Secure and Private Profiles Online

By Matt Bishop

In a previously published Q&A with European Business Review, Bitwarden CEO Michael Crandell stated “Improving corporate security starts at the personal level, where employees are not only educated and aware of best practices, but also have the necessary tools to follow similar practices in their personal and home lives…If you educate your employees about password management and multi-factor authentication and give them tools that improve their workflows and daily lives in and outside of work, you’ll see much less resistance.” 

This perspective continues to hold true and will remain the case as employees – especially those who operate within a distributed workforce – toggle between the personal and professional, intermixing devices and (sometimes) data. Businesses who have a vested interest in seeing their employees observe security best practices in the workplace should also encourage them to do the same at home. One of the best places to start is with cybersecurity education and awareness, as it can lead to better outcomes in both the professional and personal sphere. And there’s certainly room for improvement. According to the Bitwarden 2023 World Password Day Survey, a global survey of internet users, one fifth (20%) were affected by data beaches in the past 18 months. If we were to broaden that timeline to encompass the last couple years, one can easily assume that number would be larger.  

Another survey, the Bitwarden 2023 Password Decisions Survey, also took stock of how businesses are faring. The survey found that 60% of IT decision maker respondents reported their organization had experienced a data breach in the past year. With these data points in mind, and with the encouragement of their employers, below are steps employees can take to bolster their online security.  

Use a Password Manager and Two-Factor Authentication 

A password manager, used in tandem with two-factor authentication (2FA), should be the foundation of a strategy geared toward helping users create secure and private profiles online.   

Our online world revolves around passwords and will for some time, even with the growing popularity of passwordless, biometric-oriented solutions. Users keen on staying safe from data breaches need to create strong and unique passwords for every account, both at home and in the workplace. While it’s tempting to write things down or lean on Excel spreadsheets, these tactics often lead to extensive password reuse and/or the creation of weak passwords. A few other telling stats from the Bitwarden 2023 World Password Day Survey: 

  • Most (85%) reuse passwords across multiple sites and 58% rely on memory for their passwords 
  • A little over half (52%) use easily identifiable information in their passwords, such as company/brand names, well-known song lyrics, pet names, and names of loved ones 
  • More than half of respondents forget and reset their passwords on a regular basis 

Password managers are ideal because most of them, including Bitwarden, generate, store, and secure user data in an end-to-end encrypted vault. A good password manager should allow for integration with 2FA. As a reminder, 2FA refers to the technology that requires users to utilize two separate methods of verifying their identity in order to access an account. The first method is typically a password; the second, something one has, such as an authentication code or hardware token.  

In the Bitwarden 2023 Password Decisions Survey, 71% of respondents said they’d be very likely to use a work-provided (complimentary) password manager family account.  

Search safely with DuckDuckGo, Startpage.com, and Qwant 

The majority of the population uses Google to conduct online searches. While the search engine is popular for a host of good reasons, it’s not necessarily the most secure. Users who are concerned about the privacy of their online searches and how the content of those searches could be used in the future should opt for private search engines that keep search activity anonymous, avoid selling data, and do not track activity for advertising sale purposes. While there are a few private search engines out there, a poll of the Bitwarden community found preferences for DuckDuckGo, Startpage.com, and Qwant.  

Choose a Privacy-Centric Email Option 

In the same survey for Data Privacy Week, the Bitwarden community selected Tutanota as one of the leading privacy-centric email options. Chances are that you – and most of your employees – are using Gmail, Outlook, AOL, or Yahoo. The difference between these popular services and a service like Tutanota is that it does not profit off its service by selling ads and does not log information from its users. Additionally, the information stored on its servers is end-to-end encrypted (a concept very familiar to GDPR-governed European businesses). Tutanota is also ad-free, open source, and available on any device. 

Utilize an Encrypted Service When Messaging 

A quick refresh: encrypted data means it is rendered useless to anyone that does not have the decryption key. Encryption is especially critical for those who desire to send messages with sensitive or personally identifiable information.  

Most of your employees probably use WhatsApp, a Meta-owned business that is estimated to have around 2 billion monthly active users. But this is, again, a case where the most popular tool isn’t necessarily the most secure. Users who desire security over popularity should use messaging alternatives, such as Signal, Threema, Element, or Session. For more on the privacy drawbacks of WhatsApp, check out this Washington Post article

Deploy Random Usernames 

As discussed above, creating strong and unique passwords helps isolate and limit the impact of a data breach. Applying unique usernames can carry that protection even further. For example, Bitwarden includes the ability to generate secure usernames and passwords in every plan within the Bitwarden desktop app, web client, mobile, and browser extensions. Find out more here.  

Consider an Email Alias 

Email aliases, also known as masked or anonymous emails, allow for the use of unique addresses that forward personal email. For example, if a newsletter you enjoy requires your email, you can use an alias. You will still receive missives, but the newsletter will not have your email address – keeping your privacy and identity all the more secure. For more (a lot more) on email aliases, check out the blog ‘Add Privacy and Security Using Email Addresses with Bitwarden’. 

Add Extra Protection with a VPN 

VPNs, or Virtual Private Networks, add an extra layer of privacy by masking a user’s internet service provider (ISP). As defined by the publication TechTarget, a VPN “…is a service that creates a safe, encrypted online connection. Internet users may use a VPN to give themselves more privacy and anonymity online or circumvent geographic-based blocking and censorship. VPNs essentially extend a private network across a public network, which should allow a user to securely send and receive data across the internet.” 

While VPNs aren’t perfect, they can give users even more peace of mind. Mullvad VPN is one of the services recommended by the Bitwarden community. Understandably, VPNs are popular with businesses, especially those that have a large remote workforce.  

Parting Words 

In a culture governed by GDPR, some of these recommendations may be familiar to business readers. Nonetheless, they’re worth emphasizing. While it may take time, patience, and in some cases, a financial investment, encouraging security-centric habits at home will pay off in dividends in the workplace.   

About the Author

Matt Bishop

Matt Bishop is the principal architect at Bitwarden investing in technology initiatives for core company operations, security, deployment, and infrastructure. Before Bitwarden, Matt was a senior engineering leader at Olo where he managed online and mobile ordering software delivery. Olo grew from 150 to over 700 employees and went public during his time there. Before Olo he was the CTO and co-founder of iMobile3 where he managed technology strategy for 10 years before the company was acquired by TSYS, now Global Payments. Matt holds a bachelor’s degree from the Georgia Institute of Technology. 

LEAVE A REPLY

Please enter your comment!
Please enter your name here