Fortifying your online security with 1Password and OmniFocus

After a couple of recent scares with several online accounts I decided to take my online security more seriously. I've been using 1Password to keep track of all my online accounts, so that's where I started. Though my setup is in 1Password, you can probably recreate the same thing in other applications.

1Password makes security audits easy with filtered views for duplicated passwords and passwords that haven't been changed in a long time. These views are useful, but as I was working to update my passwords I found that the job was too unwieldy. So I decided to take a more structured approach.

Remove old accounts

There were a bunch of accounts in my vault that I don't use any more. At best those are pointless and at worst they are a security risk. Closing accounts is sometimes quick but unfortunately most sites don't give you that option.

That forces you to remove any personal identifying information from the account and change the password to an overly strong one. This can take a long time depending on the site, so I decided to do this on a regular basis instead of everything at once.

To make auditing these accounts easier I did the following:

  1. Add the delete tag to all accounts set for deletion
  2. Create a new Smart Folder called "[Audit] Delete" and set it to display only items with the delete tag.

Why don't I use the delete tag subitem in the sidebar? Because maybe one day my criteria for deleting accounts will change and I'll have to create a new Smart Folder anyway. This way I have all the lists I need for audits in the same place.

Update high-risk accounts

It's important to keep your passwords up to date. You never know when that password may have been leaked online, so changing things on a regular basis is a good idea. You might also find that the security requirements of the site have changed to allow for stronger passwords or even two-factor authentication. Changing older passwords regularly also serves as a security review of that site. Maybe you need to tag it for deletion or maybe the account information needs to be updated and old information removed.

If you're an active internet user you've likely accumulated hundreds of accounts across services, and given a limited time to deal with these you're better served by dealing with the highest risk accounts first. These can include shopping sites which have payment details, government services that contain potentially sensitive information, and social media accounts that have private information and are linked to other services.

Aside: As I think about it, logging in to services with your social media accounts creates an unnecessary interdependency that weakens your online security. If somebody gets your Facebook account, they also get your Spotify. In addition, it creates a login profile which you cannot monitor with a password manager.

To make auditing these accounts easier I did the following:

  1. Tag all the so-called high-risk accounts with a highrisk tag.
  2. Create a new Smart Folder named [Audit] Change which displays login items that are tagged as highrisk and haven't been changed in over 300 days.

Finally, I added the following items to my Monthly Reviews in OmniFocus:

  • Audit: 1Password Delete
  • Audit: 1Password Change
  • Audit: 1Password Duplicates

That way once a month while I'm clearing shop I'll make a dent in each of the lists, improving my online security slowly over time.
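For readers recreating this outside 1Password, here is an added example (not part of the original post) that builds the same three audit lists from a list of login records. The record layout, field names and sample entries are assumptions constructed for illustration, not a real export format.

```python
import hashlib
from collections import defaultdict
from datetime import date

# Constructed sample records; field names are assumed, not a real export schema.
ITEMS = [
    {"title": "Old Forum", "tags": ["delete"], "password": "hunter2", "changed": "2015-03-01"},
    {"title": "Shop", "tags": ["highrisk"], "password": "Tr0ub4dor&3", "changed": "2023-01-10"},
    {"title": "Tax Portal", "tags": ["highrisk"], "password": "c0rrect-horse", "changed": "2024-05-20"},
    {"title": "Newsletter", "tags": [], "password": "hunter2", "changed": "2022-08-08"},
]

def audit_delete(items):
    """[Audit] Delete: every item carrying the delete tag."""
    return [i["title"] for i in items if "delete" in i["tags"]]

def audit_change(items, today, max_age_days=300):
    """[Audit] Change: highrisk items unchanged for more than max_age_days, oldest first."""
    stale = []
    for i in items:
        age = (today - date.fromisoformat(i["changed"])).days
        if "highrisk" in i["tags"] and age > max_age_days:
            stale.append((age, i["title"]))
    return [title for _, title in sorted(stale, reverse=True)]

def audit_duplicates(items):
    """Duplicates: groups of items sharing one password.
    Grouping by digest keeps the plaintext out of the report."""
    groups = defaultdict(list)
    for i in items:
        digest = hashlib.sha256(i["password"].encode()).hexdigest()
        groups[digest].append(i["title"])
    return sorted(sorted(titles) for titles in groups.values() if len(titles) > 1)

def monthly_review(items, today):
    """The three lists worked through in the monthly review."""
    return {
        "delete": audit_delete(items),
        "change": audit_change(items, today),
        "duplicates": audit_duplicates(items),
    }

if __name__ == "__main__":
    for name, result in monthly_review(ITEMS, date.today()).items():
        print(f"Audit: {name}: {result}")
```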

I hope this encourages you to fortify your online security and provides you with some workflow to do it.

Have a good one. Until next time.

-- Jay Blanco

Why can't I delete my account?!

Normally I talk about the topic of self-improvement and productivity, sharing things I'm trying out or ideas that I find interesting that others might want to explore. Today I'm gonna go on a rant.

I decided to start taking my personal online security more seriously. I've been using 1Password for a while but some older accounts still use the same password or haven't been updated in years. So I started with the most obvious first step: delete accounts on services that you don't use any more.

Here I ran into a problem, and this is where the rant begins. The number of sites, including e-commerce sites, which do not let you easily remove your information from their site is infuriating. If I don't use your service, not letting me delete the account won't change that. At this point, that account is at best an inconvenience or at worst a security liability.

Instead of being able to hit the Delete Account button, I now need to find all the bits of personal identifying information and set it to something ridiculous. Why is this a thing that I need to do to keep my information online safe? What's the point of making this harder for me?

Dear every site that requires you to set up an account, please add an easy to find Delete Your Account button written in huge red letters to your My Account pages.

I urge you to look into your password manager and see how many unused accounts you have and see if you can delete them. Just Delete Me provides a directory with direct links to remove your account from different services. I am not sure if it's comprehensive or up to date but it's a start.

Thank you, yours until I am not Jay Blanco