In a world where many of us live a large part of our personal and professional lives in a web browser, there is little more important than the security of our online accounts. We broadcast our location, our shopping habits, and our private thoughts through a browser to the services we trust to keep that information safe. While we can hold the keepers of our information responsible for any vulnerability on their end, we own the keys to the front door. It is the user's responsibility to keep those keys secure, and there are plenty of tools out there to help you do exactly that.
Passwords can be guessed, leaked, or unintentionally given away. There are still plenty of people who tape their password to the underside of their keyboard or keep it on a sticky note in their desk. That habit can be broken, but there are other ways to keep yourself secure as well. PayPal, Gmail, Facebook, and Dropbox lead a long list of services that offer an additional security layer called two-factor authentication (often abbreviated TFA or 2FA).
What TFA does is give you a second code that you enter, in addition to your password, when you sign in to the service. The second code is usually generated fresh every 30 (or so) seconds and is handled through a smartphone app or a small device. The generated code is usually just a few digits, which is fine because it is valid just long enough for you to sign in, and then it changes. Because the code is computed from a secret shared with the service plus the current time, the service can compute the same code on its side and compare; nothing has to be sent to your phone in advance.
PayPal, Battle.net, and your bank may provide you with a keyfob that generates the code, as long as you are willing to pay for it (about $30, generally). Each keyfob only works for one service, so by the end of the day your keychain isn't likely to fit in your pocket. The most common form of two-factor authentication is simply to send the code to your phone. Facebook, for example, will text you the secondary code, which is only valid for a short time. Google Authenticator implements an open standard (TOTP) that any company can use to add TFA to their service, and the app dispenses the codes from your phone. Dropbox is one such company: when you set up two-factor authentication on your Dropbox account, you can use Google Authenticator for the codes.
This adds a great layer of security to your services, but it hinges on your not losing your phone or a small thumb-sized device. While it is unlikely that your phone will be stolen specifically to gain access to your services, it's not impossible. More likely, however, is that your phone will simply be unable to deliver the code to you. If your phone breaks, or you have drained the battery after a long day, you can no longer get into any online service you aren't already signed in to. Most services hand out one-time backup codes when you enable TFA; print them and keep them somewhere safe before you need them.
Choosing a great password
Somewhere along the way we got confused about what a good password is. We listen to security experts who tell us we should have four capital letters, two numbers, and a handful of special characters. I am immediately reminded of XKCD cartoonist Randall Munroe's comic on password strength, which demonstrates the two-sided problem with making your password a ridiculous array of randomness: it is hard for a human to remember, and because the substitutions follow predictable patterns it is not as hard for a computer to guess as it looks. A bigger problem, however, are the users whose passwords are single dictionary words or dates tied to events that are easy to figure out.
Even today three of the top 10 passwords are “password”, “1234567”, and “qwerty”, and while a complicated jumble of letters and numbers is much more secure than those, you can still do better.
It never hurts to test your password. There are a handful of services that will tell you how secure your password is; my personal favorite is howsecureismypassword.net. This service is free, easy to use, and gives you some baseline guidelines for making your password more secure. The best way to use a service like this is to come up with a password similar in structure to the one you want to use and enter that instead; typing your actual password into someone else's website is probably not the smartest thing in the world.
This service will give you a good starting point and a clear idea of what a strong password looks like. Once you have a great password you will already be safer than most, but there's still more you can do.
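The strength meters described above all reduce to one calculation: how many equally likely secrets could the attacker have to try, and how fast can they try them. The following is an added example, not code from the article or from howsecureismypassword.net, that does that calculation for both styles of password the XKCD comic compares and generates each kind with the `secrets` module. The word list is a constructed stand-in; the Diceware size of 7776 and the guessing rate in the demo are stated assumptions.

```python
import math
import secrets
import string

# Constructed stand-in for a real word list such as Diceware's 7776 words. The
# entropy maths take the list size as a parameter, so this tiny list only
# matters for the demo passphrase it produces.
DEMO_WORDLIST = ["correct", "horse", "battery", "staple", "anchor", "lantern",
                 "meadow", "copper", "ribbon", "velvet", "quartz", "harbor"]
DICEWARE_SIZE = 7776


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy for a secret chosen uniformly at random: each of the
    `length` symbols is one of `alphabet_size` equally likely choices."""
    return length * math.log2(alphabet_size)


def charset_size(password: str) -> int:
    """Size of the character-class mix the password draws from. This is what
    most online strength meters assume, and it OVERESTIMATES a password built
    from a dictionary word with a few substitutions (the comic's 'Tr0ub4dor&3'
    rates about 72 bits this way; the comic's realistic figure is about 28)."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32)]
    return sum(n for chars, n in classes if any(c in chars for c in password))


def password_bits(password: str) -> float:
    """Upper bound on entropy, valid only if the password really was random."""
    return entropy_bits(charset_size(password), len(password))


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """An attacker finds a uniformly random secret after trying half the
    space on average. `guesses_per_second` is the attacker's rate, and for a
    stolen hash it is an offline rate, not your login page's."""
    return (2.0 ** bits) / 2.0 / guesses_per_second


def generate_passphrase(words: int = 4, wordlist=DEMO_WORDLIST) -> str:
    """The comic's approach: a few random common words. Entropy comes from
    the list size and word count, not from the words being long or obscure."""
    return " ".join(secrets.choice(wordlist) for _ in range(words))


def generate_password(length: int = 16) -> str:
    """The other approach: uniformly random over all 94 printable ASCII
    characters. Very strong, but only a password manager will remember it."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    rate = 1e10  # assumed offline rate: ten billion guesses/s against a fast hash
    for label, bits in [("8 lowercase letters", entropy_bits(26, 8)),
                        ("4 Diceware words", entropy_bits(DICEWARE_SIZE, 4)),
                        ("16 random printable chars", entropy_bits(94, 16))]:
        secs = expected_crack_seconds(bits, rate)
        print(f"{label:26s} {bits:6.1f} bits  ~{secs / 86400:.3g} days at {rate:.0e}/s")
    print("example passphrase:", generate_passphrase())
    print("example password:  ", generate_password())
```

The point to take from the numbers: four random words from a 7776-word list give roughly 52 bits, an eight-letter lowercase password about 38, and the gap between them is a factor of thousands in cracking time, regardless of how clever the single word looks.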
As a standalone device, a YubiKey is a fantastic tool for any security-conscious individual. This product lets a physical USB key act as your password for certain things. It can be set up, for example, so that your computer only unlocks when the YubiKey is inserted and the one-time code from the YubiKey is supplied. Most versions of the YubiKey have a button that types the code when you press it. The code is computed from a secret stored inside the key; as long as that secret matches the one your PC (or the validation service it trusts) holds, the code the YubiKey generates will unlock the device. There are variants that fit entirely inside the USB port, and variants that add NFC so a phone can use them. These devices start at about $25.
When you use the YubiKey in conjunction with another service, such as LastPass or Symantec VIP, the YubiKey becomes a second factor of a different kind. Instead of relying on keyfobs, apps, or SMS to receive what you need to log in, the YubiKey itself generates the code needed to access these services. This removes the threats posed by someone getting hold of your phone, or by a malicious app on your phone intercepting the SMS.
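The "computer only unlocks when the key is inserted" setup is easiest to understand as a challenge-response exchange, so here is an added example (not the article's code and not Yubico's) that models it: the key holds an HMAC-SHA1 secret that never leaves it, the PC stores only a challenge and the answer it expects, and after each successful login the PC picks a new challenge. That rotation is the design of Yubico's PAM module; the class names, the 63-byte challenge length, and the password-as-first-factor check are this example's own assumptions.

```python
import hashlib
import hmac
import secrets


class ChallengeResponseKey:
    """Models the HMAC-SHA1 challenge-response mode of a hardware key. The
    secret is programmed in once and can never be read back; the host only
    ever sees HMAC(secret, challenge)."""

    def __init__(self, secret: bytes):
        self._secret = secret            # lives on the token, not on the PC

    def respond(self, challenge: bytes) -> bytes:
        return hmac.new(self._secret, challenge, hashlib.sha1).digest()


class HostLogin:
    """Models what the workstation stores for one user: a salted hash of the
    password (first factor), plus the current challenge and the response it
    expects from the key (second factor). After every successful login the
    challenge is rotated, so a response captured on the USB bus, or read out
    of this record, is useless next time."""

    def __init__(self, password: str, respond, challenge_len: int = 63):
        self._salt = secrets.token_bytes(16)
        self._pw_hash = self._hash_pw(password)
        self._challenge_len = challenge_len
        self.challenge = secrets.token_bytes(challenge_len)
        self.expected = respond(self.challenge)   # asked of the key once, at enrolment

    def _hash_pw(self, password: str) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000, 32)

    def login(self, password: str, respond) -> bool:
        """`respond` is whatever is plugged in: it is handed the stored
        challenge and must return the expected bytes. Both factors are always
        evaluated so a wrong password does not short-circuit the key check."""
        pw_ok = hmac.compare_digest(self._hash_pw(password), self._pw_hash)
        key_ok = hmac.compare_digest(respond(self.challenge), self.expected)
        if not (pw_ok and key_ok):
            return False
        # Rotate: the next login needs a fresh answer only the real key can give.
        self.challenge = secrets.token_bytes(self._challenge_len)
        self.expected = respond(self.challenge)
        return True

    def on_disk(self) -> dict:
        """What an attacker gets by stealing the host record: no key secret."""
        return {"salt": self._salt.hex(), "pw_hash": self._pw_hash.hex(),
                "challenge": self.challenge.hex(), "expected": self.expected.hex()}


if __name__ == "__main__":
    key = ChallengeResponseKey(secrets.token_bytes(20))   # programmed into the token
    host = HostLogin("hunter2", key.respond)              # enrolment
    sniffed = key.respond(host.challenge)                 # captured during a real login
    print("real login      :", host.login("hunter2", key.respond))
    print("replay of sniff :", host.login("hunter2", lambda c: sniffed))
    print("record on disk  :", host.on_disk())
```

Note what the stored record does and does not give an attacker: the password hash can be brute-forced offline, but the challenge/response pair cannot be turned into the key's secret, and once rotated it is not even valid for the next login. That is the property that makes the USB key a real second factor rather than a stored password.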
Secure password storage
The truth is that two-factor authentication is exhausting, and the recovery process if anything happens to your phone is painfully tedious. It's very secure, but not something I think the average user would put themselves through. Let's face it, most people don't even like passwords. In a perfect world, the computer would just log them in to everything and no one would ever have to think about passwords, because all of the security would be done for them. This isn't so much fantasy as an actual way to secure your digital services: let a program generate and remember your login credentials for all of the services you use.
The best-known example is LastPass. LastPass is a quick install on your computer and an add-on to your web browser. Every time you sign up for a website, LastPass will generate a strong random password for that service and store it for you securely. It's so secure that even you don't know what it is, unless you write it down or memorize the randomly generated string.
After that, you can access the information from your LastPass vault, but typically you would only do so to add or remove security features or auto-fill details for specific websites. The whole idea is that you aren't responsible for remembering your passwords; LastPass is. If you pay for the premium service, you can use the LastPass app to keep yourself secure when you're away from the PC.
Just as your password is only as secure as you are, your LastPass account is guarded by a login that you control. While it is convenient to have one password to a system that holds strong passwords for everything, there's not really a lot of benefit if someone gains access to your LastPass account. In the end it all comes back to how secure you are with that one master password. Unless, of course, you decide to take things one step further and add two-factor authentication to your LastPass account as well.
LastPass is a popular password manager, but it's far from alone. There are also 1Password, RoboForm, KeePass, and others.
There's no such thing as being 100% secure, unless you live your digital life on an air-gapped network and don't use any of the online services available today. For the most part, however, people are as secure as they want to be. There is no shortage of tools to improve that security, and in a world where the services we use are routinely under attack, it makes good sense to consider the additional options.
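Why does everything come back to that one master password? Because in a well-designed password manager the master password is the only input to the key that encrypts the vault, and the server never holds that key. The following added example (not the article's code, and not LastPass's) shows the general pattern such managers use: a client-side PBKDF2 key derived from the master password, a separately derived login hash sent to the server, and a server that stores only a salted, stretched hash of that. The round counts, the email-as-salt choice, and the guessing rate in the demo are this example's own assumptions, not any product's parameters.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 600_000   # assumed client-side work factor (OWASP's 2023 PBKDF2-SHA256 figure)


def vault_key(master_password: str, email: str, rounds: int = PBKDF2_ROUNDS) -> bytes:
    """The key that encrypts the vault. Derived on the client from the master
    password, with the lower-cased account email as salt so two users with the
    same password get different keys. It never leaves the device."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), rounds, 32)


def login_hash(key: bytes, master_password: str) -> bytes:
    """What the client sends to prove it knows the master password: one more
    PBKDF2 round over the vault key. From this value alone neither the server
    nor a thief of its database can recover the vault key."""
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode("utf-8"), 1, 32)


class VaultServer:
    """Stores only a salted, stretched hash of the login hash. Compromising
    this table yields neither the master password nor the vault key, and the
    vault ciphertext it also stores stays opaque."""

    def __init__(self, rounds: int = 100_000):
        self._users = {}
        self._rounds = rounds

    def register(self, email: str, auth: bytes) -> None:
        salt = secrets.token_bytes(16)
        self._users[email.lower()] = (salt, self._stretch(auth, salt))

    def authenticate(self, email: str, auth: bytes) -> bool:
        record = self._users.get(email.lower())
        if record is None:
            return False
        salt, stored = record
        return hmac.compare_digest(self._stretch(auth, salt), stored)

    def _stretch(self, auth: bytes, salt: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", auth, salt, self._rounds, 32)


def offline_guess_seconds(password_bits: float, rounds: int, hashes_per_second: float) -> float:
    """Expected time for an attacker who stole the encrypted vault: half the
    password space, each guess costing `rounds` HMAC-SHA256 calls. The only
    levers the user controls are the password's entropy and the round count."""
    return (2.0 ** password_bits) / 2.0 * rounds / hashes_per_second


if __name__ == "__main__":
    email, master = "alice@example.com", "correct horse battery staple"
    key = vault_key(master, email)
    server = VaultServer()
    server.register(email, login_hash(key, master))
    print("vault key (client only):", key.hex())
    print("login ok               :", server.authenticate(email, login_hash(key, master)))
    wrong = "Correct horse battery staple"
    print("login with wrong case  :", server.authenticate(email, login_hash(vault_key(wrong, email), wrong)))
    for bits in (28, 44, 60):   # the comic's two passwords, and a 5-word Diceware phrase
        days = offline_guess_seconds(bits, PBKDF2_ROUNDS, 1e10) / 86400
        print(f"{bits} bits at {PBKDF2_ROUNDS} rounds, 1e10 H/s: ~{days:.3g} days")
```

Two things the design buys you: a breach of the server's user table gives an attacker nothing to decrypt vaults with, and every guess at the master password costs the attacker the full PBKDF2 work factor. Neither helps if the master password itself is a dictionary word, which is exactly why adding two-factor authentication to the vault account is worth the hassle.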