Wednesday, December 20, 2017

My recommendations for passwords

Rules:
- Every site has a DIFFERENT password (i.e. no two sites should ever share a common password)
- Every password is complex, long and very random, e.g. a password I just generated: PU#!$KnT8x^z82qG
- Every password is stored in a program called LastPass (https://www.lastpass.com/) which auto-fills the usernames and passwords for me when I visit sites.
- Every site that offers 2 Factor Authentication has it enabled, especially gmail/facebook, etc

My LastPass password vault is protected by a long password that I have never used anywhere else before and will never use again anywhere else, but it's still a password that I can remember. LastPass also has 2 Factor Auth enabled, and it signs out after a period of inactivity to protect the account from someone using my computer.

So, when signing up to a site, I generate a new RANDOM, LONG and COMPLEX password with LastPass and save the site/username/password combination in my LastPass vault.

When visiting that site, you ensure that you're signed in to LastPass and it will auto-fill the site's username and password for you from your vault. LastPass is an add-in for Chrome, IE, etc, so it's very seamless. It'll even import any saved passwords from Chrome's password store for you.

The above process protects you in the event of your one password (that most people use for every site) being stolen from some random site you used 3 years ago, and then used everywhere else since. If that happens, your whole digital world can be compromised very quickly.

It's a bit of work to get up and running (i.e. you have to go to every site you use, change your password to a new gibberish one, save it away in LastPass, etc) but once you get used to it it's far easier and much more secure.

LastPass is free for basic functionality, but if you want it on your phone too (recommended) it's $24 per year - which is a bargain.

I am even rolling LastPass out at work with a 'corporate' account, which allows us to share site passwords between staff easily.

The above advice is what I give everybody these days. Without doing something like the above you leave yourself very vulnerable to attack, manipulation, identity theft, etc.

I should also mention that SMS-based 2 Factor Authentication is VERY bad, and should be actively avoided/disabled wherever possible. You should instead use an Authenticator App on your phone (LastPass has one, Google has one also) which scans a QR code and generates one-time, time-based codes that roll every 30-60 seconds.

An example of why SMS is bad; this really happens a lot more often these days than people realise:
- Bad Guy gets some of your basic personal details (facebook, etc), email address and mobile phone number (where the 2FA SMS codes get sent to)
- Bad Guy calls your mobile phone provider (Telstra, optus, voda, etc) and pretends to be you, or your wife, in order to gain access to your account. Sometimes they even visit stores with fake ID and pretend to BE you.
- Bad Guy claims that your sim card is lost/broken, etc and does a SIM replacement for your number
- Your phone loses connection to the telco network, SMS and calls now go to the bad guy
- Bad Guy goes to gmail and fills out the 'forgot password' form, which sends a one time SMS code to your number, which bad guy is now in control of
- Bad Guy gains access to your gmail with a new password, and immediately removes your phone number from the recovery phone list and sets it to some other number he controls, probably changes the 2FA configuration also - you've now lost access to your email
- Bad Guy begins to pull info from your email, which has a wealth of knowledge these days, and begins commandeering your other properties (twitter, facebook, internet banking, superannuation, website domain registrations and hosting, internet records, business records and relationships, extorting friends and family with fake pleas for monetary assistance, targeting friends and family with crypto-malware, and any number of other horrible things)
- There are scripts online that automate all this, and soon your life is in somebody else's hands and you will spend weeks/months fighting to get control back.
- Bad guy signs in to your Apple/Samsung/etc accounts, and remote erases your devices (phones, tablets, computers) to make it even harder for you to get back in to everything

So, SMS == bad, because the phone companies are mainly interested in getting through calls quickly. They make very little effort to verify the caller beyond basic personal information, which these days can be found very easily online.