Password Management

What is a Password Manager and Why You Should Use One

Poor password hygiene is one of the main reasons cyber criminals and other threat actors can quickly breach multiple accounts from a single compromised credential, and reused passwords make phishing attacks far more lucrative.

A password manager creates, remembers and autofills your login IDs and passwords for you.

Users have devised easy-to-remember techniques for creating passwords, and cyber criminals have factored those same techniques into their password-cracking manuals and software.

There is also a safety advantage: a fake or lookalike website that might fool you into entering your password won’t fool a password manager. If your password manager refuses to autofill because the domain doesn’t match, DON’T do it manually! That page may very well be fake.

Strong Password Generation / Creation

What’s a strong password?

Passphrases of 5 or more random words have proven to be more secure than random characters, as long as they are at least 20 characters long and include numbers and symbols.
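An added example (not from the original page or any password manager) of generating a passphrase that meets the rules above with a CSPRNG, and of estimating its strength, which comes from the number of words and the size of the word list rather than from the characters. The embedded word list is a constructed stand-in; a real list such as a diceware list is assumed for actual use.

```python
import math
import secrets
import string

# Constructed stand-in for a real diceware-style word list (a real list has
# thousands of entries); only the wordlist size drives the strength estimate.
SAMPLE_WORDLIST = [
    "anchor", "basket", "candle", "dolphin", "ember", "falcon", "garden",
    "harbor", "island", "jacket", "kettle", "lantern", "meadow", "nectar",
    "orbit", "pepper", "quartz", "river", "saddle", "timber", "umbrella",
    "velvet", "walnut", "yonder", "zephyr",
]
MIN_LENGTH = 20   # minimum total length from the page
MIN_WORDS = 5     # minimum word count from the page


def passphrase_entropy_bits(num_words, wordlist_size):
    """Entropy of a passphrase whose words were chosen uniformly at random:
    each word contributes log2(wordlist_size) bits."""
    return num_words * math.log2(wordlist_size)


def generate_passphrase(wordlist=SAMPLE_WORDLIST, num_words=MIN_WORDS,
                        separator="-"):
    """Pick num_words words with a CSPRNG (never random.choice), append a
    digit and a symbol, and add words until the 20-character minimum holds."""
    if num_words < MIN_WORDS:
        raise ValueError(f"use at least {MIN_WORDS} words")
    words = [secrets.choice(wordlist) for _ in range(num_words)]
    while len(separator.join(words)) < MIN_LENGTH:
        words.append(secrets.choice(wordlist))
    suffix = secrets.choice(string.digits) + secrets.choice("!@#$%^&*")
    return separator.join(words) + suffix


def is_strong(passphrase, separator="-"):
    """Check the page's rules: >= 5 words, >= 20 chars, a digit and a symbol."""
    return (len(passphrase.split(separator)) >= MIN_WORDS
            and len(passphrase) >= MIN_LENGTH
            and any(c.isdigit() for c in passphrase)
            and any(c in string.punctuation for c in passphrase))


if __name__ == "__main__":
    p = generate_passphrase()
    print(p, is_strong(p))
    print(f"{passphrase_entropy_bits(5, 7776):.1f} bits for 5 words from a 7776-word list")
```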

Bitwarden

  • Store, share, and sync sensitive data.
  • Zero Knowledge Encryption design model.
  • Bitwarden is audited by reputable third-party security auditing firms as well as independent security researchers.
  • Recommended by sources.
  • Bitwarden does not store your passwords. Bitwarden stores encrypted versions of your passwords that only you can unlock. Your sensitive information is encrypted locally on your personal device before ever being sent to the cloud servers.
  • Bitwarden is 100% Open Source software. The source code is hosted on GitHub and is free for anyone to review.
  • The free version works across multiple platforms, e.g. PC and mobile.
  • The Generator can be set to generate either a password or a passphrase.
  • Make sure to:
    1. Export your encrypted Bitwarden data on a regular basis: Tools > Export To > Encrypted File
    2. Download and keep a copy of the current Bitwarden executable. This will allow you to access your exported data if Bitwarden.com is not available or you don’t have Internet access.

Best Practice

Tips

  • To get a window you can resize for easier access, click the app icon, then click the box to the left of Search (“Pop out to a new window”).

Reference

1Password

LastPass

Reference

LastPass Best Practices

  • Master password must be a minimum of 12 characters!
  • Set the iteration count of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it harder to guess your master password, to at least the OWASP-recommended 310,000 iterations.
  • Enable 2FA
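An added example (not LastPass’s code) of what the PBKDF2 iteration setting does: stretching a master password into a vault key with PBKDF2-HMAC-SHA256, refusing counts below the 310,000 figure quoted above, and timing one derivation, which is the cost anyone holding an exported vault pays per guess. The salts and passwords are constructed values.

```python
import hashlib
import hmac
import os
import time

OWASP_MIN_ITERATIONS = 310_000   # the PBKDF2 figure quoted on the page


def derive_vault_key(master_password, salt, iterations=OWASP_MIN_ITERATIONS):
    """Stretch a master password into a 256-bit key with PBKDF2-HMAC-SHA256.
    The salt is random and per user; the iteration count is the work factor."""
    if iterations < OWASP_MIN_ITERATIONS:
        raise ValueError(f"iterations must be >= {OWASP_MIN_ITERATIONS}")
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def verify_master_password(candidate, salt, iterations, expected_key):
    """Re-derive with the record's own iteration count and compare in
    constant time so verification does not leak anything by timing."""
    got = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                              salt, iterations, dklen=32)
    return hmac.compare_digest(got, expected_key)


def time_one_guess(iterations, password="constructed test password"):
    """Seconds for a single derivation at the given iteration count."""
    salt = b"\x00" * 16   # fixed only so timings are comparable; never reuse a salt for real
    start = time.perf_counter()
    hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    return time.perf_counter() - start


if __name__ == "__main__":
    salt = os.urandom(16)
    key = derive_vault_key("my master passphrase", salt)
    print(verify_master_password("my master passphrase", salt, OWASP_MIN_ITERATIONS, key))
    for n in (1_000, 100_000, OWASP_MIN_ITERATIONS):
        print(f"{n:>8} iterations: {time_one_guess(n) * 1000:.1f} ms per guess")
```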

LastPass Configuration

  • On the Login screen: Uncheck “Remember Email”
  • On the Login screen: Uncheck “Show My LastPass Vault After Login”
  • Under: Preferences > General: enable “Automatically Logoff when all browsers are closed for (mins)” and set the time to 1 min
  • Equivalent Domains: different domains that belong to the same entity, so one saved login is filled on all of them. Some websites also switch to a different domain for authentication.
    • Go to: My Vault > Account Settings > Equivalent Domains
    • Some “Equivalent Domains” to add to LastPass are:
      • comptia.org, certmetrics.com
      • nysed.gov, ny.gov
      • apple.com, icloud.com, itunes.com
  • Make sure to:
    1. Export your encrypted LastPass Vault data on a regular basis: Tools > Export To > LastPass Encrypted File
    2. Download and keep a copy of the current LastPass executable. This will allow you to access your exported data if LastPass.com is not available or you don’t have Internet access.
  • How To Stop LastPass Tracking You In 3 Easy Steps
    1. Open your LastPass Vault
    2. Select Account Settings
    3. At the bottom of the Account Settings window, select Show Advanced Settings
    4. Scroll down to the privacy section, and deselect the “Help Improve LastPass” checkbox.
      • Should you disable the “Track History” option? Probably not. This is a security function of LastPass. This keeps a log of logins and events for the LastPass account. These logs can be helpful in spotting any unauthorized activity by showing account login date, domains accessed, IP address and the action taken.
      • You can delete the “Track History” log by selecting ‘View account history’ from the advanced options menu and clicking the “Clear History” button.
    5. Click the update button and enter your master password to confirm the changes.
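An added example (not LastPass’s or Bitwarden’s code) of the autofill decision the earlier section describes: a saved login is filled only when the page’s real hostname is the saved domain, a subdomain of it, or a member of one of the equivalent-domain groups listed above, and lookalike hosts are refused. The URLs are constructed test values.

```python
from urllib.parse import urlsplit

# Equivalent-domain groups from the page's LastPass list, treated as one identity.
EQUIVALENT_DOMAINS = [
    {"comptia.org", "certmetrics.com"},
    {"nysed.gov", "ny.gov"},
    {"apple.com", "icloud.com", "itunes.com"},
]


def hostname_of(url):
    """Lower-cased hostname of an http(s) URL, or None if there isn't one.
    urlsplit().hostname ignores userinfo, so 'https://apple.com@evil.example'
    yields 'evil.example', not 'apple.com'."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    return parts.hostname.lower().rstrip(".")


def host_matches(host, saved_domain):
    """True only for saved_domain itself or a real subdomain of it.
    'apple.com.evil.example' and 'app1e.com' do not match 'apple.com'."""
    return host == saved_domain or host.endswith("." + saved_domain)


def should_autofill(saved_domain, current_url, equivalents=EQUIVALENT_DOMAINS):
    """Decide whether a credential saved for saved_domain may be filled on
    current_url; on a mismatch the right move is to not fill at all."""
    host = hostname_of(current_url)
    if host is None:
        return False
    allowed = {saved_domain}
    for group in equivalents:
        if saved_domain in group:
            allowed |= group
    return any(host_matches(host, d) for d in allowed)


if __name__ == "__main__":
    for url in ("https://www.icloud.com/login", "https://apple.com.evil.example/"):
        print(url, "->", "fill" if should_autofill("apple.com", url) else "refuse")
```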

Passkey

Authentication, Encryption, Hashing

Multi-Factor Authentication (MFA) / Two Factor Authentication (2FA)

Make sure to enable MFA/2FA on all your important accounts.

Multi-Factor Authentication (MFA) (also known as two-factor authentication or 2FA) is an additional security layer used to keep accounts secure.

  • 2FA Directory: List of websites and whether or not they support 2FA
  • Authy is a free mobile/desktop app for two-factor authentication; it is also the security partner and SMS delivery service of many websites that want to make two-factor authentication work better for their users.
    • Important: You must create your account on your phone using the Authy app, not the Web site.
  • Google Authenticator
  • Google 2-Step Verification
  • LastPass Authenticator

Reference