Security Awareness and Tools#

Password Management Tools#

A password manager will enable you to have unique, strong passwords for every service that you log into. Good password managers will generate new passwords for you, auto-fill web forms, allow extra protection for high-security accounts (like banking), and more. Choose a password manager that encrypts locally (in your browser, so you don't have to trust the provider to keep their data safe) and that has iPhone and Android apps that auto-sync with the manager. At Bixal Solutions, we currently recommend BitWarden (open source and privacy focused), LastPass, or Keeper, as these are the most full-featured, but we are keeping a close eye on the FOSS KeePass and Password Safe solutions.

LastPass#

Disable Browser Password Autofill#

LastPass provides secure password management, especially when unlocked via Two-Factor Authentication. Storing passwords created in LastPass in your browser completely defeats this security, giving anyone with access to your browser access to all your sites. If asked by your browser "Do you want to save this password in your browser?" answer "No". Then disable this insecure action altogether:

Use Two Factor (or 2-Step) Authentication (TFA, 2FA)#

Two-Factor Authentication (TFA) includes something you know (e.g. your memorized password) and something you have (e.g. your smartphone or a YubiKey) and can greatly increase the security of your systems. Bixal Solutions recommends you use Two-Factor Authentication for services that support it.

For example, as your password manager grows to have more passwords in it - not only Bixal Solutions' systems and clients but also your personal bank accounts, credit cards, school records, etc. - it becomes increasingly important to have it protected by more than just a password.

Bixal Solutions requires that its employees and contractors who are given access to Bixal Solutions Office 365 (which includes Outlook, Teams and OneDrive) use Two-Factor Authentication on their Bixal Solutions Office 365 account.

Two-Factor Authenticators (TFA)#

There are many hardware and software tools for creating secure "one time passwords" (OTP). Three that we frequently use internally are described below.

Do not rely on SMS text messages for general two-factor authentication, as it is less secure than the other methods listed here. At the time of this writing, however, setting up Two-Factor Authentication on your Google account initially requires SMS verification. This is OK, and also serves as a "TFA Backup" mechanism (be sure to see the essential section below on Two-Factor Redundancy and TFA Backup Codes).

LastPass Authenticator#

Authy#

YubiKey#

Once set up, your YubiKey greatly simplifies the process of Two-Factor Authentication (TFA). While at home, keep the key plugged into an unused USB port and simply touch the button if asked to authenticate. This saves time while enabling the strongest security. While on the road, the nearly indestructible YubiKey attaches easily to your keychain (and should only be inserted when authenticating).

While YubiKey is the easiest to use on a daily basis, if you lose it you could get locked out of all your systems, so be sure that you have set up Two-Factor Redundancy and TFA Backup Codes.

Partial List of TFA-Enabled Services#

Two-Factor Redundancy and TFA Backup Codes#

As a final, crucially important step, you must have a backup second factor for all your TFA accounts. Imagine that you use a YubiKey to unlock LastPass and you lose it. Without a backup second factor, you would be effectively locked out of all of your accounts. So you need a backup.

SMS can often be an easy backup, but it is known to be insecure. Most services that provide TFA provide multiple second factor options, and we recommend that you set up at least one of several backup strategies for each TFA-enabled service you use:
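As an added illustration (not code from this page or from any of the authenticators it names), the block below shows what the "one time passwords" described under Two-Factor Authenticators actually are, and pairs them with the single-use backup codes that the redundancy section calls for. The secret is the published RFC 6238 test-vector key; the backup-code helpers are a constructed illustration of the pattern, not any vendor's implementation.

```python
import base64
import hashlib
import hmac
import secrets
import struct

# RFC 6238 test-vector secret ("12345678901234567890" in base32), used here only so
# the results can be checked against the RFC; a real authenticator gets a random one.
DEMO_SECRET_B32 = "GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ"
STEP_SECONDS = 30


def totp(secret_b32: str, for_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HMAC-SHA1 over the 30-second time counter, then dynamic truncation."""
    key = base64.b32decode(secret_b32.upper() + "=" * (-len(secret_b32) % 8))
    counter = struct.pack(">Q", for_time // STEP_SECONDS)
    mac = hmac.new(key, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret_b32: str, code: str, now: int, skew: int = 1) -> bool:
    """Accept the current code plus/minus `skew` steps for clock drift; constant-time compare."""
    return any(
        hmac.compare_digest(totp(secret_b32, now + s * STEP_SECONDS), code)
        for s in range(-skew, skew + 1)
    )


def make_backup_codes(n: int = 8):
    """Constructed illustration: random single-use codes for the user, only hashes stored server-side."""
    codes = [secrets.token_hex(6) for _ in range(n)]  # 48 random bits each
    return codes, {hashlib.sha256(c.encode()).hexdigest() for c in codes}


def redeem_backup_code(code: str, stored_hashes: set) -> bool:
    """Single use: a code's hash is removed on success so it cannot be replayed."""
    digest = hashlib.sha256(code.strip().lower().encode()).hexdigest()
    if digest in stored_hashes:
        stored_hashes.discard(digest)
        return True
    return False
```

Because the code changes every 30 seconds and the backup codes are deleted once redeemed, a phished or shoulder-surfed value is of little use to an attacker after the fact, which is why the page treats both as stronger than SMS.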

Phishing and Social Engineering#

Social engineering is the most common attack vector used to compromise computer systems. Social engineering relies heavily on human interaction and often involves tricking people into breaking normal security procedures. The following is a brief reminder of some of the methods used, but is in no way complete.

Keep Your Systems Up-to-date#

One of the best ways to protect yourself from being hacked (other than via a social engineering pathway) is to keep your software on your computers and phones up-to-date. Sometimes you may reasonably want to wait for a .1 or .2 release before updating after a new major release, but don't get far behind. Also, if you have a Windows machine, you must maintain an up-to-date anti-virus package on it.

macOS: FileVault#

Bixal Solutions utilizes full disk encryption (FDE) with FileVault, and requires the use of it. Bixal retains a copy of your key for recovery purposes.

Much more technical detail on securing your Mac: macOS-Security-and-Privacy-Guide. While Bixal does not require use of all of these techniques, learning them will help protect personal, Bixal, and Federal information.

GNU/Linux: use the hardware#

Unlike Mac and Windows, GNU/Linux only lets you encrypt your drive during system installation. Either buy a new SSD with hardware encryption or, during install, enable Linux Unified Key Setup (LUKS), which comes standard with most distributions.

Backups#

With more work captured in the cloud by OneDrive, GitHub, Adobe Cloud, etc., there is less that needs to be backed up. But you won't know what you'll miss until your system doesn't boot up because of an unrecoverable hard drive (or SSD) error. Bixal does configure MacBooks to back up to a Time Machine in the office. If you lose information, file a help desk ticket.

Protecting Your Privacy#

Bixal Solutions believes that your privacy is a right, and that private communications can be beneficial to business. Here are some tips on how FOSS can help:
