With serial attacks against LinkedIn, eHarmony and now Last.fm, we should be worried and we must pay more attention to the security of our passwords used on web services.
Until recently, I took risks with my passwords. This was careless and unreasonable given the threat levels in recent weeks, as shown by the hacking of LinkedIn, eHarmony and now Last.fm. Here I share how to better protect your passwords.
Best practices to secure your passwords
We are the weakest link!
Most of us have to deal with dozens if not hundreds of passwords, security codes, PIN codes, etc. I can’t remember them all, and while I didn’t simply use the same weak password on all my web services, I certainly didn’t apply all security best practices. I had somewhat easy-to-guess patterns of complex passwords across those services. Then, when it got to a long list of web services, I had to start writing them down to remember them! And what about using the same passwords at home and at work?
If this sounds like you, read on!
What is the real security value of having end-users authenticate with a static password and accounts on multiple sites and services in a public environment? – Marcel van Wort
How can you secure your passwords?
At work, many organisations already have strong authentication solutions, relying on two-factor authentication, Single Sign-On and password policies that enforce expiration and guard against capture and guessing/cracking.
But for your personal web services, basic security is too often lacking, in particular when relying on static passwords. Apply some basic rules:
- Don’t store passwords in your browser
- Don’t store passwords in clear text documents on your devices
- Don’t use the same passwords across websites
- Always use complex passwords
- Wherever possible, use dynamic passwords and two-factor authentication.
That’s fairly simple; but, as I did, you’ll end up breaching those practices given the large number of web services we rely on.
Lastpass.com, the last password you’ll need to remember
A colleague introduced me to Lastpass.com as a solution to manage all my personal web services accounts (They also have an Enterprise ready version to apply the same practices at home and work). Check out their video below:
Lastpass.com addresses all the challenges we discussed above and helps you apply these best practices with:
- Just the one master password to remember: the only password you need to remember is the one to access your “vault” which contains the accounts to each of your web services.
- When working on someone else’s computer: you can use a One Time Password instead of your master password to eliminate the risk of keyboard loggers
- Generate complex passwords: for each of your web services it lets you generate new, very complex passwords to replace your “standard” passwords and ensure that each web service account has a different password
- More secure with multi-factor authentication: if you’d like, it can do more than static passwords. It also supports multi-factor authentication using a USB key
- Reduce the risk of keyboard loggers: with one-click login from the “vault” you never type in the individual passwords to access your web services, in particular when accessing them from public or untrusted computers. It also has an on-screen keyboard so you can use the mouse to “type” the passwords and further reduce the risk from keyboard loggers.
- It’s secure but also practical! With synchronisation across browsers and devices, it is very practical, reducing the risk of taking inappropriate shortcuts to bypass the inconvenience of complex password security. It’s accessible from all smartphones, and you can share or delegate access to your web services with friends, colleagues and virtual assistants too!
- Very practical! It has other very useful features, such as automatic form filling to provide commonly requested information (removing the need for browser add-ins), synchronising your browser bookmarks, and storing secure notes and high-value information.
- It guides you to get and stay secure: finally, it lets you run a security audit across all your web services to identify any weaknesses.
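The rules above (no reuse, no shared patterns, always complex) and the kind of audit just described can be checked with a few lines of code. The script below is an added example, not part of the post or of Lastpass.com; it runs over a constructed sample vault and flags exact reuse, the “same stem plus site suffix” pattern I was guilty of, and passwords below a strength threshold, then shows how to draw a replacement from the OS random generator.

```python
import math
import secrets
import string
from collections import defaultdict

# Constructed sample vault (service, password); these are not real credentials.
SAMPLE_VAULT = [
    ("linkedin", "Summer2012!"),
    ("eharmony", "Summer2012!"),       # reused verbatim
    ("lastfm", "Summer2012!lastfm"),   # same stem plus a site suffix
    ("bank", "k9#Vq2!pL8zR@4mT"),      # random, unique, strong
    ("forum", "password"),             # weak
]

def entropy_bits(password):
    """Rough strength estimate: length * log2(size of the character classes used)."""
    size = 0
    if any(c.islower() for c in password): size += 26
    if any(c.isupper() for c in password): size += 26
    if any(c.isdigit() for c in password): size += 10
    if any(c in string.punctuation for c in password): size += len(string.punctuation)
    return len(password) * math.log2(size) if size else 0.0

def shared_stem(a, b, min_len=6):
    """True when two different passwords share a long common prefix (a guessable per-site pattern)."""
    common = next((i for i, (x, y) in enumerate(zip(a, b)) if x != y), min(len(a), len(b)))
    return a != b and common >= min_len

def audit(vault, min_bits=60.0):
    """Map service -> findings: exact reuse, shared pattern, or below the strength bar."""
    findings, by_password = defaultdict(list), defaultdict(list)
    for service, pw in vault:
        by_password[pw].append(service)
    for pw, services in by_password.items():
        for s in (services if len(services) > 1 else []):
            findings[s].append("reused:" + ",".join(sorted(services)))
    for i, (s1, p1) in enumerate(vault):
        for s2, p2 in vault[i + 1:]:
            if shared_stem(p1, p2):
                findings[s1].append("pattern-shared-with:" + s2)
                findings[s2].append("pattern-shared-with:" + s1)
        if entropy_bits(p1) < min_bits:
            findings[s1].append("weak")
    return dict(findings)

def generate_password(length=20):
    """Replacement password drawn from the OS CSPRNG over the full printable set."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

Running `audit(SAMPLE_VAULT)` reports the LinkedIn/eHarmony reuse, the shared stem with Last.fm and the weak forum password, and leaves the bank entry clean.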
I don’t receive any affiliate commissions from Lastpass.com, but it is so valuable that I can only recommend it to all my friends and colleagues! Go ahead and sign up on Lastpass.com!