What is a Password Manager and Why You Should Use One
Poor password hygiene is one of the main reasons cyber criminals/threat actors can quickly and effectively breach multiple accounts from a single compromised password. Phishing attacks also become far more lucrative when passwords are reused.
The advantage of a password manager is that it creates, remembers and autofills your login IDs and passwords for you.
Users have devised easy-to-remember techniques for creating passwords, and cyber criminals have factored those techniques into their password-cracking manuals and software.
There is also a safety advantage: a fake/lookalike Web site might fool you into entering your password, but it won’t fool a password manager. If your password manager refuses to autofill because the domain doesn’t match, DON’T do it manually! The page may very well be fake.
- You need a password manager — right now. (Violet Blue)
- Stop Memorizing Passwords! Use a Password Manager (Shannon Morse)
- How Hackers Can Steal Your Passwords – And How Password Managers Can Help
- Here’s why you should stop memorizing your passwords (Vox)
- Cybersecurity 101: Why you need to use a password manager (TechCrunch.com)
- Am I An Idiot for Still Using a Password Manager?
- The Password Manager Special: Passwords, Two Factor Authentication, and Securing Your Life Online! by TekThing
- Five Best Password Managers (LifeHacker.com)
- Password Do’s and Don’ts (KrebsOnSecurity.com)
- Busting Password Myths, Paul Ducklin and Chester Wisniewski take a look at the thorny issue of password rules and regulations
- Password Haystacks by Steve Gibson
- How To Stop LastPass Tracking You In 3 Easy Steps
- Never reuse your master password and never disclose it to anyone.
- Never save passwords in the Web browser! Use a password manager instead.
Strong Password Generation / Creation
What’s a strong password?
Passphrases of 3 or more random words have proven to be more secure than random characters, as long as they are at least 16 to 20 characters long and include numbers and symbols.
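As an added example (not from this page), the generator below builds passphrases that follow the rules above (3 or more random words, at least 16 characters, plus a number and a symbol) using the OS random source, and estimates the resulting entropy. The word list is a constructed placeholder; the 7776-word size used in the entropy illustration is an assumption matching Diceware-style lists.

```python
import math
import secrets

# Constructed placeholder list. A real generator loads a large published list
# (thousands of words); the list size, not this sample, is where strength comes from.
SAMPLE_WORDS = ["apple", "river", "stone", "cloud", "tiger", "maple", "ocean",
                "piano", "robot", "sugar", "oak", "elm", "ivy", "lamp", "wheat", "quartz"]

MIN_WORDS = 3          # "3 or more random words"
MIN_LENGTH = 16        # "at least 16 to 20 characters"
SYMBOLS = "!@#$%^&*=+?"  # separator '-' deliberately excluded so it does not count as the symbol


def passphrase_entropy_bits(word_count, wordlist_size, digits=1, symbols=1):
    """Bits of entropy from each independently and uniformly chosen component."""
    return (word_count * math.log2(wordlist_size)
            + digits * math.log2(10)
            + symbols * math.log2(len(SYMBOLS)))


def meets_page_rules(passphrase, separator="-"):
    """Check the page's rules: >=3 words, >=16 chars, has a digit and a symbol."""
    words = [part for part in passphrase.split(separator) if part.isalpha()]
    return (len(words) >= MIN_WORDS
            and len(passphrase) >= MIN_LENGTH
            and any(c.isdigit() for c in passphrase)
            and any(c in SYMBOLS for c in passphrase))


def generate_passphrase(words=SAMPLE_WORDS, word_count=MIN_WORDS, separator="-"):
    """Pick words with replacement (each pick is independent, so entropy adds up),
    append one digit and one symbol, and add words until the length rule holds."""
    rng = secrets.SystemRandom()
    while True:
        chosen = [rng.choice(words) for _ in range(word_count)]
        candidate = (separator.join(chosen) + separator
                     + str(rng.randrange(10)) + rng.choice(SYMBOLS))
        if meets_page_rules(candidate, separator):
            return candidate
        word_count += 1  # too short: add a word rather than padding characters
```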
Bitwarden
- Store, share, and sync sensitive data.
- Bitwarden does not store your passwords. Bitwarden stores encrypted versions of your passwords that only you can unlock. Your sensitive information is encrypted locally on your personal device before ever being sent to the cloud servers.
- Bitwarden is 100% open source software. The source code is hosted on GitHub and is free for anyone to review.
- Bitwarden is audited by reputable third-party security auditing firms as well as independent security researchers.
- The free version works across multiple platforms, e.g. PC and mobile.
- The Generator can be set to generate either a password or a passphrase.
- Make sure to:
  - Export your encrypted Bitwarden data on a regular basis: Tools > Export To > Encrypted File
  - Download and keep a copy of the current Bitwarden executable. This will allow you to access your exported data if Bitwarden.com is not available or you don’t have Internet access.
  - Enable Two-step Login via an Authenticator App
  - Enable automatic sync of your Vault on your mobile devices.
  - Enable Auto-fill on your mobile devices.
LastPass
- Important!!! As of March 16th, 2021, LastPass Free only includes access on unlimited devices of one type, forcing you to pay for Premium if you use LastPass on both your phone and your desktop/laptop.
- Your hosted data (vault) is encrypted on LastPass’ servers. They can’t decrypt the data.
- User data is encrypted and decrypted locally on the device.
- The user’s master password, and the keys used to locally encrypt and decrypt user data, are never sent to LastPass’ servers, and are never accessible by LastPass.
- Access to your data is only as secure as your master password and the other security protections LastPass offers to help you protect it. e.g. MFA
- When adding a new Web site, make sure to turn off AutoFill
- Subdomain autofill feature raises questions over LastPass security by James Walker | 2018-06-28
- How To Stop LastPass Tracking You In 3 Easy Steps
  - Open your LastPass Vault
  - Select Account Settings
  - At the bottom of the Account Settings window, select Show Advanced Settings
  - Scroll down to the privacy section, and deselect the “Help Improve LastPass” checkbox.
  - Should you disable the “Track History” option? Probably not. This is a security function of LastPass. It keeps a log of logins and events for the LastPass account. These logs can be helpful in spotting unauthorized activity by showing the account login date, domains accessed, IP address and the action taken.
  - You can delete the “Track History” log by selecting ‘View account history’ from the advanced options menu and clicking the “Clear History” button.
  - Click the update button and enter your master password to confirm the changes.
- LastPass 2017 Review (Lawrence Systems / PC Pickup)
- SecurityNow! Episode #256: In-depth review and evaluation of LastPass (00:52:28 – 01:53:00). [Show Notes]
- LastPass Review & Rating (PCMag.com)
- Why use LastPass? (Kinetal IT)
- Wikipedia Article on LastPass
- Four things you should know about LastPass
- On the Login screen: Uncheck “Remember Email”
- On the Login screen: Uncheck “Show My LastPass Vault After Login”
- Under: Preferences > General: enable “Automatically Logoff when all browsers are closed for (mins)” and set the time to 1 min
- Equivalent Domains: These are different domains that belong to the same entity. Also, some Web sites may switch to a different domain for authentication.
  - Go to: My Vault > Account Settings > Equivalent Domains
  - Some “Equivalent Domains” to add to LastPass are:
    - comptia.org, certmetrics.com
    - nysed.gov, ny.gov
    - apple.com, icloud.com, itunes.com
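The domain-match decision described earlier (refuse to autofill when the domain doesn’t match) combined with the Equivalent Domains list above, as an added example that is neither this page’s nor LastPass’s code. The equivalent-domain groups are the ones listed on this page; the registrable-domain helper is a simplification that takes the last two labels (a real manager uses the Public Suffix List), and the lookalike host under `.test` is constructed.

```python
from urllib.parse import urlsplit

# Equivalent-domain groups taken from the page's LastPass list.
EQUIVALENT_DOMAINS = [
    {"comptia.org", "certmetrics.com"},
    {"nysed.gov", "ny.gov"},
    {"apple.com", "icloud.com", "itunes.com"},
]


def registrable_domain(host):
    """Simplified eTLD+1: the last two labels of the host name.
    Assumption: multi-part suffixes such as co.uk are not handled here."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2 or not all(labels):
        return None
    return ".".join(labels[-2:])


def equivalents(domain):
    """The set of registrable domains treated as the same entity as `domain`."""
    for group in EQUIVALENT_DOMAINS:
        if domain in group:
            return group
    return {domain}


def should_autofill(saved_url, current_url, match_subdomains=False):
    """Return True only when the current page belongs to the same entity as the
    saved entry. A lookalike such as example.com.evil.test has a different
    registrable domain and is refused regardless of how the host name begins."""
    saved_host = urlsplit(saved_url).hostname
    cur_host = urlsplit(current_url).hostname
    if not saved_host or not cur_host:
        return False
    saved_dom = registrable_domain(saved_host.lower())
    cur_dom = registrable_domain(cur_host.lower())
    if saved_dom is None or cur_dom is None or cur_dom not in equivalents(saved_dom):
        return False  # different entity or lookalike: refuse and let the user notice
    if match_subdomains or saved_dom != cur_dom:
        # Subdomain matching is a policy choice (the page links an article questioning
        # it). When the entry was saved under a different but equivalent domain, there is
        # no exact host to compare against, so the registrable-domain match is accepted.
        return True
    return saved_host.lower() == cur_host.lower()  # strict: exact host only
```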
- Make sure to:
  - Export your encrypted LastPass Vault data on a regular basis: Tools > Export To > LastPass Encrypted File
  - Download and keep a copy of the current LastPass executable. This will allow you to access your exported data if LastPass.com is not available or you don’t have Internet access.
1Password
- About the 1Password security model
- Store passwords locally.
Authentication, Encryption, Hashing
- Can You Keep a Secret? (PacketLife.net)
- Authentication vs. Federation vs. Single Sign On (SSO) by Robert Broeckelmann for Medium.com
- Security Assertion Markup Language (SAML, pronounced sam-el) is an open standard for exchanging authentication and authorization data between parties, in particular between an identity provider and a service provider. SAML is an XML-based markup language for security assertions (statements that service providers use to make access-control decisions).
Multi-Factor Authentication (MFA) / Two Factor Authentication (2FA)
Make sure to enable MFA/2FA on all your important accounts.
- 2FA Directory: List of websites and whether or not they support 2FA
- Authy is a free mobile / desktop app for two-factor authentication, as well as security partner and SMS delivery service of many websites that want to make two-factor authentication work better for their users.
- Important: You must create your account on your phone using the Authy app, not the Web site.
- Google Authenticator
- Google 2-Step Verification
- LastPass Authenticator