Time to Kill Passwords

Disclaimer – I do not work for nor am I being paid to write this article by either LastPass or Yubico or any other party.

Image: Passwords (Image Source: pcmag.com)

Over the last month there have been a dozen different security breaches:

And all of these just from December 2013 through January 2014. Admittedly the CNN and Microsoft breaches were not a release of data, but they show that hackers (in these two cases it looks like it was the SEA, or Syrian Electronic Army) are active and will use whatever they can to either get your information or spread their message. Furthermore, compromised accounts do not seem to be the root cause of the Target, Neiman Marcus, Michaels, or White Lodging attacks; those were sophisticated malware introduced into the Point-of-Sale (POS) systems. The Yahoo attack was simple: get people’s account credentials.

What the Microsoft, CNN and Yahoo attacks have in common is that they either harvested account information or used compromised accounts for malicious purposes. We may not be able to easily fight credit card theft without a huge overhaul of all our POS systems, but as individuals we do have control over our web accounts, and we can use a form of two-factor authentication to keep ourselves safe.

In this article I am going to be speaking specifically about YubiKey by Yubico and LastPass. Why? These are the products I currently use; I have had no issues with them and love the easy integration between them.

Password Managers

There are a few dozen different password managers out there, all with different features. Most have some kind of plugin that ties into your favorite web browser. Some have a nice web interface while others have a desktop application. It all depends on what you are really looking for. For a good overview of the different password managers, go over to PCMag and read their “The Best Password Managers” article.

LastPass

I’ve been using LastPass for over a year now. It stores/creates all my passwords nowadays, and it can do much more: it can also securely store credit card information and documents, audit your passwords, and more. Currently I am using it primarily to store my passwords, while having access to them at work or at the local bar using the mobile app.

Besides storing and importing all your current passwords, it is streamlined enough to tell you if you are using the same password on another site (which is a big no-no), and it has an easy-to-use password generator to help update all those annoying passwords. You can also set up “equivalent domains” for sites that use the same login credentials but have different URLs (example: amazon.com and audible.com).
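As an added illustration (my own code, not LastPass’s and not from the original post), here is a small Python model of the two audit features just described: spotting a password reused across unrelated sites while treating a configured equivalent-domain group as a single site, and replacing each reused password with a freshly generated random one per site. The vault contents, the equivalent-domain group and the generator alphabet are constructed sample data and assumptions, not LastPass internals.

```python
import math
import secrets
import string
from collections import defaultdict

# Constructed sample vault (site -> password). None of these are real credentials.
SAMPLE_VAULT = {
    "amazon.com": "Tr0ub4dor&3",
    "audible.com": "Tr0ub4dor&3",      # same login as amazon.com on purpose
    "wellsfargo.com": "Tr0ub4dor&3",   # genuine reuse across unrelated sites
    "chase.com": "k9$Qm2!vLz7#Wq1p",
    "facebook.com": "correct horse battery staple",
}

# Equivalent-domain groups as a user might configure them (assumption).
EQUIVALENT_DOMAINS = [
    {"amazon.com", "audible.com"},
]


def canonical_site(site, groups=EQUIVALENT_DOMAINS):
    """Map a domain to one representative for its equivalent-domain group."""
    for group in groups:
        if site in group:
            return min(group)  # deterministic representative
    return site


def find_reused_passwords(vault, groups=EQUIVALENT_DOMAINS):
    """Return {password: sorted canonical sites} for every password used on
    more than one *distinct* site. Sharing within an equivalent-domain group
    counts as a single site and is therefore not reported."""
    by_password = defaultdict(set)
    for site, pw in vault.items():
        by_password[pw].add(canonical_site(site, groups))
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


# 94-character alphabet: letters, digits and punctuation (assumption).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def password_entropy_bits(length, alphabet=ALPHABET):
    """Bits of entropy of a uniformly random password over `alphabet`."""
    return length * math.log2(len(alphabet))


def generate_password(length=20, alphabet=ALPHABET):
    """Uniformly random password (CSPRNG) that contains all four classes."""
    if length < 4:
        raise ValueError("need at least 4 characters to cover all classes")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def rotate_reused(vault, groups=EQUIVALENT_DOMAINS, length=20):
    """Return a copy of `vault` in which every reused password is replaced by a
    new random password, one per canonical site, so equivalent domains still
    share a credential while unrelated sites no longer do."""
    new_vault = dict(vault)
    for pw, sites in find_reused_passwords(vault, groups).items():
        per_site = {s: generate_password(length) for s in sites}
        for site, old in vault.items():
            if old == pw:
                new_vault[site] = per_site[canonical_site(site, groups)]
    return new_vault


if __name__ == "__main__":
    for pw, sites in find_reused_passwords(SAMPLE_VAULT).items():
        print("reused on", sites)
    print("entropy of a 20-char password: %.1f bits" % password_entropy_bits(20))
```

Run as a script it reports the one genuine reuse (amazon.com and wellsfargo.com; audible.com folds into amazon.com) and the entropy of a 20-character password from this alphabet, about 131 bits, which is the reason a generated password is not brute-forceable even if the site’s hash database leaks.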

You are probably saying right now: “this is all good, but I still need a username and password to log in to LastPass”. Correct, and it will be the only password you ever have to know. It is a lot easier to remember one long, complicated password than to remember “which complicated password do I use with Wells Fargo vs. Chase?”. My current password is over 20 characters long, using special characters, numbers, and lower- and uppercase letters.

LastPass does have a few issues I have found. Integration with IE doesn’t seem to be the best in the world, on some websites it cannot determine the username and password boxes, and by default two-factor authentication is not enabled. For the last point, there are a number of ways to enable two-factor authentication, including a one-time password (OTP) option from LastPass and various third-party tools.

Conclusion: no matter what password manager you choose, just do it. You only need to know one password, and whether it is Yahoo or someone else that gets hacked, only THAT account is compromised; the attackers will not be able to get into your Facebook or Twitter accounts with it. Plus, using a password manager lets you have long random passwords, which cannot be easily brute-forced.

Two-Factor Authentication

There are many options in this area. Google uses Google Authenticator, which generates time-based one-time passwords (TOTP) from a secret shared with your device; Facebook and Twitter can send a one-time code to your phone when you try to log in from an unrecognized device. In the corporate environment companies use a special smart card/badge, a security token, or biometrics. Whenever possible you should use two-factor. More and more sites are rolling this out, so opt in ASAP!

Image: YubiKey NEO on a smartphone (Image Source: yubico.com)

LastPass can tie into the following methods:

* Indicate built-in LastPass options

YubiKey by Yubico

Yubico has a number of options. The one I have is the YubiKey NEO (pictured above). The reason I got this one is that it has all the standard features but also has NFC. This is useful if you have an NFC-enabled smartphone, have LastPass configured to use YubiKey, and want to access your passwords while on the go and not near a computer.

Yubico has a decent software suite that lets you program your YubiKey for other uses, including enabling two-factor authentication in Windows.

Overall Conclusion

With LastPass and YubiKey together you have a secure place to store random passwords, with a different password on every site, plus a little extra protection for your LastPass account itself. The two working together is incredibly simple. Sign up with LastPass, purchase a YubiKey, configure LastPass with a strong password and set it to use YubiKey as two-factor authentication. After that, every time you try to log into your LastPass vault it will ask for your username and password. After you click login, plug your YubiKey into a spare USB port and tap the little button; it types a one-time code that LastPass checks before letting you finish logging in. Because the code is one-time, a code captured by a keylogger or a shoulder-surfer cannot be replayed later.
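As an added example (my own code, not Yubico’s or LastPass’s), here is what sits behind that button press. A Yubico OTP is 44 characters in “modhex”, a hex alphabet chosen to survive any keyboard layout: the first 12 characters are the key’s public ID, the remaining 32 are one AES-128 block that the key encrypted with its own secret key. The validating server decrypts that block (the AES-128 step is not shown here, since the Python standard library has no AES; the checks below start from the decrypted 16 bytes) and then verifies three things: the CRC-16 residue, which fails if the wrong AES key was used or the OTP was corrupted; the 6-byte private ID, which ties the block to the registered key; and that the counters are higher than the last accepted pair, which is what makes a captured code unreplayable. The private ID, counters and public ID below are constructed sample values.

```python
import struct

# Yubico's modhex alphabet: value 0..15 in order, chosen so the characters land on
# the same physical keys across keyboard layouts.
MODHEX = "cbdefghijklnrtuv"


def modhex_decode(s: str) -> bytes:
    if len(s) % 2 or any(ch not in MODHEX for ch in s):
        raise ValueError("not modhex")
    nibbles = [MODHEX.index(ch) for ch in s]
    return bytes(hi << 4 | lo for hi, lo in zip(nibbles[::2], nibbles[1::2]))


def modhex_encode(b: bytes) -> str:
    return "".join(MODHEX[x >> 4] + MODHEX[x & 0xF] for x in b)


def split_otp(otp: str):
    """A Yubico OTP is 44 modhex chars: 12-char public ID + 32-char AES block."""
    if len(otp) != 44:
        raise ValueError("OTP must be 44 modhex characters")
    return modhex_decode(otp[:12]), modhex_decode(otp[12:])


def yubico_crc16(data: bytes) -> int:
    """CRC-16 as used by the YubiKey (reflected 0x1021, init 0xFFFF, same as PPP FCS)."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            lsb = crc & 1
            crc >>= 1
            if lsb:
                crc ^= 0x8408
    return crc


# Running the CRC over a block that already carries its (inverted) CRC yields this residue.
CRC_OK_RESIDUAL = 0xF0B8

# Decrypted block layout, little-endian: private ID, non-volatile counter (bumped per
# power-up), timestamp low/high, session-use counter (bumped per press), random, CRC.
TOKEN = struct.Struct("<6sHHBBHH")


def build_token(private_id: bytes, ctr: int, use: int,
                tstamp: int = 0x123456, rnd: int = 0x4242) -> bytes:
    """Construct the 16-byte plaintext a key would produce (sample data only)."""
    body = struct.pack("<6sHHBBH", private_id, ctr, tstamp & 0xFFFF,
                       (tstamp >> 16) & 0xFF, use, rnd)
    crc = (~yubico_crc16(body)) & 0xFFFF
    return body + struct.pack("<H", crc)


def verify_token(plain: bytes, expected_private_id: bytes, last_seen: tuple) -> str:
    """Server-side checks on the decrypted block. `last_seen` is the (ctr, use)
    pair of the last OTP accepted for this key."""
    if len(plain) != TOKEN.size or yubico_crc16(plain) != CRC_OK_RESIDUAL:
        return "BAD_CRC"            # wrong AES key, or corrupted/garbled OTP
    uid, ctr, _tlo, _thi, use, _rnd, _crc = TOKEN.unpack(plain)
    if uid != expected_private_id:
        return "BAD_PRIVATE_ID"     # decrypts, but not this key's secret identity
    if (ctr, use) <= last_seen:
        return "REPLAYED"           # already accepted, or older than the last one
    return "OK"


# Constructed sample: a registered key's private ID and a token from its 5th
# power-up, 2nd press. The "ciphertext" half of DEMO_OTP is the plaintext block
# re-encoded in modhex purely so split_otp has realistic input to parse.
PRIVATE_ID = bytes.fromhex("6a2b4c5d6e7f")
DEMO_PLAIN = build_token(PRIVATE_ID, ctr=5, use=2)
DEMO_OTP = "ccccccbcgujh" + modhex_encode(DEMO_PLAIN)

if __name__ == "__main__":
    public_id, block = split_otp(DEMO_OTP)
    print("public id:", public_id.hex(), "block:", block.hex())
    print(verify_token(DEMO_PLAIN, PRIVATE_ID, (5, 1)))  # fresh
    print(verify_token(DEMO_PLAIN, PRIVATE_ID, (5, 2)))  # same code again
```

The monotonic counter check is the important one: the server stores the highest (ctr, use) pair it has accepted per key, so even an attacker who records the keystrokes of a valid login holds a code the server will refuse from then on.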

So get out there, get a password manager and keep your passwords secure.