
Secure Logins for Important Sites

Protect your sensitive accounts.

By Chris Cantey

What's an important site?

When I say “important sites” I really mean any online accounts that are valuable to you or that contain private or sensitive information.

Here are some sites that I recommend considering:

  • Apple ID / iCloud
  • Google / Gmail
  • Bank Accounts
  • Brokerage / Retirement Accounts
  • Credit Card Accounts
  • Wireless / Phone Service Accounts
  • Internet Service / Utilities Accounts
  • Dropbox / Box / Cloud Storage Apps
  • Backblaze / Backup Apps
  • Amazon / Shopping Sites
  • Doctors / Insurance / Pharmacies / Healthcare Sites
  • Domain / Web Hosts
  • Github / Gitlab / Code Repos
  • Slack / Discord / Teams / Chat Apps
  • Zoom / Skype / Video Conference Apps
  • Facebook / Twitter / Social Apps
  • Accountants / Tax Prep Sites
  • Remote Desktop Apps

I recommend thinking about:

  • Anywhere else you're storing credit card info
  • Anywhere else you're storing private health info
  • Anywhere else you're storing social security or ID info

Make a list of sites that are important to you and work through improving their security.

How to improve the security of these sites

Simply put, I recommend creating a strong and unique password and enabling multi-factor authentication on all of these sites.

You would essentially take the same steps you took with your email account back at the beginning of this whole journey. But now you're armed with a password manager, so it'll make the process easier.

Set strong and unique passwords where you can

Work through your list of sites, using Bitwarden to generate a new, strong and unique password for each. And because you don't have to even look at the passwords any more (they live entirely in the password manager) you can make them very long, very strong, and totally unique.

Let the built-in Bitwarden Password Generator do the work. You can read all about it and how to use it here. Or learn how to use it while adding a new vault item here.

One thing you'll notice as you work through this process is that some sites won't allow very long passwords. Some stop you at 12 or 20 characters. Just use as many characters as each site allows, and max it out for the sites that have no limit. It'll take some practice to get used to the process.

Enable MFA where you can

Not all sites have multi-factor authentication available and of those that do, not all of them allow for use of TOTP / Authenticator apps like Authy. Some will only work with SMS (text messages).

Work through your list of important sites and enable TOTP / Authenticator MFA everywhere you can. If a site will only let you use SMS, that's fine. Any MFA is better than no MFA. But I recommend favoring TOTP (the app method) whenever it is available.

And if a site allows both a TOTP / Authenticator app and SMS, I recommend disabling SMS completely after enabling MFA with Authy. You shouldn't need SMS as a backup as long as you are either using the Authy encrypted backups or have downloaded the recovery codes for that account.

Why do this? If SMS is turned on, it could be used to override the other factor (TOTP / Authenticator), making the account less secure than it could be. Google / Gmail is one example of a site that leaves SMS on unless you turn it off.

Check out Authy's awesome guide on how to set up MFA for many sites. Popular sites are listed there, but you can search any app or site at the top.

Another site you may find helpful is the 2FA Directory, where you can search for popular apps and sites to see what types of MFA they allow. Anything that has a check mark in the “Software token” column should work with Authy.

Remember that any app that allows you to use “Google Authenticator” for multi-factor authentication also works with Authy. Simply use Authy instead.
