Good security practices
- Do not store your password in plain text or on paper
- Do not share your credentials with other people
- This includes your parents, significant other, pets, colleagues, boss/superior
- Do not use the same password everywhere
- Or the same password with small changes
- For example
- Do not use personal details in your password
- This makes it vulnerable to dictionary attacks, or social engineering attacks
- For example:
- Date of birth
- Family members
- Favourite animal
- Pet names
- Place of birth
- Favourite numbers
- Or words in general
- Passwords should be more than 16 characters and should contain a varied number of digits, symbols and optional extended ASCII
- This is how a good password looks like:
- This one contains extended ASCII
- Use special software (or hardware) to generate your passwords. (eg: password managers)
- This ensures true entropy is used
- Passwords are managed and encrypted
A password manager is typically a software application or a hardware device that is used to store and manage a person’s passwords and strong passwords. Typically all stored passwords are encrypted, requiring the user to create a master password to access all managed passwords.
- Pick a program from the list below
- You generate a masater password (a very very strong and super super secret password)
- Which you should not forget! If you forget your master password there is no forgot password button. The database is encrypted so you permanently loose access.
- Some password managers allow the generation of a key (which is stored as a file) and can be used to unlock the database
- The key file can also be requiered to unlock the database (This means password + key, in order to unlock)
- Create groups and/or tags to order your credentials
- Create new entries in the password manager
- You can store a title, username, website
- Which can be used for autocompletion by using a shortcut,
- Use the password generator provided by the manager
- You can add extra fields or attach files to your entries
- These will be encrypted aswell
- Always make sure you lock your password manager
- Always make sure to save (
- Master password
- Do not share your master password!
- Do not forget your master password!
- Do not write down your master password!
- Try and backup your password database as often as possible!
- Perosnal recommendation
- Botnet (enjoy beeing tracked)
- I think it’s not free?
- Maybe don’t
When logging in (or signing up) using a web service, always check for the green lock and
https:// in the front of the
http (which stands for Hyper-Text-Transfer-Protocol), but
https, with the extra
s at the end (which stands for HTTP Secure).
HTTPS allows for Client-Server encrypted communication, while HTTP transfers everything in plain-text allowing “intruders” to sniff in on your traffic and steal your credentials. Even worse, HTTP allows for Man in the middle attacks.
Traffic over HTTPS is encrypted using SSL Certificates. You can read more about SSL here.
Web Extension that tries to use HTTPS on all websites:
They generally block ads, but can also block:
- Malicious content which can harm your computer or compromise your privacy and security
- Tracking software
Web Extension that blocks ads:
2FA (2 Factor Auth)
Some websites (most large websites) offer the option of 2 factor auth. This means that after logging in using your password, the website will ask for a code (usually 6 digits). This code will either:
- Be sent in an email (not that secure)
- Be sent in a SMS (not that secure, better than email)
- Be generated by a 2FA app
- Eg: Google Authenticator
The codes can be time based (they expire after 30-60 seconds), or count based (only valid in some order).
Why use 2FA?
In case your password gets compromised, 2FA will stop attackers from gaining access to your account without having access to your 2FA device (this is why an app is prefered, or dedicated hardware for code generation (eg: bank tokens)).
2FA will save your accounts security in case the websites password database gets leaked, your password gets stolen, your password gets cracked.
RSA/ECDSA/(or other) keys are usually used to replace passwords. Keys provide protection agains brute force/dicionary attacks. Keys can also be used to “sign” (verify that something comes from you) a “message” (or file, or anything).
In order to generate a key:
$ ssh-keygen Generating public/private rsa key pair. Enter file in which to save the key (~/.ssh/id_rsa): Enter passphrase (empty for no passphrase): Enter same passphrase again:
This will create a RSA key pair for you (in ~/.ssh). Do not share the
id_rsa file ever! Only share the public key, found in
# My public RSA key ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCTuTjOy984o3SuXoGfsnuaOuqET8wzmE+B0oDTDcl/Hz3SkNvHuKwYrXx0oHi2JUkKSwUx7XZtil0TN+U3mZ63gsfJ3ITazzsQ4hb39seajUiLK5Tcfgx1XnAevXRb9Bp+6LyEws4KbNbHv2bruYDYdoypkdTTfRJKZVjP0t4YxTkE69ImsW4K/Wi8f8WVa9EZecqEs3TvbVc4iuiJ9Fm2qkRCgD+kOmYf7+YNkLcgvuYDx0m7zRNqJyGs2r31qm8f/BMgpVZdN8o0441zotalDqLUHFlITxspKfiQyMr4NHQ/YuJZcAe5zhjutbEqi6FNGOMCK1YgYSUeywlCpxar # My public ECDSA key ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBAT4L1J12pZm3Ga/NHOvC0mudTRz5bv2UON/2Z294Z/ZCEy4wLqkIip4GnrJEbt9pJwG721fheVHP2PqBKwXyZU=
- Install GPG (OS dependant, should be easy by googling it)
- Check this guide for creating GPG keys.
- For step 14 share your public key with us.
Secure SHell, or SSH for short is a protocol which allows a users machine (client) to connect to another machine (host), allowing the user to run commands on the host. The link between the two is secure (no tampering is possible or sniffing).
A SSH server allows multiple auth methods (or any combination of these):
- Password (weak)
- Key (prefered)
- 2FA (overkill)
If the server does not have a firewall setup, brute force attacks (or dicionary attacks) are possible on the admin accounts. The best practice for security is disabling password auth, admin auth and force key only login over SSH.
Clients can find their SSH configurations, keys and known hosts in
.ssh/known_hosts contains a list of all previously connected machines, their “id” (used to determine the authenticity of the host).
The default directory for
ssh-keygen will be
* will be the format used (ecdsa, rsa, …).
Never share your private keys! (
id_rsa). Your public key is the only one you should ever share (
# This will show a nice ascii art image on connection # allowing you to identify a host/key used. VisualHostKey=yes
# If you have a Mac, you might want to turn this on # for all hosts. Host * UseKeychain yes
# Example of a host config Host gst.io HostName gstechnologies.io User example Port 22
gst.io is an alias in this case. Allowing you to run
ssh gst.io instead of
ssh [email protected]
# You can send environment variables to your host Host * SendEnv VARNAME
GS Technologies SSH Config
If you add this to your
.ssh/config, you can
Host gstech HostName gstechnologies.io User YOUR_USERNAME Port 22 IdentityFile $HOME/.ssh/YOUR_KEY
LoginGraceTime 1m PermitRootLogin no MaxAuthTries 3 PasswordAuthentication no
This enforces key only auth, and some more severe auth.
- Do not leave yourself logged in!
- Set your devices to auto-lock when closed.
- Set your devices to auto-close after short amounts of inactivity.
- Do not use crap pins:
- The year you were born in
- Do not browse private data in public areas.
- Always look over your shoulder.
You can encrypt files using your GPG key. You can also sign files (prove that they are coming from you) using GPG.
You can run
sum FILE_NAME to get a number which represents the version of the file. This can tell you if the file you obtained was modified or replaced.