- Goal 4
Secure Logins for Important Sites
Protect your sensitive accounts.
What's an important site?
When we say “important sites” we really mean any online accounts that are valuable to you or that contain private or sensitive information.
Here are some sites that we recommend considering:
- Apple ID / iCloud
- Google / Gmail
- Bank Accounts
- Brokerage / Retirement Accounts
- Credit Card Accounts
- Wireless / Phone Service Accounts
- Internet Service / Utilities Accounts
- Dropbox / Box / Cloud Storage Apps
- Backblaze / Backup Apps
- Amazon / Shopping Sites
- Doctors / Insurance / Pharmacies / Healthcare Sites
- Domain / Web Hosts
- Github / Gitlab / Code Repos
- Slack / Discord / Teams / Chat Apps
- Zoom / Skype / Video Conference Apps
- Facebook / Twitter / Social Apps
- Accountants / Tax Prep Sites
- Remote Desktop Apps
We recommend thinking about:
- Anywhere else you're storing credit card info
- Anywhere else you're storing private health info
- Anywhere else you're storing social security or ID info
Make a list of sites that are important to you and work through improving their security.
How to improve the security of these sites
Simply put, we recommend creating a strong and unique password and enabling multi-factor authentication on all of these sites.
You would essentially take the same steps you took with your email account back at the beginning of this whole journey. But now you're armed with a password manager, so it'll make the process easier.
Set strong and unique passwords where you can
Work through your list of sites, using Bitwarden to generate a new, strong and unique password for each. And because you don't have to even look at the passwords any more (they live entirely in the password manager) you can make them very long, very strong, and totally unique.
One thing you'll notice as you work through this process is that some sites won't allow very long passwords. Some stop you at 12 or 20 characters. Just use as many characters as the site allows, and max out the generator's length for sites that have no limit. It'll take some practice to get used to the process.
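To make concrete what the password manager is doing for you in the two paragraphs above, here is a small added example (it is not part of the original guide and is not Bitwarden's code). It generates passwords from a cryptographically secure random source, trims the length to a per-site cap the way you have to when a site stops you at 12 or 20 characters, and reports how much entropy each cap costs you. The site names and length limits are made up for the example.

```python
import math
import secrets
import string
from typing import Dict, Optional

# Upper/lower letters, digits and punctuation: 94 possible symbols per position.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int, alphabet: str = ALPHABET) -> str:
    """Return a uniformly random password of the given length.

    secrets.choice is backed by the OS CSPRNG, unlike random.choice.
    """
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def fit_to_site_limit(desired: int, site_max: Optional[int]) -> int:
    """Use the desired length, unless the site caps passwords shorter than that."""
    return desired if site_max is None else min(desired, site_max)


# Constructed sample of "important sites" and their (made-up) maximum password lengths.
# None means the site imposes no limit.
SITE_LIMITS: Dict[str, Optional[int]] = {
    "bank.example": 20,
    "mail.example": None,
    "legacy-utility.example": 12,
}


def build_vault(sites: Dict[str, Optional[int]], desired: int = 64) -> Dict[str, str]:
    """Generate one fresh password per site, as long as that site allows."""
    return {site: generate_password(fit_to_site_limit(desired, limit))
            for site, limit in sites.items()}


def all_unique(vault: Dict[str, str]) -> bool:
    """Check that no password is reused across sites."""
    return len(set(vault.values())) == len(vault)


if __name__ == "__main__":
    vault = build_vault(SITE_LIMITS)
    for site, pw in vault.items():
        print(f"{site:24s} len={len(pw):2d} entropy={entropy_bits(len(pw)):6.1f} bits")
    print("all unique:", all_unique(vault))
```

The entropy figures are the point: a 12-character password from this alphabet has about 79 bits of entropy, a 20-character one about 131 bits, and a 64-character one over 400. That is why the guide says to max out the length wherever the site permits it, and why a unique password per site matters: a cap you cannot change on one site should not also be the password that unlocks another.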
Enable MFA where you can
Not all sites have multi-factor authentication available and of those that do, not all of them allow for use of TOTP / Authenticator apps like Authy. Some will only work with SMS (text messages).
Work through your list of important sites and enable TOTP / Authenticator MFA everywhere you can. If a site will only let you use SMS, that's fine. Any MFA is better than no MFA. But we recommend favoring TOTP (the app method) whenever it is available.
And if a site allows both a TOTP / Authenticator app and SMS, we recommend disabling SMS completely after enabling the account in Authy. You shouldn't need SMS as a backup as long as you are either using Authy's encrypted backups or have downloaded and saved the recovery codes for that account.
Why do this? If SMS is left turned on as an alternative second factor, an attacker who takes over your phone number (for example through a SIM swap or a port-out at your carrier) can have the login code sent to themselves and bypass the TOTP factor entirely, so the account is only as strong as its weakest enabled method. Google / Gmail is one example of a site that leaves SMS on unless you turn it off.
Check out Authy's awesome guide on how to set up MFA for many sites. Popular sites are listed there, but you can search any app or site at the top.
Another site you may find helpful is the 2FA Directory, where you can search for popular apps and sites to see what types of MFA they allow. Anything that has a check mark in the “Software token” column should work with Authy.