made using Leaflet

Digital Hygiene

Recently, we met up with some extended family who told us about a targeted phishing and hacking attack that led to their bank accounts being hijacked. Some of the questions they had while we talked were about how I handle my personal security.

I was quite confident about how I handled my online security at that point, but it got me thinking about where I could do better. Around the same time I came across a blog post by Andrej Karpathy that prompted some action.

First, let's start with where I came from. I was using 1Password to store all my accounts (in the cloud). Not a real security feature, but something that lets me easily identify phishing mails: I use a unique email address for every service I sign up to. So if I get a DHL notification email at the address I used to sign up for a random online shop, I know it's phishy. And it's probably safe to assume that that random online shop got hacked and leaked customer emails. Other things, like encrypting my disk with FileVault, encrypting my Synology backups, using a VPN, and secure messaging, were already in place.
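The per-service alias trick above can be turned into a mechanical check rather than a gut feeling. The following is an added example, not code from the original post: it assumes a hypothetical catch-all domain (`mail.example`) where every signup gets its own local part, and a small registry (`ALIAS_REGISTRY`) of which sender domains may legitimately write to each alias. Mail to an alias from a sender that was never registered for it is flagged, and the From display name is deliberately ignored because that is the part a phisher controls. The sample messages are constructed for the example.

```python
import email
from email.utils import parseaddr

# Assumed setup (hypothetical, not from the post): a catch-all domain where every
# signup gets its own local part, plus a registry of which sender domains are
# allowed to write to each alias.
MY_DOMAIN = "mail.example"
ALIAS_REGISTRY = {
    "dhl-2021": {"dhl.com", "dhl.de"},      # alias registered directly with the carrier
    "shop-foo": {"shop-foo.example"},       # alias handed to one random online shop
    "bank": {"mybank.example"},
}


def classify(raw_message: str) -> str:
    """Classify one RFC 5322 message as 'ok', 'phishy' or 'unknown-alias'.

    Only the address part of From is used. The display name is ignored on
    purpose, since '"DHL" <x@evil.example>' is exactly what phishers send.
    """
    msg = email.message_from_string(raw_message)
    _, to_addr = parseaddr(msg.get("To", ""))
    _, from_addr = parseaddr(msg.get("From", ""))
    to_local, _, to_domain = to_addr.lower().rpartition("@")
    from_domain = from_addr.lower().rpartition("@")[2]
    if to_domain != MY_DOMAIN or to_local not in ALIAS_REGISTRY:
        return "unknown-alias"  # mail to an address I never handed out
    return "ok" if from_domain in ALIAS_REGISTRY[to_local] else "phishy"


# Constructed sample messages (not real mail).
SAMPLES = {
    "legit_dhl": (
        "From: DHL Express <noreply@dhl.com>\n"
        "To: dhl-2021@mail.example\n"
        "Subject: Your parcel is on its way\n\n"
        "Tracking number inside.\n"
    ),
    # The case from the post: a "DHL" notification sent to the address that
    # only one shop ever knew, so that shop most likely leaked it.
    "dhl_to_shop_alias": (
        'From: "DHL" <track@parcel-update.example>\n'
        "To: shop-foo@mail.example\n"
        "Subject: Action required: customs fee\n\n"
        "Pay now.\n"
    ),
    "legit_shop": (
        "From: Shop Foo <orders@shop-foo.example>\n"
        "To: shop-foo@mail.example\n"
        "Subject: Order confirmation\n\n"
        "Thanks for your order.\n"
    ),
    "guessed_alias": (
        "From: Security <alerts@mybank.example>\n"
        "To: info@mail.example\n"
        "Subject: Verify your account\n\n"
        "Click here.\n"
    ),
}


def run_samples() -> dict:
    """Classify every constructed sample; returns {name: verdict}."""
    return {name: classify(raw) for name, raw in SAMPLES.items()}


if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:20s} {verdict}")
```

A "phishy" verdict on an alias is also the leak signal the post describes: the alias was known to exactly one party, so that party's customer list is out. A real mail filter would additionally look at `Delivered-To` or `Cc` rather than only `To`, since the alias may not appear in the `To` header at all.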

So what could I do better?

The first thing I did was move away from 1Password. I must say that I think they have an absolutely great product. But it's totally based on trust and I'm trusting this one service with basically all my accounts. That always scared me, but it was so convenient. Now I'm self-hosting open source software on my own server, which isn’t exposed to the public internet. To connect, I use my home VPN gateway with VPN Tracker as the client, so the vault is only reachable within my private network.

Next up was setting up a true second factor. That was an important key (haha) missing from my workflow. I had the first factor (something I know) but was lacking the second one (something I have). So I bought a set of hardware tokens and started setting them up wherever it made sense. The first thing was using them as the second factor for my password vault. I also set them up for important accounts (Apple ID, Amazon, PayPal). The YubiKey 5 Series can also store OATH (TOTP/HOTP) secrets on the device and compute the one-time codes there, so the secret never sits in a phone app; that lets you use it as a true second factor even for services that only offer TOTP rather than FIDO2. I keep one token on my keychain, have a tiny one plugged into my computer, and keep one stored securely at home.

What's next?

Being reminded to check how I could improve my digital hygiene was great. My main takeaway from this (apart from actually doing the things described above) was to make it a regular thing in the future. So I've set up a recurring reminder to review my security setup.

Reference: Andrej Karpathy - Digital hygiene

