Password Management

What is a Password Manager and Why You Should Use One

Poor password hygiene is one of the major reasons why cyber criminals/threat actors can quickly and effectively breach multiple accounts from a single compromised credential, and phishing attacks become far more lucrative when the stolen password is reused elsewhere.

The advantage of a password manager is that it creates, memorizes, and autofills your login IDs and passwords for you.

Users have devised easy-to-remember techniques for creating passwords, and cyber criminals have factored those same techniques into their password-cracking manuals and software.

There is also a safety advantage: a fake/lookalike website that might fool you into entering your password won’t fool a password manager, because it matches on the domain, not on how the page looks. If your password manager refuses to autofill because the domain doesn’t match, DON’T do it manually! The page may very well be fake.

Strong Password Generation / Creation

What’s a strong password?

Passphrases of 3 or more random words have proven to be more secure than short strings of random characters, as long as they are at least 16 to 20 characters long and include numbers and symbols.
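The passphrase rules above, worked through as an added Python example (not code from the page): words are drawn with a cryptographically secure RNG, the 16-character floor is enforced, a digit and a symbol are appended, and a policy check and word-entropy estimate are provided. The small word list is constructed for illustration only; a real generator is assumed to use a large published list such as the 7776-word EFF diceware list.

```python
import math
import secrets
import string

# Constructed sample word list for demonstration only (assumption: a real
# generator uses a large published list such as the EFF diceware list).
WORDS = (
    "anchor basket candle dolphin engine falcon garden harbor island jacket "
    "kettle lantern meadow needle orchid pepper quartz rocket saddle timber "
    "umbrella velvet walnut yellow zipper marble copper silver bronze planet"
).split()

SYMBOLS = "!@#$%^&*"


def generate_passphrase(words=WORDS, count=3, min_length=16, separator="-"):
    """Build a passphrase per the page's guidance: 3 or more random words,
    at least 16 characters, plus a number and a symbol.
    Words are chosen with `secrets` (CSPRNG), never the `random` module."""
    chosen = [secrets.choice(words) for _ in range(count)]
    # If short words were drawn, keep adding words until the length floor is met.
    while len(separator.join(chosen)) < min_length:
        chosen.append(secrets.choice(words))
    return separator.join(chosen) + secrets.choice(string.digits) + secrets.choice(SYMBOLS)


def word_entropy_bits(word_count, wordlist_size):
    """Entropy contributed by the random word choices alone; the trailing digit
    and symbol add only a few more bits. Three words from a 7776-word list
    give about 38.8 bits."""
    return word_count * math.log2(wordlist_size)


def meets_policy(passphrase, min_length=16, separator="-"):
    """Check a passphrase against the page's criteria: length floor, at least
    three separator-delimited words, at least one digit and one symbol."""
    body = passphrase.rstrip(string.digits + SYMBOLS)
    words = body.split(separator)
    return (
        len(passphrase) >= min_length
        and len(words) >= 3
        and all(words)
        and any(c.isdigit() for c in passphrase)
        and any(c in SYMBOLS for c in passphrase)
    )
```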

Bitwarden

  • Store, share, and sync sensitive data.
  • Bitwarden does not store your passwords. Bitwarden stores encrypted versions of your passwords that only you can unlock. Your sensitive information is encrypted locally on your personal device before it is ever sent to the cloud servers.
  • Bitwarden is 100% open source software. The source code is hosted on GitHub and is free for anyone to review.
  • Bitwarden is audited by reputable third-party security auditing firms as well as independent security researchers.
  • The free version works across multiple platforms, e.g. PC and mobile.
  • The Generator can be set to generate either a password or a passphrase.
  • Make sure to:
    1. Export your encrypted Bitwarden data on a regular basis: Tools > Export To > Encrypted File
    2. Download and keep a copy of the current Bitwarden executable. This will allow you to access your exported data if Bitwarden.com is not available or you don’t have Internet access.

Best Practice

Reference

LastPass

  • Important!!! As of March 16th, 2021, LastPass Free only includes access on unlimited devices of one type, forcing one to pay for premium if you’ve been using LastPass on your phone and desktop/laptop.
  • Your hosted data (vault) is encrypted on LastPass’ servers. They can’t decrypt the data.
  • User data is encrypted and decrypted locally on the device.
  • The user’s master password, and the keys used to locally encrypt and decrypt user data, are never sent to LastPass’ servers, and are never accessible by LastPass.
  • Access to your data is only as secure as your master password and the other security protections LastPass offers to help you protect it. e.g. MFA
  • When adding a new Web site, make sure to turn off AutoFill
  • How To Stop LastPass Tracking You In 3 Easy Steps
    1. Open your LastPass Vault
    2. Select Account Settings
    3. At the bottom of the Account Settings window, select Show Advanced Settings
    4. Scroll down to the privacy section, and deselect the “Help Improve LastPass” checkbox.
      • Should you disable the “Track History” option? Probably not. This is a security function of LastPass. This keeps a log of logins and events for the LastPass account. These logs can be helpful in spotting any unauthorized activity by showing account login date, domains accessed, IP address and the action taken.
      • You can delete the “Track History” log by selecting ‘View account history’ from the advanced options menu and clicking the “Clear History” button.
    5. Click the update button and enter your master password to confirm the changes.

Reference

LastPass Configuration

  • On the Login screen: Uncheck “Remember Email”
  • On the Login screen: Uncheck “Show My LastPass Vault After Login”
  • Under: Preferences > General: enable “Automatically Logoff when all browsers are closed for (mins)” and set the time to 1 min
  • Equivalent Domains: These are different domains that belong to the same entity. Also some Web sites may switch to a different domain for authentication.
    • Go to: My Vault > Account Settings > Equivalent Domains
    • Some “Equivalent Domains” to add to LastPass are:
      • comptia.org, certmetrics.com
      • nysed.gov, ny.gov
      • apple.com, icloud.com, itunes.com
  • Make sure to:
    1. Export your encrypted LastPass Vault data on a regular basis: Tools > Export To > LastPass Encrypted File
    2. Download and keep a copy of the current LastPass executable. This will allow you to access your exported data if LastPass.com is not available or you don’t have Internet access.
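The autofill refusal described under “What is a Password Manager” and the Equivalent Domains setting above come down to one decision: fill only when the current page’s domain is the saved domain or a configured equivalent. This added Python example (not LastPass’s own code) shows that decision using the equivalent-domain groups listed on this page; the two-label domain extraction is a deliberate simplification and a real implementation would use the Public Suffix List to handle suffixes such as co.uk.

```python
from urllib.parse import urlsplit

# Equivalent-domain groups taken from the LastPass Configuration notes above.
EQUIVALENT_DOMAINS = [
    {"comptia.org", "certmetrics.com"},
    {"nysed.gov", "ny.gov"},
    {"apple.com", "icloud.com", "itunes.com"},
]


def registrable_domain(url):
    """Return the last two labels of the hostname, e.g. login.apple.com -> apple.com.
    Simplification (assumption): does not handle multi-label public suffixes."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def should_autofill(saved_url, current_url, equivalents=EQUIVALENT_DOMAINS):
    """Autofill only when the page's domain is the saved domain or an equivalent.
    Lookalike spellings, a different TLD, or the real name buried as a subdomain
    of another site (apple.com.evil.example) all return False; the page's advice
    is to treat that refusal as a warning sign rather than filling by hand."""
    saved = registrable_domain(saved_url)
    current = registrable_domain(current_url)
    if not saved or not current:
        return False
    if saved == current:
        return True
    return any(saved in group and current in group for group in equivalents)
```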

1Password

Authentication, Encryption, Hashing

Multi-Factor Authentication (MFA) / Two Factor Authentication (2FA)

Make sure to enable MFA/2FA on all your important accounts.

Multi-Factor Authentication (MFA) (also known as two-factor authentication or 2FA) is an additional security layer used to keep accounts secure.

  • 2FA Directory: List of websites and whether or not they support 2FA
  • Authy is a free mobile / desktop app for two-factor authentication, as well as security partner and SMS delivery service of many websites that want to make two-factor authentication work better for their users.
    • Important: You must create your account on your phone using the Authy app, not the Web site.
  • Google Authenticator
  • Google 2-Step Verification
  • LastPass Authenticator

Reference