Password Best Practices (part 2)

Problems to be solved regarding passwords

Passwords provide authentication, an answer to the question “Who are you?” We’ve covered selecting a password that is hard to crack, but there is a different problem to be solved today: passwords being reused across multiple websites.

A single security breach often gives an attacker all of your passwords

When a site you have an account with suffers a security breach and its database is stolen, the attacker has a list of username and password combinations, and often email addresses. This lets them try those same combinations on other sites. Most people use the same credentials everywhere, so a single breach hands the attacker virtually all of their accounts.

The solution to this problem is to use a different password for each site.

The challenge then becomes remembering and keeping straight all of the different passwords required. My favorite solution is a service called LastPass.

LastPass is a password vault with many features that make it both secure and available anywhere.  You use LastPass so you don’t have to remember or type your password for any site ever again.  This allows you to use very secure passwords that are unique to each site, without the hardship that would otherwise entail.

I use LastPass exclusively to store my passwords (over 200 at last count).  This allows me to keep them unique and hard to crack.

Let me show you how I use LastPass to make life easier.

Plugins, plugins everywhere

LastPass is available as a browser plugin for all major browsers across all major platforms: Mac, Windows, or Linux. Open any major browser on virtually any computer, log in to LastPass and you will have all your passwords at your fingertips.

I use more computers than most people, due to my job and addiction to technology.  I use my iMac, iPad, iPhone, MacBook Air, my wife’s Windows 7 computer, and a couple of test Android devices almost daily and never have to scramble for login credentials when I need to get something accomplished.

Password generation

Coming up with unique, hard-to-crack passwords for each site is tedious, to say the least.  LastPass plugins provide a password generation tool.  This allows you to generate secure passwords that are long, random, and unique.

I use its generator for all the passwords I use. Since LastPass frees me from remembering or typing passwords, it’s a perfect solution.
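What a generator like the one described above has to get right is the randomness source and the length. The example below is added here and is not LastPass code; the alphabet and the 12-character minimum are assumptions, and real sites may restrict which symbols they accept.

```python
import math
import secrets
import string

# Assumed alphabet: letters, digits and punctuation that most sites accept.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{}:,.?"


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character uniformly from `alphabet` using the OS CSPRNG.

    `secrets` is the right module here; `random` is a predictable PRNG and
    must not be used for anything that has to stay secret.
    """
    if length < 12:  # assumed floor; shorter passwords are cheap to brute-force
        raise ValueError("refusing to generate a password shorter than 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def generate_for_sites(sites, length: int = 20) -> dict:
    """One fresh, independent password per site, so a breach at one site
    yields nothing usable at another."""
    return {site: generate_password(length) for site in sites}


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(pw), len(ALPHABET)):.1f} bits)")
    for site, site_pw in generate_for_sites(["bank.example", "mail.example"]).items():
        print(site, site_pw)
```

A 20-character password over this alphabet is roughly 128 bits of entropy, far beyond what any online or offline guessing attack can cover, and since the vault types it for you the length costs nothing.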

Two-factor authentication

If you keep all your passwords in LastPass, a thief who gains access to your account will have ‘all the keys to the castle’. To further secure your account, LastPass supports many different forms of two-factor authentication. Two-factor authentication ensures you are who you say you are by requiring not only a password (something you know) but also a code from a device or piece of paper (something you have), which greatly increases security. LastPass supports the YubiKey, Google Authenticator, paper-based Grid Multifactor Authentication, Sesame (Multifactor Authentication with a USB Thumb Drive), Fingerprint Authentication, and Smart Card Authentication. Don’t worry if you don’t know what each of those is; just notice that you have many different options to increase the security of your LastPass account.

I personally use a YubiKey to secure my account against theft.

One-time passwords

You may need to log into your account from an untrusted computer, such as a public computer or someone else’s machine. This is dangerous because you cannot know whether the computer has a keylogger installed. To mitigate this risk, LastPass supports the use of one-time passwords.

One-time passwords are also useful for bypassing your two-factor authentication on the off chance that you’ve lost or misplaced your two-factor authentication device or paper.

I always keep a sheet of 10 one-time passwords in a safe place.
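The property that makes a printed sheet of one-time passwords safe on a keylogged machine is that each code stops working the moment it is used, and that the service stores only hashes of the codes. The example below is added here to show that server-side handling and is not LastPass's implementation; the code format (64 random bits as four hex groups) and the sheet size of ten are assumptions.

```python
import hashlib
import hmac
import secrets


def generate_recovery_codes(count: int = 10, nbytes: int = 8) -> list:
    """Return `count` single-use codes, each 64 random bits written as four
    hex groups ('1a2b-3c4d-5e6f-7a8b') so they are easy to copy onto paper."""
    codes = []
    for _ in range(count):
        raw = secrets.token_hex(nbytes)  # 16 hex characters from the OS CSPRNG
        codes.append("-".join(raw[i:i + 4] for i in range(0, len(raw), 4)))
    return codes


def code_fingerprint(code: str) -> str:
    """Normalise (drop dashes, ignore case) and hash. Only the hash is kept, so a
    stolen database yields no usable codes. 64 random bits put the hash beyond
    offline guessing; for shorter codes a slow hash such as scrypt would be needed."""
    return hashlib.sha256(code.replace("-", "").strip().lower().encode()).hexdigest()


class RecoveryCodeStore:
    """Server-side record of unredeemed codes: hashes only, deleted on first use."""

    def __init__(self, codes):
        self._hashes = {code_fingerprint(c) for c in codes}

    def remaining(self) -> int:
        return len(self._hashes)

    def redeem(self, code: str) -> bool:
        candidate = code_fingerprint(code)
        match = next((h for h in self._hashes if hmac.compare_digest(h, candidate)), None)
        if match is None:
            return False
        self._hashes.remove(match)  # one-time: the same code can never succeed again
        return True


if __name__ == "__main__":
    sheet = generate_recovery_codes()
    store = RecoveryCodeStore(sheet)
    print("printed sheet:", *sheet, sep="\n  ")
    print("first use:", store.redeem(sheet[0]), "second use:", store.redeem(sheet[0]))
```

Replaying a code captured by a keylogger fails because the hash is gone from the store after the first successful redemption; the user sees the remaining count drop and knows when to print a fresh sheet.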

Security check

LastPass provides what it calls a security check feature. It scans your saved credentials and gives you a score based on the strength of your passwords and on password reuse. It identifies the sites on which you use the same password so you can change them to something unique or stronger.

I make it a habit to go through this process every 3-4 months, since I have a tendency to be lazy.  I think of it as a security tuneup.
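The two checks that matter in such a tuneup are reuse (the same password behind more than one site) and weakness (too little entropy). The example below is an added illustration of that audit over a constructed vault and is not LastPass's security check; the scoring weights and the 60-bit threshold are assumptions, and the strength estimate is deliberately optimistic (it treats every password as random over the character classes it uses), so a dictionary word will score higher than it deserves.

```python
import hashlib
import math
from collections import defaultdict

# Constructed sample vault of (site, password) pairs; not real credentials.
SAMPLE_VAULT = [
    ("bank.example", "Tr0ub4dor&3"),
    ("mail.example", "Tr0ub4dor&3"),
    ("shop.example", "password1"),
    ("forum.example", "Tr0ub4dor&3"),
    ("git.example", "x9#Lq2!vP7mR4wZt0bN"),
]


def charset_size(pw: str) -> int:
    """Size of the character classes the password draws from (symbols are
    counted as the 33 printable ASCII non-alphanumerics)."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33
    return max(size, 1)  # characters outside these classes get no credit


def strength_bits(pw: str) -> float:
    """Upper bound on entropy: length * log2(charset). Real strength is at most this."""
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def find_reuse(vault) -> dict:
    """Group sites by a short password fingerprint so the report never echoes
    the password itself; only groups with more than one site are returned."""
    groups = defaultdict(list)
    for site, pw in vault:
        groups[hashlib.sha256(pw.encode()).hexdigest()[:12]].append(site)
    return {fp: sites for fp, sites in groups.items() if len(sites) > 1}


def audit(vault, min_bits: float = 60.0) -> dict:
    """Score out of 100: -10 per weak password, -15 per extra copy of a reused one."""
    reused = find_reuse(vault)
    weak = [site for site, pw in vault if strength_bits(pw) < min_bits]
    duplicates = sum(len(sites) - 1 for sites in reused.values())
    score = max(0, 100 - 10 * len(weak) - 15 * duplicates)
    return {"score": score, "weak": weak, "reused": reused}


if __name__ == "__main__":
    report = audit(SAMPLE_VAULT)
    print("score:", report["score"])
    print("weak passwords at:", ", ".join(report["weak"]))
    for sites in report["reused"].values():
        print("one password shared by:", ", ".join(sites))
```

On the sample vault the reused password costs more than the weak one: three sites share it, so one breach at any of them exposes the other two.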

Form filling

LastPass can also fill forms for you.  Never again will you have to fill in complicated shipping address or registration forms.  It uses the same secure storage and synchronization routines to keep this data safe, so you can trust it with credit card numbers.

Phishing protection

LastPass knows all the URL rules that are hard for a human to know and recognize. A human cannot distinguish http://pаypаl.com from http://paypal.com. The former is actually a different site, as its ‘a’ characters are Cyrillic, though visually identical to the Latin ‘a’ in almost all fonts. LastPass can tell the difference and will only enter credentials for the real PayPal site.
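The reason software can tell the two apart is that a browser never compares the pretty Unicode name: it converts the hostname to its ASCII (IDNA/punycode) form, and the Cyrillic version becomes an `xn--` name that is a different string from `paypal.com`. The example below is added here to show that check and a mixed-script test; it is not LastPass's matching logic, and the fill policy (exact canonical host match, refuse mixed-script labels) is an assumption about what a vault should do.

```python
import unicodedata
from urllib.parse import urlsplit

# Constructed look-alike: \u0430 is CYRILLIC SMALL LETTER A, drawn like Latin 'a'.
LOOKALIKE_URL = "http://p\u0430yp\u0430l.com/signin"
REAL_URL = "https://paypal.com/signin"


def canonical_host(url: str) -> str:
    """Hostname as it is actually resolved: lowercased and converted to its
    ASCII (IDNA/punycode) form. Returns '' when there is no usable host."""
    host = urlsplit(url).hostname or ""
    try:
        return host.encode("idna").decode("ascii")
    except UnicodeError:  # invalid label: treat as no host, so nothing is filled
        return ""


def letter_scripts(label: str) -> set:
    """Unicode scripts of the letters in one DNS label, e.g. {'LATIN', 'CYRILLIC'}."""
    scripts = set()
    for ch in label:
        name = unicodedata.name(ch, "")
        if " LETTER " in name:
            scripts.add(name.split(" ", 1)[0])
    return scripts


def is_mixed_script(host: str) -> bool:
    """True when any label mixes scripts, the classic homograph pattern."""
    return any(len(letter_scripts(label)) > 1 for label in host.split("."))


def should_autofill(page_url: str, saved_url: str) -> bool:
    """Fill only when the page's canonical host equals the saved entry's host
    exactly (no prefix or suffix tricks) and the page host mixes no scripts."""
    page_host = canonical_host(page_url)
    if not page_host or is_mixed_script(urlsplit(page_url).hostname or ""):
        return False
    return page_host == canonical_host(saved_url)


if __name__ == "__main__":
    print("real:     ", canonical_host(REAL_URL), should_autofill(REAL_URL, REAL_URL))
    print("lookalike:", canonical_host(LOOKALIKE_URL), should_autofill(LOOKALIKE_URL, REAL_URL))
```

The same exact-match rule also stops fills on `paypal.com.evil.example`, which is not a homograph at all but is equally easy to misread in an address bar.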

Much more

  • Secure Notes
  • Offline Backup
  • Import and Export
  • Favorites
  • Sharing
  • Identities
  • History
  • Virtual Keyboard
  • Bookmarklets

You can find details about everything I’ve discussed here, and more, in LastPass’s User Manual.

Posted by dmangus