🥇 Badge of the Month: Security Tips/ May

Miša Hennin · May 2023

Hey, badge enthusiasts!

Welcome to May's Badge of the Month! As part of our Rewards Program, Badge of the Month gives you an easy way to connect with others and earn a new badge. Your answers don't have to be Meister-related, we'd just like to hear from you 😃.

Want to know the rules? Check out this post.

Already know the rules? Read on to find out what this month is all about!

Badge of the Month: May 2023

May the 4th isn't just Star Wars Day, it's also World Password Day. On World Password Day, everybody is encouraged to consider the strength of their passwords and change any that might be vulnerable. This got me thinking about the issue of digital security more widely - An issue very important to us here at Meister 🔓.

This month, I invite you to share tips and tricks on how we can all improve our security and privacy in an increasingly digital world. How do you stay safe online and keep your data protected? You might recently have downloaded a security add-on, know great tips for strong passwords or have read an enlightening article... Please share your ideas in the comments below ⬇️.

Best,

Miša

Admin BSF.company · May 2023

Hi, incentivizing a more secure internet is always a good idea, so here I'll share my 3 basic recommendations, depending on how serious you want to be about your security online:

Level 1 Security - Beginners: Use a password wallet

Using a password wallet allows you to never re-use the same password over and over because they work like this:

Creates a secure password every time you need to sign up or create a new account.
Stores usernames and password pairs in an encrypted database.
Prompts with available credentials for each site every time you need to sign in.
Allows you to remember only one password: the master password of the wallet.

The best password wallet I can recommend is called BitWarden.

Recommended secure password variations include more than 18 characters, Uppercase, Lowercase, numbers, and special symbols.

In my wallet, no two passwords are the same and the average char size is 30.

Level 2 Security - Intermediate: Enable 2FA everywhere you can

2FA stands for two-factor authentication, which means, that not only the password is required to enter your account, but a dynamic token as well that is usually tied to your mobile device.

This way, a malicious actor not only will have to gain access to your username and password to steal information, but also your mobile device, which is less probable.

Most services allow for this type of security, including email providers, online banking, and social media.

Google Authenticator and Authy by Twilio are two examples of apps you can carry on your mobile with different tokens for different accounts.

Last time I checked, my GA screen cycles around 37 tokens every 60 seconds. The list continues to grow, though…

Level 3 Security - Aficionado: Periodic password rotation

On the internet, one can never be too secure, so the next step to take is to change your passwords periodically using a workflow you establish for yourself.

The advantage of being a sysadmin is that I can make sure practices like this get implemented by making them part of the system design.

I recall several mission-critical systems in which not only me, but all members of the team get a system request upon logging in to change the password using a new secure one.

Conclusion

Of course, there are tons more things to do regarding security tactics and strategies online, like tweaking the longevity of the session cookies, and implementing passwordless session handlers, for example.

The truth is: these 3 are good ones to start because from 100 people that I speak with in a month, not even 2 reach Level 1 suggested above 🤦‍♂️

Enjoy and start acting today before somebody else finds a way to be you 😉

Andrés D'Andrea

Andrew Lapidus · May 2023

Love the excellent suggestions above from @Andres D'Andrea! Before working at Meister, I definitely belonged to the group of "level 0" users who simply didn't consider security all that much. It's been an amazing experience to join the Meister culture, where security informs everything we do!

My tip is about being on guard against phishing - deceiving someone (usually by impersonating a colleague or friend) to divulge sensitive information.

As a well-known software company, employees at Meister receive such e-mails on a daily basis, but this is also becoming more and more relevant in our personal lives (especially as AI allows for even more advanced impersonations!)

Some quick tips for detecting fishing e-mails:

You did not expect this email
The e-mail urges you to immediate action (panic, stress)
The email looks like it’s from a company or person you may trust: It could be from coworkers, partners, or friends
Despite being from a trusted colleague, the e-mail is not personalized, e.g. generic greeting, “Hi”.
The e-mail invites you to click on a link or download an attachment.

At Meister, we only communicate internally via Slack, so any e-mail from a colleague is generally immediately a red flag. Take a look at a couple of real examples we've received:

And another:

Examples like these can be kind of silly, but phishing is a serious cybercrime and is extremely dangerous, especially when it preys on vulnerable people.

Hope you all find these helpful! Looking forward to hearing more tips!

Samuel Schläpfer · May 2023

Well, unfortunately I'm not that good in this as @Andres D'Andrea and @Andrew Lapidus are. I use a analog paper and write down my password. This way I always have access to my password and nobody can hack a analog paper! 😜

Cheers volks and a great week! 🤙

Cornelia Patscheider · May 2023

I love @Andres D'Andrea advice to use a password wallet! I started using one a few years ago, and it changed my way of picking and storing passwords sooo much 😍🔒!!

DorianS · May 2023

Hello everyone!

The world of password management is exciting and ever-changing. I'll keep it short while mentioning some of my favourite takeaways based on my knowledge of the current affairs.

Personally, I would highly recommend using a password manager, in addition to 2FA, whenever possible.

Using a password manager can reduce the number of passwords needed to be memorized to not even a hand full. No matter how many logins you'll need to have.

Regarding the password we need to remember, I recommend using a string of memorable words, also known as a passphrase. For example, pumpkin-treehouse-nuclear-jellyfish. This way, passwords are easy to remember and save. There are also web pages which can create random save passphrases for you.

This combination will allow you to remember your passwords without writing them down. At the same time, you'll achieve a very high degree of password security.

Last but not least, periodically check on your important emails and logins using haveibeenpwned.com. Or, even better, rely on a password manager who automatically scans and flags data breaches. If your password manager does so, you will not have to replace passwords ever again, unless your password manager flags them or you have reason to believe that they have been compromised in any other way.

For further information, check out the NIST Special Publication 800-63B.

I hope this was informative, cheers :)

Miša Hennin · May 2023

Hey!

@Andres D'Andrea Thank you for your insightful contribution. My favourite tip of yours is the password wallet. Before Meister, I had no idea what this was. Slowly, I'd like to move all my personal account passwords to the wallet as well. I also think 2FA is a great method of adding security BUT I have to admit, it really annoys me 😁. I don't like always having my phone with me or beside me which means I'm always having to run up or down stairs to find it when I'm asked for a code.

@Andrew Lapidus Also a good tip… I've definitely received a few of these 😅.

@DorianS Thanks for the link to the website!

One of my tips is similar to Dorian's. Dorian mentioned using a string of memorable words - Another way to make your passwords hard to guess is by choosing a sentence or phrase personal to you, and then creating a password just from the first letter of each word. For example, "I'm going to buy chocolate in the shop later" = Igtbcitsl. (Of course, with most password requirements now you'd have to add some numbers and/or symbols.)

Finally, I wanted to mention something topical (and much loved in our Community) - ChatGPT! At Meister, we had a meeting about the digital/data security concerns of using new AI tools. It goes without saying, we should all be careful when using these new toys 😅. Our legal team advised we never share personal or business information, especially information we don't want to become public.

Thanks for contributing! Hopefully, we can gather some more useful ideas 😎.

Joerg Koper · May 2023

@Andres D'Andrea, @Andrew Lapidus, @DorianS and @Miša Hennin have already described the best measures to provide the security of data. I can only underline them.

I do also use a password manager (open source software "KeePass") on all of my devices and have also enabled 2FA whenever possible.
Furthermore, I change the passwords in a regular interval and do a checkout on haveibeenpwned.com.
Checking the E-Mail header of suspect Mails or unknown sender is also one of the routines in my agency to prevent phishing etc.
To protect the privacy and personal data of ourselves and our clients as much as possible, we do not use WhatsApp. We prefer to use Signal and Threema instead.
To keep an eye on the GDPR (DSGVO in Germany) we try to prevent to make use of meeting software, that stores data out of Europe.
I do also recommend overthinking the massive usage of social media. I never publish unnecessary personal information on such platforms.

Best, Jörg