Password Management

What is a Password Manager and Why You Should Use One

Poor password hygiene is one of the major reasons why cyber criminals/threat actors can quickly and effectively breach multiple accounts using just a single breakthrough. And phishing attacks often become much more lucrative because of reused passwords.

The advantage of a password manager is create/memorize/autofill your login ID’s and passwords for you.

Users have devised easy-to-remember techniques for creating passwords, which cyber criminals have factored into their code-breaking manuals and software.

There is also the safety advantage where a fake/lookalike Website might fool you into entering your passwords, won’t fool a password manager. If your password manager refuses to autofill, because the domain doesn’t match, DON’T do it manually! The particular page may very likely be fake.

Reference

• 7 in 10 Americans are Overwhelmed by Passwords. Here’s a Simple Solution
• Here’s why you should stop memorizing your passwords (Vox)
• You need a password manager — right now. (Violet Blue)
• Stop Memorizing Passwords! Use a Password Manager (Shannon Morse)
• How Password Managers Work (Computerphile)
• How Hackers Can Steal Your Passwords – And How Password Managers Can Help
• Cybersecurity 101: Why you need to use a password manager (TechCrunch.com)
• Am I An Idiot for Still Using a Password Manager?
• The Password Manager Special: Passwords, Two Factor Authentication, and Securing Your Life Online! by TekThing
• Five Best Password Managers (LifeHacker.com)
• Password Do’s and Don’ts (KrebsOnSecurity.com)
• Busting Password Myths, Paul Ducklin and Chester Wisniewski take a look at the thorny issue of password rules and regulations
• Password Haystacks by Steve Gibson
• How To Stop LastPass Tracking You In 3 Easy Steps
• Never reuse your master password and never disclose it to anyone.
• Never save passwords in the Web browser! Use a password manager instead.

Strong Password Generation / Creation

What’s a strong password?

Using passphrases of 5 or more random words have proven to be more secure than random characters, as long as they’re at least 20 characters, and include numbers and symbols.

• Let’s settle the password vs. passphrase debate once and for all
• random characters or random words? on r/Bitwarden
• Deep Dive: EFF’s New Wordlists for Random Passphrases
• Diceware Password Generator
• Password Haystacks – Interactive brute force search space calculator allows you to experiment with password length and composition to develop an accurate and quantified sense for the safety of using passwords that can only be found through exhaustive search.

Bitwarden

• Store, share, and sync sensitive data.
• Zero Knowledge Encryption design model.
• Bitwarden is audited by reputable third-party security auditing firms as well as independent security researchers.
• Recommended by sources.
• Bitwarden stores encrypted versions of your passwords that only you can unlock. Your sensitive information is encrypted locally on your personal device before ever being sent the cloud servers.
• Bitwarden is 100% Open Source software. The source code is hosted on GitHub and is free for anyone to review.
• Free version works across multiple platforms. e.g. PC, mobile, MacOS
• The Generator can set to generate a password or passphrase
• Make sure to:
  1. Export your encrypted Bitwarden data on a regular basis: Tools > Export To > Encrypted File
  2. Download and keep a copy of the current Bitwarden executable. This will allow you access your exported data, if Bitwarden.com is not available or you don’t have Internet access.

Best Practice

• Enable Two-step Login via an Authenticator App a.k.a. 2FA / MFA
  • To ensure Bitwarden always prompts for a MFA method:
    1. Refrain from clicking the “Remember me” option when logging in
    2. Settings > Set “Vault timeout” to “On browser restart”
    3. Settings > Set “Vault timeout action” to Log out
• Enable automatic Sync your Vault on your mobile devices.
• Enable Auto-fill on your mobile devices.
  • Auto-fill Logins on Android
  • Auto-fill Logins on iOS
• Set iterations of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it difficult to guess your master password, to at least the recommended OWASP 310,000 iterations.
  • Web Vault > Account Settings > Security > Keys tab

Tips

• Open Bitwarden plugin as a Window you can resize larger for easier access. Click the App icon, then click the box to the left of Search to “Pop out to a new window”.

Reference

• Bitwarden Keyboard Shortcuts
• Making Bitwarden Backups — One Approach
• So you think you have been hacked?
• Bitwarden Upholds High Security Standards with Annual Third-Party Audits
• Autofill isn’t working for a specific site #1621
• Auto-fill Custom Fields
• r/Bitwarden
• Bitwarden Status

1Password

• About the 1Password security model
• Store passwords locally.
• Use your security key as a second factor for your 1Password account

LastPass (Not recommended!)

• Security Incident Update and Recommended Actions (March 1, 2023)
• Security Bulletin: Recommended Actions for Free, Premium, and Families Customers
• Consider ditching LastPass
  • Not only were URI’s/URL’s unencrypted in your vault, LastPass also tracked when you accessed each URL and from where are also unencrypted. The bad actors now know which sites you visited, how often you visited them, and from which computers you did it.
  • LastPass Hack: The CRUCIAL Problem No One Is Talking About by Shannon Morse
  • 1 – LastPass Aftermath, LastPass vault de-obfuscator, LastPass iteration count folly
    • LastPass Vault Analyzer – by Rob Woodruff
  • LostPass: after the LastPass hack, here’s what you need to know by Graham Cluley
  • What’s in a PR statement: LastPass breach explained by Jeremi M. Gosney
  • Jeremi M. Gosney lists several reasons why LastPass can no longer be trusted.
  • Not in a million years: It can take far less to crack a LastPass password
  • The LastPass disclosure of leaked password vaults is being torn apart by security experts
• As of March 16th, 2021, LastPass Free only includes access on unlimited devices of one type, forcing one to pay for premium if you want to use LastPass on your phone and desktop/laptop.
• When adding a new Web site, make sure to turn off AutoFill
  • Subdomain autofill feature raises questions over LastPass security by James Walker | 2018-06-28

Reference

• Notice of Recent Security Incident
• LastPass 2017 Review (Lawrence Systems / PC Pickup)
• SecurityNow! Episode #256: In-depth review and evaluation of LastPass (00:52:28 – 01:53:00). [Show Notes]
• LastPass Review & Rating (PCMag.com)
• Why use LastPass? (Kinetal IT)
• Wikipedia Article on LastPass – Four things you should know about LastPass

LastPass Best Practices

• Master password must be a minimum of 12 characters!
• Set iterations of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it difficult to guess your master password, to at least the recommended OWASP 310,000 iterations.
• Enable 2FA

LastPass Configuration

• On the Login screen: Uncheck “Remember Email”
• On the Login screen: Uncheck “Show My LastPass Vault After Login”
• Under: Preferences > General: enable “Automatically Logoff when all browsers are closed for (mins)” and set the time to 1 min
• Equivalent Domains: These are different domains that belong to the same entity. Also some Web sites may switch to a different domain for authentication.
  • Go to: My Vault > Account Settings > Equivalent Domains
  • Some “Equivalent Domains” to add to LastPass are:
    • comptia.org, certmetrics.com
    • nysed.gov, ny.gov
    • apple.com, icloud.com, itunes.com
• Make sure to:
  1. Export your encrypted LastPass Vault data on a regular basis: Tools > Export To > LastPass Encrypted File
  2. Download and keep a copy of the current LastPass executable. This will allow you access your exported data, if LastPass.com is not available or you don’t have Internet access.
• How To Stop LastPass Tracking You In 3 Easy Steps
  1. Open your LastPass Vault
  2. Select Account Settings
  3. At the bottom of the Account Settings windows, select Show Advanced Settings
  4. Scroll down to the privacy section, and deselect the “Help Improve LastPass” checkbox.
     • Should you disable the “Track History” option? Probably not. This is a security function of LastPass. This keeps a log of logins and events for the LastPass account. These logs can be helpful in spotting any unauthorized activity by showing account login date, domains accessed, IP address and the action taken.
     • You can delete the “Track History” log by selecting ‘View account history’ from the advanced options menu and clicking the “Clear History” button.
  5. Click the update button and enter your master password to confirm the changes.

Passkeys

• A passkey is a passwordless way to log in to apps and websites. A passkey is another name for a pair of cryptography keys generated by your authenticated device. A public key and a private key combine to create a passkey.
• Passwordless Authentication: What It Is and Why You Need It ASAP
• What Is a Passkey, and Should You Use Them?

Authentication, Encryption, Hashing

• Can You Keep a Secret? (PacketLife.net)
• Authentication vs. Federation vs. Single Sign On (SSO) by Robert Broeckelmann for Medium.com
• Security Assertion Markup Language (SAML, pronounced sam-el) is an open standard for exchanging authentication and authorization data between parties, in particular, between an identity provider and a service provider. SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions)

Multi-Factor Authentication (MFA) / Two Factor Authentication (2FA)

Make sure to enable MFA/2FA on all your important accounts.

Multi-Factor Authentication (MFA) (also know as two-factor authentication or 2FA) is an additional security layer used to keep accounts secure.

• 2FA Directory: List of websites and whether or not they support 2FA
• 2FAS is a free, secure, and open-source two-factor authenticator for Android and IOS.
• Authy is a free mobile / desktop app for two-factor authentication, as well as security partner and SMS delivery service of many websites.
  • Important: You must create your account on your phone using the Authy app, not the Web site.
  • What is a Recovery or Backup Code?
  • Export or Import Tokens in the Authy app
  • The Authy Desktop apps for Windows and MacOS that are available or were previously downloaded from authy.com/download as well as those for Linux will now reach their End-of-Life (EOL) on March 19, 2024. These apps were previously scheduled to EOL in August 2024.
• Aegis Authenticator is a free, secure and open-source app for Android to manage your 2-step verification tokens for your online services.
  • Imports MFA codes from other apps like Google Authenticator, Authy, etc.
  • Exports MFA codes for backup.
• Google Authenticator
• Google 2-Step Verification

Reference

• MFA/2FA Showdown: Which Authentication Factor is Best? by Pro Tech Show
• Most PRIVATE 2FA apps by Naomi Brockwell: NBTV
• How to enable 2FA for Google & Gmail
• How to Switch From Google Authenticator to Another 2FA App
• 2FA Isn’t Secure – Here’s What You Need Instead!
• Yubico’s award-winning security key, the YubiKey, is 100% built for security and trusted by millions, delivering modern authentication and peace of mind