Beef up your passwords
How to lock down your online and offline accounts.
Do you rely on a limited number of passwords to secure accounts both online and off? You’re not alone. The sad truth is, though, that this represents an opportunity for hackers and identity thieves who, once they crack one of your passwords, can often crack them all.
The way to solve this problem is to create unique, complex passwords for each account that you use, using a mix of upper and lowercase characters, numbers and even symbols. The trick then is remembering them all.
The solution lies in employing the services of a password manager. A good password management tool will generate strong random passwords, make them easy to access and protect them all behind a single, strong master password you can remember. You log into the password manager with the master password, and the rest of your passwords are then available.
PICK A PASSWORD
If you’re super-concerned or even paranoid about security, you’ll want to store your passwords offline, in which case you should look at KeePass (keepass.info). Everything’s stored locally, and you can add an extra layer of protection to your passwords by locking them using both a master password and a key file, which you store on an external disk or drive.
It’s portable too, so you can store everything on a USB thumb drive and take your passwords with you on to other computers.
The biggest drawback with KeePass, however, is that it only works on your PC — if you want access to your passwords on your mobile, for example, then you’ll need to be within reach of your machine to access them. If you’re willing to store your passwords in the cloud (encrypted, of course), a more convenient option is to use a tool such as LastPass (www.lastpass.com).
LastPass offers a similar feature set to KeePass, minus the key file option. Instead, what it gives you is more convenience — you can install apps on your devices (including mobile ones) and use browser plugins to make it easier to log into sites, as well as generate strong, random passwords for new accounts. LastPass works with any service you access through your web browser, making it a good fit for your router, plus locally hosted servers such as Plex.
LastPass also offers secure notes and form filling tools, for storing other sensitive information. You can also ask LastPass to prompt you for your master password each time you open a particularly sensitive note. It also includes a security audit, which checks all your passwords for weak ones, duplicates, passwords you haven’t updated in a while and even accounts known to have been compromised.
All of this functionality — including syncing across mobile and desktop — is now completely free. Upgrade to the LastPass Premium package (US$24 per year) for more features, such as LastApp — a tool for using LastPass in conjunction with installed apps or programs on your device.
MULTI-FACTOR AUTHENTICATION
Even the strongest password can be guessed or cracked, so what happens if your password is leaked? The solution is to implement two-step verification or two-step authentication. This adds an extra step when logging into key accounts (including LastPass) on new devices. This can be as simple as an email notification, or you can implement a solution that requires your mobile phone or tablet to be at hand.
This latter option is best, because you’ll need physical access to your mobile device in order to verify the request. Here, you can opt to receive a code via text message, or you can install a special authentication app that generates codes offline that are tied to your account. If you’re using LastPass to protect your passwords, install the free LastPass Authenticator app to provide these codes — not only can you then switch on two-factor authentication for services and accounts that support it, but you can switch it on for LastPass, too, making it even more secure.
You can find out if your chosen service supports two-factor authentication by logging into it and exploring the security section of its settings — LastPass users should log into their account at www.lastpass.com and go to ‘Account Settings > Multifactor Options’, for example. From here, you can pair it with the free LastPass Authenticator app.
Other services make it relatively easy to add multi-factor authentication using LastPass Authenticator (if you can’t see an explicit reference to it, then choose the Google Authenticator option). They provide a QR code that you scan into LastPass Authenticator using your mobile’s camera, which automatically pairs your account with the app.
One tip for additional security: what happens if your smartphone or tablet gets stolen? Make sure you tap Settings in LastPass Authenticator and flick the ‘Use PIN Code’ switch to ‘On’ to protect it with a six-digit PIN. And remain wary of unexpected requests to use the authenticator app — it may indicate that a hacker has got your password and is hoping you can be tricked into verifying their request for access.
Alternative password managers include 1Password (1password.com), which works across all your devices including Windows, Mac, Android and iOS. It also offers a web browser plugin.