Managing Passwords, Securely

I recently wrote about the desire, by many, to see the death of passwords.  All negatives considered, if passwords go away, it won’t be because people don’t like them but because they lose their efficacy and cost proposition (they’re effectively free, transportable, satisfy the “something you know” criteria, and they’re easy to replace).

After that post, a friend asked how to generate, maintain, and use passwords, more securely.

Here’s my best effort at doing that reasonably.


You must remember some passwords

I tend to memorize passwords I use to authenticate to my physical devices (i.e., phone, Surface Pro 4, home and work laptops).  I also memorize the password I use for my password management software.

I create these passwords myself and I don’t tend to store these passwords anywhere.  I like to change these passwords at least every 90 days.

These passwords are all at least 20 characters in length.


Use tools to help


[Image: LastPass logo; available for iOS / Android / Windows]

This tool is available as a web service, as a browser extension for many popular web browsers, and as a program that can be installed on Windows, Mac, or most mobile devices.  This program uses a password you supply to encrypt/decrypt information you want to protect.  You can store account credentials like username/password and that data will be protected.

LastPass costs $12/year at the time of this post.

One feature I value in LastPass is that it synchronizes your encrypted data across multiple devices, so that even if you can’t access the internet, your mobile device or laptop will hold an encrypted copy of your passwords that you can unlock and use.


[Image: Yubico logo]

To add to the security of LastPass, I’ve added Yubico Yubikeys (also available at Amazon.com).

[Image: Yubico YubiKey Neo]

These devices can be used by plugging them into a USB port on a device or, for the Neo models, through Near Field Communication (NFC).  The device becomes a second factor for authenticating you to LastPass (the password you memorized is the first).  The latest version, the YubiKey 4, is undergoing FIPS 140-2 certification (read the Yubico blog post).

After connecting the YubiKey device to your LastPass account, you start the LastPass program and you are provided the opportunity to claim an identity.

You enter your secret credential (that’s your password) as your first credential to be validated against the identity you claimed.  If you have a Yubico Yubikey associated with your account, you will be challenged to use this physical device to complete the login process.


You can choose to enable multi-factor authentication (MFA) and then trust one or more computers/devices by checking the box at the bottom of the YubiKey authentication dialog that starts “This computer is trusted ….”


Generating Secure Passwords

Once you install and start using LastPass, you can generate secure passwords and store them immediately in your local copy of the password vault.  The encrypted list of passwords will be synchronized with your other LastPass devices as soon as you have access via the internet.
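To make concrete what "secure" means for a generated password (length drawn from a CSPRNG over a large alphabet, measured in bits of entropy), here is an added Python example; it is not LastPass's generator, and the character classes and the 10 billion guesses-per-second rate are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character classes the generator can draw from (constructed for this example).
CHARSETS = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.<>?",
}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password whose characters are chosen uniformly at random:
    length * log2(alphabet size). This is the quantity that length and a
    large alphabet both increase."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20,
                      classes=("lower", "upper", "digits", "symbols")) -> str:
    """Draw each character uniformly from the pooled alphabet using the OS
    CSPRNG (secrets), never random.random(). Candidates missing one of the
    requested classes are rejected so the result satisfies typical site
    rules; at length 20 the rejected fraction is tiny, so the entropy loss
    versus the unfiltered figure is negligible."""
    if length < len(classes):
        raise ValueError("length too short to include every requested class")
    alphabet = "".join(CHARSETS[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in CHARSETS[c] for ch in candidate) for c in classes):
            return candidate


def expected_crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time for an offline attacker to guess the password: on average
    half the keyspace must be searched (assumed guess rate is illustrative)."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    pw = generate_password(20)
    size = sum(len(CHARSETS[c]) for c in ("lower", "upper", "digits", "symbols"))
    bits = entropy_bits(len(pw), size)
    print(pw, f"{bits:.1f} bits", f"{expected_crack_seconds(bits):.3e} s")
```

Compare the output with an 8-digit PIN (entropy_bits(8, 10) is about 26.6 bits): the 20-character password above is roughly 128 bits, which is why the post's 20-character minimum matters far more than any single "clever" substitution.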


Logging In With Help

Once you have LastPass installed on your device or you have the browser extension installed, you can use the passwords LastPass stores to log in to websites or programs without ever needing to know the password for the website or program.

One example of how the browser plugin helps is shown here with Facebook.  In this image you can see where you would normally enter your email and password, but you will notice that there’s an extra item in these boxes.  The yellow box highlights that LastPass has 3 accounts stored for Facebook.  Clicking on the ellipsis with the ‘3’ overlaid on it drops down a box from which I can select the account I want to log in to.  When I click that account, its credentials are pasted into the email and password fields and I can simply click the “Log In” button.  This type of help is supplied for applications on my mobile devices as well.


Conclusion

As with any process or tool, the effectiveness is in the use.  If you reuse passwords on multiple sites or keep the same password for many months without changing it, the odds of your credential being compromised grow.

Even if you use these tools effectively, they don’t guarantee that your credentials, and whatever account depends on them, will be safe or secure.  Security is an interplay between what you as a user do and what the system implementers do.  If you use tools to generate very secure passwords (through length and a large amount of entropy, etc.) but the system that’s holding your credentials (e.g., the website where you supplied your identity and password) fails to use strong encryption or good, effective security hygiene and practices, then your credentials, and those of other users, may become compromised.

This isn’t your concern, however.  You must focus on doing your part.  If the service you log into fails to protect your information, there are organizations tasked with protecting you.  In the case of a business website that fails to protect your data, the Federal Trade Commission (FTC) may step in to protect US consumers.

Thus, until there is a shift towards some other security mechanisms like abstracted identity (or Identity as a Service) and physical security through devices like Yubico’s YubiKeys, passwords will likely continue and you can utilize services like LastPass for a nominal fee to achieve a higher degree of security.