Secure Password Management
Karl Mueller
Sr. Solutions Architect, @Labs
karl – at – walmartlabs.com
March 21st, 2014
Who Am I?
● 20 years industry operations experience
● Joined Kosmix 2005
● Acquired into @Walmartlabs, 2011
● NOT a security expert!
– but neither are most people!
What is the problem?
● Sites get compromised
● Passwords can be recovered
– Even sites practicing good security!!
● Emails and passwords are re-used
● More and more online accounts!
● Most hackers are after lower-hanging fruit
● Some hackers target specific people, e.g. the @N Twitter account
What is a solution?
● Unique, random, long passwords per site
– 8, 12, 16 characters – even longer!
● Compromised? Limited vulnerability
● Password managers are one way to do this
● Password manager must be secured well
● Not perfect – nothing is perfect
Considerations in a PM
● How is the data secured?
● Can I access my data on mobile? How?
● Is there two-factor authentication?
● Can the data be recovered without the master password?
● How do I back it up securely?
● Can it be used if company XX goes splat?
My choice: Lastpass Premium
● Premium ($12/yr) adds mobile support
● Encrypted cloud storage
● Secured and Encrypted by master password
● Good 2-factor authentication
● Usual support of forms, data, password generation
My choice: Lastpass Premium
● Works off-line
● Import/Export for backups
● CSV export available for non-lastpass
– PITA – mostly disaster recovery, IMO
● All major browsers have plugins
● All major mobile platforms have a fully-functional app ($$)
My choice: Lastpass Premium
● Lastpass never gets non-encrypted data
● Not perfect, but IMO the best option
● Other options are also good! Check 'em out
● Choosing a good password manager is a big deal!
● If somebody hacks Lastpass and releases booby-trapped code, all bets are off the table, but that's true for everybody
Using Lastpass
● Create account
● Create MASTER PASSWORD
● No master password = NO DATA
● Add 2-factor authentication
● Read blogs on securing and using it
● Some security settings are important
Lastpass Vault (not mine)
Login buttons
Best Practices – Master Pass
● Master password should be very good
– Write one or two copies down – optional
– The MP is obviously critical
– Losing master password means no data
● Never use 'Remember me' option
● Be careful with “Allow for XX hours”
Best Practices - Sites
● Every site gets a long, unique password
– As long as allowed, if possible
– Use symbols if allowed
● Change ALL passwords to random ones in PM
– (Optional) except things like financial accounts
– trade-offs for those as well
Best Practices - Sites
● Consider a 2nd, secure email address for financial accounts
● Maybe not really helpful
● Enable 2-factor and security notifications
2-Factor Authentication
● Something you know + Something you have
● Possibilities:
– cell phone / SMS text
– FOB keys / custom solutions
– TOTP / Google Authenticator
● How secure it is varies, despite 2-factor
● Still a good thing - usually
2-Factor Best Practices
● Enable on critical accounts if at all possible
● Especially:
– Lastpass (or other PM)
– Google
– Facebook
– Linkedin
– Banks and Financial (!!)
● twofactorauth.org has a list
2-Factor Best Practices
● Realistically, it can often be bypassed
● Social engineering works really well
– Humans want to be helpful
● Password protection still the best option
● “Reset password” is almost universal
– Email security on accounts is paramount!
● Where you can't be secure, early notice is best
2-Factor Best Practices
● Some 2-factor sites (like Google) can give you one-time-use codes.
● Codes can substitute for your 2-factor once.
● Good to have as backup or travel
● Carefully print or control where they are
2-Factor Best Practices
● Be careful about critical 2-factor accounts
● You can lose access without it, sometimes!
● Understand how to transfer things like the Google Authenticator app to a new phone
● On most sites you can recover from losing your 2-factor with the master password, but not on every one!
● Codes are a good idea to have printed out
– Secure those puppies!
Passwords – Worst Practices
● Are you a worst practice-ing password-er?
● YOU ARE MAKING IT EASY!!!
– hackers <3 you – feel the love
● Bad ideas: Using personal data of any kind
– birthdays, anniversaries, dates
– addresses, cities, locations
– favorite colors, items, activities, ...
– old phone numbers and account numbers
– anything relating to your children or spouse
● Dictionary words of any kind, even modified
● DO NOT DO THIS!
How to make Secure Passwords
● Completely random is best
● Long, complex passwords are 2nd best
● Length of password matters - a lot
– encryption and hashes both benefit
● If you have to remember it, use strategies
Bad password example
● Example: Take two words, bunny + carrot
● Combine them and scramble a bit
– Bunn33%carrot
● This is much less secure than you might think
– Though.. still better than most out there
Good password example
● Start with a phrase, a made-up story is good
– “My bunny is weird, he only eats green carrots”
● Take first letters, scramble a bit
– Add punctuation/symbols
– replace some letters with non-expected
– add some easy words at the end to add length to the password
Good password example
“My bunny is weird, he only eats green carrots”
mY!biW+He0eatsgreencarrots
● Enough random-ish characters is important (8+)
● Extra words or characters help – even if simple
● You'll have to type this out, don't be too crazy
● You need to remember it
– Putting it on a post-it kind of beats the point of it
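The slides rank "completely random" first and "long and complex" second, and say length matters more than most people expect. The following is an added example, not code from the slides or from LastPass, showing how a password manager's generator can produce uniformly random passwords with the OS CSPRNG (rejection sampling so that "must contain a digit and a symbol" site rules are met without biasing the result), and how to put numbers on the length-versus-alphabet trade-off with the standard entropy formula length * log2(alphabet size). The function and class names are this example's own.

```python
import math
import secrets
import string

# Character classes a site may require; pass a smaller tuple when a site bans symbols.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?/"


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password of `length` symbols drawn uniformly at random
    from an alphabet of `alphabet_size` symbols: length * log2(size).
    This is the attacker's worst case, which is what the slides mean by
    'completely random is best'. A human-chosen phrase never reaches it."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16, classes=(LOWER, UPPER, DIGITS, SYMBOLS)) -> str:
    """Draw every character uniformly from the union of the requested classes
    using the OS CSPRNG (`secrets`, never `random`), then reject and redraw
    until each class is present. Rejection keeps the distribution uniform over
    the accepted set, unlike 'pick one from each class and shuffle', which
    biases the first few positions. For length >= 12 the rejected fraction is
    tiny, so entropy_bits() remains an accurate estimate."""
    if length < len(classes):
        raise ValueError("length must be at least the number of character classes")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in classes):
            return candidate


def length_vs_alphabet() -> dict:
    """Illustrates the slide's 'length matters - a lot': 20 alphanumerics
    (62-symbol alphabet) beat 16 characters drawn from all 94 printable ASCII
    symbols, which in turn far exceed a 12-character full-alphabet password."""
    return {
        "random_12_full94": entropy_bits(12, 94),
        "random_16_full94": entropy_bits(16, 94),
        "random_20_alnum62": entropy_bits(20, 62),
    }


if __name__ == "__main__":
    for name, bits in length_vs_alphabet().items():
        print(f"{name:>18}: {bits:6.1f} bits")
    print("site allows everything:", generate_password(20))
    print("site bans symbols:     ", generate_password(20, (LOWER, UPPER, DIGITS)))
```

In practice the manager stores the generated string, so length is free; the only reason to keep a password short is a site's maximum-length rule, and the only password that has to be memorable is the master password, which the phrase method on the slides above is for.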
App-specific passwords
● Offered by Google, Microsoft, Facebook, etc.
● Creates a one-use password (or several)
– Sometimes it can be named, e.g. “iPhone email”
● Limited ability to change account
● You can disable all app-specific passwords from master
account controls
● Use for iphone email, IM chats, etc.
● Avoid using your real passwords whenever you can
2-Factor Example: Google
● Implements TOTP
● Scans a QR code (or type in) for shared secret
● Generates a 6-digit code based on secret securely
● Codes last about 30 seconds, then change
● Turns your mobile device into an RSA-style key fob
● Works very easily in practice
● Add everywhere you can!
2-Factor Example: Google
2-Factor Example: Google
Final Suggestions
● Never, ever give out passwords
● IT staff and sites almost never have a legitimate need for it
● Don't save your corporate credentials – ever
● Be very careful giving out information
● Be very careful using devices not yours
Final Suggestions
● Password managers are worthless without good device and computer security!
– phishing
– malware / viruses
– social engineering
– saved passwords in browser
● Use passcodes on your phone
● Configure phone to erase itself after X tries
Final Suggestions
● Email account is critical
● Almost all sites have “reset password”
● Can usually bypass 2-factor as well (!!!)
Q&A
Questions?