I strongly advocate the use of password managers. In October I will be reviewing and providing tutorials for a number of password managers as part of my National Cyber Security Awareness Month posts. Even with a password manager, however, you still need to remember, and be able to enter manually, at least a few passwords: things like full-disk encryption and the password manager itself require passwords you know and can recall. Diceware passwords are cryptographically sound passphrases that are easy to remember and easy to create, and the technique is quickly becoming one of my favorites for creating good passphrases. Continue reading “How To: Diceware Passwords”
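The Diceware procedure in code, as an added example that is not part of the original post: roll five dice per word, look the five-digit key up in the word list, and repeat. The real list has 7776 words keyed "11111" through "66666"; the word-list fragment embedded here is a constructed stand-in in the same file format so the script runs offline, and the ScriptedDice helper exists only so the output is reproducible.

```python
"""Diceware passphrase generation, added here as an example; it is not
code from the original post. The real Diceware list has 7776 words keyed
by five dice rolls ("11111" .. "66666"); WORDLIST_TEXT below is a small
constructed stand-in in the same file format so the code runs offline.
"""
import math
import secrets

# Constructed fragment in Diceware format: five dice digits, whitespace, word.
WORDLIST_TEXT = """\
# key  word
11111  apple
11112  brick
12345  river
34215  cloud
66665  zebra
66666  zone
"""


def parse_wordlist(text: str) -> dict:
    """Parse Diceware-format lines into {dice_key: word}, rejecting bad keys."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, word = line.split()
        if len(key) != 5 or any(c not in "123456" for c in key):
            raise ValueError(f"bad dice key: {key!r}")
        table[key] = word
    return table


def key_to_index(key: str) -> int:
    """Map a five-dice key to its 0..7775 position (base 6, digits 1-6)."""
    index = 0
    for c in key:
        index = index * 6 + (int(c) - 1)
    return index


class ScriptedDice:
    """Replays a fixed sequence of rolls (1-6). Demo/test use only."""

    def __init__(self, rolls):
        self._rolls = iter(rolls)

    def randbelow(self, n):  # same interface as secrets.randbelow
        return (next(self._rolls) - 1) % n


def roll_key(rng=secrets) -> str:
    """Five independent fair dice from the OS CSPRNG (or an injected rng)."""
    return "".join(str(rng.randbelow(6) + 1) for _ in range(5))


def passphrase(table: dict, n_words: int = 6, rng=secrets, sep: str = " ") -> str:
    """Roll a key per word and look it up. A full list never misses a key;
    the constructed fragment can, so unknown keys are simply re-rolled."""
    words = []
    while len(words) < n_words:
        key = roll_key(rng)
        if key in table:
            words.append(table[key])
    return sep.join(words)


def entropy_bits(n_words: int, list_size: int = 7776) -> float:
    """Entropy of an n-word passphrase drawn uniformly from list_size words."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    table = parse_wordlist(WORDLIST_TEXT)
    print(passphrase(table, 2, rng=ScriptedDice([1, 1, 1, 1, 1, 3, 4, 2, 1, 5])))
    print(f"6 words from the full list: {entropy_bits(6):.1f} bits")
```

Physical dice and `secrets` are both acceptable sources of rolls; what must never be used is a seeded or non-cryptographic generator, since the whole security of the passphrase rests on each roll being unpredictable. Six words from the full list give about 77.5 bits, which is why the post can call the result cryptographically sound while still being memorable.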
I was recently a guest alongside my co-author, Michael Bazzell, on the Social-Engineer podcast (the episode will be available tomorrow). We discussed social engineering for security and privacy reasons. Since being on the show I have thought more about social engineering than at any time since I attended Chris Hadnagy’s SE course back in 2013. One realization I’ve had is that social engineering attacks commonly begin with a single piece of identifying information: an email address to which the attacker can send phishing emails, a phone number she can use to hack your cell account, or a username she can use to call customer service and request access. Along this line of thought, it has also occurred to me that it is never a bad time to re-stress the importance of usernames as a security measure. Continue reading “Usernames as a Security Measure”
Last week we primarily worked on securing your local computer. Yesterday we focused on installing a local password manager. Today our view will expand outward. On this, the eighth day of the Thirty-Day Security Challenge I will challenge you to change your passwords on your online accounts. Don’t rush in and try to change them all at once though – that could be a recipe for disaster. Instead, try to change your passwords during your normal logins. Time to check your Gmail account? About to settle in for some Netflix? Getting ready to order that new book on Amazon? Take an extra couple of minutes and change those passwords. Your Dropbox account can wait until tomorrow when you will be logging into Dropbox, anyway.
When changing your passwords you should definitely pay attention to the quality of the new ones. All of your passwords should be:
- Unique. Don’t use the same password on any two accounts. Each account gets its own password; this is critical to good online account security, and it matters even more than the strength of any individual password. No ifs, ands, or buts. This way, if one account is hacked, the breach won’t affect any of the others. Mat Honan’s case is an excellent example of why using the same password on multiple accounts is a bad idea.
- Long. Use the maximum allowable length. Google accounts, for example, allow you to use up to a 99-character password. Your password manager does all the work and you’ll never enter it manually, so the extra length costs you nothing. Max it out!
- Randomly generated. Human-designed passwords are terrible in the vast, overwhelming majority of cases. We simply have a hard time reliably producing truly unpredictable strings of letters, numbers, and special characters. Don’t try to make one up. Instead, let the password manager generate one for you.
The password manager you installed yesterday will be critical to this task. Without it you won’t be able to generate passwords meeting the above criteria, and if you do, you won’t be able to remember them. Add each new password as an entry in your password manager when you change it.
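The three criteria above (unique, long, randomly generated) in code, as an added example that is not from the original post or from any password manager: a CSPRNG-backed generator at the site's maximum length, plus an audit that finds reused and short passwords in a vault and rotates only those. The vault is a constructed list of (account, password) pairs.

```python
"""Generating and auditing passwords against the three criteria above.
Added example, not code from the original post or from any password
manager; SAMPLE_VAULT is a constructed (account, password) list."""
import math
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 99, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG (never random.random)."""
    if length < 16:
        raise ValueError("refusing to generate fewer than 16 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly generated password of this length."""
    return length * math.log2(len(alphabet))


def find_reused(vault) -> dict:
    """{password: [accounts]} for every password shared by two or more accounts."""
    by_password = defaultdict(list)
    for account, password in vault:
        by_password[password].append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


def too_short(vault, minimum: int = 16) -> list:
    """Accounts whose password is below the minimum length."""
    return [account for account, password in vault if len(password) < minimum]


def rotate(vault, length: int = 99) -> list:
    """Return a new vault in which every reused or short password is replaced
    with a fresh random one of the requested length; other entries are kept."""
    flagged = set(too_short(vault, length)) | {
        account
        for accounts in find_reused(vault).values()
        for account in accounts
    }
    return [
        (account, generate_password(length) if account in flagged else password)
        for account, password in vault
    ]


SAMPLE_VAULT = [  # constructed example data
    ("gmail", "Summer2013!"),
    ("netflix", "Summer2013!"),
    ("amazon", "Summer2013!"),
    ("dropbox", "correct horse battery staple"),
]

if __name__ == "__main__":
    print("reused:", find_reused(SAMPLE_VAULT))
    print("too short:", too_short(SAMPLE_VAULT))
    for account, password in rotate(SAMPLE_VAULT, 20):
        print(account, len(password), f"{entropy_bits(len(password)):.0f} bits")
```

Note the choice of `secrets.choice` over `random.choice`: the `random` module is seeded from a small state and is not suitable for secrets, which is the same mistake a human makes when inventing a password from memory.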
This will be a carry-over task that won’t be finished in a day (unless you really work at it). If you only change your passwords at your normal logins the process will be slower, but it will also be more manageable. By this time next week I bet that the majority of your accounts will have been changed, and by the end of this month all of your accounts should have new passwords.
Welcome to the second week of the Thirty-Day Security Challenge! We are officially one-quarter of the way through the process! Today’s task is to install a password manager on your computer and/or phone. This is an absolutely critical step. Future posts in this series will ask you to change current passwords and create new accounts with good, strong passwords. Being limited to feeble human memory forces most of us to choose poor passwords: we use the same ones on multiple accounts, and some of the new ones we create this month will probably be lost or forgotten. Storing passwords in a Word document or spreadsheet isn’t a great idea either, since an unencrypted file is easily lost, copied, or read by anyone with access to the machine. The password manager solves these problems for us by creating good passwords, recalling them for us, and storing them securely, encrypted under a single master password.
Below I have listed some reputable password management options. Review these, choose one, and install it. After you have chosen a password manager, secure it with a good, strong master password. Pin it to your taskbar (Windows) or keep it in your dock (Mac). This will place it within easy reach for the remainder of the month. Take a few minutes to get familiar with creating and accessing entries; you will be using this a lot in the future.
There are a number of good password managers out there and your choice will be somewhat driven by your operating system(s). The list I give here is by no means exhaustive and there are loads of options. I am only willing to list the ones that I have used and have familiarity with, however.
Password Safe – Windows: If you primarily use a single Windows computer, Password Safe is the way to go. It is widely known for its user-friendliness. Password Safe is what is known as a host-based password manager, meaning your password database is stored on a single device; it isn’t transmitted to the cloud or stored on a remote server. There are variants of Password Safe for other operating systems too, but none of them are supported by the original developer.
KeePass/KeePassX/MacPass – Cross-platform: KeePass and its variants are open-source password managers and perhaps the most universal of the ones listed here. There are forks that work on nearly any operating system you can imagine, and the databases are compatible across versions. These are not the most user-friendly password managers, however, and they lack some of the functionality and polish of most of the alternatives. They do enjoy the benefits of being strongly encrypted, cross-platform, and totally free. Like Password Safe, KeePass (and its sister applications) stores your AES-256-encrypted password database only locally, on a single device.
LastPass – Cross-platform: LastPass is the only cloud-based password manager I would even begin to recommend. LastPass stores all of your passwords in an encrypted database in the cloud. This means that you can access your passwords from any device, as long as you can access the internet. One other major benefit of a cloud-based password manager is that you will have an offsite backup of your passwords should your computer crash or be stolen. Unfortunately this is exactly the reason I don’t prefer LastPass; being able to access your passwords from the internet means that someone else can, too. It also means that you might be tempted to enter your master password on a computer that you don’t own or control. LastPass is free on a single device; to install it on multiple devices will require a premium account, which is only $1/month (which is still really close to free). Premium accounts can be installed on all your devices and shared among up to five users.
Codebook Password Manager: I have a fondness for Zetetic’s Codebook and have written about it before. I have used it for years on my iOS devices, and if you only have one or two devices this may be a great option for you. However, it is a paid program and you must purchase a license for each device. Codebook is a host-based password manager that allows you to sync with other devices locally over Wi-Fi.
1Password: I include 1Password because it consistently ranks among the most popular password managers. I personally don’t love it but I also don’t have anything against it, and it does have some good things going for it. 1Password is a host-based password manager that allows you to sync with other devices locally through Wi-Fi. It is also incredibly user-friendly and good looking, but it is expensive.
I have a couple of thoughts regarding the breach of the popular password manager LastPass earlier this week. Initially I was disheartened to hear about the breach, but I was very glad that LastPass dealt with it swiftly and responsibly. I actually learned of the breach from LastPass, with an email alerting me to change my master password. Additionally, LastPass is verifying all initial post-breach logins via email unless two-factor authentication is enabled on the account. I was also glad to hear that the attackers were unable to make off with anything more substantial than very strongly hashed master passwords (hashed, not encrypted: a salted, slow hash cannot be reversed, only attacked by guessing), the cryptographic salts, and email addresses. Though certainly less than ideal, the attackers were still unable to capture password vaults.
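What "strongly hashed master passwords plus salts" means in practice, as an added illustration; this is not LastPass's code, and the KDF (PBKDF2-HMAC-SHA256), iteration count and salt size here are assumptions chosen for the example. The last function shows the position a thief is in after stealing the hash and salt: one full derivation per guess, per user.

```python
"""Salted, iterated master-password hashing, added here as an illustration
of the kind of authentication hash described above. This is not LastPass's
code; the KDF, iteration count and salt size are assumptions for the example."""
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed; a real service tunes this to its hardware


def make_auth_hash(master_password: str, salt: bytes = None,
                   iterations: int = ITERATIONS) -> tuple:
    """Derive (salt, iterations, hash) for server-side storage. The password
    itself is never stored; only this one-way derivation is."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                 salt, iterations, dklen=32)
    return salt, iterations, digest


def verify(master_password: str, salt: bytes, iterations: int,
           expected: bytes) -> bool:
    """Recompute the derivation and compare in constant time."""
    _, _, digest = make_auth_hash(master_password, salt, iterations)
    return hmac.compare_digest(digest, expected)


def offline_guess(candidates, salt: bytes, iterations: int, expected: bytes):
    """What a thief holding (salt, iterations, hash) must do: one full
    derivation per guess, and the per-user salt means no precomputed table
    helps across users. Returns the matching candidate or None."""
    for guess in candidates:
        if verify(guess, salt, iterations, expected):
            return guess
    return None


if __name__ == "__main__":
    salt, iters, h = make_auth_hash("correct horse battery staple")
    print(verify("correct horse battery staple", salt, iters, h))  # True
    print(offline_guess(["password", "123456"], salt, iters, h))  # None
```

The iteration count is what makes each guess expensive, and the per-user salt is what forces the attacker to pay that cost separately for every account rather than once for the whole dump. A weak master password still falls to a short candidate list, which is why the breach notice asked users to change it.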
Though I don’t use LastPass anymore, I did for several years, and because of this and my comfort with it I recommended it in Your Ultimate Security Guide: Windows 7 Edition and plan to in the upcoming iOS 8.3 Edition. The two big takeaways from this breach (at least in my mind) are:
Cloud-based password managers are inherently risky. This may be a provocative statement because many people use web-based password managers without incident. But for how long? Because of the treasure trove of information a password manager contains, the services that host them are natural targets. Secondly, because they are a more complex system than a host-based password manager like Password Safe, there are more potential points of failure. The encrypted database must transit the internet between your computer and the provider’s servers, be decrypted locally to be used, be re-encrypted before being uploaded again, and so on. A lot of things have to be done correctly for it to be secure throughout the entire process.
Two-factor authentication is important. When I first saw the email from LastPass about the breach my heart sank. I no longer use LastPass but I know a lot of people who do. Fortunately I know that most of them also use two-factor authentication, and as I learned more about the breach I realized that accounts protected with two-factor were still safe. I gave high praise to LastPass in Your Ultimate Security Guide: Windows 7 Edition for the multitude of two-factor options it offers: “The Grid” (my favorite), Google Authenticator, fingerprints, YubiKey, etc. With two-factor enabled my friends were able to rest easy that their passwords had not been breached. This is the kind of confidence I want in an internet system, especially one with which so much critical data is entrusted.
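Google Authenticator, one of the two-factor options listed above, implements TOTP (RFC 6238, built on HOTP from RFC 4226). The implementation below is an added example, not LastPass's or Google's code, and shows why a stolen password hash alone does not get an attacker past the second factor: the six-digit code is an HMAC over the current 30-second window keyed by a secret the attacker never received. It uses the RFCs' published test secret rather than any real account's.

```python
"""TOTP (RFC 6238) as used by Google Authenticator, one of the two-factor
options mentioned above. Added example, not LastPass's or Google's code;
it uses the RFC's published test secret, not any real account's."""
import base64
import hashlib
import hmac
import struct
import time

RFC_TEST_SECRET = b"12345678901234567890"  # from the RFC 4226 / RFC 6238 test vectors


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic
    truncation to a 31-bit integer reduced to `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: int = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    if at is None:
        at = int(time.time())
    return hotp(key, at // step, digits)


def verify_totp(key: bytes, code: str, at: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the current step plus `window` steps on
    either side to tolerate clock drift; each comparison is constant-time."""
    counter = at // step
    return any(
        hmac.compare_digest(hotp(key, counter + d, digits), code)
        for d in range(-window, window + 1)
    )


def decode_base32_secret(secret: str) -> bytes:
    """Authenticator apps display secrets in base32, often spaced and unpadded."""
    cleaned = secret.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


if __name__ == "__main__":
    print(totp(RFC_TEST_SECRET, at=59))  # 287082, the RFC 6238 vector for t=59
    print(totp(decode_base32_secret("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")))
```

A server should also remember the last counter it accepted for each user and refuse to accept the same code twice, so that a code phished in one window cannot be replayed in the next; that bookkeeping is omitted here.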
As I said earlier, I would still recommend LastPass to anyone who is determined to have a web-based password manager. The convenience of the system is hard to deny, but personally, I’d rather have the security of knowing exactly where all of my passwords are stored.