password PSA

I'm new here, but I appreciate this forum for the quality of information shared. I don't have a lot to share yet in the marketing realm, however I did think it might be useful to give you guys a peek into info security for a Fortune 100 financial institution.

Do you ever wonder what happens to all of the data that all of the companies lose during the big data breaches that keep happening? I can tell you one thing that happens - there's a group of bad actors that hoover it all up, store it, correlate it and are RELENTLESSLY testing against the big banks and other sites to see if anyone was dumb enough to re-use their passwords on multiple sites. And/Or, they gain control of your email accounts and get enough information about the victim to reset their passwords on said sites. We have to invest a ton of resources to counter these efforts, and it's a constant cat and mouse game. What's CRAZY to me is how much work they put in for the payoff. We call these bad actors "harvesters" and they typically sell off the compromised accounts at $10-$15 each on the dark web. If these guys instead focused their efforts in THIS (marketing) space, they'd be killing it. Maybe they are and this is just a hobby for them, I guess we'll never know.
 
I suspect this will always be a problem out of sheer laziness and attempts to create convenience (using the same password or 2 or 3 versions of the same passwords). Double authentication is nice because you can force people to enter a verification code from a dongle, text message, or answer a security question.

As I think my way through this problem, the obvious next step is password management software, whether that's a spreadsheet on a USB drive (you can lose it or have it stolen) or a file uploaded to someone else's server so you can sync across devices. Of course then you want to password protect them and even encrypt them, but they're still now in a format and in a place that creates another method of being unsafe. Even if you were to keep it on your own computer, you're putting all of your passwords in one spot and they can all be taken in one go.

Is password protection and encryption really the best we have to offer ourselves these days concerning this problem? I don't mean to sound like I'm belittling encryption, but there are some serious math wizards out there with ungodly dedication and computing power that might be willing to take the ride to the dark side.
 
Here's what I like to do. I use KeePass as my password manager. It's a desktop app, though there is a mobile version available on Android, if you use the F-Droid package manager.

For passwords, I never even bother writing passwords anymore. I generate them. I try to generate ridiculous ones too, preferably 60-80 characters or more, or whatever a given site/platform can handle. KeePass has a built-in generator.

For critical services, like banking sites, I actually generate user names in the same way. Idea being, totally random and crazy user name and password. Mathematically, this means it's a no-go for someone to crack your logins with a typical dictionary attack, in a realistic amount of time. Increasing the time cost of that opportunity is important.

Each site gets a different username and password. Mandatory.

2FA is a good step as well. Where possible, depending on the service, I like to use one of those RFID key generators. For example, that's an option with AWS.

For access beyond my normal computer, I keep my KeePass DB file copied and up to date on some form of encrypted USB, and preferably several copies for safe keeping.

For secure USBs, look for something that has AES 256 encryption. Also, if it meets some form of FIPS 140 standards, that would be good too. I quite like the Apricorn Aegis Secure Key, but there are a lot of other good options out there too.
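The "generate a random username and a 60-80 character password per site" approach above, as an added example that is not turbin3's code and not KeePass's built-in generator. It draws from the OS CSPRNG via Python's secrets module, clamps the password to whatever length a site accepts, and reports the entropy so you can see what a short cap costs. The alphabets, the per-site length caps and the guess rate are constructed assumptions.

```python
"""Per-site random usernames and passwords from a CSPRNG, with entropy figures.

Added example, not turbin3's code and not KeePass's generator. It mirrors
the approach in the post: a random username plus a long random password for
each site, clamped to whatever length the site accepts. Alphabets, the
per-site length caps and the guess rate are constructed assumptions.
"""
import math
import secrets
import string

# Assumed alphabets. Pass the site's actually-accepted symbol set if it differs.
ALNUM = string.ascii_letters + string.digits                # 62 characters
PASSWORD_CHARS = ALNUM + "!@#$%^&*()-_=+[]{};:,.<>?/"       # 88 characters


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def random_string(alphabet: str, length: int) -> str:
    """Uniform random string over `alphabet`, drawn with the OS CSPRNG.

    The alphabet is de-duplicated first: a repeated character would be
    drawn more often than the others and the entropy figure would be wrong.
    """
    distinct = "".join(sorted(set(alphabet)))
    if length < 1 or len(distinct) < 2:
        raise ValueError("need length >= 1 and at least 2 distinct characters")
    return "".join(secrets.choice(distinct) for _ in range(length))


def generate_credential(site_max_len: int, wanted_len: int = 64,
                        alphabet: str = PASSWORD_CHARS, username_len: int = 16) -> dict:
    """Random username + password for one site, password clamped to the site's cap.

    Returns the entropy of each so you can see what a short cap costs you.
    """
    pw_len = min(wanted_len, site_max_len)
    return {
        "username": random_string(ALNUM, username_len),
        "password": random_string(alphabet, pw_len),
        "username_bits": entropy_bits(len(set(ALNUM)), username_len),
        "password_bits": entropy_bits(len(set(alphabet)), pw_len),
    }


def brute_force_years(bits: float, guesses_per_second: float = 1e12) -> float:
    """Expected years to guess a secret of `bits` entropy at a given rate
    (half the keyspace on average; the rate is an assumption)."""
    return (2.0 ** bits / 2.0) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    # Constructed length caps for two imaginary sites.
    for site, cap in {"bank.example": 20, "aws.example": 128}.items():
        cred = generate_credential(cap)
        print(f"{site}: user={cred['username']} pw_len={len(cred['password'])} "
              f"pw_bits={cred['password_bits']:.0f} "
              f"years@1e12/s={brute_force_years(cred['password_bits']):.3g}")
```

A 20-character cap over the 88-character set still gives roughly 129 bits, which is far beyond any dictionary or brute-force attack; the 16-character random username adds another 95 bits an attacker has to guess before the password even matters. The real value of the long password is when the site stores it badly (an unsalted fast hash), not at the login prompt, where the site's lockout or rate limit dominates.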
 
I use KeePass as my password manager
This. I use Keeweb (https://keeweb.info/), which is compatible with Keepass but also has a pretty nice UI for both Windows and Linux, where I do most of my dev/server work. I use the generator as well that @turbin3 mentioned to generate a unique and long random password for everything that requires a password. I have a process that runs nightly that backs up the DB to 2 locations, one of them to a VPS and the other to an external drive. I also back the database up to a nice durable thumb drive for an offline backup (my fav: https://www.newegg.com/Product/Product.aspx?item=N82E16820233804).

For servers themselves, all logins are based on a key-pair with a passphrase. In order to log into the server, it requires me to have the private key file and also know the passphrase. That goes a long way for security. Here's a brief example of how that's set up (https://www.digitalocean.com/community/tutorials/how-to-set-up-ssh-keys--2)
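The nightly "back the DB up to two locations" process mentioned above, as an added example that is not the poster's actual script. It copies the .kdbx into each destination under a UTC timestamp, verifies the copy's SHA-256 against the source before trusting it, and prunes old copies beyond a retention count, which is the check worth having so a silently corrupted copy does not overwrite your only good backup. The paths, the cron line and the fake database bytes are constructed assumptions.

```python
"""Nightly KeePass database backup to two locations, with integrity check and retention.

Added example, not the poster's script. Assumes the layout described in the
post: one destination directory that syncs to a VPS, one on an external drive,
run nightly from cron. All paths and the sample bytes are assumptions.
"""
import hashlib
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 and return the hex digest."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def backup_db(src: Path, dests: list, keep: int = 14, stamp: Optional[str] = None) -> dict:
    """Copy src into each dest dir as <stem>-<UTC stamp><suffix>.

    Each copy is re-hashed and must match the source; a mismatch deletes the
    bad copy and raises, so the run fails loudly instead of leaving a broken
    backup in place. Only the newest `keep` copies per directory are kept.
    Returns {dest_dir: path_of_new_copy}.
    """
    src = Path(src)
    expected = sha256_file(src)
    stamp = stamp or datetime.now(timezone.utc).strftime("%Y%m%dT%H%M%SZ")
    results = {}
    for dest in dests:
        dest = Path(dest)
        dest.mkdir(parents=True, exist_ok=True)
        target = dest / f"{src.stem}-{stamp}{src.suffix}"
        shutil.copy2(src, target)
        if sha256_file(target) != expected:
            target.unlink(missing_ok=True)
            raise RuntimeError(f"backup to {target} failed integrity check")
        # Retention: the timestamp sorts lexicographically, so sorted() is oldest-first.
        copies = sorted(dest.glob(f"{src.stem}-*{src.suffix}"))
        for old in copies[:-keep]:
            old.unlink()
        results[str(dest)] = target
    return results


def run_demo() -> dict:
    """Constructed demo: a fake .kdbx, three nightly runs into two dests, keep=2."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        src = tmp / "passwords.kdbx"
        src.write_bytes(b"constructed bytes standing in for a .kdbx file\n" * 50)
        dests = [tmp / "vps_sync", tmp / "external_drive"]
        out = {}
        for night in ("20180501T020000Z", "20180502T020000Z", "20180503T020000Z"):
            out = backup_db(src, dests, keep=2, stamp=night)
        return {
            "copies_per_dest": {d.name: len(list(d.glob("passwords-*.kdbx"))) for d in dests},
            "verified": all(sha256_file(p) == sha256_file(src) for p in out.values()),
            "newest": sorted(p.name for p in out.values()),
        }


if __name__ == "__main__":
    # Assumed real paths; e.g. cron: 0 2 * * * python3 /home/me/bin/backup_kdbx.py
    print(backup_db(Path.home() / "passwords.kdbx",
                    [Path.home() / "sync-to-vps", Path("/mnt/external/kdbx")]))
```

The database is already encrypted under your master key, so the copies themselves need no extra wrapping, but the retention count matters: if you only ever keep the latest copy, a corrupted or accidentally emptied database gets faithfully replicated to both locations on the next run.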
 