.9 billion people did not.

Here are some of the ways those people survived:

By never having been to the United States before.

By living in the United States, but having never been to Boston.

By having visited Boston, but not this week.

By being in Boston every day, but not near the marathon.


Accuweather forecast accuracy: a preview

Here’s a preview of a little something I’ve been working on: An analysis of Accuweather’s 25-day forecast for self-consistency and accuracy.

Here’s what the forecast high temperature looked like for today, December 10, 2012 for zip code 19103, on the 25 days leading up to today, as compared to the historical normal high for today, and today’s actual temperature:


Voter protection information 2012

Fair and safe elections are a huge passion of mine, and even though there’s much more information out there for the average voter than there was 4 or 8 years ago, I’m still going to continue my tradition of posting some information about voter rights before the election.  Please share this post widely.

A disclaimer: I live in Philadelphia, and my information comes from Philadelphia sources.  I’ll do my best to distinguish between federal and PA information where applicable, but some local stuff might slip in where it doesn’t belong.

FEDERAL RIGHTS:

Most important: The phone number 866-OUR-VOTE.  It’s easy to memorize, but still, program it into your phone AND write it down.  If you have it written down, you can give it to people you meet while voting, if they need it.  866-OUR-VOTE is a nationwide hotline to report polling place problems, voter intimidation, poll workers or printed materials with incorrect information, polls not opening on time, or any other problems that can lead to violations of election law and/or voter disenfranchisement.  It’s also the number to call if you don’t know if you’re registered to vote, don’t know where your polling place is, or aren’t being permitted to vote where and when you think you should be.  (I’ll be volunteering with the Committee of Seventy, which answers 866-OUR-VOTE calls in the Philadelphia area.)

You have the right to a provisional ballot!

NHC FAQ For People Who Like Things Like Hadar

In its own words, “The National Havurah Committee (NHC) is a network of diverse individuals and communities dedicated to Jewish living and learning, community building, and tikkun olam (repairing the world). For over 30 years, the NHC has helped Jews across North America envision a joyful grassroots Judaism, and has provided the tools to help people create empowered Jewish lives and communities. The NHC is nondenominational, multigenerational, egalitarian, and volunteer-run.”

Many people affiliated with the independent minyan scene, and/or organizations named Hadar, would find that they have a lot in common with the aims and ethos of the NHC and the members of that community.  At heart, the Hadar world and the Havurah world share the critique of American Judaism’s reliance on institutions and the idea that Judaism is about living values, not supporting institutions per se.  And many of the manifestations of that critique, in terms of the sorts of learning, discussions, prayer, and communities generated, are also shared between the two worlds.

Many folks have noticed some sentiment over the years, among Hadar and/or independent minyan individuals who have not attended NHC events, that the NHC is not for them.  That may well be true.  However, that sentiment is often grounded in a misunderstanding of what the NHC is, and the goal of this FAQ is to attempt to correct that.

Q: “Havurah”?  Really?  That still exists?  Wasn’t the Havurah movement, like, in the 70s?


A blog? That’s so 2006!

Most of what I and others write these days is short form, suitable for Twitter or Facebook.  But sometimes I want to write something longer, and lament for a good place to put it.  (Older blogging platforms that skew toward personal writing are not necessarily the right place to put things that one wants available to a larger audience.  And Facebook’s Notes just aren’t “a good place” for anything.)

So, a WordPress blog.  Expect infrequent updates, as the urge to write stuff strikes.