Day job: Dir. of Sales Engineering, Lithium Technology
Twitter: @puhala
Personal site: www.puhala.com
Late last year, I posted an article about online password strategies. For a refresher, you can visit that article here:
I mentioned technologies such as LastPass, 1Password and Passpack that help manage your online security and provide some serious convenience in the process. However, other than mentioning the technologies I liked, I did not really prescribe a specific path to help protect your identity and your accounts.
Consider this a mini guide to finally getting on top of your online security practices.
Of course, the easiest thing to do is nothing. I am going to make some recommendations, ordered from the easiest to the options that take a little more effort. Obviously, the path of least resistance is also the most vulnerable in terms of online security.
Option 1 - Easy
If you are the kind of person who uses a single password for everything that asks you to sign up, you should really rethink that strategy: once one of those sites is breached, every other account sharing that password is exposed. At the very least, use a different password for each account tied to online banking and anything related to your personal finances (e.g. your PayPal account, money management tools, and commerce sites like Amazon.com). Each of these passwords should be at least eight characters long (longer is better; extra length adds more strength than mixing character classes) and combine upper and lower case letters, numbers and special characters like punctuation. Also, if you have not changed the passwords on these accounts in more than a couple of years, set a reminder to change them at least every couple of years, if not more frequently, and change them immediately if the site reports a breach.
Option 2 - Moderate
Using a technology like LastPass not only makes your online activity more secure, it adds some convenience: after you enter your master password at the start of a computing session, it logs you into frequently used sites automatically. In some ways this might seem less secure than typing your password by hand every time, but one way attackers capture credentials is with key-logging software that records your typing history, and with autofill you never type the site passwords at all. The limit of that protection is the master password, which still has to be entered, so a keylogger on the machine would capture it instead; LastPass gives you the option to enter the master password with an on-screen keyboard, which defeats simple keystroke loggers (though not malware that captures the screen). LastPass and similar services also generate a unique, random password for each site, which is the single biggest improvement: a breach at one site no longer compromises the others. Since you do not have to remember the generated passwords, you can use a far longer and more complex password than anything you would normally try to memorize.
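To make the "stronger password than you could remember" point concrete, here is an added example (not code from the original post or from LastPass) that generates site passwords from the operating system's CSPRNG and works out how much the extra length buys. The 94-symbol alphabet, the 8- versus 20-character comparison and the assumed guess rate of 10^10 per second are this example's own assumptions, not figures from the article.

```python
import math
import secrets
import string

# Alphabet for generated passwords: letters, digits and punctuation (94 symbols).
# This is the example's assumption; a real manager lets you adjust it per site policy.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Return `length` symbols drawn uniformly from `alphabet`.

    secrets.choice uses the OS CSPRNG; random.choice must never be used for
    passwords because its Mersenne Twister state is recoverable from output.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def years_to_brute_force(bits: float, guesses_per_second: float) -> float:
    """Expected years to find the password by exhaustive search at the given
    guess rate (on average half the space must be tried)."""
    seconds = (2 ** bits / 2) / guesses_per_second
    return seconds / (365.25 * 24 * 3600)


def compare_policies(guesses_per_second: float = 1e10) -> dict:
    """Contrast the Option 1 minimum (8 characters) with a 20-character generated
    password over the same alphabet. 1e10 guesses/s is an assumed offline rate
    for a GPU rig attacking a fast, unsalted hash; online guessing is far slower."""
    n = len(ALPHABET)
    short_bits, long_bits = entropy_bits(8, n), entropy_bits(20, n)
    return {
        "8_chars_bits": short_bits,
        "8_chars_years": years_to_brute_force(short_bits, guesses_per_second),
        "20_chars_bits": long_bits,
        "20_chars_years": years_to_brute_force(long_bits, guesses_per_second),
    }


if __name__ == "__main__":
    print("generated:", generate_password(20))
    for key, value in compare_policies().items():
        print(f"{key:>15}: {value:.4g}")
```

An 8-character password over this alphabet carries about 52 bits and falls to an offline attack in days at the assumed rate; the 20-character one carries about 131 bits, which is beyond any brute force. The comparison only holds if the password is uniformly random, which is exactly why generating it beats choosing it.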
Option 3 - More Involved
As you might guess, this is the option I recommend and use myself. The strongest protection for an online account is multi-factor authentication, usually in the form of two-factor authentication: logging in requires a second, independent factor (something you have, such as a phone or a hardware token) in addition to the password, so a stolen password on its own is not enough. Companies like Google and PayPal offer two-factor authentication for logging into their systems, and LastPass offers it for logging into the vault itself. As LastPass manages all of your online identities and stores this information in the cloud (encrypted, of course), I prefer using a more secure system for gaining access to all of my online passwords.
Enter the YubiKey by Yubico. This solution is a small USB key that must be plugged into the computer (and touched, so that it emits a one-time code) before you can open your LastPass account. It is called two-factor authentication because two independent factors are required: the master password (something you know) and the YubiKey (something you have). Brilliant! So even if someone has your master password, they cannot get into your password manager unless they also have the USB key. Conversely, just having the USB key does an attacker no good, because the master password is also needed. The key is also very nondescript: most people will take it for a thumb drive rather than a security device, and it can be placed on your keyring so that it is always with you.
I’ve chosen to use a YubiKey together with LastPass; however, I do not use LastPass to gain access to my Gmail account, as I want a separate layer of protection for my email system. Gmail now offers its own two-factor authentication system. Rather than a USB key, I downloaded an app to my Android phone that generates a real-time secondary passcode to be entered after you use your normal password. Also, since PayPal is tied directly to my bank account, I use a separate hardware-based security key to gain access to my PayPal account. The combination of these systems provides multiple layers of security. For my banking information, I have configured LastPass to prompt me for my master password (and YubiKey) before it will automatically log in to my account. You might see the precautions that I’ve taken as extreme, but my perspective is that it’s easier than ever for someone to hack their way into a whole treasure trove of personal information.
For great technology advice sent directly to your inbox a few times a month, sign up for my newsletter, called Citizen Savvy, here.
LastPass: http://www.lastpass.com
Yubico: http://www.yubico.com
Twitter: @puhala
Google+: http://gplus.to/puhala
Thanks, Chris, for the guest post opportunity!
Anytime, Michael. Thanks for sharing here.