Security, we know it’s important, but let’s be honest, it feels hard and is often overlooked. To fill some of those gaps, join me on an adventure to learn more.
We’ll be talking about making our apps more secure, the common pitfalls, and how to address them. Today, though, we’re going to start working on ourselves. What can we do today be safer on the internet?
Most of these are simple actions, but they have a significant impact on your security, and the safety of your business/clients’ data as well.
If you’re using passwords in multiple places, you depend on the security of the least capable of them. It’s the weakest link principle: when the system with the worst security has a breach, all other accounts that use that same password are now compromised as well.
It’s impracticable to have unique passwords for every account we have and keep track of all them in ours heads, so we’re going to use a tool to help us. This kind of tool is known as a password manager. It encrypts and stores all of our credentials for different sites and apps in a safe place1.
There’s a bunch of them, with different features and prices (here are two popular ones). They integrate into your browsers, so it’s easy to log in to your accounts, generate new passwords, and handle two-factor authentication.
Another nice side-effect of using password managers is that we can use longer, more complex – and therefore safer – passwords.
The easiest way is using an organization account in a password manager. This is a great approach for businesses, where it’s common to share passwords among employees. It’s also good for sharing the credentials for that streaming service with your family.
Now, say we don’t have an organization account, how can we share a password safely? If you’re a developer, you probably can get by using something like GnuPG, but that’s quite cumbersome. I’d suggest using an end-to-end encrypted tool like Keybase (it’s even better if it supports self-destruction).
As developers, we often have to deal with sensitive data, like credentials and private source code. Can you imagine what would happen if someone stole your hard drive? That’s the problem that disk encryption solves.
When you encrypt your disk, the computer can only read the encrypted data after you unlock it with a passphrase. So, if someone steals your disk, they won’t be able to read any of your data. This feature is available on most modern platforms, so you can use it on ∙ every ∙ major ∙ operating ∙ system.
Be aware, though, that disk encryption does not protect you against network attacks.
There’s very little you can do after you lose your laptop, so it’s better to be safe than sorry. As a precaution, use a remote tracking tool like Prey to keep track of your devices (it is also available for mobile devices), and in case of theft or loss, wipe your data out.
This article is mainly focused on what you can do for yourself, but in the following posts we’ll dive into application security topics like HTTPS, CORS, CSRF, SQL injection, common security breaches in apps, and how to prevent them. Stay tuned!
Of course, you still have to trust the password manager, and using any tool introduces risk. But provided you choose a trustworthy solution, your risk is greatly reduced compared to re-using passwords. ↩