A unique password, 2FA, AND a unique email address.
I use https://lastpass.com/ for generating passwords. $12/year and works on Linux & Android. Would prefer open source, but nothing else comes close. I tend to generate 32 char passwords with a mix of upper, lower, number, and special. Only a few websites insist on shorter passwords - or have character restrictions.
It does make logging in to some frequently used sites a bit of a pain (looking at you PayPal!) but I think it is worth it.
On to unique email addresses. I do this for two reasons.
1. Allows me to easily see where an email has come from & filter if necessary. I can tell if your company has leaked / lost / sold my address.
2. If I have reused a password, a database leak doesn't compromise other sites. An attacker doesn't know the login details for LinkedIn based on my GoToMyPC email.
I tend to use something like lnkdn@ mydomain / gtmypc@ ... / twttr@ ... - but if your mail provider lets you use a catch-all, it can be anything you like.
One word of warning - it really confuses people when you give the email over the phone! I usually say "I'm creating a unique email address for you so that the message doesn't go into spam. Ok? *sound of me hitting random keys* It's yourcompany@ ...."
KeePassX (https://www.keepassx.org/) is a free and open source password manager. Having never tried LastPass I can't vouch that it's feature-compatible, but it covers all my needs.
I did look at KeePassX - but it doesn't seem to have reliable autofill in Chrome & Firefox (where I use 99% of my passwords). It also means I have to manually synchronise the database between phone, PC, etc.
I just keep the keepass.db file in a cloud storage folder that is synced across devices. Works perfectly and because of the encryption it hardly even matters that cloud storage is (currently) on a US server.
The "perform autotype" option in KeePassX on Linux seems to work well enough for me in Firefox, Chromium and most applications (it basically seems to send <user><TAB><password><ENTER>, which usually does the trick--and afaik it has some settings you can tweak when it doesn't, but I never bothered with those).
But if Lastpass works for you, that's cool. Getting to use a password manager in the first place is the most important step, IMHO.
> I did look at KeePassX - but it doesn't seem to have reliable autofill in Chrome & Firefox
It does have browser integration, for both Chrome - ChromeIPass extension, and Firefox - KeeFox extension. Both extensions work via the KeePassHttp plugin. Works well on Arch Linux.
I meant KeePass (http://keepass.info/) when writing about browser integration (in my case I run it on Mono), not KeePassX. KeePassX is a very simple app in comparison with KeePass, so I prefer KeePass over KeePassX.
Now invoking it by saying genpw would generate a pseudorandom string 16 characters long. You could specify the length by passing a parameter to it, e.g. genpw 8.
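The genpw idea above, written out as an added Python example (my code, not the commenter's shell function): it draws the password from the OS CSPRNG, takes the length as a parameter, guarantees that every selected character class (the upper/lower/number/special mix mentioned at the top of the thread) appears at least once so "must contain a digit/punctuation" validators pass, and lets you drop symbols a site rejects. The symbol set and the 16-character default are assumptions.

```python
import math
import secrets

# Character classes: the "upper, lower, number, special" mix discussed in the thread.
# The symbol set is an assumption: a conservative selection that few sites reject.
CLASSES = {
    "upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "lower": "abcdefghijklmnopqrstuvwxyz",
    "digit": "0123456789",
    "special": "!#$%&*+-=?@^_~",
}
DEFAULT_CLASSES = ("upper", "lower", "digit", "special")


def _pools(classes, forbidden):
    pools = []
    for name in classes:
        pool = "".join(c for c in CLASSES[name] if c not in forbidden)
        if not pool:
            raise ValueError("class %r is empty after removing forbidden characters" % name)
        pools.append(pool)
    return pools


def genpw(length=16, classes=DEFAULT_CLASSES, forbidden=""):
    """Generate a password of `length` characters with the OS CSPRNG.

    Every class in `classes` is guaranteed to appear at least once, so validators
    such as "must contain a digit" or "must contain punctuation" pass, and any
    character in `forbidden` is excluded for sites that reject specific symbols.
    """
    pools = _pools(classes, forbidden)
    if length < len(pools):
        raise ValueError("length %d too short for %d character classes" % (length, len(pools)))
    alphabet = "".join(pools)
    # One guaranteed character per class, the remainder from the full alphabet.
    chars = [secrets.choice(pool) for pool in pools]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by the CSPRNG, so the guaranteed characters do not
    # always sit in the first positions (a fixed structure an attacker could exploit).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def entropy_bits(length=16, classes=DEFAULT_CLASSES, forbidden=""):
    """Upper bound on the password's entropy: length * log2(alphabet size).
    The "at least one of each class" constraint removes only a negligible slice
    of the space, so this is a close approximation."""
    alphabet = "".join(_pools(classes, forbidden))
    return length * math.log2(len(alphabet))


if __name__ == "__main__":
    import sys
    n = int(sys.argv[1]) if len(sys.argv) > 1 else 16
    print(genpw(n), "(~%.0f bits)" % entropy_bits(n))
```

Run it as `python genpw.py 32` for a 32-character password; pass `forbidden="@"` (or whatever the site chokes on) and a shorter length for the sites that insist on restrictions, and compare `entropy_bits` before and after to see what the restriction costs you.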
O...K... but where do you store them? How do you sync them between devices? How do you auto fill them in the browser? How do you change them when a service is compromised? How do you securely share them with other users?
LastPass does all of that. And I don't even have to drop into the terminal.
I feel like it's almost certain that Lastpass is owned, as are other popular online password stores.
No security is perfect; all you can do is make it more expensive than it's worth to the attacker.
How much would it be worth to have all the passwords to every account of every Lastpass user? Does Lastpass really have the resources and skill to protect something that valuable? Is it even possible?
Well as long as you 'feel' that way, it must be true.
Lastpass (supposedly) stores the encrypted password vault, never the decrypted. Decryption occurs on the user's end. You would need to either have a keylogger on the target user's machine to grab their master password, or compromise the software. Neither is impossible, but both are a little harder than simply breaking in and accessing Lastpass's storage.
I say supposedly because I do not know of any 3rd party verification.
> You would need to either have a keylogger on the target users machine to grab their master password, or compromise the software. Neither is impossible, but both are a little harder than simply break in and access Lastpass's storage.
That reasoning only holds if it's in fact significantly harder to compromise the software than it is to "simply break in and access Lastpass's storage". If you believe that might be possible, then the security of your password vault basically depends on the differential difficulty compared to "simply break in and compromise the login form / browser extension / update channel to make it do <whatever>".
My point is not that this would be easy, rather that if someone went as far as to break in and grab the storage[0], given the sheer value of the data, the barrier to go a step further and compromise the software isn't big enough to make me go "okay well that's all right then, that might happen, but this surely won't".
The biggest difference in risk between those two scenarios is that yes, some cybercriminal that is "just poking around" might more easily stumble upon access and just grab the vault than set up a compromised login form and wait--not so much more difficult but just more effort.
[0] which I agree is fair to trust Lastpass to have properly encrypted, because if you can't trust the people you pay $12/year to keep your most sensitive data secure, then who can you trust?
I didn't make that claim; why add that attitude to an otherwise pleasant conversation?
When disagreeing, please reply to the argument instead of calling names. E.g. "That is idiotic; 1 + 1 is 2, not 3" can be shortened to "1 + 1 is 2, not 3."
Yes you did make that claim. You said that you feel there is a high likelihood that lastpass is compromised. You have no evidence or proof of this, just a gut feeling presented as some sort of fact or 'just asking questions.'
"I feel like it's almost certain that Lastpass is owned"
I use LastPass, but I'm still fearful about it. It's such a rich target, and all a hacker would really have to do is to intercept when you put your decryption key in and send it off to their own server. Then they'd have access to all your accounts. They'd have to put that backdoor into the extension, but the point is, it's doable, and most people wouldn't have any way of knowing that it happened.
"LastPass says they never receive my Master Password. Don’t I send it to the LastPass servers when I log in?
No, when you login to LastPass, two things are generated from your Master Password using our code discussed previously before anything is sent to the server: the password hash and the decryption key. This is all done locally.
The password hash is sent to our servers to verify you. Once verified, we send back your encrypted Vault. We are only sent your hash, not your Master Password.
The decryption key, which NEVER leaves your computer, is then used to decrypt your Vault once it comes back."
The point was "all a hacker would really have to do is to intercept when you put your decryption key in and send it off to their own server" (emphasis added).
However this is more about keeping the Lastpass software secure than it is about keeping the encrypted user vaults secure. The documentation you quoted really obscures this by use of the passive voice, casting the end-user somehow as an active agent deliberately doing all the encryption/hashing and sending, implying that they are in full control :) Try this on for a change:
"LastPass says they never receive my Master Password. Doesn't the LastPass Software send it to the LastPass servers when I log in?
No, when you login to LastPass, the LastPass Software generates two things when you give it your Master Password, before the LastPass Software sends anything to the server: the password hash and the decryption key. The LastPass Software does all this locally.
The LastPass Software sends your password hash to our servers to verify you. Once verified, our server sends back your encrypted Vault. The LastPass Software only sends your hash to our server, not your Master Password that you just entered into the LastPass Software.
The LastPass Software then uses this decryption key, which should NEVER leave your computer, to decrypt your Vault once it comes back."
-
The above is IMHO a much better way to word the same documentation, since it doesn't try to gloss over a rather important part of the attack surface. It's not really fair to on the one hand congratulate a user for being security-aware enough to use a password manager, but then ignore this part. Good security software documentation should proudly present the last few exposed parts of the attack surface, especially if they are minor ones, so that a user can assess the limits of their trust--there are always limits, no sense in pretending there aren't, and it's better to know them so that the user gets to decide what they're okay with.
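The key-separation shape the quoted documentation describes, as an added Python example. This is not LastPass's code: the algorithms, iteration count and use of the email as salt are assumptions, and the HMAC-based toy cipher stands in for a real AEAD such as AES-GCM. The client derives a vault key and, one further one-way step past it, an authentication hash; only that hash and the encrypted blob ever reach the server, which stores a salted hash of the hash. What the code deliberately does not model is the rewrite's point: every line of the client side runs inside the vendor's software, so a modified client can ship the master password off before any of this happens.

```python
import hashlib
import hmac
import os
import struct

ITERATIONS = 50_000  # assumption: illustrative PBKDF2 work factor, not any vendor's setting


def derive_client_secrets(master_password, email):
    """CLIENT side only.  Returns (vault_key, auth_hash).

    vault_key encrypts the vault and never leaves the device.  auth_hash is one
    further one-way step past vault_key and is the only credential sent to the
    server: from it the server can recover neither vault_key nor the master
    password.  The email is the salt (assumption) so equal master passwords on
    different accounts give different keys."""
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                                    email.lower().encode(), ITERATIONS)
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)
    return vault_key, auth_hash


def _keystream_xor(key, nonce, data):
    """Toy counter-mode stream built from HMAC-SHA256 (stdlib only; a real vault
    uses an AEAD such as AES-GCM).  XOR is its own inverse: encrypts and decrypts."""
    out = bytearray()
    for i, start in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, nonce + struct.pack(">Q", i), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + 32], block))
    return bytes(out)


def _subkeys(vault_key):
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())


def encrypt_vault(vault_key, plaintext):
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)
    ct = _keystream_xor(enc_key, nonce, plaintext)
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt_vault(vault_key, blob):
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(mac_key, nonce + ct, hashlib.sha256).digest(), tag):
        raise ValueError("vault blob failed integrity check")
    return _keystream_xor(enc_key, nonce, ct)


class VaultServer:
    """SERVER side: stores a salted hash of auth_hash (so a database theft does not
    even yield a replayable login credential) plus the opaque encrypted blob."""

    def __init__(self):
        self.records = {}

    def register(self, email, auth_hash, blob):
        salt = os.urandom(16)
        verifier = hashlib.pbkdf2_hmac("sha256", auth_hash, salt, ITERATIONS)
        self.records[email] = {"salt": salt, "verifier": verifier, "blob": blob}

    def login(self, email, auth_hash):
        rec = self.records.get(email)
        if rec is None:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", auth_hash, rec["salt"], ITERATIONS)
        if not hmac.compare_digest(candidate, rec["verifier"]):
            return None
        return rec["blob"]


def client_session(server, email, master_password, new_vault=None):
    """Everything the client software does: derive, (register,) log in, decrypt
    locally.  Returns the vault plaintext, or None when the server rejects the login."""
    vault_key, auth_hash = derive_client_secrets(master_password, email)
    if new_vault is not None:
        server.register(email, auth_hash, encrypt_vault(vault_key, new_vault))
    blob = server.login(email, auth_hash)
    return None if blob is None else decrypt_vault(vault_key, blob)


if __name__ == "__main__":
    srv = VaultServer()
    vault = b"linkedin: pw-one\ngotomypc: pw-two"   # constructed vault contents
    print(client_session(srv, "alice@example.com", "correct horse battery", vault))
    print(client_session(srv, "alice@example.com", "wrong guess"))
```

Read `VaultServer.records` after a session to see exactly what a "break in and grab the storage" attacker gets: a salt, a verifier that cannot be replayed as a login, and a blob that is useless without the vault key. The trust question in the thread is about the code path in `derive_client_secrets` and `client_session`, not about that storage.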
I am switching away from unique mail addresses … I used a mix of catch-all and plus characters:
The former reduces the efficiency of your spam filter, the latter is not (fully) supported by many websites. AirBnB for example allowed me to set an email address with a plus character, however, login did not work anymore, so I was locked out and had to create a new account … AirBnB support refused to change my email address since they apparently did not get the plus character 'trick'.
In my experience adding the domain of the recipient often leads to problems.
Rep: "Can you verify your email address?"
Me: "er, em-verizon@example.com"
Rep: "Hey, I didn't know you worked for Verizon!"
Me: "no..."
And now the call gets excruciatingly slow and unfriendly because the rep thinks I'm trying to hack something.
Also, more than one web forum has silently binned me until I removed the domain from my email address. Had one where I could post for a few days, then the admin deleted me and sent that email address a crazy anti-spam rant thinking I was a bot.
I still like using unique email addresses but I make sure they're obscure.
I use the domain backwards e.g. nozirev@mydomain.com. Customer service agents don't notice, and it's easy for me to tell where the email was supposed to have originated.
Yep, I highly recommend LastPass as well. The password generation, sync, platform support, and browser extension features are great. It's fairly easy to set up exclusion filters for not remembering passwords, as well as controlling if matching works on the first level domain (*.domain.com) or exact host. The former generally works well for most sites, but the latter is essential for my own domains (where I have multiple different services, accounts for testing, etc).
I've been using a catch all domain for at least 15 years. One thing I learned early is to use a subdomain, which avoids getting dictionary spam attacks.
For the last many years, I just forward it to a gmail account, where there is a corresponding filter to label it into an "accounts" group. I get essentially zero spam to this.
Also, I've had multiple times where it confused reps as well. It's kind of funny when it happens, but also sad that having "theircompany@sub.mydomain.com" makes them go "oh, did you used to work here or something?".
What provider do you use that allows for catch-all? I really like GMail but the lack of support is really annoying, and a lot of sites & dump leaks are beginning to ignore the "+word" notation for email addresses.
If a lot of people start doing this thing, then it will be trivial for an attacker to figure out name+service1@domain can be changed to name+service2@domain
"service1" could be generated randomly as well, and stored along with the password in a password manager.
Another nice property of this suffix is that one can identify who gave away their email address / which site it was scraped from when receiving spam; not sure where I have seen this written down originally.
I think when spammers see a "+" they just strip everything after it down, i.e. me+spam@example.org -> me@example.org. Not to say many sites just don't accept "+" (or, worse, cease to accept such addresses).
Unique, non-guessable, machine-generated addresses are the way to go (do with emails just like password managers do with passwords), but no common person can use those, because they'll need a domain and self-hosted MDA.
Then I could just make my rand(service1) chars larger. No point in adding it to email address at all. Email leak (privacy) is an issue that this could help with but I do not see any benefit in terms of securing my account
How do you generate new emails? Say I see a new website and need a new email? What do you do? Is there a Chrome extension that can do it with one click?
My personal domain is set to forward all email to my Gmail. Since Google is my registrar, it's expectedly simple to configure this. I haven't setup outbound addresses; services rarely need email sent to them, and replying from my Gmail hasn't caused me any problems yet.
Yeah but doesn't prevent the attack. Username is still in the email address. Ideally I'd like <domain>+<nonce>@gmail.com that forwards all to my email.
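An added Python example (not any commenter's tooling) for the per-service address scheme discussed from the top of the thread to here: aliases on a catch-all subdomain, either the reversed-name trick or a random tag recorded in a book you would keep next to the password, the sibling guess an attacker makes against name+service addresses, and a triage pass over inbound mail that flags an alias now being used by someone other than the service it was issued to. The domain names, services and messages are all constructed.

```python
import secrets


class AliasBook:
    """Per-service addresses on a catch-all (sub)domain, with the service recoverable
    from the local part.  style="reversed" uses the reversed service name (the
    'nozirev' trick); style="random" uses an unguessable tag and relies on the
    book, which you would store alongside the password in a password manager."""

    def __init__(self, domain, style="random"):
        self.domain = domain.lower()
        self.style = style
        self.book = {}  # local part -> (service, expected sender domain)

    def new_alias(self, service, sender_domain):
        service = service.lower()
        if self.style == "reversed":
            local = service[::-1]
        else:
            local = service[:2] + secrets.token_hex(4)  # 32 random bits: not enumerable
        self.book[local] = (service, sender_domain.lower())
        return "%s@%s" % (local, self.domain)

    def attribute(self, rcpt):
        """Service an address was issued to, or None for an unknown local part
        (dictionary spam against the catch-all) or a foreign domain."""
        local, _, domain = rcpt.lower().partition("@")
        if domain != self.domain:
            return None
        entry = self.book.get(local)
        return entry[0] if entry else None

    def expected_sender(self, rcpt):
        entry = self.book.get(rcpt.lower().partition("@")[0])
        return entry[1] if entry else None


def sibling_from_plus(known_alias, other_service):
    """The attacker's move against name+service@provider addresses: swap the tag.
    Returns None when the alias has no plus tag to swap (random-tag aliases)."""
    local, _, domain = known_alias.partition("@")
    name, plus, _tag = local.partition("+")
    if not plus:
        return None
    return "%s+%s@%s" % (name, other_service, domain)


def _same_org(sender_domain, expected):
    sender_domain = sender_domain.lower()
    return sender_domain == expected or sender_domain.endswith("." + expected)


def triage(book, messages):
    """messages: iterable of (recipient address, sending domain).
    Verdicts: 'expected' (sender is the service the alias was issued to),
    'leaked' (mail to that alias from someone else: leaked, lost or sold),
    'unknown' (address never issued: drop it)."""
    report = []
    for rcpt, sender_domain in messages:
        if book.attribute(rcpt) is None:
            report.append((rcpt, "unknown"))
        elif _same_org(sender_domain, book.expected_sender(rcpt)):
            report.append((rcpt, "expected"))
        else:
            report.append((rcpt, "leaked"))
    return report


if __name__ == "__main__":
    book = AliasBook("acct.example.net")  # constructed catch-all subdomain
    li = book.new_alias("linkedin", "linkedin.com")
    # Constructed inbound mail: (To address, sender's domain).
    inbound = [(li, "mail.linkedin.com"), (li, "bulk-offers.example"),
               ("admin@acct.example.net", "spam.example")]
    for rcpt, verdict in triage(book, inbound):
        print(rcpt, "->", verdict)
```

Putting the catch-all on a subdomain (as suggested above) keeps dictionary attacks against common local parts like admin@ out of the picture, and the random-tag style answers the "name+service1 becomes name+service2" objection: `sibling_from_plus` has nothing to swap, and the book is the only place the mapping exists.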
I use the excellent 1Password, syncing over WiFi with my phone as the source of truth for my vault. 2FA enabled for everything that supports it and backup codes stored physically. Works great and password managers are one of the few times when something is both more convenient and more secure.
Also, use 2FA wherever available. Google Authenticator is good enough.
Store your backup codes somewhere safe (your keepass db, for example. Although that goes a bit counter to the point of 2FA, if someone cracks your keepass db, you're pretty screwed regardless).
This is not a problem with 1Password, which syncs TOTP keys as part of your secure keychain, making it easy to use multiple devices, or even just your desktop.
Not only do you get the same issue with SMS authentication (have to set it up again when you get a new number), but on top of it SMS auth is not as readily available and has proprietary requirements (namely, you have to have a mobile number with text support, it has to be available at your current location, it may cost money, the auth service has to support whichever country code you're under, ...).
Also, as other people mentioned, it's technically possible to back up your initial seed.
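The point about backing up the seed, as an added Python example (mine, not from any commenter and not Google Authenticator's or 1Password's code): TOTP per RFC 6238 from the standard library, the base32 seed as it appears in the provisioning QR code, and verification with a drift window. Because the seed is the entire secret, the same code comes out of every device that holds it, which is exactly why a copy of it needs the same protection as a password. The base32 string is a well-known sample value, and the test secret is RFC 6238's.

```python
import base64
import hashlib
import hmac
import struct
import time


def totp(secret, for_time, step=30, digits=6, digest=hashlib.sha1):
    """RFC 6238 TOTP: HOTP over the Unix time divided into `step`-second counters."""
    counter = int(for_time) // step
    mac = hmac.new(secret, struct.pack(">Q", counter), digest).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation (RFC 4226 section 5.3)
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def verify_totp(secret, code, now=None, window=1, step=30, digits=6):
    """Accept the code for the current step and `window` steps either side
    (clock drift on the phone); compare in constant time."""
    now = time.time() if now is None else now
    for k in range(-window, window + 1):
        if hmac.compare_digest(totp(secret, now + k * step, step, digits), code):
            return True
    return False


def seed_from_base32(b32):
    """Decode the seed as shown in the otpauth:// URI / QR code.  This string IS
    the secret: back it up offline and any device can regenerate the codes;
    lose it and you are down to the recovery codes."""
    s = "".join(b32.split()).upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    seed = seed_from_base32("JBSWY3DPEHPK3PXP")  # well-known sample seed, no real account
    now = int(time.time())
    phone_code = totp(seed, now)    # what the authenticator app shows
    backup_code = totp(seed, now)   # same seed restored on a second device
    print(phone_code, backup_code, verify_totp(seed, phone_code, now))
```

The window of one step is what most services use; widening it makes a replayed or shoulder-surfed code usable for longer, so keep it small and fix the clock instead.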
SMS auth is a disgrace, when we have 2fa standards.
Using KeePassX/LastPass/1Password is a bit problematic. They become a single point of failure. Someone can get my master password (https://github.com/cxxr/lostpass) or can pwn LastPass. To improve on that, my passwords become <last_pass_gen_pass> + <random_nonce_that_i_know_how_to_generate_in_my_head> + <helper_password>
I divided accounts into tiers:
Tier0: The most important account: Macbook, Gmail, Github
Tier1: Still important, but not as much as Tier0: Youtube
Tier2: I don't really care.
Tier3: Testing accounts for local dev server: Single simple password like qwerty1234.
I just need to remember 5 passwords (Gmail, Macbook, Github, LastPass, helper password). I think this strategy gives a nice balance between convenience and security.
It's not a terrible idea, but it does fall apart if you need to change one of the passwords (say, because you were using this strategy for a number of services including gotomypc). Now you need to have multiple master passwords, or you need to increment the service name (gotomypc2?), and then you're remembering the increment as well as the service and master password.
It's a cute trick, but I don't think it really scales well for the number of accounts we tend to have these days, and the frequency with which passwords must be changed due to hacks, password aging policies, validation ("must have 1 punctuation character"), etc.
As for entropy, it's limited by the master password, and whatever obscurity the hashing and service name provide. If you have a short master password, you're not getting as much uniqueness as you might think by looking at the length of the hash output.
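The derived-password scheme the reply above critiques, as an added Python example (my code, not the commenter's; the HMAC construction, output alphabet and version field are assumptions): a site password as a hash of master plus service name, the version number you are left remembering once a site is breached, and the offline attack the entropy remark implies: one leaked derived password plus the public service name lets an attacker test master-password guesses offline, and a weak master then unlocks every other site. The wordlist is a constructed stand-in for a real cracking dictionary.

```python
import base64
import hashlib
import hmac
import math


def site_password(master, service, version=1, length=16):
    """The scheme under discussion: one memorised master, per-site password derived
    from it.  `version` is the 'gotomypc2' increment you must remember after a breach."""
    msg = ("%s:%d" % (service.lower(), version)).encode()
    digest = hmac.new(master.encode(), msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).decode()[:length]


def candidate_masters():
    """Constructed mini wordlist standing in for a real cracking dictionary."""
    for word in ("password", "letmein", "winter", "summer"):
        yield word
        for year in range(2010, 2017):
            yield "%s%d" % (word, year)


def recover_master(leaked_site_pw, service, candidates, version=1):
    """Attacker's side: the service name is public and the derivation is known, so
    one leaked derived password is an offline oracle for the master password."""
    for guess in candidates:
        if site_password(guess, service, version) == leaked_site_pw:
            return guess
    return None


def effective_bits(length, alphabet_size, master_guess_space):
    """The derived password looks like length*log2(alphabet) bits, but an attacker
    who can test master guesses only has to cover the master's space."""
    apparent = length * math.log2(alphabet_size)
    return min(apparent, math.log2(master_guess_space))


if __name__ == "__main__":
    master = "summer2015"                        # weak master, constructed
    leaked = site_password(master, "gotomypc")  # the value that turns up in a breach dump
    found = recover_master(leaked, "gotomypc", candidate_masters())
    print("recovered master:", found)
    print("linkedin password, derived from it:", site_password(found, "linkedin"))
    wordlist_size = sum(1 for _ in candidate_masters())
    print("apparent vs effective bits: %.0f vs %.0f" % (
        16 * math.log2(64), effective_bits(16, 64, wordlist_size)))
```

The 16-character output has 96 apparent bits, but against a master that sits in a 32-entry wordlist the attacker needs 32 HMAC evaluations, not 2^96; a generated, stored password per site (the password-manager approach the rest of the thread takes) does not have this coupling, because nothing links one site's password to another's.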
In addition, I try to use different email addresses whenever I sign up; a catch-all makes sure they end up in the same inbox. This might not stop a sophisticated targeted attack, but it should throw off a lot of automated runs since the email they got is seemingly not used at another service. A little obscurity to strengthen the rest of my security ;)
No, only once to decrypt the LastPass database. You can even set it to only ask every 30 days, however I feel that this defeats the security features a little.
I use https://www.passwordstore.org/ to generate passwords which are then encrypted using my GPG keys. My passwords directory is a git repo which I sync to GitHub. Since I don't possess a Yubikey or similar, I've stored a copy of my secret key in Protonmail.
KeePassX and Syncthing over WiFi. No browser add-ons. I decided to give it a try after the LastPass acquisition to see how feasible it was, and haven't looked back really. It helps that I'm mostly on Android mobile devices. KeePass2Android is what I use on the phone.
I use a password safe file (https://pwsafe.org/) which I then store randomly generated passwords per site and have a strong password on the safe itself.
I like this as a solution as it's not dependent on any third parties like cloud services, its pretty portable and I have a unique password per site, so I'm not really that bothered when the inevitable breaches happen.
Downside to this approach is that I have to have a device which has the password safe to hand to use it (there are clients for Windows/Linux/Mac/iOS/Android), I'm responsible for managing the file and if I lose the file + passphrase I'm stuffed :)
I have a "things I don't care about password" that's long, easy to type, and easy to remember. It's about 20 characters, which is sufficient for most services that don't have two-factor authentication, but annoying because some archaic systems STILL have a maximum password limit for ridiculous reasons that suggest one-way hashes are not being used.
Wherever two-factor is available, it's turned on. Usually through my phone, which has its own passcode and won't display text messages on my screen. I'm curious as to how secure this really is, but I suspect this is reasonably difficult enough to hack that someone would have to be targeting me specifically to be able to reliably pull my SMS token out of the air and match it up to my login before I used it within a few seconds and invalidated it. If someone decides to target me specifically, I have bigger problems.
For my email, my banking sites, and all the things that I really would rather someone else please not log into, I have a unique password. This is still long and easy to type; the only advantage of these passwords is that I am sure to not share them in any modified form anywhere else on the internet, which protects against these sorts of cross-site password theft attacks. (Even for my shared password I have a pattern that makes it uniqueish, but that pattern is simple enough that a human could probably reverse engineer it.)
The only real exception to this strategy is things that can be password-less, though that carries its own weirdness. All of my remotely-accessible SSH servers use private key authentication and have passwords enabled for sudo, but don't allow SSHing in using that password. (So they are effectively single-factor for login and userland access, which can still do a lot of damage but requires a computationally difficult key, and two-factor for root access.) This carries its own issues; I have to keep my private key files somewhere, and even if I use multiple keys for each machine I log in from, all it takes is one rogue login to hose my server. I either put all my eggs into one basket by using some sort of encrypted store, or I spread out my attack surface, increasing its complexity, and decreasing the chance that I'll have successfully patched all the holes up. I also don't like that there's no way I could reasonably memorize a private key, so the option of NOT storing it kind of doesn't exist. At best I can try to protect the key in some way.
I only use Apple on a daily basis, so I use the inbuilt iCloud Keychain which syncs my passwords across Apple devices. I use the built in password generator to generate secure passwords that are unique for each website. For the times I do log in to a PC, I can call up my passwords on my iPhone to type them in manually.
Random password, FastMail email alias, fake but plausible name and date of birth, all dumped in to 1Password.
Would love to find a credit card which allowed me to offer up fake billing details - obviously the CC provider would need to know who I was, but there's no reason who I'm paying needs to.
I simply use keepassx with the database being synced between all my devices (Linux, Windows, Android) via Syncthing. I also have a scrambled printout in my bank safe (30€/year) that I update every couple of months.
For 2FA I use either SMS or Authy https://www.authy.com/ Take a look at https://www.turnon2fa.com/ to see which sites support 2FA.