Credential Management
Credential and password management is one of the most important security practices. Many people learn the hard way after their accounts are breached or their information is sold off to nefarious companies and governments. Prevent yourself from being a victim.
Here are some guidelines:
- Use a unique, strong password for each online account.
- Use a unique username and email address for each account.
- Use a different credit card for each account that requires one.
- Use a separate phone number for accounts you do not want tied to your real identity.
Online services are breached every day with the data sold to anybody who will pay for it. Data brokers legally buy up and collect data from many services. If your credentials are unique to each site, your individual damage is limited to that service. Hackers cannot use the info from one breach to breach your other accounts, and data brokers cannot match up the data from other accounts to add to your dossier that they sell on to advertisers and government agencies.
Password Managers
Some of us have hundreds of different accounts, so it is impossible to remember the unique usernames, complex passwords, and email addresses used for each. This is where a good password manager is very important. You could write everything down on a piece of paper that you hide someplace safe, but that is inconvenient and has other problems. A password manager is software that lets you remember only one password to access all of your safely stored credentials. Here are some I recommend:
Password Manager | Pros | Cons
---|---|---
Bitwarden | Generous free tier from Bitwarden with great apps for all platforms | Your vault is stored encrypted on a Bitwarden or Ravergram server.
Nextcloud Passwords | Built into your existing Nextcloud account here; stored online but managed by someone you trust | Some apps are still WIP, so not as fully featured. Your vault is stored encrypted online, but on this server.
KeePassXC | Locally managed on device; great features | You must manage your backups carefully to ensure you don't lose your vault. Accessing the vault from multiple devices is not possible.
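Whichever manager you pick, the value comes from letting it generate a long random password per site rather than inventing one. The following is an added example, not code from this page or from any of the managers above, showing what "strong and unique" means in numbers: a CSPRNG-backed generator that draws from all four character classes, an entropy estimate for the result, and a diceware-style passphrase generator for the one master password you still have to remember. The wordlist is a constructed stand-in for a real diceware list.

```python
import math
import secrets
import string

# Character classes every generated password must contain.
CLASSES = [string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation]
ALPHABET = "".join(CLASSES)  # 26 + 26 + 10 + 32 = 94 symbols

# Constructed stand-in wordlist; a real diceware list has 7776 words.
WORDS = ["anchor", "basil", "copper", "delta", "ember", "falcon", "garnet",
         "harbor", "indigo", "juniper", "kestrel", "lumen", "marble", "nectar",
         "orbit", "pebble", "quartz", "river", "saffron", "tundra"]


def has_all_classes(password: str) -> bool:
    """True when at least one character from each class is present."""
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length: int = 20) -> str:
    """Uniformly random password over ALPHABET, with every class present.

    `secrets` uses the OS CSPRNG. Rejection sampling (re-draw until all
    classes appear) keeps the result uniform over the accepted set, unlike
    "pick one of each then shuffle" schemes that skew the distribution.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing entropy of a uniformly random string: length * log2(alphabet).

    This is why a generated 20-character password (~131 bits) beats any
    human-chosen one; a human pattern has far fewer bits than its length suggests.
    """
    return length * math.log2(alphabet_size)


def generate_passphrase(n_words: int = 6, wordlist=WORDS, sep: str = "-") -> str:
    """Diceware-style master passphrase: memorable, with entropy n * log2(len(wordlist))."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def per_site_passwords(sites, length: int = 20) -> dict:
    """One independent password per site, the way a manager stores them."""
    return {site: generate_password(length) for site in sites}


if __name__ == "__main__":
    vault = per_site_passwords(["bank.example", "shop.example", "forum.example"])
    for site, pw in vault.items():
        print(f"{site:15} {pw}  ({entropy_bits(len(pw)):.1f} bits)")
    print("master:", generate_passphrase(),
          f"({entropy_bits(6, len(WORDS)):.1f} bits with this toy list)")
```

Note that the passphrase's entropy depends on the wordlist size, not the letters in the words: six words from the toy 20-word list is only about 26 bits, while six from a 7776-word list is about 77 bits.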
Email Management
This is a good document, but my summary is below.
Your email address is often a real identification of who you are. You may choose to provide real identification email addresses to some accounts you trust such as your bank, but for most accounts, it is best to provide anonymous unique addresses. You can maintain a single email inbox with many aliases these ways:
- Buy a domain at a registrar such as Njalla (anonymous), Gandi or Porkbun. Then create a catch-all forward to your inbox. I will give you a free subdomain from one of mine if you just ask me and give me the email address to which to forward.
- https://simplelogin.io/ or Anonaddy.com provide alias management for a small fee.
- Your email inbox provider might provide you with alias services. Fastmail.com, proton.me, tuta.net, and other private email services have this built in. If you are using an email service supported by advertising, which you are not paying for, it is probably not private. See the Be Not Beholden document for more on email.
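With a catch-all domain, every address you hand out is unique, so an alias that starts receiving mail from someone other than the service you gave it to tells you exactly which service leaked, sold, or lost it. The following is an added example, not code from this page or from any alias provider, of the bookkeeping side of that: minting a random per-service alias, mapping an incoming To: address back to the service, and auditing a constructed inbox for aliases contacted by unrelated senders. The alias domain and the message samples are constructed placeholders.

```python
import re
import secrets
from typing import Optional

# Constructed placeholder: in practice, the domain whose catch-all forwards
# into your real inbox (assumption, not a domain from the page).
ALIAS_DOMAIN = "aliases.example"


def make_alias(service: str, service_domain: str, registry: dict,
               token_hex_bytes: int = 3) -> str:
    """Mint a unique address for one service and record who it was given to.

    The random token means one leaked alias reveals nothing about the alias
    used at any other service, so brokers cannot join your accounts on it.
    """
    label = re.sub(r"[^a-z0-9]", "", service.lower()) or "acct"
    alias = f"{label}.{secrets.token_hex(token_hex_bytes)}@{ALIAS_DOMAIN}"
    registry[alias] = {"service": service, "domain": service_domain.lower()}
    return alias


def identify_source(to_address: str, registry: dict) -> Optional[str]:
    """Which service did you give this address to? None if it is not one of yours."""
    entry = registry.get(to_address.strip().lower())
    return entry["service"] if entry else None


def sender_domain(from_header: str) -> str:
    """Domain part of a From: header such as 'Alerts <alerts@mybank.example>'."""
    return from_header.rsplit("@", 1)[-1].strip(" >").lower()


def audit_inbox(messages: list, registry: dict) -> list:
    """Return (service, sender_domain) for mail that reached a per-service alias
    from a sender outside that service's domain: the signal that the alias
    has been shared or breached. Unregistered catch-all addresses are skipped."""
    findings = []
    for msg in messages:
        entry = registry.get(msg["to"].strip().lower())
        if entry is None:
            continue
        actual = sender_domain(msg["from"])
        expected = entry["domain"]
        if actual != expected and not actual.endswith("." + expected):
            findings.append((entry["service"], actual))
    return findings


def demo() -> list:
    """Constructed walk-through: the bank alias turns up in a broker's mailing."""
    registry = {}
    shop = make_alias("Shop X", "shopx.example", registry)
    bank = make_alias("My Bank", "mybank.example", registry)
    inbox = [  # constructed sample messages
        {"to": shop, "from": "orders@shopx.example"},
        {"to": bank, "from": "Alerts <alerts@mybank.example>"},
        {"to": bank, "from": "promo@data-broker.example"},
        {"to": "random@" + ALIAS_DOMAIN, "from": "x@spam.example"},
    ]
    return audit_inbox(inbox, registry)


if __name__ == "__main__":
    for service, sender in demo():
        print(f"alias given to {service!r} was used by {sender}")
```

Once an alias is flagged you can retire it (delete the forwarding rule, or blackhole that local part) and issue the service a fresh one, without touching any other account.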
Credit Cards
I use and recommend https://privacy.com to create a virtual card for every account. I don't need to give vendors my real name or address either. It has other features, such as spending limits and easy cancellation of the card, which help with sneaky subscription services that make it difficult to cancel.
Phone Numbers
If you give a company your real phone number, they know who is associated with that number unless that number. This is one way they try to identify you. I have several phone numbers. I will give you a phone number to use for SMS verifications, and even calls if you want them. The SMS messages can simply be forwarded to your email inbox if you give me the email address to which to forward. They cost me something, but not much.
More options, if you want to set up your own number, are found at https://kycnot.me.
Multi-factor Authentication
This is also called two-factor authentication. MFA requires you to also authenticate using a secondary device or app, so a stolen password alone is not enough to log in. You should use this whenever possible, especially for important accounts.