## Password Manager Selection

### Bitwarden

| Feature | Details |
|---|---|
| Encryption | AES-256, PBKDF2 SHA-256, Argon2 |
| Pricing | Free (personal), $10/year (premium) |
| Self-host | Yes (Bitwarden_RS, now Vaultwarden) |
| Open source | Yes |
| Audit | Third-party security audits annually |

#### Installation

- Windows/macOS: bitwarden.com/download
- Linux: `snap install bitwarden`
- iOS/Android: App Store / Play Store
- Browser: Chrome/Firefox/Edge/Safari extensions
- CLI: `npm install -g @bitwarden/cli`

#### Basic Commands

```bash
bw login username@email.com
bw unlock
bw list items
bw get item "github"
bw generate --length 20 --uppercase --lowercase --numbers --special
```

#### Self-hosted Setup

```bash
# Vaultwarden (formerly Bitwarden_RS). Put it behind a TLS reverse proxy:
# the web vault only works on an HTTPS origin because browsers restrict WebCrypto to secure contexts.
docker run -d --name bitwarden \
  -e WEB_VAULT_ENABLED=true \
  -e SIGNUPS_ALLOWED=false \
  -p 80:80 \
  -v /bw-data/:/data/ \
  vaultwarden/server:latest
```

### 1Password

| Feature | Details |
|---|---|
| Encryption | AES-256, PBKDF2, 128-bit Secret Key |
| Pricing | $36/year (individual), $60/year (family) |
| Self-host | No |
| Open source | No |
| Audit | SOC 2 Type 2, ISO 27001 |

#### Unique Features

- Travel Mode (remove vaults from devices)
- Watchtower (breach monitoring)
- Secure file storage (1 GB)
- Document scanner
- SSH key management

## Password Manager Setup

### Master Password Guidelines

Minimum requirements:

- 12+ characters
- Uppercase and lowercase
- Numbers
- Special characters
- No dictionary words
- No personal information

Example strong password: `Tr0ub4dor&3Xamp!e#2024`

Better (passphrase): `correct-horse-battery-staple!47`

(Both are illustrations of the pattern only; a string printed in a guide is no longer usable as a real password.)

### Emergency Kit

#### Bitwarden

Print or save:

- Email address
- Master password hint
- Two-step login recovery code
- Secret 2FA key (if applicable)

Store in: safe deposit box, physical safe, or with trusted family.

#### 1Password

The Emergency Kit PDF contains:

- Email address
- Secret Key (34 characters)
- Master password hint
- QR code for setup

## Two-Factor Authentication (2FA)

### TOTP Authenticator Apps

| App | Platform | Features | Backup |
|---|---|---|---|
| Aegis | Android | Open source, biometric unlock, groups | Encrypted JSON |
| Raivo OTP | iOS | Open source, iCloud sync, search | iCloud/iTunes |
| 2FAS | iOS/Android | Cloud sync, wearables, widgets | Encrypted cloud |
| Google Authenticator | iOS/Android | Simple, Google integration | Cloud (new versions) |
| Microsoft Authenticator | iOS/Android | Push notifications, number matching | Microsoft account |
| Authy | iOS/Android | Multi-device, encrypted backups | Authy cloud |

#### Aegis Setup (Android)

1. Install from F-Droid or Play Store
2. Set biometric unlock
3. Add accounts:
   - Scan QR code
   - Manual entry (base32 secret)
4. Organize with groups: Work, Personal, Finance
5. Export encrypted backup to cloud storage
6. Enable automatic backups

#### Raivo Setup (iOS)

1. Install from the App Store
2. Enable iCloud sync or local only
3. Import from Google Authenticator (scan export QR)
4. Set app lock: Face ID / Touch ID
5. Sort by issuer or account
6. Back up via encrypted iTunes backup

### Hardware Security Keys

#### YubiKey 5 Series

| Model | Connection | Features |
|---|---|---|
| YubiKey 5 NFC | USB-A + NFC | FIDO2, PIV, OpenPGP, OATH, FIDO U2F |
| YubiKey 5C NFC | USB-C + NFC | Same as above |
| YubiKey 5 Nano | USB-A low-profile | Same, no NFC |
| YubiKey 5C Nano | USB-C low-profile | Same, no NFC |
| YubiKey 5Ci | USB-C + Lightning | iOS + desktop support |

#### FIDO2/WebAuthn Registration

1. Insert YubiKey
2. Visit security settings (e.g., google.com/security)
3. 2-Step Verification → Security Key → Add
4. Touch key when prompted
5. Name the key (e.g., "YubiKey 5 NFC")
6. Register a backup key

#### Google Titan

| Model | Connection | Features |
|---|---|---|
| Titan Security Key | USB-A/NFC | FIDO U2F, FIDO2 |
| Titan USB-C | USB-C/NFC | FIDO U2F, FIDO2 |
| Titan Bluetooth | Bluetooth/NFC/USB | FIDO U2F, FIDO2 |

#### SoloKeys (Open Source)

| Model | Connection | Features |
|---|---|---|
| Solo 1 | USB-A | FIDO2, open source |
| Solo Tap | USB-A + NFC | FIDO2, tap to authenticate |
| Somu | USB-A tiny | FIDO2, minimal size |

## 2FA Implementation Strategy

### Account Prioritization

**Tier 1: Critical (Hardware Key + TOTP)**

- Email providers (Gmail, Outlook)
- Password managers
- Banking/financial
- Cloud storage (Google Drive, Dropbox)
- Domain registrars

**Tier 2: Important (TOTP minimum)**

- Social media (Twitter, Facebook, LinkedIn)
- Communication (Slack, Discord, WhatsApp)
- Shopping (Amazon, eBay)
- Utilities (GitHub, cloud servers)

**Tier 3: Standard (TOTP, or SMS if no alternative)**

- Forums, newsletters
- Minor services
- Trial accounts

### Backup Codes

Generate and store securely:

- Print a physical copy
- Store in password manager (encrypted notes)
- Keep in safe deposit box
- Never store in cloud unencrypted

Format: 8-10 single-use codes per account

Usage: one code = one login, then invalidated

## Passkey Implementation

### Supported Platforms

| Platform | Passkey Storage | Sync |
|---|---|---|
| Apple iCloud Keychain | iPhone/iPad/Mac | iCloud |
| Google Password Manager | Android/Chrome | Google account |
| 1Password | Cross-platform | 1Password cloud |
| Bitwarden | Cross-platform | Bitwarden cloud |
| Windows Hello | Windows devices | Microsoft account |

### Creating Passkeys

**Apple**

- Settings → Password → [Website] → Set Up Passkey
- OR: Safari login prompt → "Save passkey"

**Android**

- Chrome/Edge login → "Create passkey"
- Choose: device or security key
- Authenticate with biometrics

**1Password**

- 1Password → New Item → Passkey
- OR: browser extension → Save passkey to 1Password

## Enterprise Implementation

### SSO Integration

#### SAML Configuration

```xml
<!-- Example Okta SAML (abbreviated: a real assertion also carries a ds:Signature
     and Conditions/AudienceRestriction that the service provider must verify
     before trusting the NameID or the Role attribute) -->
<saml:Assertion>
  <saml:Issuer>https://company.okta.com</saml:Issuer>
  <saml:Subject>
    <saml:NameID>user@company.com</saml:NameID>
  </saml:Subject>
  <saml:AttributeStatement>
    <saml:Attribute Name="Role">
      <saml:AttributeValue>Admin</saml:AttributeValue>
    </saml:Attribute>
  </saml:AttributeStatement>
</saml:Assertion>
```

#### OIDC Configuration

```json
{
  "issuer": "https://auth.company.com",
  "authorization_endpoint": "/oauth2/authorize",
  "token_endpoint": "/oauth2/token",
  "scopes_supported": ["openid", "profile", "email", "groups"],
  "response_types_supported": ["code", "id_token"]
}
```

In a provider's real discovery document (`/.well-known/openid-configuration`) the endpoint values are absolute URLs; relative paths are shown here for brevity.

### Conditional Access Policies

Azure AD example:

- Require MFA for all users
- Require compliant device for admin roles
- Block legacy authentication
- Require approved apps for mobile access
- Block access from high-risk countries

## Password Rotation

### Automated Rotation

#### AWS IAM

```python
import boto3
from datetime import datetime, timedelta


def rotate_access_keys(user_name):
    iam = boto3.client('iam')

    # List current keys. IAM allows at most two access keys per user, so an
    # inactive key left over from a previous rotation must be deleted before
    # create_access_key() will succeed.
    keys = iam.list_access_keys(UserName=user_name)['AccessKeyMetadata']

    for key in keys:
        create_date = key['CreateDate']  # timezone-aware datetime from boto3
        age = datetime.now(create_date.tzinfo) - create_date

        if age > timedelta(days=90):
            # Create new key
            new_key = iam.create_access_key(UserName=user_name)['AccessKey']

            # Update applications with new key
            update_applications(new_key['AccessKeyId'], new_key['SecretAccessKey'])

            # Deactivate old key (keeps it recoverable if something still uses it)
            iam.update_access_key(
                UserName=user_name,
                AccessKeyId=key['AccessKeyId'],
                Status='Inactive'
            )

            # Delete after confirmation period (7 days)
            # iam.delete_access_key(UserName=user_name, AccessKeyId=key['AccessKeyId'])


def update_applications(access_key_id, secret_key):
    # Update CI/CD pipelines, applications, etc.
    # Use AWS Secrets Manager or Parameter Store
    pass
```

#### Database Credentials

```python
import secrets

import psycopg2
from psycopg2 import sql


def update_secret_manager(name, value):
    # Placeholder: write the new value to your secrets store
    pass


def restart_applications():
    # Placeholder: rolling restart so clients pick up the new secret
    pass


def rotate_database_password():
    # Generate new password (URL-safe alphabet, so no quoting surprises)
    new_password = secrets.token_urlsafe(32)

    # Update database. Use psycopg2.sql.Literal rather than string formatting
    # so the password is always quoted correctly as a SQL literal.
    conn = psycopg2.connect("postgresql://admin:oldpass@localhost/postgres")
    cur = conn.cursor()
    cur.execute(
        sql.SQL("ALTER USER app_user WITH PASSWORD {}").format(sql.Literal(new_password))
    )
    conn.commit()

    # Update secret manager. Clients that reconnect between the ALTER and this
    # update will fail, so keep the window short or stage the change.
    update_secret_manager("db-password", new_password)

    # Rolling restart of applications
    restart_applications()
```

## Recovery Planning

### Shamir's Secret Sharing

Split the master password into n shares and require k of them to reconstruct it.

Example: 3-of-5 scheme

- Share 1: Trusted family member A
- Share 2: Trusted family member B
- Share 3: Safe deposit box
- Share 4: Attorney/executor
- Share 5: Physical safe at home

Any 3 shares reconstruct the password. Any 2 shares reveal nothing.

#### Implementation (Python)

```python
# The secretsharing package (pip install secretsharing): SecretSharer expects a
# hex-encoded secret, so use PlaintextToHexSecretSharer for an ASCII passphrase.
from secretsharing import PlaintextToHexSecretSharer

secret = "correct-horse-battery-staple"

# split_secret(secret, threshold, total): returns 5 shares, any 3 reconstruct
shares = PlaintextToHexSecretSharer.split_secret(secret, 3, 5)

reconstructed = PlaintextToHexSecretSharer.recover_secret(shares[:3])
assert reconstructed == secret
```

### Emergency Access

#### Bitwarden

Settings → Emergency Access

- Trusted emergency contact
- 7-day waiting period
- View-only or takeover access

#### 1Password

Settings → Emergency Kit

- Share Secret Key and master password hint
- Family organizer can recover accounts
- 1Password support (identity verification required)

## Security Monitoring

### Breach Detection

#### Have I Been Pwned API

```python
import hashlib

import requests


def check_breach(password):
    # k-Anonymity: only the first 5 hex chars of the SHA-1 hash leave the machine;
    # the API returns every suffix matching that prefix and we compare locally.
    sha1 = hashlib.sha1(password.encode()).hexdigest().upper()
    prefix = sha1[:5]
    suffix = sha1[5:]

    response = requests.get(
        f"https://api.pwnedpasswords.com/range/{prefix}", timeout=10
    )
    response.raise_for_status()

    # Each line is "<35-hex-char suffix>:<count>"
    for line in response.text.splitlines():
        hash_suffix, count = line.split(":")
        if hash_suffix == suffix:
            return int(count)
    return 0


# Check if password appeared in breaches
breach_count = check_breach("password123")
if breach_count > 0:
    print(f"Password found in {breach_count} breaches")
```

#### Bitwarden Data Breach Report

Tools → Data Breach Report

- Checks usernames against known breaches
- Checks passwords against the HIBP database
- Reports exposed accounts

## Migration Procedures

### From LastPass to Bitwarden

1. LastPass → Advanced → Export → CSV
2. Bitwarden → Tools → Import Data
3. Select LastPass (csv)
4. Upload exported file
5. Verify imported items
6. Delete the LastPass export file securely
7. Disable LastPass account

### From Google Password Manager

1. passwords.google.com → Settings → Export passwords
2. Chrome password manager → Export
3. Bitwarden/1Password → Import → Chrome (csv)
4. Verify all entries imported
5. Disable Chrome password saving
6. Remove saved passwords from Google

## CLI Automation

### Bitwarden CLI

```bash
# Login
bw login username@email.com
export BW_SESSION=$(bw unlock --raw)

# Get password
bw get password github.com

# Get TOTP code
bw get totp aws.amazon.com

# Generate password
bw generate --length 32 --uppercase --lowercase --numbers --special

# Create item (bw create expects the item JSON base64-encoded, hence `bw encode`)
echo '{"type":1,"name":"New Account","login":{"username":"user","password":"pass"}}' \
  | bw encode | bw create item

# Sync
bw sync
```

### 1Password CLI

```bash
# 1Password CLI v1 syntax; CLI v2 renamed these to `op item get`, `op item list`, etc.

# Sign in
eval $(op signin my.1password.com user@email.com)

# Get password
op get item "GitHub" --fields password

# Get TOTP
op get totp "AWS Console"

# Create item
op create item login --title="New Service" username="admin" password="generated"

# List items
op list items --tags work
```

## SSH Key Management

### 1Password SSH Agent

1. 1Password → Developer → SSH
2. Generate or import SSH keys
3. Enable "Use the SSH agent"
4. Configure SSH in `~/.ssh/config`:

```
# Linux socket path; on macOS the agent socket is
# ~/Library/Group Containers/2BUA8C4S2C.com.1password/t/agent.sock
Host *
  IdentityAgent ~/.1password/agent.sock
  AddKeysToAgent yes
```

### Traditional SSH with Passphrase

```bash
# Generate key (ssh-keygen prompts for a passphrase that encrypts the private key)
ssh-keygen -t ed25519 -C "user@email.com"

# Add to agent
eval $(ssh-agent -s)
ssh-add ~/.ssh/id_ed25519

# Copy public key
ssh-copy-id user@server
```

Config for multiple keys in `~/.ssh/config`:

```
Host github.com
  IdentityFile ~/.ssh/id_ed25519_github
  User git

Host work-server
  HostName 192.168.1.100
  User admin
  IdentityFile ~/.ssh/id_ed25519_work
```