Secure Password Management, Informal, @WalmartLabs


Published on

Presenting an informal lunch talk on using a password manager to handle personal internet accounts securely. Also discussing 2-factor authentication a bit. Discussion features Lastpass a little bit.

Published in: Technology
  • Be the first to comment

  • Be the first to like this

No Downloads
Total views
On SlideShare
From Embeds
Number of Embeds
Embeds 0
No embeds

No notes for slide

Secure Password Management, Informal, @WalmartLabs

  1. 1. Secure Password Management Karl Mueller Sr. Solutions Architect, @Labs karl – at – March 21st , 2014
  2. 2. Who Am I? ● 20 years industry operations experience ● Joined Kosmix 2005 ● Acquired into @Walmartlabs, 2011 ● NOT a security expert! – but neither are most people!
  3. 3. What is the problem? ● Sites get compromised ● Passwords can be recovered – Even sites practicing good security!! ● Emails and passwords are re-used ● More and more online accounts! ● Most hackers are after lower-hanging fruit ● Some hackers target specific people, i.e. @N twitter
  4. 4. What is a solution? ● Unique, random, long passwords per site – 8, 12, 16 characters – even longer! ● Compromised? Limited vulnerability ● Password managers are one way to do this ● Password manager must be secured well ● Not perfect – nothing is perfect
  5. 5. Considerations in a PM ● How is the data secured? ● Can I access my data on mobile? How? ● Is there two-factor authentication? ● Can the data be recovered without the master password? ● How do I back it up securely? ● Can it be used if company XX goes splat?
  6. 6. My choice: Lastpass Premium ● Premium ($12/yr) adds mobile support ● Encrypted cloud storage ● Secured and Encrypted by master password ● Good 2-factor authentication ● Usual support of forms, data, password generation
  7. 7. My choice: Lastpass Premium ● Works off-line ● Import/Export for backups ● CSV export available for non-lastpass – PITA – mostly disaster recovery, IMO ● All major browsers have plugins ● All mobile have fully-functional app ($$)
  8. 8. My choice: Lastpass Premium ● Lastpass never gets non-encrypted data ● Not perfect, but IMO the best option ● Other options are also good! Check 'em out ● Choosing a good password manager is a big deal! ● If somebody hacks Lastpass and releases booby-trapped code, all bets are off the table.. but that's true for everybody
  9. 9. Using Lastpass ● Create account ● Create MASTER PASSWORD ● No master password = NO DATA ● Add 2-factor authentication ● Read blogs on securing and using it ● Some security settings are important
  10. 10. Lastpass Vault (not mine)
  11. 11. Login buttons
  12. 12. Best Practices – Master Pass ● Master password should be very good – Write one or two copies down – optional – The MP is obviously critical – Losing master password means no data ● Never use 'Remember me' option ● Be careful with “Allow for XX hours”
  13. 13. Best Practices - Sites ● Every site gets a long, unique password – As long as allowed, if possible – Use symbols if allowed ● Change ALL passwords to random ones in PM – (Optional) except things like financial accounts – trade-offs for those as well
  14. 14. Best Practices - Sites ● Consider 2nd , secure email for financial ● Maybe not really helpful ● Enable 2-factor and security notifications
  15. 15. 2-Factor Authentication ● Something you know + Something you have ● Possibilities: – cell phone / SMS text – FOB keys / custom solutions – TOTP / Google Authenticator ● How secure it is varies, despite 2-factor ● Still a good thing - usually
  16. 16. 2-Factor Best Practices ● Enable on critical accounts if at all possible ● Especially: – Lastpass (or other PM) – Google – Facebook – Linkedin – Banks and Financial (!!) ● has a list
  17. 17. 2-Factor Best Practices ● Realistically, it can often be bypassed ● Social engineering works really well – Humans want to be helpful ● Password protection still the best option ● “Reset password” is almost universal – Email security on accounts is paramount! ● Where you can't be secure, early notice is best
  18. 18. 2-Factor Best Practices ● Some 2-factor sites (like Google) can give you one-time- use codes. ● Codes can substitute for your 2-factor once. ● Good to have as backup or travel ● Carefully print or control where they are
  19. 19. 2-Factor Best Practices ● Be careful about critical 2-factor accounts ● You can lose access without it, sometimes! ● Understand how to transfer things like the Google Authenticator app to new phone ● Most sites, you can fix not having 2-factor with the master password, but not every one! ● Codes are a good idea to have printed out – Secure those puppies!
  20. 20. Passwords – Worst Practices ● Are you a worst practice-ing password-er? ● YOU ARE MAKING IT EASY!!! – hackers <3 you – feel the love ● Bad ideas: Using personal data of any kind – birthdays, anniversaries, dates – addresses, cities, locations – favorite colors, items, activities, ... – old phone numbers and account numbers – anything relating to your children or spouse ● Dictionary words of any kind, even modified ● DO NOT DO THIS!
  21. 21. How to make Secure Passwords ● Completely random is best ● Long, complex passwords are 2nd best ● Length of password matters - a lot – encryption and hashes both benefit ● If you have to remember it, use strategies
  22. 22. Bad password example ● Example: Take two words, bunny + carrot ● Combine them and scramble a bit – Bunn33%carrot ● This is much less secure than you might think – Though.. still better than most out there
  23. 23. Good password example ● Start with a phrase, a made-up story is good – “My bunny is weird, he only eats green carrots” ● Take first letters, scramble a bit – Add punction/symbols – replace some letters with non-expected – add some words at the end that are easy to add length to the password
  24. 24. Good password example “My bunny is weird, he only eats green carrots” mY!biW+He0eatsgreencarrots ● Sufficient Random-ish chars important (8+) ● Extra words or characters help – even if simple ● You'll have to type this out, don't be too crazy ● You need to remember it – Putting it on a post-it kind of beats the point of it
  25. 25. App-specific passwords ● Offered by Google, Microsoft, Facebook, etc. ● Creates a one-use password (or several) – Sometimes it can be named, i.e. “iPhone email” ● Limited ability to change account ● You can disable all app-specific passwords from master account controls ● Use for iphone email, IM chats, etc. ● Avoid using your real passwords whenever you can
  26. 26. 2-Factor Example: Google ● Implements TOTP ● Scans a QR code (or type in) for shared secret ● Generates a 6-digit code based on secret securely ● Codes last about 30 seconds, then change ● Turns your mobile device into RSA FOB ● Works very easily in practice ● Add everywhere you can!
  27. 27. 2-Factor Example: Google
  28. 28. 2-Factor Example: Google
  29. 29. Final Suggestions ● Never, ever give out passwords ● IT and sites almost never can use it ● Don't save your corporate credentials – ever ● Be very careful giving out information ● Be very careful using devices not yours
  30. 30. Final Suggestions ● Passwords Managers are worthless without good device and computer security! – phishing – malware / viruses – social engineering – saved passwords in browser ● Use passcodes on your phone ● Configure phone to erase itself after X tries
  31. 31. Final Suggestions ● Email account is critical ● Almost all sites have “reset password” ● Can usually bypass 2-factor as well (!!!)
  32. 32. Q&A Questions?