Secure Password Management
Karl Mueller
Sr. Solutions Architect, @Labs
karl – at – walmartlabs.com
March 21st, 2014
Who Am I?
● 20 years industry operations experience
● Joined Kosmix 2005
● Acquired into @Walmartlabs, 2011
● NOT a security expert!
– but neither are most people!
What is the problem?
● Sites get compromised
● Passwords can be recovered
– Even sites practicing good security!!
● Emails and passwords are re-used
● More and more online accounts!
● Most hackers are after lower-hanging fruit
● Some hackers target specific people, e.g. the @N Twitter account
What is a solution?
● Unique, random, long passwords per site
– 8, 12, 16 characters – even longer!
● Compromised? Limited vulnerability
● Password managers are one way to do this
● Password manager must be secured well
● Not perfect – nothing is perfect
Considerations in a PM
● How is the data secured?
● Can I access my data on mobile? How?
● Is there two-factor authentication?
● Can the data be recovered without the master password?
● How do I back it up securely?
● Can it be used if company XX goes splat?
My choice: Lastpass Premium
● Premium ($12/yr) adds mobile support
● Encrypted cloud storage
● Secured and Encrypted by master password
● Good 2-factor authentication
● Usual support of forms, data, password generation
My choice: Lastpass Premium
● Works off-line
● Import/Export for backups
● CSV export available for non-Lastpass use
– PITA – mostly disaster recovery, IMO
● All major browsers have plugins
● All mobile have fully-functional app ($$)
My choice: Lastpass Premium
● Lastpass never gets non-encrypted data
● Not perfect, but IMO the best option
● Other options are also good! Check 'em out
● Choosing a good password manager is a big deal!
● If somebody hacks Lastpass and releases booby-trapped code, all bets are off the table... but that's true for everybody
Using Lastpass
● Create account
● Create MASTER PASSWORD
● No master password = NO DATA
● Add 2-factor authentication
● Read blogs on securing and using it
● Some security settings are important
Lastpass Vault (not mine)
Login buttons
Best Practices – Master Pass
● Master password should be very good
– Write one or two copies down – optional
– The MP is obviously critical
– Losing master password means no data
● Never use 'Remember me' option
● Be careful with “Allow for XX hours”
Best Practices - Sites
● Every site gets a long, unique password
– As long as allowed, if possible
– Use symbols if allowed
● Change ALL passwords to random ones in PM
– (Optional) except things like financial accounts
– trade-offs for those as well
Best Practices - Sites
● Consider a 2nd, secure email for financial accounts
● Maybe not really helpful
● Enable 2-factor and security notifications
2-Factor Authentication
● Something you know + Something you have
● Possibilities:
– cell phone / SMS text
– FOB keys / custom solutions
– TOTP / Google Authenticator
● How secure it is varies, despite 2-factor
● Still a good thing - usually
2-Factor Best Practices
● Enable on critical accounts if at all possible
● Especially:
– Lastpass (or other PM)
– Google
– Facebook
– Linkedin
– Banks and Financial (!!)
● twofactorauth.org has a list
2-Factor Best Practices
● Realistically, it can often be bypassed
● Social engineering works really well
– Humans want to be helpful
● Password protection still the best option
● “Reset password” is almost universal
– Email security on accounts is paramount!
● Where you can't be secure, early notice is best
2-Factor Best Practices
● Some 2-factor sites (like Google) can give you one-time-use codes.
● Codes can substitute for your 2-factor once.
● Good to have as backup or travel
● Carefully print or control where they are
2-Factor Best Practices
● Be careful about critical 2-factor accounts
● You can lose access without it, sometimes!
● Understand how to transfer things like the Google Authenticator app to a new phone
● On most sites, you can fix not having 2-factor with the master password, but not every one!
● Codes are a good idea to have printed out
– Secure those puppies!
Passwords – Worst Practices
● Are you a worst practice-ing password-er?
● YOU ARE MAKING IT EASY!!!
– hackers <3 you – feel the love
● Bad ideas: Using personal data of any kind
– birthdays, anniversaries, dates
– addresses, cities, locations
– favorite colors, items, activities, ...
– old phone numbers and account numbers
– anything relating to your children or spouse
● Dictionary words of any kind, even modified
● DO NOT DO THIS!
How to make Secure Passwords
● Completely random is best
● Long, complex passwords are 2nd best
● Length of password matters - a lot
– encryption and hashes both benefit
● If you have to remember it, use strategies
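The "completely random is best" and "8, 12, 16 characters" points above, worked through as an added example (not code from the talk): a generator that draws uniformly from whatever character classes a site allows, plus the search-space arithmetic showing why length dominates. The 1e10 guesses/second rate is an assumed attacker speed for illustration, not a figure from the slides.

```python
import math
import secrets
import string


def build_alphabet(upper=True, digits=True, symbols=True, symbol_set=string.punctuation):
    """Character set a given site allows; lowercase letters are always included."""
    alphabet = string.ascii_lowercase
    if upper:
        alphabet += string.ascii_uppercase
    if digits:
        alphabet += string.digits
    if symbols:
        alphabet += symbol_set  # sites that allow only a subset of symbols: pass that subset in
    return alphabet


def generate_password(length, alphabet):
    """Uniformly random password from the OS CSPRNG (secrets, never random.choice)."""
    if length < 8 or len(alphabet) < 2:
        raise ValueError("password too short or alphabet too small")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Search space of a uniformly random password in bits: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Worst-case time for an attacker to try every candidate at the given guess rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


def compare_lengths(alphabet, lengths=(8, 12, 16), guesses_per_second=1e10):
    """For the slide's 8/12/16-character suggestion: bits and years to exhaust per length.

    Each extra character multiplies the search space by the alphabet size, which is
    why length matters more than any single clever substitution. guesses_per_second
    is an assumed attacker rate used only for illustration.
    """
    return {
        n: (round(entropy_bits(n, len(alphabet)), 1),
            years_to_exhaust(entropy_bits(n, len(alphabet)), guesses_per_second))
        for n in lengths
    }


if __name__ == "__main__":
    full = build_alphabet()
    # One unique random password per site, as the talk recommends.
    for site in ("bank", "email", "social"):
        print(site, generate_password(16, full))
    print(compare_lengths(full))
```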
Bad password example
● Example: Take two words, bunny + carrot
● Combine them and scramble a bit
– Bunn33%carrot
● This is much less secure than you might think
– Though.. still better than most out there
Good password example
● Start with a phrase, a made-up story is good
– “My bunny is weird, he only eats green carrots”
● Take first letters, scramble a bit
– Add punctuation/symbols
– replace some letters with non-expected ones
– add some words at the end that are easy to add, to lengthen the password
Good password example
“My bunny is weird, he only eats green carrots”
mY!biW+He0eatsgreencarrots
● Sufficient Random-ish chars important (8+)
● Extra words or characters help – even if simple
● You'll have to type this out, don't be too crazy
● You need to remember it
– Putting it on a post-it kind of beats the point of it
App-specific passwords
● Offered by Google, Microsoft, Facebook, etc.
● Creates a one-use password (or several)
– Sometimes it can be named, e.g. “iPhone email”
● Limited ability to change account
● You can disable all app-specific passwords from master account controls
● Use for iPhone email, IM chats, etc.
● Avoid using your real passwords whenever you can
2-Factor Example: Google
● Implements TOTP
● Scans a QR code (or type in) for shared secret
● Generates a 6-digit code based on secret securely
● Codes last about 30 seconds, then change
● Turns your mobile device into RSA FOB
● Works very easily in practice
● Add everywhere you can!
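The mechanism behind the "2-Factor Authentication" and "2-Factor Example: Google" slides, as an added example (not code from the talk or from Google Authenticator): the RFC 6238 TOTP computation over a base32 shared secret, the otpauth URI that the QR code carries, and a server-side check that tolerates a little clock drift. The account and issuer names in the demo are made up.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from urllib.parse import quote


def new_secret(nbytes=20):
    """Per-account shared secret, base32-encoded as the authenticator app expects it."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode("ascii")


def provisioning_uri(secret_b32, account, issuer):
    """The otpauth:// key URI that the enrollment QR code encodes (or that you type in)."""
    label = quote(f"{issuer}:{account}", safe=":@")
    return f"otpauth://totp/{label}?secret={secret_b32}&issuer={quote(issuer, safe='')}&digits=6&period=30"


def totp(secret_b32, for_time=None, step=30, digits=6):
    """RFC 6238 TOTP with HMAC-SHA1, the scheme Google Authenticator implements."""
    raw = secret_b32.upper().rstrip("=")
    key = base64.b32decode(raw + "=" * (-len(raw) % 8))  # restore base32 padding
    now = time.time() if for_time is None else for_time
    counter = int(now) // step  # the code changes every 30 seconds
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)  # keep leading zeros


def verify(secret_b32, submitted, for_time=None, step=30, window=1):
    """Server-side check allowing +/- window steps of clock drift.

    Every candidate is compared with compare_digest so the comparison itself
    leaks no timing information about the expected code.
    """
    now = time.time() if for_time is None else for_time
    ok = False
    for drift in range(-window, window + 1):
        expected = totp(secret_b32, now + drift * step, step)
        ok |= hmac.compare_digest(expected, submitted)
    return ok


if __name__ == "__main__":
    s = new_secret()
    print(provisioning_uri(s, "user@example.com", "ExampleSite"))  # constructed names
    print("current code:", totp(s))
```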
Final Suggestions
● Never, ever give out passwords
● IT and sites almost never have a legitimate use for it
● Don't save your corporate credentials – ever
● Be very careful giving out information
● Be very careful using devices not yours
Final Suggestions
● Password managers are worthless without good device and computer security!
– phishing
– malware / viruses
– social engineering
– saved passwords in browser
● Use passcodes on your phone
● Configure phone to erase itself after X tries
Final Suggestions
● Email account is critical
● Almost all sites have “reset password”
● Can usually bypass 2-factor as well (!!!)
Q&A
Questions?