Presenting an informal lunch talk on using a password manager to handle personal internet accounts securely. Also discussing 2-factor authentication a bit. Discussion features Lastpass a little bit.

1. Secure Password Management
Karl Mueller
Sr. Solutions Architect, @Labs
karl – at – walmartlabs.com
March 21st
, 2014

2. Who Am I?
● 20 years industry operations experience
● Joined Kosmix 2005
● Acquired into @Walmartlabs, 2011
● NOT a security expert!
– but neither are most people!

3. What is the problem?
● Sites get compromised
● Passwords can be recovered
– Even sites practicing good security!!
● Emails and passwords are re-used
● More and more online accounts!
● Most hackers are after lower-hanging fruit
● Some hackers target specific people, i.e. @N twitter

4. What is a solution?
● Unique, random, long passwords per site
– 8, 12, 16 characters – even longer!
● Compromised? Limited vulnerability
● Password managers are one way to do this
● Password manager must be secured well
● Not perfect – nothing is perfect

5. Considerations in a PM
● How is the data secured?
● Can I access my data on mobile? How?
● Is there two-factor authentication?
● Can the data be recovered without the master password?
● How do I back it up securely?
● Can it be used if company XX goes splat?

6. My choice: Lastpass Premium
● Premium ($12/yr) adds mobile support
● Encrypted cloud storage
● Secured and Encrypted by master password
● Good 2-factor authentication
● Usual support of forms, data, password generation

7. My choice: Lastpass Premium
● Works off-line
● Import/Export for backups
● CSV export available for non-lastpass
– PITA – mostly disaster recovery, IMO
● All major browsers have plugins
● All mobile have fully-functional app ($$)

8. My choice: Lastpass Premium
● Lastpass never gets non-encrypted data
● Not perfect, but IMO the best option
● Other options are also good! Check 'em out
● Choosing a good password manager is a big deal!
● If somebody hacks Lastpass and releases booby-trapped
code, all bets are off the table.. but that's true for
everybody

9. Using Lastpass
● Create account
● Create MASTER PASSWORD
● No master password = NO DATA
● Add 2-factor authentication
● Read blogs on securing and using it
● Some security settings are important

10. Lastpass Vault (not mine)

11. Login buttons

12. Best Practices – Master Pass
● Master password should be very good
– Write one or two copies down – optional
– The MP is obviously critical
– Losing master password means no data
● Never use 'Remember me' option
● Be careful with “Allow for XX hours”

13. Best Practices - Sites
● Every site gets a long, unique password
– As long as allowed, if possible
– Use symbols if allowed
● Change ALL passwords to random ones in PM
– (Optional) except things like financial accounts
– trade-offs for those as well

14. Best Practices - Sites
●
Consider 2nd
, secure email for financial
● Maybe not really helpful
● Enable 2-factor and security notifications

15. 2-Factor Authentication
● Something you know + Something you have
● Possibilities:
– cell phone / SMS text
– FOB keys / custom solutions
– TOTP / Google Authenticator
● How secure it is varies, despite 2-factor
● Still a good thing - usually

16. 2-Factor Best Practices
● Enable on critical accounts if at all possible
● Especially:
– Lastpass (or other PM)
– Google
– Facebook
– Linkedin
– Banks and Financial (!!)
● twofactorauth.org has a list

17. 2-Factor Best Practices
● Realistically, it can often be bypassed
● Social engineering works really well
– Humans want to be helpful
● Password protection still the best option
● “Reset password” is almost universal
– Email security on accounts is paramount!
● Where you can't be secure, early notice is best

18. 2-Factor Best Practices
● Some 2-factor sites (like Google) can give you one-time-
use codes.
● Codes can substitute for your 2-factor once.
● Good to have as backup or travel
● Carefully print or control where they are

19. 2-Factor Best Practices
● Be careful about critical 2-factor accounts
● You can lose access without it, sometimes!
● Understand how to transfer things like the Google
Authenticator app to new phone
● Most sites, you can fix not having 2-factor with the master
password, but not every one!
● Codes are a good idea to have printed out
– Secure those puppies!

20. Passwords – Worst Practices
● Are you a worst practice-ing password-er?
● YOU ARE MAKING IT EASY!!!
– hackers <3 you – feel the love
● Bad ideas: Using personal data of any kind
– birthdays, anniversaries, dates
– addresses, cities, locations
– favorite colors, items, activities, ...
– old phone numbers and account numbers
– anything relating to your children or spouse
● Dictionary words of any kind, even modified
● DO NOT DO THIS!

21. How to make Secure Passwords
● Completely random is best
●
Long, complex passwords are 2nd
best
● Length of password matters - a lot
– encryption and hashes both benefit
● If you have to remember it, use strategies

22. Bad password example
● Example: Take two words, bunny + carrot
● Combine them and scramble a bit
– Bunn33%carrot
● This is much less secure than you might think
– Though.. still better than most out there

23. Good password example
● Start with a phrase, a made-up story is good
– “My bunny is weird, he only eats green carrots”
● Take first letters, scramble a bit
– Add punction/symbols
– replace some letters with non-expected
– add some words at the end that are easy to add length
to the password

24. Good password example
“My bunny is weird, he only eats green carrots”
mY!biW+He0eatsgreencarrots
● Sufficient Random-ish chars important (8+)
● Extra words or characters help – even if simple
● You'll have to type this out, don't be too crazy
● You need to remember it
– Putting it on a post-it kind of beats the point of it

25. App-specific passwords
● Offered by Google, Microsoft, Facebook, etc.
● Creates a one-use password (or several)
– Sometimes it can be named, i.e. “iPhone email”
● Limited ability to change account
● You can disable all app-specific passwords from master
account controls
● Use for iphone email, IM chats, etc.
● Avoid using your real passwords whenever you can

26. 2-Factor Example: Google
● Implements TOTP
● Scans a QR code (or type in) for shared secret
● Generates a 6-digit code based on secret securely
● Codes last about 30 seconds, then change
● Turns your mobile device into RSA FOB
● Works very easily in practice
● Add everywhere you can!

27. 2-Factor Example: Google

28. 2-Factor Example: Google

29. Final Suggestions
● Never, ever give out passwords
● IT and sites almost never can use it
● Don't save your corporate credentials – ever
● Be very careful giving out information
● Be very careful using devices not yours

30. Final Suggestions
● Passwords Managers are worthless without good device
and computer security!
– phishing
– malware / viruses
– social engineering
– saved passwords in browser
● Use passcodes on your phone
● Configure phone to erase itself after X tries

31. Final Suggestions
● Email account is critical
● Almost all sites have “reset password”
● Can usually bypass 2-factor as well (!!!)

32. Q&A
Questions?