Managing your certificate files
Certificate files are extremely secure. But they are only secure if you handle them correctly.
You can generate as many certificate files as you want to access your account. All the certificates you generate have access to read, edit and delete your data. This is why it is important to make sure you always know where these files are kept, and that you back them up in a very safe place.Keep them in a safe place
It is pretty safe to keep a certificate file in your mobile phone or computer if they require a password or PIN to login. It is less safe to keep them on a USB key that is not password-protected. We do not advise you to keep your certificate files on any public online storage service, like Dropbox or Gmail, that can be hacked pretty easily.Never copy your certificate files
You should download a certificate file only once and move it to its final destination: the device that you will use to access your account. You should never copy it to other devices. You should GENERATE a new certificate file for every device you plan to use your MySecureVault.ca account. You should also make sure to put the name of the device in the certificate holder's full name field of the certificates you generate. This way, you can identify where you use each certificate file and easily know which one to revoke, renew or delete.Revoke the certificates you lose
If you lose a USB key that contains one of your certificate files, you should revoke this certificate immediately in your account. To do so, log in using another certificate file that is authorized to access your account, find the certificate you lost in the "Certificates" section, then click the [Revoke] button. If you happen to recover it, you can always re-instate it. If you lost it for good, you can simply delete it from your account.Renew your certificates before they expire
The certificates we issue are valid for a 1 year period. Make sure you always have a valid certificate file if you want to be able to access your data. If you no longer have a valid certificate in your account, you will no longer be able to access your account and your data will be lost forever.
Your certificate passphrase
Your certficate passphrase is what keeps your private key secure. It has to be extremely strong
to prevent anyone from gaining access to your data after gaining access to your certificate file, but it has to be easy for you to remember
so you don't have to write it down on a piece of paper.
Our requirements of 15 characters is extremely basic. Mixing lowercase and UPPERCASE letters makes our 15 characters strong enough for most people. If you want to make sure it is strong enough for military or state secrets, you should use at leats 20 characters, using lowercase, uppercase, numbers and special characters.
Here is an example of a good passphrase:
When COVID19 is over, I want to visit Paris!
Here is an example of a not so good passphrase:
The first passphrase contains, lowercase, uppercase, digits and special characters (spaces, a comma and exclamation mark). The second one is a combination of two well-known character sequences, that are pretty easy to guess in a dictionary attack, and contains only lowercase characters and digits.When you login to your account, if your browser asks to remind your passphrase, it is better to say no!
. It is very bad to have your browser remind your passwords. If someone ever take control of it (physically or remotely), this person would be able to take control of your account.
Keep in mind that your passphrase should:
- Contain different character types: lowercase, uppercase, digits, punctuation
- Be a phrase that you can easily remember, but not an expression you use so frequently that someone could guess it
- Be easy enough for you to remember that you don't need to write it down
Below, you will find a great resource to measure the search space of your passphrase. Even though this tool is well-known and reputable, we recommend that you do NOT type your passphrase in it, but use it as a gauge as to what is an acceptable length and complexity for your passphrase.
It is also a very good read about passwords and passphrases.
GRC Password Haystack
Sharing an account with other people
There is no limit to the number of accounts one person can register here. This way, you can create your own personal account for the private data that you do not want to share, and another account that you can share with your friends.
You can share an account with other people by registering a new account, then by generating a certificate file for each people that should have access to this account (recommended), or by sharing a single certificate file with other users of this shared account (not recommended).You should never put information that you do not want to share in a shared account!
The most secure way to transfer the certificate files to other account users is by physical means. A USB cable, a USB key, an external hard drive, a CDROM, and so on. Less secure means are over a Wifi or Bluetooth connection.The worst way to share a certificate file is by email
, because it can be sent over unsecure connections. If this is your only way to share a certificate file, make sure the passphrase is extremely secure, and DO NOT SEND THE PASSPHRASE BY EMAIL. EVER.
Not even in a separate email or to another email address.
Accessing MySecureVault.ca securely
Choose your device wisely
Choose your network wisely
- Make sure that the device you use to access your account is safe, exempt from any virus, malware or ransomware
- Do not use a public device, like a public computer at an Internet Café or a library, and if you must, check the "This is a public device" checkbox at login, so your session will only last 5 minutes
- When you access your account from a public device, ALWAYS logout once you are done, and clear the browser cache, if possible. Otherwise, remain at the computer until your 5 minutes session expires
- Use a device that only you can access, like your personal computer, your tablet or your smartphone
If possible, use an anonymization network like TOR
- Never access your account using a public Wifi network, even if it seems to be secure
- Avoid networks that could be tracking your usage, like your office's. They could potentially decrypt your passphrase or your entries
- Prefer your own internet connection that you know is not compromised or wiretapped
- If you think you may be under surveilance, avoid using mobile networks (LTE / 5G) at all costs. Authorities or criminals can use IMSI catchers to wiretap your mobile connection, and set up a proxy as a "man-in-the-middle" to decrypt your secure https trafic
TOR, or The Onion Router, is a network whose main purpose is to hide the original IP address and the identity of the user. By using TOR, we do not know what country you're in or what Internet provider you're using. If you are careful enough using TOR, you can remain completely anonymous while using our services.Most of all, make sure our website's certificate is the good one!
We use HTTP Strict Transport Security to make sure our users are safe from Man-in-the-middle attacks, but some very motivated hackers could circumvent this. Always validate that the certificate's signature of our website is the same as the one you will find in the footer of all our pages.
Managing your passwords
Never use the same password for multiple accounts
Imagine using the same password for your Gmail, Paypal, Facebook, Twitter and Spotify accounts. All these having your Gmail address as your username. Let's say Spotify is hacked, and your password is now known to hackers. (In fact, they were hacked on 2020-12-11, and email address, passwords and other information were actually leaked). After that, all your other accounts would be compromised.
This is a real-life scenario that would never happen if you have a different password for every online service you use. This is where a password manager such as MySecureVault.ca comes in handy.
In the end, each online service or office account that you use should be protected by a different password.Length and complexity
Your passwords should always be at least 15 characters long, and should include uppercase, lowercase, numbers and special characters. Avoid at all costs any easy to guess suites, like 12345, qwerty, asdfg, or words from the dictionary and any personal information. These are known attack vectors that can be leveraged to crack your passwords, even if you make a combination that seems to be complex to you.
The ideal password should be randomly generated by a password generator, like the one that we offer you in your account and on our home page.