Ep 91 – May 12 – Password Management

Martin Uncut

Today I am going to talk about passwords and password management.


It is probably 10 years ago by now, but back then I stored all my passwords in a note in Evernote called "password". I encrypted the note, of course, to make it harder to get hold of them. But it was a bit of a trouble to open up Evernote, decrypt the note, copy the password and go back to the browser. Most of the places where I needed to log in thus got a short and easy password that I could easily remember. hj6789. Yes, that was the password. Super easy to remember and super easy to type.

I am a fairly well-educated person (M.Sc.) and have worked with computers for a while. I also had a great interest in hacking – I still do. I can't hack myself, but I do love to understand, and be fascinated by, what people can come up with. But all of this knowledge didn't beat my laziness. And guess what. Someone got into my Twitter account and DMed all my connections. What a wake-up call.

I can't be sure. But I think a website somewhere, where I had an account, got hacked. They got hold of the password store, which was either in plain text or salted and one-way encrypted – which is no match for a dictionary lookup. This incident of course put me in red-alert mode, and I spent the better part of two days going through all the sites I could remember, all accounts everywhere, and gave them tough and unique passwords. And since then I have been rock solid with that personal password policy.

If you do this, you of course cannot remember the passwords or keep them in a semi-secure Evernote note. You need to have them in a safe, well-encrypted place, but still have quick and easy access to them. Not only from your computer but also from your mobile devices. Being able to log into an account should never be hard. Creating a new account with a secure password should never be hard.

This is where the password managers come in. I will talk about two different ones today. There are more out there. Do your own research on these and choose the one that works for you. This is a tool where you should not consider cost – it is unimportant. If you can only pay for one app, this is the app you should invest in. That should be the priority. Take it seriously, make it easy. Be paranoid.

When this incident happened I started to use Lastpass. That is a small tool that has browser plugins and applications for most platforms, such as Android and iOS. I used it for my private passwords and later, when I created my consultancy company, also for company purposes. I made sure everyone in the company had a license and could (and should) store their passwords safely. I don't have anything against Lastpass; it was a great companion for many years. I think there were some security issues with it in the beginning, but the attack vectors were very small and they responded quickly to them (as far as I can remember).

A bit more than a year ago I switched over from Lastpass to 1password. It is a tool that is very similar to Lastpass. It has all the browser plugins and applications on all the major platforms. One thing that I did notice with 1password is that it integrates with the password manager in iOS, so that you can fill usernames and passwords even more easily – both on websites and in applications. Probably a feature that has also come to Lastpass. The major difference for me is that Lastpass is prettier. It is more attractive. That is, for me, important for a password manager.

In both tools you can store notes. These notes will be encrypted and kept safe in the same way as your usernames and passwords. This is perfect for storing credit card numbers, alarm codes, PIN codes for phones, etc. Easy to access from both the computer and your phone.

I quickly wanted to say a bit about passwords. What is a good password? A good password should be truly random characters: upper- and lowercase letters, numbers and special characters. And you should keep them as long as possible. You should never need to type them manually, so it doesn't really matter to you if they are 12 or 30 characters long. Most of my passwords fulfil this and are long. There are some sites, and don't ask me why, that limit what characters you can put in your password, or limit the length of the password to something quite short (less than 12 is short). A password that is 20 characters long cannot be brute forced (guessed) – or it will take thousands of years.
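To put numbers on the "truly random, as long as possible" advice, here is an added example (not from the episode) that draws a password from the system CSPRNG with all four character classes, and estimates its entropy and the worst-case time to exhaust the keyspace. The guess rate of ten billion per second is an assumed figure for an offline attacker with a leaked hash, not a value from the episode; the same estimate is applied to the episode's old hj6789 password for comparison.

```python
import math
import secrets
import string

# Character classes the episode asks for: upper, lower, digits and specials.
CLASSES = [string.ascii_uppercase, string.ascii_lowercase, string.digits, string.punctuation]
ALPHABET = "".join(CLASSES)

# Assumed (constructed) offline guess rate against a leaked hash: 1e10 candidates/second.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length: int = 20) -> str:
    """Uniformly random password from the CSPRNG, redrawn until every class is present
    (the rejection step costs only a fraction of a bit of entropy at these lengths)."""
    if length < len(CLASSES):
        raise ValueError("length too short to cover every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in CLASSES):
            return candidate


def charset_size(password: str) -> int:
    """Size of the union of character classes an attacker would have to search."""
    return sum(len(cls) for cls in CLASSES if any(ch in cls for ch in password))


def entropy_bits(password: str) -> float:
    """Bits of entropy for a password chosen uniformly from its character set."""
    return len(password) * math.log2(charset_size(password))


def years_to_exhaust(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to try the whole keyspace at the given guess rate."""
    return charset_size(password) ** len(password) / rate / SECONDS_PER_YEAR


if __name__ == "__main__":
    for pw in ["hj6789", generate_password(12), generate_password(20)]:
        print(f"{pw!r:28} {entropy_bits(pw):6.1f} bits  {years_to_exhaust(pw):12.3g} years")
```

The 6-character lowercase-plus-digits password falls in well under a second at that rate, while the 20-character one lands in the 10^21-year range.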

Whenever you can, you should also use two-factor authentication. This means you log in with something you know (password, 1st factor) and something you have (token, 2nd factor). That will make your account even more secure. Some services use an SMS code as the second factor – but I would not recommend that if you have the choice (it is better than nothing, but not great). There are multiple cases of number hijacking being used to get around these. A better approach is to use a token generator on a device that you have (most often your phone). This will generate random tokens that the service can verify. There are many different ones of these out there, to mention a few – Duo, Google Authenticator, Microsoft's Authenticator, etc.


This was a not-so-short episode about passwords and password managers. I hope you liked it. Until tomorrow – have a great day. Ciao, ciao.