Tuesday 19 September 2017

Password Management


The thing that was repeated the most during OWASP was the importance of not re-using passwords. I don't know about you, but my ability to remember more than 5 things is woeful, and I definitely have more than 5 accounts, so for a long time, I had two categories for passwords: passwords for important things (bank accounts, gaming accounts), and then the same password (or a variant) for everything else that I don't care about people stealing.

Well, there's a better way: password managers. Instead of remembering a host of passwords, you just need to remember one - the master password for your vault.

Personally, I use LastPass, but there are lots of different password managers out there, so pick one that suits your needs. The free version of LastPass is more than enough for what I need it to do. You can sign up for a free account on their website (https://www.lastpass.com/). I have their Chrome plugin, which can auto-fill passwords for you, but you can also use it through their web interface; you'll just need to copy and paste your password.


Say I want to create a reddit account. When I go to the sign-in page, after typing in a username, I can hit the circle-arrow-clock button thing to open the password generation dialogue. Clicking more options brings up the option to vary what kind of password is generated, including how long it is, and whether it includes uppercase, lowercase, numbers and special characters. Those toggles exist because plenty of sites still enforce composition rules, even though current guidance (NIST SP 800-63B, published June 2017) says that forcing users to pick "complex" passwords just makes them more likely to pick some weak, common one like p@ssw0rd!; it is a lot of effort to upgrade legacy systems.


So adjust the options until you get a password that the site allows and click fill.


reddit thinks this is a very strong password - hooray!
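The generator dialogue above is doing two things: drawing characters from a cryptographically secure random source, and satisfying whatever composition rule the site enforces. The Python below is an added example (not LastPass's code) that does the same for a hypothetical site policy: `generate_password` draws from the `secrets` module and guarantees one character from each required class, `meets_policy` is the check a legacy site would apply, and `entropy_bits` gives the upper bound on what a given length and alphabet can buy you. The class names and the special-character set are my own choices for the example.

```python
import math
import secrets
import string

# Character classes a generator dialogue lets you toggle. The special-character
# set is an assumption for this example; real sites accept different subsets.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?",
}
ALL_CLASSES = tuple(CLASSES)


def meets_policy(password, length, required=ALL_CLASSES):
    """Composition check as a legacy site would apply it: at least `length`
    characters and at least one character from every class in `required`."""
    if len(password) < length:
        return False
    return all(any(c in CLASSES[name] for c in password) for name in required)


def entropy_bits(length, allowed=ALL_CLASSES):
    """Upper bound on the entropy of a uniformly random password of `length`
    characters drawn from the union of the `allowed` classes."""
    alphabet_size = sum(len(CLASSES[name]) for name in allowed)
    return length * math.log2(alphabet_size)


def generate_password(length=20, required=ALL_CLASSES, allowed=None):
    """Generate a password from the OS CSPRNG that satisfies meets_policy().

    `allowed` is the set of classes the site accepts; `required` (a subset of
    it) is the set it insists on. One character is drawn from each required
    class so the policy holds, the rest from the whole allowed alphabet, and
    the result is shuffled so the guaranteed characters sit at random positions.
    """
    if allowed is None:
        allowed = required
    if not set(required) <= set(allowed):
        raise ValueError("every required class must also be allowed")
    if length < len(required):
        raise ValueError("length too short to contain one of each required class")
    alphabet = "".join(CLASSES[name] for name in allowed)
    chars = [secrets.choice(CLASSES[name]) for name in required]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # SystemRandom is backed by os.urandom; random.shuffle() would use the
    # seedable Mersenne Twister, which is not suitable for secrets.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


if __name__ == "__main__":
    policy = (16, ALL_CLASSES)
    pw = generate_password(*policy)
    print(pw, meets_policy(pw, *policy), round(entropy_bits(*policy), 1))
    # A site that rejects special characters: restrict both lists.
    legacy = generate_password(12, required=("upper", "lower", "digits"),
                               allowed=("upper", "lower", "digits"))
    print(legacy, meets_policy(legacy, 12, ("upper", "lower", "digits")))
```

The "adjust the options until the site accepts it" step maps onto the `allowed` and `required` arguments: shrink `allowed` for a site that rejects symbols, and compensate with length, since twenty characters from letters and digits alone is still well over a hundred bits.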

If you have the Chrome plugin, it'll pop-up asking if you want to save the password to your vault.


Next time you're on the login page, you'll see the LastPass icon in the bottom right, along with how many saved logins match this particular site (it says 3 for me, because I now have 3 reddit accounts).

Clicking that will show all the matching accounts and selecting one will populate the login with your username and password.

Alternatively, if you don't want LastPass doing this for you, you can opt to copy the password to your clipboard and paste it in instead.


If you're using this from the web interface, you can open up the site, and copy the password.


Hahahaha, and because I'm a dope, while trying to demo something for this blog post, I managed to change my password without updating it in LastPass - reddit doesn't change the page once the password has been updated, and LastPass didn't detect it.

So..... one thing I like to do when generating passwords is to copy it before I fill it (you'll notice that there's a small "copy" button just above "Fill" in the password generation prompt), just in case this happens. But I didn't do it that time, because it's way past my bedtime. Anyway, with my new new reddit account:


You can see there's a "show password history" button.

And it brings up a prompt where you can look at your old passwords.


I kinda wish I had this around when I was in high school, so I could see all my tryhard passwords like "randomIzAwsome!!1!!!!".

There's also a Security Challenge feature, that looks at the overall security level of all of your passwords.


It has an option to check whether your email address has been included in any breaches, but I showed you how to do that on https://haveibeenpwned.com/ a couple of posts ago.


I still have a few weak passwords hanging around from those crappy throwaway accounts I mentioned earlier. Some of the blank ones are from when the Chrome plugin seems to have picked up some credentials that aren't really credentials, and from when it tried to import the credentials I had saved to my computer. I should get around to cleaning it up some day.
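The Security Challenge is, at heart, an audit most of us could run over an exported vault: flag blank entries, weak or common passwords, and the same password used on more than one site. Below is an added example of that audit in Python, not LastPass's code; the vault entries and the tiny common-password list are constructed for the example, and the length threshold is my own choice. The report names sites and problems only, never the passwords themselves.

```python
from collections import defaultdict

# Constructed sample vault for this example; nothing here is a real credential.
SAMPLE_VAULT = [
    {"site": "bank.example",  "username": "alice",  "password": "H7$kq2!vLw9#pXz4nR"},
    {"site": "forum.example", "username": "alice",  "password": "randomIzAwsome!!1!!!!"},
    {"site": "shop.example",  "username": "alice",  "password": "randomIzAwsome!!1!!!!"},
    {"site": "game.example",  "username": "alice",  "password": "password1"},
    {"site": "news.example",  "username": "alice",  "password": ""},
    {"site": "reddit.com",    "username": "alice3", "password": "x9Qm#2vLp!t7Rz$kWn"},
]

# A few entries standing in for a real breached-password list (assumption).
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "p@ssw0rd!", "letmein"}

MIN_LENGTH = 12


def audit_vault(entries, min_length=MIN_LENGTH, common=COMMON_PASSWORDS):
    """Return a list of (site, problem) findings.

    Problems: 'blank' (nothing stored, like the junk imports), 'common' (in the
    known-bad list), 'short' (below min_length) and 'reused' (the identical
    password is also stored for a different site).
    """
    sites_by_password = defaultdict(set)
    for e in entries:
        if e["password"]:
            sites_by_password[e["password"]].add(e["site"])

    findings = []
    for e in entries:
        site, pw = e["site"], e["password"]
        if not pw:
            findings.append((site, "blank"))
            continue
        if pw.lower() in common:
            findings.append((site, "common"))
        if len(pw) < min_length:
            findings.append((site, "short"))
        if len(sites_by_password[pw]) > 1:
            findings.append((site, "reused"))
    return findings


def vault_score(entries, **kwargs):
    """Percentage of entries with no findings: a crude overall score."""
    flagged = {site for site, _ in audit_vault(entries, **kwargs)}
    return 100.0 * (len(entries) - len(flagged)) / len(entries)


def print_report(entries):
    # Print sites and problems only; the passwords never leave memory.
    for site, problem in audit_vault(entries):
        print(f"{site:15s} {problem}")
    print(f"score: {vault_score(entries):.1f}%")


if __name__ == "__main__":
    print_report(SAMPLE_VAULT)
```

Reuse is keyed on the exact password, so a "variant" of the throwaway password (the same word with a different digit on the end) slips past this check; that is the strongest argument for generating every throwaway password rather than deriving it.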

LastPass has an automatic password change feature that's in beta, where it'll try and change your password for you, but it doesn't seem to work on reddit. I will get around to changing those weak passwords as well (great security role model I am!).

There's also a LastPass app for iPhone / Android, which you can use to check your passwords when you're away from the computer. Keeping the password vault updated while on your phone requires an internet connection, but I had no problems accessing an offline copy when we were travelling around in Japan. It did require manually typing a password from the phone into the laptop (as I don't have LastPass on the laptop, since it's shared), but that's the only real struggle I've had with it. When the plugin auto-fills, you aren't typing the site password at all, so a keylogger has nothing to capture for that login. The master password is still typed, though, so it is the one credential that has to be strong and unique, and it's worth turning on two-factor authentication for the vault itself.

It does take a bit of setting up initially, as you have to get all of your passwords into the vault, but once you've put in that bit of effort, I've found managing passwords is a breeze. I've long since retired my throwaway password, as LastPass makes it so easy to generate random passwords even for throwaway accounts. (I was going to make a demo using Ashley Madison instead, but I couldn't work out how to make an account (or so I claim. (No, really, I couldn't. The only thing I could see was a login button, and something asking for my relationship status and sexual orientation. Oh, I guess that might have brought up the registration screen. I was too scared to click it and find out. Oh well!))).
