843-606-6255
NEWS



Passwords Vol. 2 The Solution



Posted: May 9th, 2017

By Jeremy Sonntag 5-9-17


Passwords are, by nature, insecure. This is due to human inadequacies. We humans can't easily remember a string of characters which constitute a strong password, so out of convenience, we create simple easy to remember passwords. THEN, we continue to use the same password for several or all of our accounts. We have many online accounts needed to manage our life and are all "secured" with these simple passwords. I went into further detail on why strong authentication is needed in a previous post. https://netcertpro.com/Full-Article/14/dont-take-passwords-lightly/



What I will suggest here is the best solution we have today. One that caters to security and convenience. Typically these two are at odds with each other. The more secure it is, the more inconvenient it becomes.

The combination of two things will hugely improve your digital security. A secure, well vetted password manager, and Two-Factor Authentication. These solutions are both implemented by third parties so the vetting process should be examined when considering your options. I have tried and researched all of the popular implementations and make my recommendation as a result of my findings.


Password Manager

I recommend you take a few minutes and sign up for a Lastpass account to manage your passwords. It is free for personal use, very easy to use, and as secure as is possible. Lastpass has been around a long time and has been put through the ringer by various security researchers including Google's 0-day hunter Tavis Ormandy. NOTE: Lastpass has an Enterprise product as well.


Once you have a Lastpass account. Install the Lastpass browser extension and phone app. Proceed by accessing the most important accounts you can think of such as your bank, credit card, email, etc. As you login, Lastpass will ask if you want to save this password. Afterwards, find where you can reset these passwords for your bank, email and other accounts. On the password reset screen, you can have Lastpass auto generate a long complex password and automatically update it in your password vault. Complete this with your most important accounts first, then update your others as you go. Ideally you would never know what your bank or email password is. Perhaps something like this XkK9&RJ!76F%eg. With a good password manager, you don't have to enter it. Instead, you simply select the account you would like to use to sign in with.


Important security notes on password managers!

  • Create a strong Master Password! Something complex but memorable for you. Maybe a phrase but misspell some words and add symbols and CAPS. Example: U#Kant+Hak=MypAzzWerd!
  • Do Not have Lastpass save your Master Password upon login.
  • Set your Lastpass session to expire after a reasonable time and upon closing the browser
  • Smartphones should be set with a PIN / fingerprint to unlock.
  • Setup Lastpass to authenticate with fingerprint on smartphone.
  • Run the security audit. See how you stack up.

Two-Factor Authentication (2FA)

This simply means that you should use two authentication points for a login. Typically your password is the first. The second, can be several things, but usual implementations today will make use of an expiring one time password via email, SMS text message or mobile app. With this in place, someone who might have your password can attempt to login, which is when they will be presented with yet another password that needs entered. This second password has a short expiration and is show when needed to the person who has access to that 2FA method (app, email, text).


Many sites and services offer the option of 2FA. Some even require it. I highly suggest checking for this option where it matters. Next, that password manager you just setup, contains ALL of your important passwords! Lastpass DOES support 2FA and even has their own implementation of it. SET THIS UP ASAP!


2FA Apps

There are several popular and well vetted authenticator apps available. Choose one and use it. This should be setup on your smartphone. NOTE: your smart phone should be locked via PIN, fingerprint, etc. I use Lastpass Authenticator because of the convenience and it works nicely with the Lastpass solution but there are other fine solutions. Google Authenticator and Authy are both clean implementations and well trusted.


So there it is. Now you have a strong option to secure your digital self. And it's easy! No need for a pocket notebook full of passwords or re-using the same password across the board. This is the best solution to date that I am aware of.


Action Summery

  1. Sign up for Lastpass
  2. Download Lastpass smartphone app and Authenticator app
  3. Sign in using the Lastpass email.
  4. Setup Master Password. (Must be complex and long)
    1. --example U#Kant+H4k=MypAzzWerd!
  5. Setup 2 Factor authentication with Authenticator app.
  6. Start changing your passwords and setup 2FA

Resources

Lastpass website https://www.lastpass.com/
Lastpass installs https://lastpass.com/misc_download2.php
Lastpass How-Tos https://helpdesk.lastpass.com/
Authy website https://authy.com/
Google Authenticator https://support.google.com/accounts/answer/1066447?hl=en