Secure Password Management, Informal, @WalmartLabs
Secure Password Management
Karl Mueller, Sr. Solutions Architect, @WalmartLabs
karl – at – walmartlabs.com
March 21st, 2014
Who Am I?
● 20 years of industry operations experience
● Joined Kosmix in 2005
● Acquired into @WalmartLabs in 2011
● NOT a security expert!
– but neither are most people!
What is the problem?
● Sites get compromised
● Passwords can be recovered from a compromised site
– Even sites practicing good security!!
● Emails and passwords are re-used across sites
● More and more online accounts!
● Most hackers are after lower-hanging fruit
● Some hackers target specific people, e.g. the theft of the @N Twitter handle
What is a solution?
● Unique, random, long passwords per site
– 8, 12, 16 characters – even longer!
● Compromised? One site's breach exposes only that one password
● Password managers are one way to do this
● The password manager must itself be secured well
● Not perfect – nothing is perfect
Considerations in a PM
● How is the data secured?
● Can I access my data on mobile? How?
● Is there two-factor authentication?
● Can the data be recovered without the master password?
● How do I back it up securely?
● Can it still be used if the vendor goes out of business?
My choice: LastPass Premium
● Premium ($12/yr) adds mobile support
● Encrypted cloud storage
● Secured and encrypted by the master password
● Good 2-factor authentication
● Usual support for forms, data, password generation
My choice: LastPass Premium
● Works off-line
● Import/Export for backups
● CSV export available for moving to a non-LastPass manager
– PITA – mostly disaster recovery, IMO
● All major browsers have plugins
● All mobile platforms have a fully-functional app ($$)
My choice: LastPass Premium
● LastPass never receives non-encrypted data
● Not perfect, but IMO the best option
● Other options are also good! Check 'em out
● Choosing a good password manager is a big deal!
● If somebody hacks LastPass and releases booby-trapped code, all bets are off... but that's true for every vendor
Using LastPass
● Create an account
● Create a MASTER PASSWORD
● No master password = NO DATA
● Add 2-factor authentication
● Read blogs on securing and using it
● Some security settings are important
LastPass Vault (not mine) [screenshot]
Login buttons [screenshot]
Best Practices – Master Pass
● The master password should be very good
– Write one or two copies down – optional
– The MP is obviously critical
– Losing the master password means losing the data
● Never use the 'Remember me' option
● Be careful with "Allow for XX hours"
Best Practices - Sites
● Every site gets a long, unique password
– As long as allowed, if possible
– Use symbols if allowed
● Change ALL passwords to random ones generated by the PM
– (Optional) except things like financial accounts
– there are trade-offs for those as well
Best Practices - Sites
● Consider a 2nd, secure email account for financial sites
● Maybe not really helpful
● Enable 2-factor and security notifications
2-Factor Authentication
● Something you know + something you have
● Possibilities:
– cell phone / SMS text
– FOB keys / custom solutions
– TOTP / Google Authenticator
● How secure it is varies, despite being 2-factor
● Still a good thing - usually
2-Factor Best Practices
● Enable on critical accounts if at all possible
● Especially:
– LastPass (or other PM)
– Banks and financial (!!)
● twofactorauth.org has a list of sites that support it
2-Factor Best Practices
● Realistically, it can often be bypassed
● Social engineering works really well
– Humans want to be helpful
● Password protection is still the best option
● "Reset password" is almost universal
– Email security on accounts is paramount!
● Where you can't be secure, early notice is best
2-Factor Best Practices
● Some 2-factor sites (like Google) can give you one-time-use backup codes.
● Each code can substitute for your 2-factor device once.
● Good to have as a backup or for travel
● Carefully print them, or control where they are stored
2-Factor Best Practices
● Be careful about critical 2-factor accounts
● You can lose access without the second factor, sometimes!
● Understand how to transfer things like the Google Authenticator app to a new phone
● On most sites you can recover from a lost second factor with the account's password, but not on every one!
● Backup codes are a good idea to have printed out
– Secure those puppies!
Passwords – Worst Practices
● Are you a worst-practicing password-er?
● YOU ARE MAKING IT EASY!!!
– hackers <3 you – feel the love
● Bad ideas: using personal data of any kind
– birthdays, anniversaries, dates
– addresses, cities, locations
– favorite colors, items, activities, ...
– old phone numbers and account numbers
– anything relating to your children or spouse
● Dictionary words of any kind, even modified
● DO NOT DO THIS!
How to make Secure Passwords
● Completely random is best
● Long, complex passwords are 2nd best
● Length of password matters - a lot
– encryption and hashes both benefit
● If you have to remember it, use strategies
Bad password example
● Example: take two words, bunny + carrot
● Combine them and scramble a bit
– Bunn33%carrot
● This is much less secure than you might think
– Though.. still better than most out there
Good password example
● Start with a phrase; a made-up story is good
– "My bunny is weird, he only eats green carrots"
● Take the first letters, scramble a bit
– Add punctuation/symbols
– replace some letters with unexpected ones
– add some words at the end that make it easy to add length to the password
Good password example
"My bunny is weird, he only eats green carrots"
mY!biW+He0eatsgreencarrots
● A sufficient number of random-ish chars is important (8+)
● Extra words or characters help – even if simple
● You'll have to type this out, so don't be too crazy
● You need to remember it
– Putting it on a post-it kind of defeats the point
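As an added example (not from the slides), the following Python generates the per-site random passwords these slides recommend using the CSPRNG, fits them to a site's "one of each character class" policy without biasing the result, and puts rough numbers on why "Bunn33%carrot" is weaker than it looks while 8, 12 and 16 random characters climb quickly. The 94-character alphabet, the 20,000-word dictionary with 1,000 scramble variants per word pair, and the 10^10 guesses/second offline rate are assumptions for illustration, not measurements.

```python
"""Added example: random per-site passwords and a rough entropy comparison.
Not code from the slides or from any password manager."""
import math
import secrets
import string

# 94 printable ASCII characters: letters, digits and punctuation (assumed site alphabet)
ALPHABET = string.ascii_letters + string.digits + string.punctuation
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def random_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the CSPRNG (secrets, never random.choice)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def site_password(length: int = 16, required_classes=CLASSES) -> str:
    """Random password that also satisfies a 'one of each class' site policy.
    Rejection sampling keeps the result uniform over the allowed set instead of
    forcing a digit or symbol into a fixed position, which would leak structure."""
    while True:
        candidate = random_password(length)
        if all(any(c in cls for c in candidate) for cls in required_classes):
            return candidate


def random_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def two_words_bits(dictionary_size: int = 20_000, variants: int = 1_000) -> float:
    """Assumed attacker model for 'bunny + carrot, scrambled a bit' (Bunn33%carrot):
    try every pair of dictionary words with a bounded set of case/leet/symbol
    variants, i.e. about dictionary_size**2 * variants candidates in total."""
    return math.log2(dictionary_size ** 2 * variants)


def crack_time_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time to find the password at an assumed offline guessing rate
    (on average half the keyspace is searched)."""
    return 2 ** (bits - 1) / guesses_per_second


if __name__ == "__main__":
    for n in (8, 12, 16):
        print(f"{n:2d} random chars: {random_bits(n):6.1f} bits   e.g. {site_password(n)}")
    print(f"two words, scrambled: {two_words_bits():6.1f} bits (assumed model)")
    print(f"expected crack time, two words:  {crack_time_seconds(two_words_bits()):.1f} s")
    print(f"expected crack time, 8 random:   {crack_time_seconds(random_bits(8)):.0f} s")
```

Under these assumptions the two-word construction sits below 40 bits, while 8 random characters from the 94-character alphabet are already above 52 bits and 16 characters above 100; every added random character multiplies the attacker's work by 94, which is the "length matters - a lot" point in numbers.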
App-specific passwords
● Offered by Google, Microsoft, Facebook, etc.
● Creates a password dedicated to one app (or several)
– Sometimes it can be named, e.g. "iPhone email"
● Limited ability to change the account
● You can disable all app-specific passwords from the master account controls
● Use for iPhone email, IM chats, etc.
● Avoid using your real passwords whenever you can
2-Factor Example: Google
● Implements TOTP
● Scan a QR code (or type in) to get the shared secret
● Generates a 6-digit code from the secret
● Codes last about 30 seconds, then change
● Turns your mobile device into the equivalent of an RSA fob
● Works very easily in practice
● Add it everywhere you can!
2-Factor Example: Google [screenshots]
Final Suggestions
● Never, ever give out passwords
● IT and sites almost never can use it
● Don't save your corporate credentials – ever
● Be very careful giving out information
● Be very careful using devices not yours
Final Suggestions
● Password managers are worthless without good device and computer security!
– phishing
– malware / viruses
– social engineering
– saved passwords in the browser
● Use a passcode on your phone
● Configure the phone to erase itself after X failed tries
Final Suggestions
● Your email account is critical
● Almost all sites have "reset password" via email
● That reset can usually bypass 2-factor as well (!!!)
Q&A
Questions?