A couple of weeks ago the Heartbleed bug in OpenSSL focused everyone on security and passwords, remember that? Yeah, pretty much forgotten about now.
You’ve spent time changing your passwords haven’t you?
Maybe you should…
Anyways, I try to be good with my security and password management. After being on-line for the best part of 20 years I’ve had a few pitfalls and issues that made me realise very early on that account security is important and becoming more important each day. I made a very conscious decision not to pay lip service to my accounts and their security. I have a few tools that I use to help me, and I thought I’d write up a bit about how I manage my on-line accounts & passwords to help you think through your own procedures.
I honestly don’t remember more than one or three of my passwords, because I use strong passwords, very strong passwords. My WordPress sites, for example, have 100 character passwords, impossible for me to remember. I’m sure that they are not impossible to crack, they will just take a little longer than one that is, say, 10 characters long, which is generally classed as strong if it has a special character, a numeric and an uppercase letter.
This is what works for me. As ever there are other options available, you just need to find the set up that works for you.
I use 2 factor authentication on as many accounts as I can, and in some cases this turns into 3 factor authentication, as you will see below. So for my mail on Google Apps I use the Google Authenticator on my phone, which generates an ever-changing code that you need to type into Google before it will give you access to your account.
I use LastPass to store my passwords. As I said earlier, this is the platform that works for me; have a look around at password vaults and pick one that does what you want. For me it is LastPass, again with 2 factor authentication, this time in the guise of a Yubikey.
The Yubikey generates a one time password which is sent to LastPass. LastPass then verifies this against the Yubikey server and, if it is correct, allows access to my account.
The weak point in all of this is my password for LastPass. It has to be something I can remember; granted, it has the second level of protection of the 2 factor authentication, but it still has to be something I can remember, and I don’t want to be writing it down anywhere. So I started off with a strong 12 character password and I then add in a character, or if I’m feeling daring, two, every so often, so my password is getting stronger every month. There will of course be a point when I need to stop this because it will become unmanageable, but for now that is what works for me.
So my logging on process for my mail is something like:
- Sign in to LastPass with 2 factor authentication using the browser plugin
- Go to Google and use LastPass to fill the username & password fields
- Enter the Google Authenticator code
and I’m in, simple.
It isn’t as onerous as it sounds once you get into it. Of course I need to have my phone and my Yubikey to access anything, but I am rarely without them. If for whatever reason I am without one or the other of my physical tokens, I do have a set of back-up codes that I can use.
A point to note: if you use 2 factor authentication with Google Apps, you will need to set up application specific passwords for your devices for Mail and other applications, so that you can stay logged in and don’t get asked for your password and authentication code. This is currently found under:
Manage this domain >> Users >> Security
Other stuff I do to stay secure includes not keeping my bank details in anything other than my head. I do use LastPass to do the first part of my banking login, but there are some things that are just too important to trust to anything other than my memory.
I also regularly review my accounts and ask whether I need them. The best security you can have with any site or service is not having an account with them, so I look at my accounts a couple of times a year and decide if I need to have an account with XYZ service; if I don’t, I delete it. If I can’t delete it, I change the E-mail address to a special dump one just in case I ever need to get in again, set the longest password that I can and don’t save it.
I also run the handy security challenge on LastPass every month to check my passwords and give me a rank against other service users. I’m currently at 96.9%; I will be working on improving that over the next few weeks.
I might be a bit odd and all this may be a bit extreme, but it works for me. Take the bits of this you want and use them and ignore the rest, but make sure you take your online security seriously.