561 – Password clean up

clip_image001As most of us look to put 2020 firmly behind us and take some down-time over the festive season, there may be a list of jobs which get left to this time of year – filling out the annual tax return, maybe, or clearing out that drawer with miscellaneous stuff in it.

clip_image003You could set your sights higher, even – like gathering all the papers scattered throughout your house (user guides, receipts, utility bills etc etc) and putting them in one place, as recommended by Getting Things Done guru, David Allen.

Or just scan them all in then recycle…

Maybe it’s time to finally sort out all the passwords you use for different websites. Even though Multi-Factor Authentication is gradually replacing the need to enter a username & password every time you access a resource, there’s still often a need to create a username and password combo when you sign up for something. If you’ve used Edge or Chrome to remember your passwords, you might find there are many hundreds of them, and being weak carbon-based lifeforms, we’re quite likely to use the same ones for many sites. Naughty!

clip_image005There are browser addins and other tools you can use to remember the passwords you use, and (using LastPass as an example) can give you the option of generating something strong and unique at the point of signing up on a site, then syncing that username and password back to a central service so you don’t need to re-enter it next time (or remember something truly unmemorable). LastPass recently announced their 2020 stats – they’ve generated 94 million secure passwords and been used to log in more than 10 billion times.

Microsoft Edge offers some password management capabilities – as well as being able to remember passwords within the Edge browser, and sync them between different machines or mobile devices, Edge is also getting to be capable of suggesting and storing complex passwords for new sign-ups.

clip_image007Edge is beefing up its password security in other ways, offering proactive warnings if your passwords have shown up in databases of leaked credentials (at the moment, this is a test feature in the dev builds). One-by-one, you can use Edge’s “fix leaked passwords” function to check what the existing password is for each site, and then click a button to jump to the site to reset it – in some cases, going straight to the change password part of the site.

clip_image009Finally, the password sync feature is getting some extra legs – using the Microsoft Authenticator app on your phone and it’s new beta Autofill feature, you can use that app to provide the username/password for website or even mobile app logins. There’s a Chrome extension too, so if you want to switch back and forth between Edge & Chrome on a PC, your passwords will be available to both.

In some senses, storing passwords and allowing them to be automatically filled in feels like a security risk – anyone with access to your unlocked computer or phone could potentially access your online services. Using Autofill and Authenticator, though, the default setup is to require biometric authentication – so you’ll need a fingerprint or camera, or unlocking with a PIN, before the auto-fill will happen.

Also, it’s more important to have complex passwords that are hard to break or guess, and to have different ones for each and every site or app you use.

This is the final ToW for 2020. Let’s hope ’21 brings us all better luck.

In the meantime, have a great holiday season, stay safe, see you on The Other Side!

556 – Using MFA more widely

{10B132AF-CB81-488A-9B6B-27D6F996ACBA}Previous Tips have covered making use of 2FA – or 2 Factor Authentication – with your Microsoft Account (ie your account from Outlook.com/Hotmail/MSN/Passport etc) and how to manage passwords better, so you don’t end up with P@ssw0rd1 for every single one of your website logins. Dealing with passwords can be complicated and since humans are typically weak and seek the path of least resistance, this can often lead to huge security lapses.

So 2FA – or its cousin, Multi-Factor Authentication (MFA) – is a better way to secure things, as a remote system can validate that the user knows something which identifies them (their username & password, secret phrase, date of birth etc etc) but also has something that identifies them too; a security token, smart card, digital certificate or something else that has been issued, or even just a mobile phone that has been registered previously with whatever is trying to validate them.

Although such systems have been around for a while, the average punter in the EU has been more recently exposed to 2FA through a banking directive that requires it for many services that involve transfer of funds, setting up payments or even using credit cards. In some cases, the tech is pretty straightforward – you get a SMS text message with a 6-digit one-time code that you need to enter into the mobile app or website, thus proving you know something (you’re logged in) and you have something (your phone), so validating that it really is you. Or someone has stolen your phone and your credentials…

MFA is stronger than 2FA, as you can combine what you know and what you have, with what you are. An example could be installing a mobile banking app on your phone then enrolling your account number, username & password; the know is your credentials, and the have is a certificate or unique identifier associated with your phone, as it’s registered as a trusted device by the banking service that’s being accessed. Using your fingerprint to unlock the app would add a 3rd level of authentication – so the only likely way that your access to the service (for transferring funds or whatever) could be nefarious, is if you are physically being coerced into doing it.

2FA and MFA aren’t perfect but they’re a lot better than username & password alone, and Microsoft’s @Alex Weinert this week wrote that it’s time to give up on simpler 2FA like SMS and phone-call based validations, in favour of a stronger MFA approach. And what better way that to use the free Microsoft Authenticator app?

Once you have Authenticator set up and running, It’s really easy to add many {6CB942E5-5D57-48E1-BE97-E89CA2CF482B}services or apps to it – let’s use Twitter as an example. If you’re using a browser, go to Settings and look under Security and account access | Security | two-factor authentication.

{3D294F5C-25AA-4DA7-8C84-C13CF43B7321}If you enable 2FA and tick the box saying you want to use an authenticator app, it will ask you for your password again, then show you a QR code which can be used to enrol in the app.

In the Microsoft Authenticator app itself, add an account from the menu in the top right and then choose the option that it’s for “other” – presuming you’ve already have enrolled your Work or school Account (Microsoft/Office 365) and your Personal account (MSA, ie Outlook.com etc).

{E43FB7C2-CE71-430B-A0BC-21A7CB912CD0}

After tapping the option to add, point your phone at the QR code on the screen and you’re pretty much done; you’ll need to enter a one-time code to confirm it’s all set up – rather than getting an SMS, go into the list of accounts in the Authenticator app home screen, open the account you’ve just added then enter the 6-digit code that’s being displayed. This is the method you’ll use in future, rather than waiting to be sent the 6-digit code by text.

As you can see from the description, there are lots of other 3rd party apps and websites that support MFA using authenticator apps –

Tip o’ the Week 421 – Mind your passwords

clip_image001Passwords are a bane of IT usability – everyone chooses a password that’s too simple, until the systems make it too hard, and even the process of password entry is difficult.

So you write your passwords down (srsly, don’t do that), sometimes in an obvious way – there’s a (probably apocryphal) story of a senior healthcare professional who left their laptop (with lots of sensitive data on it, obviously) in a taxi… the standard disk encryption neatly foiled by a Postit note stuck to the lid with their username and password on it…

Corporate domain passwords will generally enforce a certain degree of complexity, frequency of changing, and may even add certificate or token based authentication that needs to be used in combination with other forms – so called secondary or multi-factor authentication (2FA/MFA. It’s getting pretty common now for web sites to offer or even force 2FA, achieved via texting a one-time login code, or using a mobile app to authenticate you. ToW #371 covered how to enable 2FA for your Microsoft Account (MSA) – you really should switch that on.

For most people’s private credentials (used for logging into websites concerned with personal lives rather than work), usernames & passwords – with the odd secret question thrown in – are the main way they’ll access sensitive information from their phone or PC. And forcing the changing of passwords on a very regular basis can be a bad idea, too, as people are more likely to use easily-guessable passwords that are in turn easy for them to remember.

clip_image002

Source: xkcd

The average person, apparently, is many times more likely to fall victim to some sort of computer-related incident than a more traditional robbery. You might be hoodwinked yourself, or through your lax credentials, your account might be compromised and used to scam other unsuspecting punters – as happens regularly on eBay.

The Man on the Clapham omnibus is also likely to use the same username & password for every website or other system they can, even though many know they shouldn’t. It’s easy to recall the same few sets of credentials, rather than having to go and look something up every time. Don’t do this.

If you want to scare yourself into action, have a look on https://haveibeenpwned.com/ and see if your (consumer) email address is on there; chances are, it might have leaked from one of the many high-profile data breaches that have happened over the years. Try entering a common password you might use on https://haveibeenpwned.com/Passwords and it’ll tell you if that password has ever been leaked… and advise you never to use that password again.

Password managers are a way to help combat the issue – so you could have a different password for each site, sometimes even a random password that the password manager itself will generate for you. Examples include 1Password, LastPass, KeePass, Dashlane, eWallet… many will be browser based or have extensions (even for Edge!), so you can log in easily despite the complexity of your passwords.  If the password manager has a cloud-storage vault, make sure it’s encrypted and there’s no way it could be compromised … and make sure you use a suitably complex but easy to remember password to unlock the password manager vault. Quis custodiet ipsos custodes?

If you use a password manager already, it may even have a report you can run to see how well protected you are…

clip_image003

Zoinks!

Summary

  • Use a different password on every website
  • Generate passwords that are long and complex
  • Use a password manager to keep track of the passwords for different websites you use
  • Use 2-Factor Authentication on every site that deals with sensitive or financial information