Rules for working with passwords
Working with passwords is the foundation of a trader’s cybersecurity. You must learn to manage your passwords not only securely, but also conveniently. If it takes a lot of time to find and enter a password, a person automatically starts saving time to the detriment of security. That’s the way human beings are; there’s nothing you can do about it.
The purpose of this guide is to help traders organize their credentials in a way that is both secure and convenient.
Let’s start with an obvious piece of advice: use long and complex passwords.
The longer the password, the better. If you store your passwords properly, the length of a password makes no difference to you in daily use, so make it longer than the usual 8 characters. Your passwords should contain letters of both cases (e.g. n and N), digits and special characters. Passwords like “12344321” and “iloveyou” are bad passwords. Ideally, a password is randomly generated. Password managers have a special function for this purpose: a password generator. A password created by a generator is stronger than a human-created password of the same length. The longer, more complex and more random a password is, the harder it is to crack by brute force.
Each password is used only once. Never, we repeat, never use a password twice. It often happens that a trader memorizes one password and uses it everywhere. This is a fatal mistake: if one account is hacked, all your accounts are at risk.
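The two rules above (random, long passwords; no reuse) can be checked mechanically. The following is an added example, not code from the original guide or from any password manager: it generates a password from the recommended character classes using the cryptographically secure `secrets` module, estimates how much work a brute-force attacker faces, and finds passwords that are shared between sites in a (constructed) vault. The guess rate of 10 billion per second used for the estimate is an assumed figure for illustration only.

```python
import math
import secrets
import string

# Character classes the guide recommends: both cases, digits and special characters.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.<>?"
CLASSES = (LOWER, UPPER, DIGITS, SPECIAL)


def generate_password(length: int = 20) -> str:
    """Random password containing at least one character from every class.

    Uses secrets.choice (CSPRNG), never random.choice, so the result is
    unpredictable; a password a human invents is not.
    """
    if length < len(CLASSES):
        raise ValueError("length must allow one character from each class")
    alphabet = "".join(CLASSES)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling keeps the distribution uniform over the accepted set.
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_brute_force(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to find the password, assuming half the keyspace is searched.

    guesses_per_second is an assumed attacker speed for illustration.
    """
    seconds = (2 ** bits) / 2 / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def find_reused_passwords(vault: dict) -> dict:
    """Map every password used for more than one site to the sites sharing it.

    vault maps site name -> password (as a manager holds them after unlocking).
    """
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    print(generate_password(20))
    print("8 lowercase letters:", round(entropy_bits(8, 26), 1), "bits,",
          years_to_brute_force(entropy_bits(8, 26)), "years")
    print("20 mixed characters:", round(entropy_bits(20, len("".join(CLASSES))), 1), "bits,",
          years_to_brute_force(entropy_bits(20, len("".join(CLASSES)))), "years")
    # Constructed vault to show reuse detection.
    sample_vault = {"exchange": "iloveyou", "mail": "iloveyou", "broker": "Xq7!pL2#vN9z"}
    print("reused:", find_reused_passwords(sample_vault))
```

The entropy figures are the point: eight lowercase letters give about 37 bits, which the assumed attacker exhausts in seconds, while twenty characters drawn from all four classes give well over 100 bits. The reuse check is what a manager's "password health" report does internally.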
Passwords and the browser
Remembering a large number of unique and complex passwords is impossible. What to do? Many users store their credentials in the browser (e.g. Google Chrome). This is more convenient than keeping them in your head or in Excel, but it’s not secure. The browser’s built-in storage is the first place an attacker will look, and in most cases he will get in without much trouble. That’s why we don’t recommend storing passwords in the browser.
The alternative to storing passwords in memory, Excel or the browser is a password manager. This is an application that stores logins and passwords and handles sign-in securely. The manager “knows” not only how to store passwords, but also how to insert them directly into the login form. Companies developing password managers use the most advanced encryption technologies and invest huge sums in security. The result is convenience and a level of security that far exceeds “writing a password in Excel”. It takes time to get used to a password manager, but it’s well worth it. Once it is set up, you will only need to remember one password: the password for the password manager.
The services you use can be hacked. No one is immune to this. Sometimes attackers publish or sell user databases of logins and passwords. To protect yourself, you should regularly monitor the DarkNet and check your accounts for leaks. You can check your data through a leak aggregator: you enter your e-mail or login into the search bar, and the service returns the results of the check. However, not all leak aggregators are safe; some of them are themselves phishing sites. It is convenient and safe to check accounts for leaks through a password manager. Enter your email and have the password manager monitor it. If the manager detects a threat, it will notify you immediately.
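The warning that a leak aggregator can itself be a trap raises the question of how a check can be safe at all: a well-designed one never receives the secret. This is an added example, not code from the original guide; it shows the k-anonymity scheme used by the Have I Been Pwned "Pwned Passwords" range API, where only the first five hex characters of the password's SHA-1 hash leave the device and the server answers with every matching hash suffix and a breach count. The `_fake_fetch_range` function is a constructed offline stand-in for the network call, and the "leaked" sample password and counts in it are invented for the demonstration.

```python
import hashlib


def sha1_prefix_suffix(password: str):
    """Split the uppercase hex SHA-1 of the password into a 5-char prefix and the rest.

    Only the prefix is ever sent; 5 hex chars identify ~1/1,048,576 of all hashes,
    so the server cannot tell which password in that bucket the client holds.
    """
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines (one per hash in the bucket) into {suffix: count}."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.strip().upper()] = int(count.strip() or 0)
    return counts


def breach_count(password: str, fetch_range) -> int:
    """Number of times the password appears in the breach corpus (0 = not found).

    fetch_range(prefix) -> response body; the real client would do an HTTPS GET to
    https://api.pwnedpasswords.com/range/<prefix>. The comparison of the suffix
    happens locally, so the full hash never leaves the machine.
    """
    prefix, suffix = sha1_prefix_suffix(password)
    counts = parse_range_response(fetch_range(prefix))
    return counts.get(suffix, 0)


# --- Constructed stand-in for the range endpoint (no network) ---------------
LEAKED_SAMPLE = "password"   # constructed: pretend this password was seen 3 times


def _fake_fetch_range(prefix: str) -> str:
    leaked_prefix, leaked_suffix = sha1_prefix_suffix(LEAKED_SAMPLE)
    # Two decoy entries derived from constructed strings, so the bucket is not empty.
    decoys = [hashlib.sha1(s).hexdigest().upper()[5:] + ":1"
              for s in (b"decoy-entry-1", b"decoy-entry-2")]
    lines = list(decoys)
    if prefix == leaked_prefix:
        lines.append(f"{leaked_suffix}:3")
    return "\r\n".join(lines)


if __name__ == "__main__":
    for candidate in (LEAKED_SAMPLE, "Xq7!pL2#vN9z-constructed"):
        print(candidate, "->", breach_count(candidate, _fake_fetch_range), "breaches")
```

A manager's breach monitoring for an e-mail address works on the same principle of minimal disclosure; the practical lesson is that a site asking you to type the actual password into a search box has already failed this test.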
As per the “old school” rules, changing passwords regularly is considered to increase cybersecurity. With a manager, changing passwords is easy – you can do it in a couple of clicks. However, many companies and cybersecurity experts call changing passwords an outdated technique. For example, Microsoft has abandoned the practice of regularly changing passwords in Windows.
Two-factor authentication (2FA) is logging into an account with two kinds of proof of account ownership. Usually, the first is a username and password, and the second is a special code that is sent via SMS or e-mail or generated by a special application. For example, you log in to your account on the exchange and enter your login and password. Then you receive a confirmation code on your phone. You enter the code and only then get into the account. So logging in requires two conditions: knowing the login/password and having access to, for example, SMS (depending on the authentication method). Variants with three conditions also exist.
The advice on 2FA is simple: always use two-factor authentication! If you enable 2FA, you make it dozens of times harder for a hacker to break in. That’s a valid argument, isn’t it?
There are different variants of two-factor authentication. The most common ones are 2FA via SMS, e-mail and a special application, such as Google Authenticator. The authors’ opinion is that 2FA via specialized apps is more reliable than via e-mail or SMS. There are known cases of hacking into the databases of mobile operators and e-mail services, and fraudsters can gain control over SIM cards using forged documents. It is much more difficult to do this with 2FA apps. So if you can choose, choose the option with 2FA through an app.
Services for 2FA
Below we have prepared a brief description of 2FA services that are used to protect accounts on popular cryptocurrency exchanges.
Most cryptocurrency exchanges support two-factor authentication via Google Authenticator (GA). This is a simple and convenient application that does not require creating an account or any settings. It is enough to install GA and connect it to your account. The data is stored only on the user’s device. Google Authenticator is available on iOS, Android and BlackBerry OS.
To use Authy, you need to create an account linked to your phone number. The app stores user data on a cloud server, so you can access it from any of your linked devices. Authy supports macOS, Windows, iOS, Android, and Chrome.
Binance Authenticator is Binance’s own app. User data is stored in the cloud, so you must have an account to use the app. Binance Authenticator is used for two-factor authentication on Binance only.
When you enable authentication through the app, the service generates a secret key. Based on this key, one-time account login codes are created. The secret key can look like a set of characters or a QR code. Keep the key in a safe place in case you lose your device. For example, write it in the margins of your favorite book.
Popular authenticator applications, except for Google Authenticator, offer to store your secret key in the cloud and automatically synchronize password vaults on different devices. But to do this, you need to create an account tied to your phone or e-mail.
Another way to store your secret key is in the password manager, in protected notes. You can also write down the key on paper or print it out (if it is a QR code). If you choose the paper option, take into account the risks of storing a physical copy of the key.
Account security also depends on the security of the device you use. Let’s go over the security rules for devices: computer, tablet, smartphone.
Regularly update the OS (Windows, macOS, iOS, etc.) and the apps you use, such as the exchange app. Almost every update contains patches for discovered vulnerabilities. If you don’t update, a vulnerability may already have been discovered and be known to everyone, while it is still “open” on your device.
Use a licensed antivirus downloaded from the developer’s official website. If you downloaded and installed a pirated version of an antivirus, do not expect reliability or security. The antivirus should have an up-to-date signature database, and the program itself should also be updated regularly.
When you are working through an unfamiliar network, use a VPN. This is a secure, encrypted connection that keeps your data private and bypasses local restrictions. If you’re going to use a VPN all the time, set it up carefully to ensure security.
Phishing is a way for fraudsters to obtain user data (logins and passwords). Phishing is conducted in a variety of ways. For example, attackers can send an email on behalf of Binance. The email contains a link to a fake site that is visually indistinguishable from the real Binance site. If you enter your username and password on such a site, they will fall into the hands of fraudsters.
To combat phishing, some cryptocurrency exchanges have an anti-phishing feature. In the account security settings, you can set a personal code with which the exchange signs all its emails, so a genuine message can be told apart from a fake one.
Some exchanges have the ability to set master passwords. A master password is an additional password for specific actions. For example, you can log in to your account using the usual login/password combination, but to withdraw assets you need to know the master password as well.
Be sure to use master passwords if you store significant amounts on the exchange.
The whitelist lets you specify the addresses to which withdrawals are made with minimal additional checks. Add your own addresses to this list and transactions to these addresses will become faster and more convenient.
Ideally, you use a separate device for trading on a cryptocurrency exchange, from which you do not “surf” the Internet. If you do not need a large monitor for trading (you do not trade actively), then make transactions from your phone through the exchange app. Do not use any other devices to log in to your exchange account. Bear in mind that different devices have different levels of security. It is believed that, because of its architecture, the iPhone is better protected from viruses and hacking than a Windows PC.
API keys are analogous to a login (API Key) and a password (API Secret). They are needed to connect a third-party application to an account on the exchange.
API keys have permission settings. For example, you can restrict a key so that it can only be used to read exchange data (a read-only key) and cannot make transactions.
Example #1: a trader wants to trade on a cryptocurrency exchange through a trading terminal, for example CScalp. To do this, he creates API keys with trading permission on the exchange and enters them into the terminal. CScalp connects to the exchange, and trading becomes possible.
Example #2: to track and analyze trades, a trader connects a special service to his trading account, for example, Free trader’s diaries. To do this, he only needs to create “Read-Only” API keys. He enters the keys in the diary, and data on trades starts to arrive.
One pair of API keys – one connection
Use a separate pair of API keys for each service: for example, one pair for CScalp, another for the trader’s diary, and so on. Delete keys that you no longer need; once deleted, they can no longer be used to access your account.
You can set an IP restriction in the API key settings by whitelisting trusted IP addresses. After that, it will be possible to connect to the trading account with the keys only from the IPs you specified. This option is recommended if you have a static (permanent) IP address. An IP address can also be dynamic, i.e. change over time. You can find out which type you have and order a static IP address from your provider.
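The API-key rules in the section above (read-only versus trading permission, one key pair per service, deleting unused keys, IP whitelisting) are all decisions the exchange enforces on every request. The following is an added example, not code from the original guide or from any exchange's API: it models a key record with those attributes, an `authorize` check of the kind an exchange applies when a request arrives, and an `audit_keys` review that flags keys violating the guide's advice. The permission names (`read`, `trade`, `withdraw`), service names and IP addresses are constructed for the demonstration.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class ApiKey:
    key_id: str
    service: str               # the one application this key pair was issued to
    permissions: frozenset     # constructed names: "read", "trade", "withdraw"
    allowed_ips: tuple = ()    # IPs or CIDR ranges; empty tuple = usable from anywhere
    revoked: bool = False      # deleted/disabled on the exchange


def ip_allowed(key: ApiKey, source_ip: str) -> bool:
    """True if the key has no IP restriction or the source falls in a whitelisted range."""
    if not key.allowed_ips:
        return True
    ip = ipaddress.ip_address(source_ip)
    return any(ip in ipaddress.ip_network(entry, strict=False) for entry in key.allowed_ips)


def authorize(key: ApiKey, action: str, source_ip: str):
    """Decide whether a request signed with `key` may perform `action` from `source_ip`.

    Returns (allowed, reason). Checks run cheapest-and-most-decisive first: a revoked
    key is rejected before anything else, then the IP restriction, then permissions.
    """
    if key.revoked:
        return False, "key revoked"
    if not ip_allowed(key, source_ip):
        return False, "source IP not whitelisted"
    if action not in key.permissions:
        return False, f"key lacks '{action}' permission"
    return True, "ok"


def audit_keys(keys) -> list:
    """Review a set of keys against the guide's rules and return human-readable findings."""
    findings = []
    by_service = {}
    for key in keys:
        if key.revoked:
            findings.append(f"{key.key_id}: revoked key still listed, delete it")
            continue
        by_service.setdefault(key.service, []).append(key.key_id)
        if "withdraw" in key.permissions:
            findings.append(f"{key.key_id}: withdrawal permission granted to an API key")
        if "trade" in key.permissions and not key.allowed_ips:
            findings.append(f"{key.key_id}: trading key without IP restriction")
    for service, ids in by_service.items():
        if len(ids) > 1:
            findings.append(f"{service}: several active keys ({', '.join(ids)}), keep one")
    return findings


if __name__ == "__main__":
    # Constructed key set: a read-only diary key, a locked-down terminal key, an old bot key.
    diary = ApiKey("k-diary", "trader-diary", frozenset({"read"}))
    terminal = ApiKey("k-term", "cscalp", frozenset({"read", "trade"}), ("203.0.113.10/32",))
    old_bot = ApiKey("k-bot", "old-bot", frozenset({"read", "trade", "withdraw"}))
    for key, action, ip in ((diary, "trade", "198.51.100.7"),
                            (terminal, "trade", "203.0.113.10"),
                            (terminal, "trade", "198.51.100.7")):
        print(key.key_id, action, ip, "->", authorize(key, action, ip))
    for finding in audit_keys([diary, terminal, old_bot]):
        print("AUDIT:", finding)
```

The audit reproduces the guide's checklist: a key that can withdraw is the single most dangerous setting, a trading key reachable from any IP is the next, and revoked keys should be deleted rather than left in the list.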