Safer Internet: Browsing: Protect Passwords

Quotes

Identity: Credentials & Authentication

  • Credentials: "The combination of your username and password. In some cases, additional pieces of information, such as your ZIP code or the answers to security questions, may be considered part of your credentials -- it's whatever a site or service needs to reliably identify you as the authorized user of a given account."
  • Authentication: "The act of proving your identity to a computer system -- typically by entering your credentials and having them confirmed as matching the previously stored record." ~Take Control of Your Passwords
  • Authentication factors:
      • knowledge ("something you know"): a strong password, remembered or retrieved from a secure place; non-public answers to security questions
      • possession ("something you have"): card, physical token/device
      • inherence ("something you are"): biometrics, e.g., fingerprint sensor, facial recognition, handwriting/typing patterns, iris scan
  • single-factor authentication (SFA): e.g., a password alone
  • Passwords are not the most secure or convenient way to authenticate someone's identity -- additional steps, or better yet additional authentication factors, improve on them.
  • two-step verification (2SV), e.g., bank login: password + temporary code (via SMS or email) or security question -- an additional step, but really just another item someone could know or learn, e.g., if a thief possesses your device or a hacker intercepts the message
  • two-factor authentication (2FA), e.g., bank ATM: card (have) + PIN (know) or fingerprint (are); bank login: password + temporary code (via physical token or authenticator app, e.g., Authy)
  • "While two-step verification (2SV) merely expands single factor authentication (SFA) by requiring two distinct verification occurrences of one authentication factor, two-factor authentication (2FA) requires two occurrences that each falls under a different category of credential." ~Two-factor authentication (2FA) versus two-step verification (2SV) [authentication flowcharts]
  • The distinction between 2SV and 2FA can be confusing, and sites sometimes label it incorrectly.

[2] Usernames

  • Ideally, a site does not require a username to be an email address.
  • Hackers are less likely to link a unique username to your other accounts.
  • Some email providers allow a "+" suffix, e.g., john.smith+facebook@gmail.com; all such addresses still arrive in your main Inbox. Assuming this email feature is available and the site allows punctuation in a username, this provides some additional security (assuming a hacker can't guess which suffix, if any, you've used) and, as a bonus, some ability to track spam by source (you'd know who gave away or sold your email address).
  • It's better to use an email address independent of your ISP, e.g., gmail.com, yahoo.com, outlook.com; if an ISP-provided address, e.g., comcast.net, spectrum.net, ashlandhome.net, becomes inaccessible when you move or change providers, it can be difficult to access and change the associated accounts.
  • A unique or obscure username (different from your primary email) that you can easily change could add somewhat to security and anonymity, but this is not always possible -- so focus on a strong password, better security answers, and 2-Factor Authentication, if available.
  • [Refs]: "Don't share your old AIM screen name"

Passwords

  • Revisit section: Passwords Intro: Strength; Generation; Testing; Storing
  • You now have 2+ strong, memorable passwords -- 1 for each device, 1 for your password manager, right?
  • Diceware (English word list): sequences of 5+ words, with possible customization
  • My favorite strength checker: zxcvbn: numerical score with an explanation; zxcvbn can be run locally (no network).
  • Now, generate and store strong, unique passwords for all of your online accounts.
  • No need to change a password just for the sake of change -- though some sites still require regular changes.
  • A site's "change password" page may be difficult to find, e.g., under Account, Settings, Profile, Security, etc. -- or just use "Forgot Password" when logging in
  • Sites have different requirements / constraints -- exceed the minimum suggestion/requirement when possible, as long and complex as permitted; why not 64 random characters? Simple substitutions, e.g., $ for S, 1 for L, don't really increase strength. Recommendations and requirements are continually evolving.
  • 1Password: Generate Password -- the longer, more diverse and random, the better
  • However, if copy/paste is difficult in some situations, such as setting up email & cloud accounts on a new device before your PM is available, e.g., Dropbox, Apple ID, primary email, you might want more easily typeable passwords; btw, these are the kinds of key accounts where 2FA (2-factor authentication) is highly recommended.
  • 1Password: Weak Passwords
  • 1Password: Duplicate Passwords
  • Change any compromised passwords
      • You may receive an email from the site, or read news about account breaches or site hacks
      • Your Password Manager might flag potential vulnerabilities, e.g., 1Password: Watchtower
      • The ';--have i been pwned? site can check whether you have an account (new or old username or email) that has been compromised in a data breach, and lists which info was leaked; 'pwned' (gaming term): totally dominated, conclusively defeated
      • However, if the vendor is slow to patch site vulnerabilities, you should probably change the password again later to minimize risk.
  • Avoid sharing passwords, inadvertently or intentionally -- then, only with those you really trust (or backed up in a safe-deposit box).
  • If sharing an account among family, e.g., Netflix, Amazon Prime Video, use device authentication if available, or 2FA to control access to account administration.
  • Is someone looking at your keyboard and/or screen?
  • In iOS, last typed character displays transiently before being masked by '•' (there is currently no setting to disable this)
  • [Refs]: "Drug dealer: Cops leaned me over 18th floor balcony to get my password"
  • [Refs:Strength]: "Dealing with NIST's about-face on password complexity"
  • [Refs]: "'123456' Maintains the Top Spot on SplashData's Annual 'Worst Passwords' List"
  • [Refs]: "Snowden's 'Sexy Margaret Thatcher' Password Isn't So Secure"
  • [Refs]: "Passphrases that You Can Memorize -- But That Even the NSA Can't Guess"
  • [Refs:Strength]: "Does your password pass muster? Password strength meters not all created equal"
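The Diceware and "why not 64 random characters?" points above, worked through as an added example (not from the original page or from Take Control of Your Passwords): dice rolls map to word-list indices in base 6, words are chosen from the OS CSPRNG, and passphrase strength is computed as bits of entropy. The word list is a constructed 36-word stand-in for the real 7776-word list.

```python
import math
import secrets

# Constructed miniature word list (not the real Diceware list): 36 = 6**2 words,
# so two dice select one word. The real English list has 6**5 = 7776 words,
# one for each five-dice roll from 11111 to 66666.
DEMO_WORDS = [
    "abacus", "banjo", "cactus", "dingo", "ember", "falcon", "garlic", "harbor",
    "igloo", "jigsaw", "kayak", "lantern", "marble", "nebula", "orchid", "pebble",
    "quartz", "raven", "saddle", "tundra", "umbrella", "velvet", "walnut", "xenon",
    "yonder", "zephyr", "anchor", "bramble", "cobalt", "driftwood", "ferret", "gecko",
    "hammock", "iris", "juniper", "kettle",
]
DICEWARE_LIST_SIZE = 6 ** 5

def roll_to_index(roll: str) -> int:
    """Map a Diceware roll such as "11111" or "66666" to a 0-based list index.
    Each die face 1-6 is a base-6 digit 0-5, so 11111 -> 0 and 66666 -> 7775."""
    if not roll or any(ch not in "123456" for ch in roll):
        raise ValueError(f"not a dice roll: {roll!r}")
    index = 0
    for ch in roll:
        index = index * 6 + (int(ch) - 1)
    return index

def roll_dice(n_dice: int) -> str:
    """Simulate n_dice fair dice with the OS CSPRNG (never the random module)."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))

def passphrase(words: list, count: int = 5, separator: str = " ") -> str:
    """Pick `count` words by rolling exactly enough dice to index the list."""
    n_dice = round(math.log(len(words), 6))
    if 6 ** n_dice != len(words):
        raise ValueError("list size must be a power of 6 for unbiased dice selection")
    return separator.join(words[roll_to_index(roll_dice(n_dice))] for _ in range(count))

def entropy_bits(list_size: int, count: int) -> float:
    """Entropy of `count` uniformly chosen words: count * log2(list_size).
    Five words from the 7776-word list give about 64.6 bits."""
    return count * math.log2(list_size)

def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest word count reaching `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))

def random_chars_bits(length: int, alphabet_size: int = 95) -> float:
    """Entropy of a uniformly random string; 64 printable ASCII chars ~ 420 bits.
    Predictable substitutions ($ for S, 1 for L) add no entropy, since they are
    a deterministic transform of the same guess."""
    return length * math.log2(alphabet_size)

if __name__ == "__main__":
    print(passphrase(DEMO_WORDS), f"({entropy_bits(len(DEMO_WORDS), 5):.1f} bits)")
    print(f"5 real Diceware words: {entropy_bits(DICEWARE_LIST_SIZE, 5):.1f} bits")
```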

[2] Biometrics

  • A fingerprint sensor, e.g., Apple Touch ID, is very convenient; accuracy? not super strong (~6 characters?); if compromised, you can't change it
  • Facial recognition, e.g., Apple Face ID, may be more secure than a fingerprint; accuracy? you can't change it
  • Law enforcement or a court might compel you to provide a fingerprint (or face?) -- though not necessarily a passcode?
  • Set a timeout, or use the override, to require the passcode periodically; iOS 11: click the power button five times
  • You still need a strong passcode
  • How securely is the vendor storing your biometric data?
  • Other sensors/methods being researched
  • [Refs:Bio]: "How to Discreetly Disable Touch ID and Face ID on an iPhone in iOS 11"
  • [Refs:Bio]: "Beyond Passwords: New Tools to Identify Humans"
  • [Refs:Bio]: "Passwords Suck, But What's Better?"

[1] Security Questions, Other

  • "Your password should be secret, but...
  • Update any security questions and make them unique and unknown -- like passwords -- for each site, to avoid a hacker impersonating you and hijacking your account.
  • An answer isn't secret if hackers can find it in public records, on social media sites, or in previous site breaches.
  • Use multiple words, opposites, misspellings, or lies; create your own unusual security questions if possible
  • To help in recovering an account, include a phone number and email address
  • For your primary email account -- which is so critical for receiving password resets, etc. for other accounts -- provide an alternate email address to receive notifications about unexpected logins or password changes.
  • If your Password Manager is storing all your passwords, there's no need for password "hints", which are a potential giveaway.
  • Besides usernames and passwords, save security questions/answers, which phone(s) you specified, recovery codes, and related info in a secure place, i.e., your password manager, so that you can just copy/paste an answer if needed.
  • [Refs:Questions]: "Google Study Shows Security Questions Aren't All That Secure"

[1] Password Storage / Managers

  • "One Ring to rule them all." ~Lord of the Rings
  • Browser's built-in password-filling tools: less capable and maybe less secure
      • macOS: Safari > Preferences > AutoFill > User names and passwords; Credit cards: off
      • iOS: Settings > Safari > AutoFill > Names and Passwords; Credit Cards: off
  • Piece of paper well-hidden in your office?
  • It may seem convenient to log in to 3rd-party sites using your Facebook / Google+ / Twitter credentials -- don't
      • the password is no longer "unique"; possible OAuth / OpenID security problems
      • with a Password Manager, it's easy enough to store a separate user id & password
  • [3] An encrypted file is secure, but updates and backups are manual.
  • Use a password manager (PM) to save passwords for all your accounts.
  • iCloud Keychain: Apple-only; built-in, free; primitive features, e.g., no organizing or printing; needs very strong device passwords
  • All of the following support Android, iOS, Mac, Win
  • 1Password (1PW) desktop: $ (license or subscription); mobile: free ($ for pro version)
  • Dashlane 1-device: free, annual $
  • LastPass desktop, mobile: free (w/ ads); $; also on Linux
  • KeePass free; different developers for different devices; also on Linux
  • [Ref:PM]: "Why not pick Keychain instead of 1Password or LastPass?"
  • [Refs:macOS]: "Apple's iCloud Keychain: It works, but with frustrating limitations"
  • Create one very strong password for PM known only by you (not PM vendor) -- back it up!!
  • Desirable Features:
  • PM generates very strong passwords for sites; 1PW includes a Diceware / multiple-word option
      • If the generator "formula" doesn't match site requirements, e.g., allowable punctuation, edit in the generator, or Paste into a text editor, edit to conform, Copy
  • PM offers to update password changes for existing accounts -- usually
      • safest to copy first, i.e., 1Password > Password Generator > [downarrow] > Copy to Clipboard Before Filling
      • if the PM doesn't recognize that the password changed after submission, manually edit the entry and paste the saved password
  • PM encrypts passwords on your device; shares (sync / backup) between devices / cloud, e.g., Dropbox w/ 2FA
  • PM checks for vulnerable, weak passwords
  • PM organizes sites like bookmarks / favorites -- usually searchable
  • {TCYOP-3: Figure 13: 81; TCYOP-2: Figure 13: 73; TCYOP-1: Figure 12: 74}
  • To reduce confusion / increase security, you could remove browser bookmarks for any sites requiring login
  • PM integrates with your browser (and maybe system & other apps via icon menu)
  • PM has versions available for different platforms
  • PM navigates to correct site; PM automatically fills-in userid and password -- usually;
    exceptions can involve extra steps: userid/name confusion, multipurpose pages (e.g., OLLI), multi-page logins, copy/paste password or security questions into fields
  • PM generates Time-Based One Time Password (TOTP) codes, a more secure alternative to SMS -- see 2FA section
  • PM stores secure notes (including account security answers), autofills credit card numbers
  • AshMUG: 1Password and password security video: 44:13; Peter De Groot; 9/15/2015;
    01:10 Why?
    03:10 Less Safe?
    05:30 1Password vs. LastPass
    06:40 Where to get 1Password
    08:15 Setup
    10:20 Strong passwords
    13:20 Preferences; relogin delay; sync
    17:25 Interface; categories, attachments
    21:40 Browser extensions
    22:40 Create an account; password generator, strength
    30:05 Create an account; customizing pw for sites; save new login; update weak pw
    34:30 Sign in
    35:55 iOS
    41:30 Fix logins
    43:00 Links & info
  • *If you're interested in trying 1Password, there's a 30-day free trial for macOS/Win;
    free version for iOS (Pro features $, but no family sharing via a different Apple ID);
    if you decide to buy 1Password, there are many license/family/bundle options; consider which sync method you'll use -- in 1Password 6, both the AgileBits and Apple App Store versions support iCloud sync;
    members of Tidbits.com can receive benefits, including a 25% discount on the macOS or Windows version of 1Password (directly from AgileBits), 30% off Take Control e-books, etc.
  • [Refs:PM]: "Five Best Password Managers"
  • [Refs:PM]: "The Most Common Hiding Places for Workplace Passwords"
  • [Refs:1PW]: "8 reasons to use 1Password that don't involve storing passwords"
  • [Refs:PM]: "LastPass was hacked: Here's what you have to do"

[2] 2-Factor Authentication (2FA) and 2-Step Verification (2SV)

  • To increase security, you could receive a one-time temporary (expiring) code:
      • [1] Sent from the site via text message (SMS) to your phone (often considered 2SV, since a hacker could steal the phone, hijack the phone # or intercept the code)
      • [2] Sent from the site via the Internet to a device/app, e.g., Facebook app, popup on a 'trusted' Apple device
      • [3] Generated by a physical security token, or a synchronized authenticator app using TOTP (Time-based One Time Password), e.g., 1Password, Authy, Google Authenticator, Microsoft Authenticator
  • Enter this code when logging in from a new device or browser
  • Allow a site to 'remember' you only on your own devices; removing cookies resets this
  • Without the code (or another backup method), someone with your password would not be able to log in from an unknown device.
  • Two-step verification (2SV) / two-factor authentication (2FA) is not available for every site, nor implemented the same way
  • Sites that support 2SV/2FA: twofactorauth.org; categories: Backup & Sync; Banking; Cloud Computing; Communication; Education; Email; Entertainment; Finance; Gaming; Investing; Payments; Retail; Social; e.g., Apple, Dropbox, Google, Facebook, Microsoft, Paypal, Twitter, Yahoo; legend: Docs (setup instructions), Email, SMS (Short Message Service), Phone Call, Hardware Token, Software Token (maybe TOTP (Time-Based One Time Password))
  • SMS is most common and better than nothing, but a phone number could be spoofed or text messages intercepted; charge$? SMS U.S.-only for some sites?
  • Some cell carriers allow you to specify a PIN (different from the last 4 digits of your SSN) to prevent someone hijacking your phone # by calling customer support.
  • If new text messages (e.g., verification codes) appear on your locked screen, you might want to disable these notifications -- otherwise, someone with your stolen phone might be able to access an account without even knowing its passcode!
      • iOS: Settings > Notifications > Messages > Show on Lock Screen: off
  • Apple sends the 2FA code directly to the screen of 'trusted devices' via popup; some sites can send the code to their proprietary app, e.g., Facebook
  • Some sites require an initial waiting period, to prevent someone hacking your account and then immediately setting up 2FA, e.g., Apple
  • TOTP (a software token) is preferable to SMS; after initial key setup (via scanning a QR code or manual entry), an app generates the code locally, e.g., 1Password, Authy, Google Authenticator, Microsoft Authenticator
  • Fewer sites currently support TOTP, e.g., AOL, Amazon, Dreamhost, Dropbox, Facebook, Github, Google, LastPass, LinkedIn, Microsoft (Outlook), Tumblr, Twitter; on twofactorauth.org, "software token", or on authy.com, the "compatible with Authy" icon, may indicate TOTP support
  • [Refs:2FA]: "EFF: A Guide to Common Types of Two-Factor Authentication on the Web"
  • The 2FA setup process for each site is generally different
  • Start/practice with "less important" sites first, e.g., social media
  • Later, more critical sites (e.g., finance) and sites with more complex / multiple device dependencies, e.g., gmail, AppleID
  • These examples support both SMS and TOTP:
      • AOL: Account Options > Account Security > 2-Step Verification
      • Amazon: Your Account > Login & Security > Advanced Security Settings
      • Google: My Account > Sign-in & Security > Signing into Google > 2-Step Verification
      • Dropbox: (account) > Settings > Security > Two-step verification
      • Facebook: Settings > Security and Login > Setup Extra Security > Use two-factor authentication: Text Message, Code Generator (TOTP), Recovery Code
      • Live (Microsoft): Account > Security > more security options
  • While setting up 2FA, consider fallback strategies in case your primary device is not available to receive or generate a code, e.g., email, voice call, other SMS phone, authenticator app, recovery/backup code(s), security questions, etc.
  • Some sites allow you to specify a 2nd phone number (e.g., spouse's) in case you can't access your primary phone, e.g., Amazon, AOL, Apple, Chase, Evernote, Github, Gmail, Live, Paypal, Vanguard, Yahoo; for some sites, if this 2nd phone is already associated with another account, it'll be unlinked, e.g., Facebook
  • Some sites provide backup codes, for when you don't have your phone with you (or coverage isn't available, e.g., international travel) -- or a recovery key in lieu of security questions, if your phone is stolen or lost, e.g., AOL, Apple, Dropbox, Evernote, Facebook, Github, Gmail, Live; securely store this extra info in your PM; it could be useful to 'tag' login entries in the PM with "2FA" or "TOTP" so that you can list which items might need to be redone if you change a phone # or set up a new device.
  • To set up TOTP, scan the QR code with your camera, or copy/paste the setup key manually.
  • 1Password provides integrated support for "One-time Passwords", so you do not need a separate app; a PM encrypts the info and can share it across multiple devices
  • 1Password: (login item) > Edit > Label [...]: One-time Password; scan/enter > Save; to verify/use: copy from 1PW, paste into the site's prompt
  • If you need/prefer a separate app, consider Authy, due to its multiple-device support and encryption, instead of Google or Microsoft Authenticator, with which you may have to set everything up again when you upgrade to a new phone
  • [Refs:2FA]: "It's Time to Enable Two-Step Authentication on Everything. Here's How"
  • [Refs:2FA]: "Apple's two-step verification goes away with iOS 11 and macOS High Sierra -- replaced by two-factor authentication"
  • [Refs:2FA]: "How to make two-factor authentication less of a pain"
  • [Refs:2FA]: "Use 1Password as an authenticator for sites with two-factor authentication"
  • [Refs:2FA]: "The 5 Best Alternatives To Google Authenticator"
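How a TOTP authenticator app (item [3] above, and the 1Password / Authy setup just described) turns the key from the QR code into a six-digit code, as an added example that is not part of the original page or of any vendor's code: HOTP per RFC 4226 over a 30-second time counter per RFC 6238, plus the server-side check with a small drift window. The secret is the RFC 6238 Appendix B test key, not a real account's key.

```python
import base64
import hashlib
import hmac
import struct

# Shared secret as provisioned into the authenticator app via the QR code or
# manual entry. This is the RFC 6238 Appendix B test secret (ASCII
# "12345678901234567890"), used here only so the expected codes are known.
RFC6238_SECRET = b"12345678901234567890"
RFC6238_SECRET_B32 = base64.b32encode(RFC6238_SECRET).decode()  # the QR code's setup key
TIME_STEP = 30  # seconds per code, the usual default

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then reduce to `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    truncated = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(truncated % 10 ** digits).zfill(digits)

def totp(secret_b32: str, unix_time: int, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with counter = floor(unix_time / TIME_STEP).
    Only the secret and the clock are needed, so nothing travels over SMS."""
    secret = base64.b32decode(secret_b32.replace(" ", "").upper())
    return hotp(secret, unix_time // TIME_STEP, digits)

def verify_totp(secret_b32: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and up to
    `window` steps either side, tolerating clock drift between phone and server.
    The constant-time comparison avoids leaking matching digits via timing."""
    for step_offset in range(-window, window + 1):
        candidate = totp(secret_b32, unix_time + step_offset * TIME_STEP)
        if hmac.compare_digest(candidate, submitted):
            return True
    return False

if __name__ == "__main__":
    import time
    print("setup key (base32):", RFC6238_SECRET_B32)
    print("current code:", totp(RFC6238_SECRET_B32, int(time.time())))
```

A real server must also reject a code that has already been accepted within its step, so a captured code cannot be replayed inside the window.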

References

1Password

2 Factor Authentication (2FA) / 2 Step Verification

Android

Biometrics, Fingerprints, Facial Recognition

DashLane

iCloud

iOS

LastPass

macOS

OAuth

Password Managers

Questions

Password Strength

Windows