Safer Internet: Browsing: Protect Passwords

Quotes

Identity

  • Credentials: "The combination of your username and password. In some cases, additional pieces of information, such as your ZIP code or the answers to security questions, may be considered part of your credentials -- it's whatever a site or service needs to reliably identify you as the authorized user of a given account."
  • Authentication: "The act of proving your identity to a computer system -- typically by entering your credentials and having them confirmed as matching the previously stored record." ~Take Control of Your Passwords
  • Authentication factors:
  • knowledge ("something you know"): strong password remembered or retrieved from a secure place; non-public answers to security questions
  • possession ("something you have"): card, physical token/device
  • inherence ("something you are"): biometrics, fingerprint sensor, handwriting/typing patterns; iris scan
  • single-factor authentication (SFA): e.g., password
  • recognize that a password alone is neither the most secure nor the most convenient way to authenticate someone's identity -- additional steps, or better still additional authentication factors, help
  • two-step verification (2SV), e.g., bank login: password + temporary code (via SMS or email) or security question -- additional step(s), but still another item you 'know' (or learn), which a hacker could also discover or intercept; note: username is often guessable/obvious, so not really a separate step
  • two-factor authentication (2FA), e.g., bank ATM: card (have) + PIN (know) or fingerprint (are)

Strong Passwords

  • Revisit section: Passwords Intro: Strength; Generation; Testing; Storing
  • "Your password should be secret, but 'secrets' make really bad passwords -- especially when they are just discoverable or guessable facts." ~Alec Muffett
  • Diceware English
  • My favorite strength checker: zxcvbn: numerical score with explanation; zxcvbn can be run locally (no network).
  • Now that you have 2+ strong, memorable passwords -- 1 for each device, 1 for your password manager (or encrypted file) -- you can generate and store strong passwords for all of your online accounts.
  • Site's "change password" page may be difficult to find, e.g., under Account, Settings, Profile, Security, etc. -- or just use "Forgot Password" when logging in
  • If a site allows only a short, weak password, consider creating an unusual username -- together they'll be stronger
  • Sites have different requirements / constraints -- exceed the minimum suggestion/requirement when possible -- as long and complex as permitted; why not 64 random characters?
  • [Refs]: "'123456' Maintains the Top Spot on SplashData's Annual 'Worst Passwords' List"
  • [Refs]: "Snowden's 'Sexy Margaret Thatcher' Password Isn't So Secure"
  • [Refs]: "Passphrases that You Can Memorize -- But That Even the NSA Can't Guess"
  • For email, configure backup phone(s) & an alternate recovery email account
  • If possible, create a user id different from your email address or name;
    this could provide some anonymity and a 2nd step, and make it a little more difficult for hackers.
  • Review / update any secret / security questions; same answer on more than one site is not secret/secure
  • Provide answers that aren't public or obvious, e.g., opposite, lie; create your own unusual security questions if possible
  • [Refs:Questions]: "Google Study Shows Security Questions Aren't All That Secure"
  • Save passwords, user id, security questions/answers, and related info in a secure place, i.e., a password manager -- next.
  • [Refs]: "Drug dealer: Cops leaned me over 18th floor balcony to get my password"
  • [Refs:Strength]: "Does your password pass muster? Password strength meters not all created equal"
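The Diceware bullet and the "why not 64 random characters?" bullet above can be made concrete. The following is an added example (not code from this course, from Diceware, or from any password manager): it converts a five-dice Diceware roll to a list index, generates a passphrase and a long random password with the OS CSPRNG, and compares their entropy. The short word list is constructed for the demo; a real Diceware list has 6^5 = 7776 words, and the entropy figures are computed from that list size, never from the demo words.

```python
import math
import secrets
import string

# A real Diceware list has 6**5 = 7776 words, keyed by five dice rolls
# ("11111" .. "66666"). DEMO_WORDLIST is CONSTRUCTED for this demo; it is
# not the Diceware list, so entropy below is computed from a list's size.
DICEWARE_LIST_SIZE = 6 ** 5
DEMO_WORDLIST = [
    "correct", "horse", "battery", "staple", "cloud", "marble",
    "sailor", "pencil", "window", "garden", "rocket", "cactus",
]

# 94 printable ASCII characters: letters, digits, punctuation (no space).
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def dice_key_to_index(key: str) -> int:
    """Map a five-dice Diceware key such as '41526' to its list index (0..7775).

    The key is a base-6 number whose digits are 1..6; this is how you look up
    a word after rolling physical dice.
    """
    if len(key) != 5:
        raise ValueError("Diceware keys are five dice rolls")
    index = 0
    for ch in key:
        roll = int(ch)
        if not 1 <= roll <= 6:
            raise ValueError(f"bad die value {ch!r}")
        index = index * 6 + (roll - 1)
    return index


def roll_dice_key() -> str:
    """Simulate five dice with the OS CSPRNG (secrets), never random.random."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def generate_passphrase(wordlist, n_words: int = 6) -> str:
    """Pick n_words uniformly from wordlist with a CSPRNG; join with spaces."""
    return " ".join(secrets.choice(wordlist) for _ in range(n_words))


def generate_password(length: int = 64, alphabet: str = FULL_ALPHABET) -> str:
    """Random password; pass the longest length the site permits."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(n_symbols: int, symbol_space: int) -> float:
    """Entropy of n_symbols chosen uniformly and independently from symbol_space."""
    return n_symbols * math.log2(symbol_space)


def compare(n_words: int = 6, pw_length: int = 64) -> dict:
    """Entropy of a Diceware passphrase vs. a random-character password."""
    return {
        "diceware_words": n_words,
        "diceware_bits": entropy_bits(n_words, DICEWARE_LIST_SIZE),
        "password_length": pw_length,
        "password_bits": entropy_bits(pw_length, len(FULL_ALPHABET)),
    }


if __name__ == "__main__":
    print("dice key 41526 ->", dice_key_to_index("41526"))
    print("passphrase:", generate_passphrase(DEMO_WORDLIST))
    print("64-char password:", generate_password())
    for k, v in compare().items():
        print(f"{k}: {v:.1f}" if isinstance(v, float) else f"{k}: {v}")
```

Six words from the full 7776-word list give about 77.5 bits, which is what makes the passphrase memorable yet strong; 64 characters from 94 printable ASCII give about 419 bits, far more than any site needs, which is why the generated-and-stored password should be as long as the site allows. Picking six words from the 12-word demo list would give only about 21.5 bits, so the list size matters as much as the word count.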

[1] Biometrics

  • A fingerprint sensor (Touch ID) is very convenient, but set a timeout so the passcode is required again
  • a fingerprint is not super strong (~6 characters?); if compromised, you can't change it
  • a court can compel you to provide a fingerprint (though not necessarily a passcode?)
  • other sensors/methods being researched
  • [Refs:Bio]: "Beyond Passwords: New Tools to Identify Humans"
  • [Refs:Bio]: "Passwords Suck, But What's Better?"

[1] Password Storage / Managers

  • "One Ring to rule them all." ~Lord of the Rings
  • Browser's built-in password-filling tools: less capable and maybe less secure
  • macOS: Safari > Preferences > AutoFill > User names and passwords; Credit cards: off
  • iOS: Settings > Safari > AutoFill > Names and Passwords; Credit Cards: off
  • Piece of paper well-hidden in your office?
  • It may seem convenient to login to 3rd party sites using your Facebook / Google+ / Twitter credentials -- don't
  • password no longer "unique"; possible OAuth / OpenID security problems
  • with PM, it's easy enough to store yet another user id & password
  • [2] An encrypted file is secure, but updates and backups are manual.
  • Use a password manager (PM) to save passwords for all your accounts.
  • e.g., 1Password (1PW) desktop: $ (license or subscription); mobile: free ($ for pro version)
  • Dashlane 1-device: free, annual $
  • LastPass desktop, mobile: free (w/ ads); $
  • iCloud Keychain Apple-only; free (but primitive features, e.g., no organizing, printing); need strong device passwords
  • [Ref:PM]: "Why not pick Keychain instead of 1Password or LastPass?"
  • [Refs:macOS]: "Apple's iCloud Keychain: It works, but with frustrating limitations"
  • Create one very strong password for PM known only by you (not PM vendor) -- back it up!!
  • Desirable Features:
  • PM generates very strong passwords for sites; 1PW iOS version includes a Diceware option
  • If generator "formula" doesn't match site requirements, e.g., allowable punctuation, edit in generator, or Paste into text editor, edit, Copy
  • PM offers to update password changes for existing accounts -- usually
  • safest to copy first, i.e., 1Password > Password Generator > [downarrow] > Copy to Clipboard Before Filling
  • if PM doesn't recognize that password changed after submission, manually edit entry and paste saved password
  • PM encrypts passwords on your device; shares (sync / backup) between devices / cloud, e.g., Dropbox w/ 2FA
  • PM checks for vulnerable, weak passwords
  • PM organizes sites like bookmarks / favorites -- usually searchable
  • {TCYOP-3: Figure 13: 81; TCYOP-2: Figure 13: 73; TCYOP-1: Figure 12: 74}
  • To reduce confusion / increase security, you could remove browser bookmarks for any sites requiring login
  • PM integrates with your browser (and maybe system & other apps via icon menu)
  • PM has versions available for different platforms
  • PM navigates to correct site; PM automatically fills-in userid and password -- usually;
    exceptions can involve extra steps: userid/name confusion, multipurpose pages (e.g., OLLI), multi-page logins, copy/paste password or security questions into fields
  • PM stores secure notes (including account security answers), autofills credit card numbers
  • AshMUG: 1Password and password security video: 44:13; Peter De Groot; 9/15/2015;
    01:10 Why?
    03:10 Less Safe?
    05:30 1Password vs. LastPass
    06:40 Where to get 1Password
    08:15 Setup
    10:20 Strong passwords
    13:20 Preferences; relogin delay; sync
    17:25 Interface; categories, attachments
    21:40 Browser extensions
    22:40 Create an account; password generator, strength
    30:05 Create an account; customizing pw for sites; save new login; update weak pw
    34:30 Sign in
    35:55 iOS
    41:30 Fix logins
    43:00 Links & info
  • If you're interested in trying 1Password, there's a 30-day free trial for macOS/Win;
    free version for iOS (Pro features $, but no family sharing via a different Apple ID);
    if you decide to buy 1Password, there are many license/family/bundle options; choose which sync method to use -- in 1Password 6, both the AgileBits and Apple App Store versions support iCloud sync;
    members of Tidbits.com can receive benefits, including 25% discount on the macOS or Windows version of 1Password (directly from AgileBits), 30% off Take Control e-books, etc.
  • [Refs:PM]: "Five Best Password Managers"
  • [Refs:PM]: "The Most Common Hiding Places for Workplace Passwords"
  • [Refs:1PW]: "8 reasons to use 1Password that don't involve storing passwords"
  • [Refs:PM]: "LastPass was hacked: Here's what you have to do"

[2] 2-Factor Authentication (2FA) and 2-Step Verification (2SV)

  • "While two-step verification (2SV) merely expands single factor authentication (SFA) by requiring two distinct verification occurrences of one authentication factor, two-factor authentication (2FA) requires two occurrences that each falls under a different category of credential." ~Two-factor authentication (2FA) versus two-step verification (2SV) [authentication flowcharts]
  • Sites don't always make this distinction between 2SV and 2FA -- 2FA is best, but 2SV is still better than SFA
  • e.g., 2FA = something you know, e.g., site password + something you have/are, e.g., verified device
  • List of websites and whether or not they support 2FA/2SV, by category: Backup & Sync; Banking; Cloud Computing; Communication; Education; Email; Entertainment; Finance; Gaming; Investing; Payments; Retail; Social -- e.g., Apple, Dropbox, Google, Facebook, Microsoft, Paypal, Twitter, Yahoo
  • A temporary code could be:
  • [1] Sent from site via text message (SMS) to your phone; charge$? SMS U.S. only for some sites? could hacker redirect phone #?
  • [2] Sent from site via Internet to smartphone app, e.g., Facebook
  • [3:2FA] Generated by a physical security token, code on a registered device, or synchronized authorization app, e.g., Authy
  • Best to start with "simpler sites" first, e.g., banks, social media; later, more complex / multiple device dependencies, e.g., gmail, AppleID
  • Enter the code when logging in from a new device or browser; a generated code usually expires in 30 seconds, and the device/browser is forgotten (so a new code is required) after erasing cookies
  • Someone with your password would not be able to login from an unknown device;
    even with an intercepted code, it likely would already be expired
  • Some cell carriers allow you to specify a PIN (different from last 4 digits of SSN) to prevent someone hijacking your phone #
  • Some sites provide backup codes, e.g., Google, if don't have your phone with you (or coverage not available), e.g., international travel
  • Some sites require an initial waiting period to prevent someone hacking your account, then immediately setting up 2FA, e.g., Apple
  • Some sites provide a recovery key in lieu of using security questions, if your phone is stolen or lost
  • Securely store & backup any security questions/answers, backup codes, recovery code
  • If new text messages (e.g., verification codes) appear on your unlocked screen, you might disable these notifications -- otherwise, someone might be able to reset your account with your stolen phone, not even knowing its passcode!
  • iOS: Settings > Notifications > Messages > Show on Lock Screen: off
  • Examples:
  • Amazon: Your Account > Settings > Login & Security Settings > Change Account Setting > Advanced Security Setting
  • Facebook: Settings > Security > Login Approvals
  • [Refs:2FA]: "It's Time to Enable Two-Step Authentication on Everything. Here's How"
  • [Refs:2FA]: "How to make two-factor authentication less of a pain"
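The codes in option [3] above (physical token, registered device, or synchronized authenticator app such as Authy) are almost always TOTP, the standard from RFC 6238 built on HOTP (RFC 4226). The following is an added example, not code from this course or from Authy, Google, or any other vendor: it computes the code from a shared secret and the clock, and shows the server-side check that makes an intercepted code useless after its 30-second step, tolerates one step of clock skew, and refuses a replayed code. The secret is the published RFC test key, used here only as a constructed demo value; a real account gets its own random secret (the QR code you scan).

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed demo secret: the RFC 4226 / RFC 6238 test key. A real
# authenticator shares a random per-account secret, usually scanned as a QR code.
DEMO_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to `digits` decimal digits (zero-padded)."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(time / step).

    The phone app and the site both compute this from the shared secret and
    their clocks; nothing is transmitted to the phone, which is why it works
    with no SMS and no coverage.
    """
    return hotp(secret, unix_time // step, digits)


def verify_totp(secret: bytes, code: str, unix_time: int, step: int = 30,
                digits: int = 6, window: int = 1,
                last_accepted: Optional[int] = None) -> Optional[int]:
    """Server-side check. Returns the matching counter on success, else None.

    - window=1 accepts the previous, current and next step to tolerate clock
      skew; anything older has expired.
    - counters <= last_accepted are refused, so a code that was already used
      (or intercepted and replayed) is rejected even inside the window.
    - hmac.compare_digest avoids leaking which digits matched via timing.
    """
    counter = unix_time // step
    for c in range(counter - window, counter + window + 1):
        if last_accepted is not None and c <= last_accepted:
            continue
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return c
    return None


if __name__ == "__main__":
    t = 59                                   # any Unix timestamp
    code = totp(DEMO_SECRET, t)
    print("code at t=59:", code)              # 287082 (RFC 6238 vector)
    print("accepted now:", verify_totp(DEMO_SECRET, code, t))
    print("31 s later (expired):", verify_totp(DEMO_SECRET, code, t + 31))
    print("replayed after use:",
          verify_totp(DEMO_SECRET, code, t + 1, last_accepted=1))
```

The shared secret is the real credential here: whoever has it can generate every future code, so it belongs in the password manager's secure notes or the backup you keep of recovery codes, not in a screenshot.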

References

1Password

2 Factor Authentication (2FA) / 2 Step Verification

Android

Biometrics, Fingerprints

DashLane

iCloud

iOS

LastPass

macOS

OAuth

Password Managers

Questions

Password Strength

Windows