Insights For Success

Strategy, Innovation, Leadership and Security


Ed's favourite things - Best Password Manager

General | Edward Kiledjian

There is no shortage of password managers. Anytime you listen to a podcast or read an online blog post, you will probably be bombarded with ads for tools like Lastpass, Dashlane or 1Password. Add to that list the never-ending supply of free password managers (Keepass, Bitwarden, RoboForm, etc.).

Free isn’t bad

The truth is there are a lot of very good free password managers. These are great options for users who can't or don't want to spend money. I'll mention my favourite free pick later in the article.

Favourite paid password manager

Before jumping to 1Password a couple of years ago, I had been a paid Lastpass customer for about ten years. I started looking for an alternative because of irritants and an issue I experienced when I needed support and Lastpass was unresponsive. Plus, Lastpass is unrefined and a little clunky. After testing 10 of the best-rated paid password managers, I chose 1Password.

Here is why I chose it and why it may be a good fit for you. It supports all the platforms I use, such as Windows, Macs, Chromebooks, iOS devices and Android devices. WatchTower is a great feature Lastpass didn't offer that ensures you aren't reusing passwords, that you are using strong passwords and that you aren't using passwords that are part of a site breach (therefore would already be on a list of passwords hackers would use first to break accounts).
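To make the WatchTower idea concrete, here is an added illustration (not 1Password's code) of a minimal vault audit in Python: it runs over a constructed sample vault and flags passwords that are reused across sites, that fail a simple strength rule, or whose SHA-1 hash appears in a constructed breach list.

```python
import hashlib
from collections import defaultdict

# Constructed sample vault; none of these are real credentials.
VAULT = [
    {"site": "mail.example", "password": "Summer2019!"},
    {"site": "shop.example", "password": "Summer2019!"},   # reused
    {"site": "bank.example", "password": "h7$Qz9!vLm2#pXwR"},
    {"site": "forum.example", "password": "password"},     # breached and weak
]

# Constructed breach list, held as upper-case SHA-1 hex digests, which is how
# breach corpora are usually published so the plaintexts never ship.
BREACHED_SHA1 = {
    hashlib.sha1(b"password").hexdigest().upper(),
    hashlib.sha1(b"123456").hexdigest().upper(),
}


def is_weak(pw, min_len=12):
    """Simple strength rule: at least min_len chars and three character classes."""
    classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)]
    return len(pw) < min_len or sum(classes) < 3


def audit(vault, breached):
    """Return the sites with reused, weak and breached passwords."""
    by_pw = defaultdict(list)
    for entry in vault:
        by_pw[entry["password"]].append(entry["site"])
    findings = {"reused": [], "weak": [], "breached": []}
    for entry in vault:
        pw, site = entry["password"], entry["site"]
        if len(by_pw[pw]) > 1:
            findings["reused"].append(site)
        if is_weak(pw):
            findings["weak"].append(site)
        # A real service would send only a hash prefix (k-anonymity) to the
        # breach API; here the whole hash is compared locally.
        if hashlib.sha1(pw.encode()).hexdigest().upper() in breached:
            findings["breached"].append(site)
    return findings


if __name__ == "__main__":
    print(audit(VAULT, BREACHED_SHA1))
```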

Tell me more, please

1PasswordX for easier browser integration

As a ChromeOS user, 1Password was off-limits for many years because it did not have a self-contained browser extension. The original version of 1Password required that you install the full client on Mac and Windows to support their light browser plug-in. This changed with the release of a product called 1Password X. 1PasswordX works in Google Chrome, Microsoft Edge (Chromium version), Firefox and Opera (Chromium version). 1PasswordX offers all of the password management functionality without requiring any client installation so it also works on ChromeOS.

1Password uses multiple Vaults

1Password has implemented a password grouping concept called a Vault. A Vault is a container that stores all of your 1Password information. During installation, you create a default vault and everything is stored there automatically. But if you are also storing business information, you can create a separate Vault for those.

Another interesting use of Vaults is to improve travel security. We live in a world where our personal privacy is constantly under attack. Nowhere is this more true than when crossing an international border. Border agents can order you to unlock your device and your password vaults, which would give them access to all of your sites and personal information. You can mark certain Vaults as safe for travel and store the less sensitive passwords there. If your device is inspected at a border crossing, only the vaults marked as safe for travel will appear.

Biometric support

All versions of 1Password support biometric authentication (depending on the features available on the platform of use). Since your main unlock password should be painfully long, this is a wonderful feature to enable on smartphones and tablets.

1Password for the security-conscious

Security is a balancing act between protection and usability. By default, 1Password encrypts all of your information on the device using AES-256 before the blob is sent to their servers. This means that if their servers are ever compromised, your passwords are safe, as long as you are using a strong, long master password. You can and should read about their security model here.

If you want, you can be extra paranoid and configure 1Password not to sync the vaults to their servers. This means you can manually copy the encrypted vaults to your devices using whatever mechanism you want. For users that want this standalone model, 1Password does sell a standalone license for Windows and MacOS. Know that the standalone license does not include 1PasswordX. Most users should opt for the “normal” subscription model.

1Password for files

1Password (like Lastpass) gives you 1GB of encrypted cloud storage to store sensitive information you may need while out (think scans of passports, credit cards, health cards, tax papers, etc).

Support

1Password is a Canadian company with Canadian support. Believe it or not, getting in touch with a real human is very easy, not buried 32 levels deep like other products. Their online support site is clean, has well-written articles with nice screenshots and video walkthroughs. This one item sets them apart from many of their competitors.

1Password isn’t perfect

Perfection doesn't exist in nature or the computer world. By default, the Vaults lock after 10 minutes of inactivity to protect your information. I think this is a desirable feature, but some may find it slightly annoying. You can change this setting, but... should you? I say keep it as is.

A little annoyance is acceptable in exchange for better security. Lastpass has a forever free version that meets the requirements of “normal” users. 1Password does not offer a free version (only a 30-day trial). I believe in paying for good products to encourage the developers and ensure the product survives.

What is the best free password manager?

I tested about ten free password managers while investigating what product I should be using daily. After reading privacy policies, reading the security whitepapers and testing the products, the winner is… Bitwarden.

There are three features 1Password offers that differentiate it from Bitwarden. If you don’t need these features, then BitWarden may be a better option for you. The three features are:

  • WatchTower’s password checkup features

  • physical hardware security key support (e.g. Yubico)

  • 1GB of encrypted storage

Bitwarden has the essential features every password manager should offer, such as the ability to manually synchronize your data across as many devices as you want and the ability to store an unlimited number of passwords. The free version of Bitwarden allows you to share select passwords with one other person (e.g. a spouse or partner).

Bitwarden supports a wide range of devices, such as Windows, macOS and Linux. It supports all major browsers with a plug-in (Chrome, Firefox, Opera, Microsoft Edge, Safari, Brave). On mobile, it supports both iOS and Android. If you are an uber-geek, Bitwarden also offers a command-line interface (CLI) to its vaults.

BitWarden uses similar vault security as 1Password but… it does not submit itself to independent security auditing as 1Password does.

BitWarden apps and plug-ins aren’t as polished as 1Password but they are highly functional.

Anytime we talk about free products, I am reminded of the saying "If you aren't paying for the product, you are the product". I read the Bitwarden privacy policy, and nothing glaringly bad popped out. They don't sell or share your data for commercial purposes, although they do reserve the right to share some anonymized data.

You will get ads for their premium version in their free products, which is understandable. Remember that if you decide to pay, take a look at 1Password first.

5 best Random Password Generators

General | Edward Kiledjian

1 - Random.org

Random.org has been one of my favorite sites for a long time. It uses atmospheric noise to generate its randomness, which is much better than the logical pseudo-random generators used by many sites and services.

You choose the password parameters you need and it generates wonderfully random passwords to use with your password manager of choice.


2 - Symantec Identity Safe

Symantec has been a mainstay of the security market since the 90s, and they bought a company called PCTools (and its Secure Password Generator). As a PC tools vendor, they will try to make you download their privacy tools, but I wouldn't recommend their password vault.

Use the password generator on the right side of their site to generate high-quality, complicated passwords with the required complications. As an example, the above complications generated this password for me: dr-cr+wreF5p.


3 - Wolfram Alpha

Wolfram Alpha is a powerful knowledge engine created by the brainiacs behind Mathematica. It is a superb tool I use regularly for problem solving, but it also generates random passwords:

- Head over to their knowledge engine, enter Generate Strong Password and press the equal sign.

- Choose the complications you want and press the equal sign again to generate your password.

- Wolfram Alpha then generates your wonderful password; press Plaintext and copy it into your favorite website or password manager.


4 - Lastpass password generator

My 2 favourite password managers are Lastpass and 1Password. Both have the capability to generate strong passwords, and you should use that functionality if you have either of them. Considering most of Lastpass is now free to use, you really have no excuse.

But Lastpass also offers a web-based secure password generator which is clean, easy to use and efficient.

When you scroll up on that page after choosing your complications, you get a wonderfully generated password, or you can click the button and have another one created for you.

5 - GRC Ultra High Security Password Generator

GRC is the home of Gibson Research Corporation. It is owned by Steve Gibson, the Grand Poobah of internet security. He found the first spyware and wrote the first anti-spyware app. He is considered one of the most prominent security professionals and makes tons of tools available on his site.

His site generates perfectly random, long, complex 64/63-character passwords, and he then explains why his passwords are high quality. If you are interested in geeking out, it's a wonderful read.
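The generators above all share the same two ingredients: a cryptographically secure source of randomness and a chosen set of "complications" (character classes). As an added example (not code from any of the sites listed), this Python script does the same thing locally with the operating system's CSPRNG via `secrets`, guarantees every required class appears at least once, and estimates the entropy of a given length and alphabet.

```python
import math
import secrets
import string

# Character classes ("complications") the caller can require.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}
REQUIRED = ("lower", "upper", "digit", "symbol")


def generate_password(length=20, required=REQUIRED):
    """Generate a password from the OS CSPRNG containing every required class."""
    if length < len(required):
        raise ValueError("length too short to fit every required class")
    alphabet = "".join(CLASSES[name] for name in required)
    # One character from each required class so no class is missing ...
    chars = [secrets.choice(CLASSES[name]) for name in required]
    # ... then fill the remainder from the union of all required classes.
    chars += [secrets.choice(alphabet) for _ in range(length - len(required))]
    # Fisher-Yates shuffle driven by the CSPRNG, so the forced characters do
    # not sit in predictable positions (random.shuffle is not CSPRNG-backed).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(length, required=REQUIRED):
    """Upper bound on entropy: length * log2(alphabet size).

    Forcing one character per class trims this bound slightly; the
    difference is negligible for passwords of 16+ characters.
    """
    alphabet_size = sum(len(CLASSES[name]) for name in required)
    return length * math.log2(alphabet_size)


def has_all_classes(pw, required=REQUIRED):
    """Check that every required class is present in pw."""
    return all(any(c in CLASSES[name] for c in pw) for name in required)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, f"~{entropy_bits(20):.1f} bits")
```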

Protect your online accounts from compromise before its too late

General, technology | Edward Kiledjian
Image by David Goehring used under Creative Commons License

As more and more of our services are delivered through the cloud, it becomes increasingly important to protect our accounts. As a security professional, there are a handful of steps I perform regularly that many of you don't, so here they are:

  • Install well-respected antivirus/antimalware software on your PC with real-time protection enabled and regular automatic updating of its database. There are hundreds of online posts discussing which one is "the best", but keep it simple and pick one of the products from the big manufacturers.
  • At least once a month, scan your computer with an online antivirus scanner (different from the one installed on your PC). Here are some examples:
    • ESET Online Scanner
    • Kaspersky Security Scan
    • TrendMicro Free Online Scanner
    • Bitdefender QuickScan
    • F-Secure Online Scanner
    • Norton Security Scan
  • Regularly update your operating system and installed applications. Viruses and malware often use known vulnerabilities in existing commercial off-the-shelf software to compromise machines.
  • Update your account recovery options regularly (monthly if possible)
    • Google Account recovery options page
    • Microsoft Account recovery code
      • Sign in to your Microsoft account.
      • Under Recovery Code, tap or click Set up.
      • If you've created a recovery code before, your screen will say Replace instead. Tap or click Replace.
      • Tap or click Print.

  • Use 2-factor authentication for any online service that allows it. There is a good list of sites that support it here.

  • Never reuse an online password on more than one site

  • Use complex random passwords. A good site that generates true random passwords online for free can be found here. Just take as many characters as the site allows.

  • Use a password manager. Once you start using unique complex passwords for each site, you can no longer remember them, so use a trustworthy password manager. A password manager stores all of your passwords for you, and all you have to remember is one complex password to unlock the password vault. My personal password manager of choice is LastPass.

  • Clean up your social media permissions. Over time, you give various apps access to your social media accounts, and most people just forget about it. It is a good idea to review everything that has access to your accounts and revoke the permissions from apps you no longer use.

What should users do about heartbleed

technology | Edward Kiledjian
Image by Travelhack under Creative Commons license

Since this is a user-oriented article, I won't get into the technical details of what the Heartbleed bug is, but in simple terms it is a vulnerability in a very commonly used security protocol that could allow an attacker to "steal" 64 KB of server data (from memory) at a time.

Current estimates peg the impact of this bug at about 500,000 sites, or ~20% of secured SSL sites on the internet. This bug went undetected by mainstream researchers for 2 years and could allow a technically savvy attacker to continually exploit a server in the hope of finding passwords, credit card numbers or other valuable user information.

At this point I am not aware of this bug being exploited in the wild.

I'm a user and I'm panicking

The first thing you need to do is calm down. It is a major vulnerability, but the fix can only be applied by the operators of the affected sites (Google, Yahoo, etc.).

There is nothing for the user to fix or change on their own PCs. Users have to wait until websites update the software on their servers to a non-vulnerable version.

Know that once the issue is fixed on a server, the server operator will invalidate the old (potentially) compromised security certificate and add it to a revocation list. The first thing you should do is ensure your browser checks all SSL certificates against that revocation list. In Chrome, do this:

- Open a new tab

- In the URL address bar, type chrome://settings/

- Click on show advanced settings

- Scroll down until you see the SSL/TLS section

- Make sure this checkbox is ticked

Once a website upgrades its software, you should change your password on that site. Changing it before the bug is fixed is useless, since it could potentially be exploited and stolen again. Some sites (like Facebook and Yahoo) have admitted to using the vulnerable product and have confirmed their software is now upgraded. This means you can go ahead and change your password for those sites.

Other sites (like banking) will likely never admit to having had the vulnerability (and not all versions are vulnerable), so you'll have to use a Heartbleed site checker tool such as the one offered by Lastpass.

What if the site doesn't notify you? Maybe change your password now anyway and change it again once a week for the next 2-3 weeks. Sometimes they won't admit to being vulnerable to Heartbleed but may say "your account has been locked for security reasons, please change your password."

You should be using a password manager so that you can protect each website with a long, unique password. I use WolframAlpha to generate strong, long, unique passwords for each site (I wrote an article about it) and store them in Lastpass (since remembering them is impossible).