Don't forget your online security

[Baptiste Wicht]

Good morning

These last few days, I have updated multiple of my passwords to improve my online security. And I have also updated my disaster file. So, I thought I would just do a "public service announcement" and remind you that online security is essential. These days, most of our finances can be accessed online. So, it is paramount that you treat your online security very importantly.

A good sets of simple rules:

1. Use random passwords (don't choose them yourself)
2. Use long passwords (long beats complex)
3. Use unique passwords (one different password for each service)
4. Use 2FA whenever possible

To manage unique passwords, the best is to use a password manager with a very strong master password

If you want more tips, you can check out my article about this:

13 Tips To Protect Your Online Personal Finances In 2025 - The Poor Swiss

Your Online Personal Finances are essential, you need to protect them from hackers! Follow these 9 tips to protect your online services!

thepoorswiss.com

And if you have any tips you would like to share, please do!

 

[gaijin]

Fully agree that this is very important. Some thoughts:

I would rephrase (3) to 'use 2FA for your important accounts such as banking and shopping' . I know this weakens your security. But I don't think 2FA is really necessary in simple web apps.
A password manager is a tool to make (1) and (2) more simple and actually manageble. It might even enclude the option for (3). So I would put (4) somehow apart from the rest.

 

[Baptiste Wicht]

It's a good point, the password manager is only here to help us use random, long and unique passwords. If we had the capacity to remember 300 unique passwords, we coud avoid it.

I am not entirely convinced about 2FA only for some services. Some services may not be critical, but they may hold a lot of personal information that is best protected. For me, 2FA should always be activated. Honestly, I do not even understand why 2FA is sometimes an option, it should be activated for everybody whenever possible.

 

[Denis]

hello,
which password manager do you recommend ?

 

[Baptiste Wicht]

hello,
which password manager do you recommend ?

I have been using KeePassXC for 2-3 years now and I am very happy about it.

 

[gaijin]

which password manager do you recommend ?

My favourite is Bitwarden:

• Open Source with regular independent security audits
• Central (of course encrypted) database -> always have the latest version on all synched devices
• Free for personal use
• Focus on password management (no other services)
• Solid business model
• Self hosting and forking possible (for geeks)

 

[BPH]

My favourite is 1Password.

Have gone back and forth between Bitwarden and 1Password and keep ending up with 1Password. Even though more expensive and closed source, just has been more reliable and polished in my experience

 

[MaxJG]

It's a good point, the password manager is only here to help us use random, long and unique passwords. If we had the capacity to remember 300 unique passwords, we coud avoid it.

I am not entirely convinced about 2FA only for some services. Some services may not be critical, but they may hold a lot of personal information that is best protected. For me, 2FA should always be activated. Honestly, I do not even understand why 2FA is sometimes an option, it should be activated for everybody whenever possible.

With Swissquote app, I always do a full lockout after use meaning I have to set up again the 2FA each time I log in with one of the authentifications being sent to another cellphone. The reason I do this is to avoid any unauthorized party who might get control of my phone/screen via malware, spyware or keylog. That’s why I don’t have 2FA permanently activated.

 

[Baptiste Wicht]

With Swissquote app, I always do a full lockout after use meaning I have to set up again the 2FA each time I log in with one of the authentifications being sent to another cellphone.

That sounds interesting. But how does that work? If you disable 2FA, can't anybody log with only your password and then setup 2FA anyway?

 

[MaxJG]

Basically after you enter your username and password (which I don’t save on my phone), it sends an email with a first identification code. This email I consult on the same phone. Then it sends a different by SMS to my second phone. So basically a crook would need access to both these phones.

Once I finish checking my accounts or making transactions, I conduct a full log out procedure, which disables 2FA.

To make it even safer I could remove my email app from the first phone and only consult it from my computer but I guess that would be overkill.

 

[MaxJG]

I meant this is sends a different CODE by sms to my second phone …..sorry, the word CODE was missing

 

[Baptiste Wicht]

Thanks for sharing, this is very advanced, but seems quite secure!

 

[Baptiste Wicht]

One other advanced tip: If you have a static IP address, you can restrict your trading on Interactive Brokers to only work from this IP address.

 

[OxygeN]

My favourite is 1Password.

Have gone back and forth between Bitwarden and 1Password and keep ending up with 1Password. Even though more expensive and closed source, just has been more reliable and polished in my experience

Remember that 1Password has been hacked some years ago, whereas Bitwarden has not. I use the latter and it's hosted on my own Docker, restricted access via WireGuard on all my (mobile) devices.
For non-geeks, just subscribe to the "family" plan at bitwarden.com and you're set for the start. ;-)

PS: SMS are not encrypted and can be intercepted. So not a really good MFA solution (but still better than NO MFA at all).

 

[gaijin]

Remember that 1Password has been hacked some years ago

Do you have a source for this? I found this blog post stating that 1Password was not hacked.

 

[Baptiste Wicht]

Remember that 1Password has been hacked some years ago, whereas Bitwarden has not.

Wasn't it LastPass that got hacked?

PS: SMS are not encrypted and can be intercepted. So not a really good MFA solution (but still better than NO MFA at all).

Totally right. I wish that Swiss services would do better for 2FA.

 

[OxygeN]

Do you have a source for this? I found this blog post stating that 1Password was not hacked.

Saw that one too, but it's biased as it is on their own platform
I've found several addressing the Okta breach affected 1Password too - the majority state that no data has been exfiltrated, other say it's unclear...

1Password reports security incident after breach at Okta - ThreatDown by Malwarebytes

Password manager 1Password says it’s been affected by a breach at Okta, but it reports no user data has been stolen.

www.threatdown.com

1Password Warning—Beware Of Master Password-Reset Attack

As attackers target users of the highly popular 1Password password manager, heed the warning: don’t reset your master password in response to this email request.

www.forbes.com

 

[OxygeN]

Wasn't it LastPass that got hacked?

They got hacked for sure, yes.

Totally right. I wish that Swiss services would do better for 2FA.

Well, as long as SMS is being used... SMTP is the same: email traffic is in clear-text. BUT: since quite some years there's been additional security enhancements, TLS for example used with SMTP, so the communication is encrypted between email servers. It's not mandatory, but today only lazy admins or third-world countries do not use SMTP-over-TLS. With SMS it's not feasible I guess - no interest in enhancing security for such a technology.