Secure Password Management
Karl Mueller, Sr. Solutions Architect, @WalmartLabs
karl – at – walmartlabs.com
March 21st, 2014
Who Am I?
● 20 years of industry operations experience
● Joined Kosmix 2005
● Acquired into @Walmartlabs, 2011
● NOT a security expert!
– but neither are most people!
What is the problem?
● Sites get compromised
● Passwords can be recovered
– Even sites practicing good security!!
● Emails and passwords are re-used
● More and more online accounts!
● Most attackers go after the lower-hanging fruit
● Some attackers target specific people, e.g. the @N Twitter account
What is a solution?
● Unique, random, long passwords per site
– 8, 12, 16 characters – even longer, if the site allows it
● Compromised? The damage is limited to that one site
● Password managers are one way to do this
● Password manager must be secured well
● Not perfect – nothing is perfect
Considerations in a PM
● How is the data secured?
● Can I access my data on mobile? How?
● Is there two-factor authentication?
● Can the data be recovered without the master password?
● How do I back it up securely?
● Can it be used if company XX goes splat?
My choice: Lastpass Premium
● Premium ($12/yr) adds mobile support
● Encrypted cloud storage
● Secured and Encrypted by master password
● Good 2-factor authentication
● Usual support of forms, data, password generation
● Works off-line
● Import/Export for backups
● CSV export available for non-lastpass
– PITA – mostly for disaster recovery, IMO
● All major browsers have plugins
● All major mobile platforms have a fully-functional app (paid)
● Lastpass never gets non-encrypted data
● Not perfect, but IMO the best option
● Other options are also good! Check 'em out
● Choosing a good password manager is a big deal!
● If somebody hacks Lastpass and ships booby-trapped code, all bets are off, but that's true for every password manager
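The property behind "Lastpass never gets non-encrypted data" (and the "How is the data secured?" question above) is that the vault is encrypted on the client, and the server only ever sees a one-way login hash and ciphertext. The Python below is an added illustration of that general pattern; it is not LastPass's code or parameters. The iteration count, the salt choices, the label strings, the sample account and vault contents, and the HMAC-SHA256 counter-mode keystream (standing in for AES, which the standard library lacks) are all assumptions for this example.

```python
import hashlib
import hmac
import secrets

# Assumption for this example: a fixed PBKDF2 iteration count. Real products
# use a per-user, adjustable count; higher makes offline guessing slower.
ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side: turn the master password into the 256-bit vault key.

    The e-mail is the salt, so two users with the same master password get
    different keys. This key never leaves the client."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), ITERATIONS, dklen=32)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one extra PBKDF2 pass produces the value sent to the server.

    It proves knowledge of the master password without revealing it or the
    vault key (PBKDF2 is one-way)."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(),
                               1, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (assumption:
    production code would use AES-GCM; the standard library has no AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Client side, encrypt-then-MAC with separate sub-keys: nonce || ciphertext || tag."""
    enc_key = hmac.new(vault_key, b"vault-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"vault-authentication", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Client side: verify the tag first, then decrypt. Wrong key -> ValueError."""
    if len(blob) < 48:
        raise ValueError("blob too short")
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key = hmac.new(vault_key, b"vault-encryption", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"vault-authentication", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault authentication failed (wrong key or tampered data)")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


class Server:
    """The provider. It stores a salted hash of the login hash plus the
    encrypted blob; it never holds the master password or the vault key."""

    def __init__(self):
        self.users = {}

    def register(self, email: str, login_hash: bytes, vault_blob: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.users[email] = {
            "salt": salt,
            "login_hash_stored": hashlib.pbkdf2_hmac("sha256", login_hash, salt, ITERATIONS),
            "vault_blob": vault_blob,
        }

    def login(self, email: str, login_hash: bytes):
        """Return the encrypted vault on success, None on failure."""
        rec = self.users.get(email)
        if rec is None:
            return None
        check = hashlib.pbkdf2_hmac("sha256", login_hash, rec["salt"], ITERATIONS)
        if not hmac.compare_digest(check, rec["login_hash_stored"]):
            return None
        return rec["vault_blob"]


def demo() -> bool:
    """Round trip: register, log in from a second device, fetch the blob, decrypt locally."""
    email, master = "alice@example.com", "correct horse battery staple"  # constructed
    vault = b"example.com: alice / Xk9$vR2!mP0q"                           # constructed
    key = derive_vault_key(master, email)
    server = Server()
    server.register(email, derive_login_hash(key, master), encrypt_vault(key, vault))
    key2 = derive_vault_key(master, email)          # same inputs -> same key, on any device
    blob = server.login(email, derive_login_hash(key2, master))
    return blob is not None and b"Xk9$vR2" not in blob and decrypt_vault(key2, blob) == vault


if __name__ == "__main__":
    print("round trip ok:", demo())
```

The practical consequence is the one the slides state next: the server cannot recover the vault, so losing the master password means losing the data.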
Using Lastpass
● Create account
● Create MASTER PASSWORD
● No master password = NO DATA
● Add 2-factor authentication
● Read blogs on securing and using it
● Some security settings are important
[Screenshot: Lastpass Vault (not mine)]
[Screenshot: Login buttons]
Best Practices – Master Pass
● Master password should be very good
– Write one or two copies down – optional
– The MP is obviously critical
– Losing the master password means no data
● Never use the 'Remember me' option
● Be careful with “Allow for XX hours”
Best Practices - Sites
● Every site gets a long, unique password
– As long as allowed, if possible
– Use symbols if allowed
● Change ALL passwords to random ones in the PM
– (Optional) except things like financial accounts
– there are trade-offs for those as well
● Consider a second, locked-down email account for financial sites
● Maybe not really helpful
● Enable 2-factor and security notifications
2-Factor Authentication
● Something you know + Something you have
● Possibilities:
– cell phone / SMS text
– hardware fobs / custom solutions
– TOTP / Google Authenticator
● How secure it is varies, despite being 2-factor
● Still a good thing - usually
2-Factor Best Practices
● Enable on critical accounts if at all possible
● Especially:
– Lastpass (or other PM)
– Banks and financial (!!)
● twofactorauth.org has a list
● Realistically, it can often be bypassed
● Social engineering works really well
– Humans want to be helpful
● A strong password is still the foundation
● “Reset password” is almost universal
– Email security on accounts is paramount!
● Where you can't be secure, early notice is best
● Some 2-factor sites (like Google) can give you one-time backup codes.
● Each code substitutes for your second factor once.
● Good to have as a backup or when travelling
● Print them carefully and control where they are kept
● Be careful about critical 2-factor accounts
● You can lose access without the second factor, sometimes!
● Understand how to move things like the Google Authenticator app to a new phone
● On most sites you can recover from a lost second factor with the account's main password plus a reset flow, but not on every one!
● Backup codes are a good idea to have printed out
– Secure those puppies!
Passwords – Worst Practices
● Are you a worst practice-ing password-er?
● YOU ARE MAKING IT EASY!!!
– hackers <3 you – feel the love
● Bad ideas: using personal data of any kind
– birthdays, anniversaries, dates
– addresses, cities, locations
– favorite colors, items, activities, ...
– old phone numbers and account numbers
– anything relating to your children or spouse
● Dictionary words of any kind, even modified
● DO NOT DO THIS!
How to make Secure Passwords
● Completely random is best
● Long, complex passwords are 2nd best
● Length of password matters - a lot
– both password-derived encryption keys and stored hashes get harder to brute-force
● If you have to remember it, use strategies
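As an added example (not from the slides), the Python below generates site passwords the way a password manager does: from the OS CSPRNG, as long as the site allows, from whatever character set it accepts, plus a random-word passphrase for the one password you must remember. It also reports the entropy of each scheme, so the "length matters a lot" claim can be checked with numbers. The word list is a constructed 16-word stand-in (a real Diceware-style list has 7776 words), and the 1e10 guesses/second cracking rate is an assumed figure, not a measurement.

```python
import math
import secrets
import string

# Character classes a site might allow. The generator picks uniformly from the
# chosen set, so entropy is simply length * log2(len(set)).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
FULL = "".join(CLASSES.values())              # 94 printable ASCII characters
ALNUM = string.ascii_letters + string.digits  # 62, for sites that reject symbols

# Constructed word list for the passphrase demo (4 bits per word). A real
# list such as Diceware has 7776 words, i.e. 12.9 bits per word.
WORDS = ["bunny", "carrot", "weird", "green", "eats", "only", "lamp", "river",
         "stone", "quiet", "maple", "orbit", "piano", "salt", "tiger", "wind"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for `length` independent uniform picks from `alphabet_size` symbols."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16, alphabet: str = FULL) -> str:
    """Uniformly random password. Every class present in `alphabet` appears at
    least once (many sites demand it); rejection sampling keeps the result
    uniform among the passwords that satisfy that rule."""
    required = [set(c) for c in CLASSES.values() if set(c) & set(alphabet)]
    if length < len(required):
        raise ValueError("length too short for the required character classes")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in required):
            return candidate


def generate_passphrase(words: int = 6, wordlist=WORDS, sep: str = " ") -> str:
    """Random words, for the one password you must remember (the master)."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to search the whole space at an assumed offline cracking rate
    (1e10/s is a constructed figure for a GPU rig against a fast hash)."""
    return 2 ** bits / guesses_per_second / (3600 * 24 * 365)


def compare_schemes() -> dict:
    """Entropy of the schemes the slides mention, so length can be compared."""
    return {
        "8 chars, full set": entropy_bits(len(FULL), 8),
        "12 chars, full set": entropy_bits(len(FULL), 12),
        "16 chars, full set": entropy_bits(len(FULL), 16),
        "16 chars, alnum only": entropy_bits(len(ALNUM), 16),
        "6 words, 7776-word list": entropy_bits(7776, 6),
    }


if __name__ == "__main__":
    print(generate_password(16))
    print(generate_password(12, ALNUM))
    print(generate_passphrase())
    for name, bits in compare_schemes().items():
        print(f"{name:26s} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years to exhaust")
```

Note what the numbers show: going from 8 to 16 characters doubles the bits, which squares the attacker's work, while dropping symbols from a 16-character password costs under 10 bits. Length is the lever.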
Bad password example
● Example: Take two words, bunny + carrot
● Combine them and scramble a bit
– Bunn33%carrot
● This is much less secure than you might think
– Though.. still better than most out there
Good password example
● Start with a phrase, a made-up story is good
– “My bunny is weird, he only eats green carrots”
● Take the first letters, scramble a bit
– Add punctuation/symbols
– Replace some letters with unexpected ones
– Add some words at the end; they are an easy way to add length
“My bunny is weird, he only eats green carrots”
mY!biW+He0eatsgreencarrots
● Enough random-ish characters matters (8 or more)
● Extra words or characters help – even if simple
● You'll have to type this out, don't be too crazy
● You need to remember it
– Putting it on a post-it kind of beats the point of it
App-specific passwords
● Offered by Google, Microsoft, Facebook, etc.
● Creates a single-purpose password (one per app or device)
– Sometimes it can be named, e.g. “iPhone email”
● Limited ability to change the account
● You can disable all app-specific passwords from master account controls
● Use for iphone email, IM chats, etc.
● Avoid typing your real account password into apps whenever you can
2-Factor Example: Google
● Implements TOTP (RFC 6238)
● Scan a QR code (or type in the key) to load the shared secret
● Generates a 6-digit code from the secret and the current time
● Codes last about 30 seconds, then change
● Turns your mobile device into the equivalent of an RSA fob
● Works very easily in practice
● Add everywhere you can!
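To show what the Authenticator app actually does with that shared secret, here is an added Python implementation of HOTP/TOTP (RFC 4226 / RFC 6238) and of the otpauth:// URI that the QR code carries; it is example code, not Google's. The issuer and account name are constructed, and the 20-byte ASCII secret is the one from the RFC test vectors, so the codes it produces can be checked against the RFC.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
import urllib.parse
from typing import Optional


def new_secret(nbytes: int = 20) -> bytes:
    """Server side at enrollment: a random shared secret (20 bytes for HMAC-SHA1)."""
    return secrets.token_bytes(nbytes)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The text inside the QR code: base32 secret, issuer, algorithm, digits, period."""
    label = urllib.parse.quote(f"{issuer}:{account}", safe=":@")
    params = urllib.parse.urlencode({
        "secret": base64.b32encode(secret).decode().rstrip("="),
        "issuer": issuer, "algorithm": "SHA1", "digits": 6, "period": 30,
    })
    return f"otpauth://totp/{label}?{params}"


def secret_from_base32(text: str) -> bytes:
    """What the phone does with a typed-in key (base32, spaces and missing padding tolerated)."""
    clean = text.replace(" ", "").upper()
    clean += "=" * (-len(clean) % 8)
    return base64.b32decode(clean)


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1(secret, counter) -> dynamic truncation -> `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
              | mac[offset + 2] << 8 | mac[offset + 3])
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, at: Optional[float] = None, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with counter = Unix time // step, which is why the code rolls every 30 s."""
    if at is None:
        at = time.time()
    return hotp(secret, int(at) // step, digits)


def verify_totp(secret: bytes, candidate: str, at: Optional[float] = None,
                step: int = 30, window: int = 1, digits: int = 6) -> bool:
    """Server side: accept the current step and `window` steps either side to
    tolerate clock drift; compare in constant time. Anything older is rejected,
    which is what stops a captured code from being replayed later."""
    if at is None:
        at = time.time()
    counter = int(at) // step
    for drift in range(-window, window + 1):
        if counter + drift < 0:
            continue
        if hmac.compare_digest(hotp(secret, counter + drift, digits), candidate):
            return True
    return False


# RFC 6238 Appendix B secret, so the values printed below match the RFC's vectors.
RFC_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(provisioning_uri(RFC_SECRET, "alice@example.com", "Example"))  # constructed names
    phone_secret = secret_from_base32("GEZD GNBV GY3T QOJQ GEZD GNBV GY3T QOJQ")
    print(phone_secret == RFC_SECRET)
    print(totp(RFC_SECRET, at=59), totp(RFC_SECRET, at=1111111109))  # 287082 081804
    print(verify_totp(RFC_SECRET, "287082", at=89))   # True: one step of drift allowed
    print(verify_totp(RFC_SECRET, "287082", at=120))  # False: too old, replay rejected
```

Two things worth noticing: the phone needs nothing but the secret and a correct clock (no network), and anyone who gets a copy of that secret, from a screenshot of the QR code for instance, can generate the same codes, which is why the enrollment screen deserves the same care as a password.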
[Screenshot slides: 2-Factor Example: Google]
Final Suggestions
● Never, ever give out passwords
● IT staff and sites almost never legitimately need it
● Don't save your corporate credentials – ever
● Be very careful giving out information
● Be very careful using devices not yours
● Password managers are worthless without good device and computer security!
– phishing
– malware / viruses
– social engineering
– saved passwords in the browser
● Use a passcode on your phone
● Configure phone to erase itself after X tries
● Email account is critical
● Almost all sites have “reset password”
● An email reset can usually bypass 2-factor as well (!!!)
Q&A
Questions?