Recommended Tools and Ground Rules for Security Management

This article reflects information as of 2021. For the latest details, please contact us.

Written by:

Image 1

Hello! Do you know about the uproar — which started in January 2021 and recently stirred up again on Twitter — over the source code of a system managed by SMBC being published on GitHub? According to the person who uploaded the source code (as they themselves stated on Twitter), there was a site that estimated your annual income from self-made source code posted to GitHub, and they uploaded the code in order to use it. What reignited the fuss this time was apparently that the same person mentioned on Twitter that the damages came to 7 million yen. It was, well, careless. This time I'll write about this whole area.

Cases

https://dev.classmethod.jp/articles/accesskey-leak/

DevelopersIO had an article like this. This one involves a leaked access key that was then abused. Similarly, the person accidentally pushed the access key to a public GitHub repository. After that, the access key was misused by someone and used to mine cryptocurrency. It was abused about ten minutes after the push. Is there some villain out there watching GitHub...? This case is described in detail at the URL above, so please give it a read.

Countermeasures

So how should you protect yourself? Beyond, of course, double-checking whenever you push to GitHub, I think it's important to be conscious about proper password management! Below are a few password-management tools I'd like to introduce!

1Password

https://1password.com/jp/

This is a tool introduced to me by one of our executive members. It seems to be used by a lot of people in engineering circles.

Dropbox Passwords

https://www.dropbox.com/ja/features/security/passwords

Many of you probably use a paid Dropbox plan. If so, you can use this right away!

Password Manager

https://www.trendmicro.com/ja_jp/forHome/products/pwmgr/trial.html

A service provided by Trend Micro Inc. Recommended for those who prefer a domestic maker.

Microsoft Edge

https://www.microsoft.com/ja-jp/edge

Microsoft Authenticator

https://play.google.com/store/apps/details?id=com.azure.authenticator

If you've set up password syncing in Edge, then as long as you use the same Microsoft account, passwords sync to Microsoft Authenticator, so you can manage passwords there, too. Edge's browser engine is now Blink — the same as Chrome — so more people are probably using it as their daily driver. Several of our members switched over from Chrome, too.

Firefox Firefox Sync

https://www.mozilla.org/ja/firefox/sync/

Firefox Lockwise

https://www.mozilla.org/ja/firefox/lockwise/

Among the free options, this may be the most trustworthy! That said, to get the most out of its features, you'll need to use Firefox as your everyday browser on PC.

If you want to go all open-source

KeePass

https://keepass.info/

KeePassDroid

https://play.google.com/store/apps/details?id=com.android.keepass

There's also an approach where you manage passwords with KeePass on PC, sync the data file via Dropbox and the like, and load that data with KeePassDroid on Android!

Other well-known options

Keeper

https://www.keepersecurity.com/ja_JP/

LastPass

https://www.lastpass.com/

Bitwarden

https://bitwarden.com/

Basic Rules

Adopting tools matters, but deciding on and being mindful of some basic rules can make all the difference. Below are the ones our members follow. Please use them as a reference.

1. Use a different password for every site (required). Use the strong passwords the tools above generate for you. 2. If a site supports two-step verification, always use it. 3. Occasionally go around your sites to check whether any service has shut down, and change your passwords. If rule 1 is in place, once every few years is fine. 4. Close accounts on sites you no longer use. We take stock of these about once a year.

In Closing

In these times when security and leaks are so often in the news, taking precautions really matters! As for the SMBC case above, the fault seems to lie with the individual involved, though... I hope this article is even a little helpful. Thank you for reading!