Today, we have a little deviation from my normal ranting and raving. We’ve all heard about the various system breaches over the last few years. Just to name a few in order of most records breached: Yahoo, Adult Friend Finder, eBay, Equifax, Target, Anthem, Sony PlayStation Network, JP Morgan Chase, Home Depot, RSA Security, Adobe, etc. You have been affected. Let me reiterate this – at least one of your accounts and passwords is out there on the dark web to be traded like a stolen credit card. How can you possibly protect yourself, when those we trust can’t seem to handle it?
Limit your attack profile
This concept is the cornerstone of corporate cybersecurity policies. Limiting how much would happen to you, if your information was exposed, is all you can really do. But how does one go about limiting the information that’s out there in the vast Internet? It’s actually pretty simple – don’t trust anyone with the same information. What this means is each website you have an account with needs to have a separate, unique password. I know what you’re thinking – I can’t remember the ones I have now! Have no fear, that’s where the “password manager” comes into play.
The Password Manager
A password manager (or password safe) is a simple program that allows you to enter your information for each website and save it. It’s encrypted, so you don’t have to worry about being hacked from that side. Better yet, you only have to remember one password to get all this security. There are many programs out there, and any one of them will work. I personally don’t like ones that are integrated into my browser. I prefer to copy and paste usernames and passwords into websites rather than have a button on the manager that does that behind the scenes, but there are simpler options out there if you prefer. Just find one you like, and that synchronizes with some sort of online storage system like Dropbox, Box, Sync, Drive, etc. That way you always have a backup of your passwords. I also strongly recommend one that integrates with your smartphone.
I personally use KeePass for my password safe and have now for close to 10 years. The idea of a password manager is that you have one password to get into it, and you store all your account information in that one place. Unlike using an MS Word file, or even a Google Doc (I know people who do this), a password manager encrypts its contents, which means when you aren’t logged into it, it’s very difficult for hackers to break. KeePass is very simple to download and install. Simply click the “downloads” tab:
Choose the most current version “installer”:
Save the file locally, and install it once it’s downloaded.
Once it’s installed, you’ll have a blank slate:
Select File->New to create a new database file. Ideally, this file is on Dropbox, or any other file sharing service. This ensures that your database of passwords will be available to you. Create the database and give it a solid password. This is the one password you will have to remember – so make it good and make it long and strong. How does one do that, you ask? Well, let me just digress a little to explain.
How to Create Secure Passwords
The best way to create a long, complex, hard-to-guess password is to take a phrase that you know well, even one that you use often, and take the first letter of each word for use in your password. For instance, “What you see is what you get” becomes “WYSIWYG.” Add a few characters at the end of the phrase, such as holding down the shift key and going through 1-5: !@#$%. This gives you a password of WYSIWYG!@#$%. That’s a pretty good password. Combine two phrases for an even better one. Longer passwords are better, but this one password has to be something you can remember without writing it down. Having your password written down is like leaving your door unlocked. Just don’t do it. A note about using the characters above the numbers on a standard keyboard – be careful with that if you intend to use this on your smartphone. Character patterns aren’t the same on smartphone keyboards so the easy pattern on your keyboard might be on three screens on your smartphone keyboard. If you have a phone that supports biometric ID, like the fingerprint reader in the iPhone, this is less of an issue. The great news is, this is the last password you have to create or remember. From here, the password manager does the work. As a side note, the NIST has revised their recommendations for passwords recently. They actually are recommending long phrases rather than combinations of upper and lower case letters, numbers and the like. This is because the length is the critical issue of how long your password will hold up to a “brute force” attack. So, if you prefer, instead of “WYSIWYG” use the entire phrase and call it a night.
Create a new entry for each website you need to log into. Go to the Edit menu and select “Add Entry”:
From there the following dialog will pop up:
Here is where you can enter a name for the entry (usually the website), a username, and use the “generate a password” option.
Remember how I said this was the last password you’d ever have to remember? This is the key. You click on the little icon to bring up a password generator.
This little beauty gives you complex rules broken down into checkboxes and an optional length. The only thing you might contend with here is you need the length to match the maximum length of the website you are creating a login for. All are not created equal.
A 20-character password is exceptional for security. Some websites will tell you their password complexity requirements. Check the appropriate boxes here to create a password that abides by their policy. All you have to do is click “OK.”
The ellipses button allows you to view the password:
I usually title the entry with the website name. Also, there are a few text boxes for you to enter data you might need to remember, like the website address, or make some notes. I like to enter any security questions here that the website asked me to enter. Again, all this data will be encrypted. Once you’re done, close and save the file.
Now when you have to log into that website, you open KeePass, navigate to your entry, view the password and “copy and paste” it into the password field for your website.
It’s a little more work, but again, this ensures you are safe.
Again, there are versions for your phone. Check out all the options on the KeePass website. I’ve been using MiniKeePass for my iPad and iPhones, and KyPass for my Mac. This way, I always have my passwords accessible, if I need them. The iPad and iPhone versions even have a nice “copy” option that makes it really easy to copy and paste your passwords.
This was just a preview of my upcoming ebook on staying safe online, or information security for the rest of us.