secure password management, informal, @walmartlabs
Post on 02-Jul-2015
Embed Size (px)
DESCRIPTIONPresenting an informal lunch talk on using a password manager to handle personal internet accounts securely. Also discussing 2-factor authentication a bit. Discussion features Lastpass a little bit.
- 1. Secure Password Management Karl Mueller Sr. Solutions Architect, @Labs karl at walmartlabs.com March 21st , 2014
2. Who Am I? 20 years industry operations experience Joined Kosmix 2005 Acquired into @Walmartlabs, 2011 NOT a security expert! but neither are most people! 3. What is the problem? Sites get compromised Passwords can be recovered Even sites practicing good security!! Emails and passwords are re-used More and more online accounts! Most hackers are after lower-hanging fruit Some hackers target specific people, i.e. @N twitter 4. What is a solution? Unique, random, long passwords per site 8, 12, 16 characters even longer! Compromised? Limited vulnerability Password managers are one way to do this Password manager must be secured well Not perfect nothing is perfect 5. Considerations in a PM How is the data secured? Can I access my data on mobile? How? Is there two-factor authentication? Can the data be recovered without the master password? How do I back it up securely? Can it be used if company XX goes splat? 6. My choice: Lastpass Premium Premium ($12/yr) adds mobile support Encrypted cloud storage Secured and Encrypted by master password Good 2-factor authentication Usual support of forms, data, password generation 7. My choice: Lastpass Premium Works off-line Import/Export for backups CSV export available for non-lastpass PITA mostly disaster recovery, IMO All major browsers have plugins All mobile have fully-functional app ($$) 8. My choice: Lastpass Premium Lastpass never gets non-encrypted data Not perfect, but IMO the best option Other options are also good! Check 'em out Choosing a good password manager is a big deal! If somebody hacks Lastpass and releases booby-trapped code, all bets are off the table.. but that's true for everybody 9. Using Lastpass Create account Create MASTER PASSWORD No master password = NO DATA Add 2-factor authentication Read blogs on securing and using it Some security settings are important 10. Lastpass Vault (not mine) 11. Login buttons 12. Best Practices Master Pass Master password should be very good Write one or two copies down optional The MP is obviously critical Losing master password means no data Never use 'Remember me' option Be careful with Allow for XX hours 13. Best Practices - Sites Every site gets a long, unique password As long as allowed, if possible Use symbols if allowed Change ALL passwords to random ones in PM (Optional) except things like financial accounts trade-offs for those as well 14. Best Practices - Sites Consider 2nd , secure email for financial Maybe not really helpful Enable 2-factor and security notifications 15. 2-Factor Authentication Something you know + Something you have Possibilities: cell phone / SMS text FOB keys / custom solutions TOTP / Google Authenticator How secure it is varies, despite 2-factor Still a good thing - usually 16. 2-Factor Best Practices Enable on critical accounts if at all possible Especially: Lastpass (or other PM) Google Facebook Linkedin Banks and Financial (!!) twofactorauth.org has a list 17. 2-Factor Best Practices Realistically, it can often be bypassed Social engineering works really well Humans want to be helpful Password protection still the best option Reset password is almost universal Email security on accounts is paramount! Where you can't be secure, early notice is best 18. 2-Factor Best Practices Some 2-factor sites (like Google) can give you one-time- use codes. Codes can substitute for your 2-factor once. Good to have as backup or travel Carefully print or control where they are 19. 2-Factor Best Practices Be careful about critical 2-factor accounts You can lose access without it, sometimes! Understand how to transfer things like the Google Authenticator app to new phone Most sites, you can fix not having 2-factor with the master password, but not every one! Codes are a good idea to have printed out Secure those puppies! 20. Passwords Worst Practices Are you a worst practice-ing password-er? YOU ARE MAKING IT EASY!!! hackers