How many online accounts do you have? How many of them use the same password? Is this password a simple word like ‘Bananas123’? Thought so. Your’re screwed.
If you’re reading this post, you’re probably an ‘internet person’, use many online services from banking to Facebook and let’s face it, probably have insecure passwords to most of them. After years of hearing my friends moan about…
- forgetting their password to a particular site
- having to type a long password
- not wanting to use a securer password since it's too complicated to remember
- rejecting a semi-secure password I've generated for them (see #3)
- getting hacked
… I realized that I too, have some of those problems. Most critically, my passwords aren’t really that secure and could be brute-forced relatively quickly. In addition, I reuse my passwords (guilty).
The Last Password You Have To Remember
I’ve been using LastPass (watch a video) to manage and remember my passwords for years but so far, it’s been a matter of convenience: automatically logging into places with the same password. Now, after seeing my friend write on Facebook that she got hacked, I finally had the required incentive to take action.
For three nights in a row, I went through all of my online accounts and changed the password to every last one of them. I honestly can not remember all of the services I’ve signed up to over the years, but luckily, my LastPass vault had a good overview, of more than fifty services. Some of them I no longer use and a fraction of them had a “Delete account” link, which I shamelessly clicked. Others got their passwords changed to a long, completely random string like “orC+S9j7.k0!89aEUh?vVH5”.
- I'm now an unattractive target to personalized password-stealing attacks (not using any guessable personal words + see #2)
- Most large-scale brute-force attacks (trying do guess passwords from a list of password hashes) fail against my password: a large alphabet (letters, numbers, symbols), randomness and length (no password I generated is smaller than X characters, unless the service had a max length restriction)
- Even if my password on some service is compromised, it has no effect on the rest of my accounts since no account shares a password with another account
- I am now dependent on LastPass: I can not access any of my other accounts without first signing in to LastPass
This is all well and good, except…
@Yubico @SQrooted As long your Passwords are stored in any kind of Cloud , it isnt really save... — Archangel Blue 58 (@ArchangelBlue58) August 12, 2014
There is now a single point of failure: LastPass. If my master password was compromised, LastPass turned out to be evil or the password safe somehow got hacked, I’d be doomed.
From what I’ve read on the net on how LastPass operates and how they react to security breaches, I’m confident in trusting them with my safe of encrypted passwords. Yes, nothing is 100% secure, but you have to start trusting at some point.
As for keeping my master password safe:
- Use a secure (long, random) password
- Take the usual precautions: don't log in from an untrusted source, don't let anyone see you type the password etc
- Use two-factor authentication
Two Factor Authentication
Most banks (except Estonian ones, for we have ID-cards) require you to have some form of secondary identification, usually in the form of a code card. The same idea applies here: you have your password (something you know) and some form of a physical token (something you have). Login succeeds only when the two are used together, so when someone gets your password he can’t log in because he does not have the physical token and when you lose your token the finder can not log in because he does not know your password.
There’s a company out there that specializes in creating such tokens: enter YubiKey.
The rapid growth of online identity theft has exposed the vulnerabilities of logging with a username and password. Any information that is static, or stored on a device connected to the Internet, can be copied and misused by malware. Security experts agree that the best way to secure an online identity is to move out the user credentials to a separate device that is not connected to the Internet, and which generates a new and encrypted pass code every time it is used. Also, for strong two factor authentication it is recommended to combine the hardware authentication device with a PIN or a password – something you have + something you know. - YubiKey Website
A YubiKey is a small USB device that goes into your USB port and fits on your key ring for portability. The basic premise is simple: you log into your LastPass vault with your master password and are required to provide a unique password, generated by YubiKey. Just insert the device, press a button and the YubiKey creates a random password on the spot for you to log in with.
This isn’t a magical solution to all your online identity security problems, but using secure two factor authentication (which I consider YubiKey to be) and a good master password goes a long, long way, making less than sophisticated attacks against you fail (unless you’re really foolish yourself).
I am comfortable with my current state of security practices: I don’t log in from public devices, have strong, unique passwords to every service I use and a secure way to access them through two-factor authentication.
If you a) have short, easy passwords or b) reuse passwords, you should really do something about that. After all, “The Only Secure Password Is the One You Can’t Remember”. You don’t have to go all nuts, but I’d at least advise you to adopt LastPass (or similar) into your daily life and start generating random and secure(r) passwords for your services.
You will be glad you did this when you read another “my account just got hacked” post on your Facebook wall.
In case you’re interested how to use LastPass with Yubikey: LastPass YubiKey. Also, see Lorrie Faith Cranor: What’s wrong with your pa$$w0rd?