Wednesday, October 5, 2011

Guest Blog: Online Password Strategy

by Michael Puhala
Day job: Dir. of Sales Engineering, Lithium Technology
Twitter: @puhala
Personal site: www.puhala.com

Late last year, I posted an article about online password strategies.  For a refresher, you can visit that article here:


I mentioned technologies such as Lastpass, 1Password and Passpack that help manage your online security and provide some serious convenience in the process.  However, other than mentioning the technologies I liked, I did not really prescribe a specific path to help protect your identity and your accounts.

Consider this a mini guide to finally getting on top of your online security practices.

Of course, the easiest thing to do is to do nothing.  I am going to make some recommendations, starting with the easiest and moving to options that take a little more effort.  Obviously, the path of least resistance is also the most vulnerable in terms of online security.

Option 1 - Easy
If you are the kind of person who uses a single password for everything that requires you to sign up, you should really rethink that strategy.  At the very least, use a different password for each account that is tied to online banking or anything related to your personal finances (e.g. your PayPal account, money management tools, and commerce sites like Amazon.com that store your card details).  Such a password should be at least eight characters long (longer is better) and mix upper and lower case letters, numbers and special characters such as punctuation; it should not be a dictionary word or something about you that a stranger could look up.  Also, if you have not changed the passwords on these accounts in more than a couple of years, set a reminder to change them at least every couple of years, if not more frequently, and change a password immediately if the site that holds it reports a breach.

Option 2 - Moderate
Using a technology like Lastpass not only helps make your online activity more secure, it provides some added convenience, such as automatically logging you into frequently used sites after you enter your master password at the start of your computing session.  In some ways this option might seem less secure than typing your password manually each and every time, but one way attackers get at your passwords is key-logging software that records your keystrokes, which is an effective method of extracting passwords.  If Lastpass is automating the login, then you are not using the keyboard to type your password, so a simple keystroke logger has nothing to capture.  Lastpass also gives you the option of logging into the service itself with an on-screen keyboard, which keeps the master password off the physical keyboard as well.  Keep in mind that this defeats keystroke loggers specifically; malware that captures the screen or reads the browser's memory can still see what is filled in, so a manager is not a substitute for keeping your computer clean.  Lastpass and similar services also let you generate a unique, random password for each site, which is a great way to stay secure: if one site is breached, the leaked password opens nothing else.  Since you do not have to remember the generated passwords, you can use a far stronger combination and length than anything you would typically try to remember.
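To make the "stronger than you would remember" point concrete, here is an added example (written for this page, not code from the original post or from Lastpass) that generates passwords the way a manager does, using the operating system's cryptographic random source, checks them against the Option 1 rule set (eight or more characters, with upper case, lower case, a digit and punctuation), and estimates how long an offline guessing attack would take.  The guess rate of ten billion per second is an assumed round figure for illustration, not a measurement.

```python
"""Random password generation and a strength estimate.

Added example, not the post's or Lastpass's own code. It implements the Option 1
rule set (8+ characters; upper, lower, digit and punctuation present) and shows why
a manager-generated 20-character password is in a different league from an 8-character
one you could memorise.
"""
import math
import secrets
import string

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "punct": string.punctuation,
}
ALPHABET = "".join(CLASSES.values())   # 94 printable ASCII symbols


def meets_policy(password: str, min_length: int = 8) -> bool:
    """The minimum rule set from Option 1: length plus one character from every class."""
    if len(password) < min_length:
        return False
    return all(any(ch in chars for ch in password) for chars in CLASSES.values())


def generate_password(length: int = 20, min_length: int = 8) -> str:
    """Draw from the CSPRNG (the secrets module, never random) and reject until the policy is met.

    Rejection sampling keeps the result uniform over all policy-compliant strings, which
    "pick one of each class, then shuffle" does not quite do.
    """
    if length < min_length:
        raise ValueError(f"length must be at least {min_length}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate, min_length):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of entropy for a uniformly random password of `length` symbols."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to search the whole space at an offline guess rate (1e10/s is an assumed figure)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    for n in (8, 12, 20):
        pw = generate_password(n)
        print(f"{n:2d} chars  {entropy_bits(n):6.1f} bits  "
              f"{years_to_exhaust(entropy_bits(n)):.3g} years to exhaust  e.g. {pw}")
```

An 8-character password drawn uniformly from all 94 symbols carries about 52 bits; the same generator at 20 characters gives about 131 bits, and the difference is not "a bit stronger" but some 24 orders of magnitude in search effort.  Passwords people actually memorise are far from uniform, so the 52-bit figure is a generous upper bound for Option 1.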

Option 3 - More Involved
As you might guess, this is the option I recommend and use myself.  The most secure method of protecting an online account is two-factor authentication (a form of multi-factor authentication): logging in requires two steps, a password plus a second proof that is independent of it.  Some companies, like Google and PayPal, offer two-factor authentication for logging into their systems.  Lastpass also offers two-factor authentication for logging into its own service.  As Lastpass manages all of your online identities and stores this information in the cloud (encrypted, of course), I prefer using a more secure system for gaining access to all of my online passwords.

Enter the Yubikey by Yubico.  This solution is a small USB key that must be plugged into the computer (and touched, at which point it types a one-time code into the login form) before you can get into your Lastpass account.  It's called two-factor authentication because two independent factors are needed: something you know, the master password, and something you have, the Yubikey device.  Brilliant!  So, even if someone has your master password, they can't get into your password management system unless they also have the USB key.  Conversely, just having the USB key does you no good, because you also need the master password.  Also, the USB key is very nondescript.  Most people will pass it off as a thumb drive rather than a security device.  It can be placed on your keyring so that it's always with you.  One caveat: enrol a second key or keep whatever backup method the service offers in a safe place, because a lost key otherwise locks you out of every password it guards.

I’ve chosen to use a Yubikey together with Lastpass; however, I do not use Lastpass to gain access to my Gmail account, as I want a separate layer of protection for my email system.  Gmail now offers its own two-factor authentication system.  Rather than a USB key, I downloaded an app to my Android phone that generates a real-time secondary passcode to be entered after you use your normal password.  Also, since PayPal is tied directly to my bank account, I use a separate hardware-based security key to gain access to my PayPal account.  The combination of these systems provides multiple layers of security.  For my banking information, I have configured Lastpass to prompt me for my master password (and Yubikey) before it will automatically log in to my account.  You might see the precautions that I’ve taken as extreme, but my perspective is that it’s easier than ever for someone to hack their way into a whole treasure trove of personal information.
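The phone app described above generates a time-based one-time passcode (TOTP, RFC 6238), which is what Google's 2-step verification app implements.  The following is an added example, not code from the original post or from Google or Lastpass, showing both halves of that scheme with only the Python standard library: the phone's side, which turns a shared seed plus the current time into a six-digit code, and the server's side, which checks a submitted code while tolerating a little clock drift.  The seed is the RFC 6238 test key, written in the base32 form an authenticator app would show you; it is a published test value, not anyone's real credential.

```python
"""Time-based one-time passcodes (RFC 6238 on top of RFC 4226) with the standard library only.

Added example, not code from the original post. It assumes the phone app in the text
is a TOTP app such as Google Authenticator. The seed below is the RFC test vector key,
not a real credential.
"""
import base64
import hashlib
import hmac
import struct
import time


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC(secret, counter) with dynamic truncation."""
    msg = struct.pack(">Q", counter)                      # 8-byte big-endian counter
    digest = hmac.new(secret, msg, algo).digest()
    offset = digest[-1] & 0x0F                            # low nibble of last byte selects a 4-byte window
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)       # keep leading zeros, e.g. "07081804"


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6, algo=hashlib.sha1) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step). This is what the phone computes."""
    if for_time is None:
        for_time = int(time.time())
    return hotp(secret, for_time // step, digits, algo)


def decode_seed(seed: str) -> bytes:
    """Turn the base32 seed shown during enrolment (spaces and lowercase tolerated) into key bytes."""
    cleaned = seed.replace(" ", "").upper()
    cleaned += "=" * (-len(cleaned) % 8)                  # restore base32 padding
    return base64.b32decode(cleaned)


def verify_totp(secret: bytes, code: str, for_time=None, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Server-side check: accept the current step plus `window` steps either side for clock drift.

    The comparison is constant-time so a wrong guess does not leak how many digits matched.
    A real server must additionally remember the last counter it accepted and refuse reuse,
    otherwise a code seen by a key-logger could be replayed within the window.
    """
    if for_time is None:
        for_time = int(time.time())
    counter = for_time // step
    for c in range(max(counter - window, 0), counter + window + 1):
        if hmac.compare_digest(hotp(secret, c, digits), code):
            return True
    return False


if __name__ == "__main__":
    seed = "gezd gnbv gy3t qojq gezd gnbv gy3t qojq"    # base32 of the RFC test key "12345678901234567890"
    key = decode_seed(seed)
    now = int(time.time())
    code = totp(key, now)
    print("phone shows:", code)
    print("server accepts:", verify_totp(key, code, now))
```

The code changes every 30 seconds and is only ever valid for a step or two, which is why typing it, unlike typing a static password, gives a key-logger very little.  The shared seed is the crown jewel: whoever has it can generate every future code, so it belongs in the phone and in the server's database and nowhere else.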

For great technology advice sent directly to your inbox a few times a month, signup for my newsletter, called Citizen Savvy here.

