163: Proper Password Management: Aaron Traffas

Auction professionals are responsible for large amounts of sensitive information, both for themselves and their clients. One of the keys to keeping that information safe online is implementing a system to handle passwords. In this episode, host Aaron Traffas talks about the requirements for creating good passwords and explores some of the features of a popular password management system.


Today’s Sponsors
Sharp Auction Engine
BidWrangler

Episode Links
https://www.grc.com/haystack.htm
http://www.auctioneertech.com

The Fast Talking Podcast is a small business building podcast as seen through the lens of auctioneers and auction professionals. Focusing on social media, marketing strategies, finance, operations, human resources, and time management, we provide focused discussions on important topics weekly.

-----

Episode 163: Transcription

Hello and welcome to the Fast Talking Podcast. My name is Aaron Traffas and I'm excited to be your guest host for today's episode. Auctioneers are stewards of large amounts of sensitive information, both for ourselves and our clients, so today we're going to talk about the first step to keeping that information safe.

I wrote the article that inspired this episode about a month ago on my auction technology blog at auctioneertech.com because I realized there are many of us who would like to do better when it comes to internet security. The tech news now seems to report, with increasing regularity, about massive database breaches of popular websites that expose all our passwords to the web. I'm going to talk today about what makes good passwords and go over the features of LastPass, which is one of the more popular password management systems available.

Secure passwords

The first requirement for proper password hygiene is a secure password. A secure password is one with enough entropy and length to resist brute force attacks. Now, let me explain what that means. Entropy, in this context, is the amount of randomness in a password. A password that comprises words in the dictionary has a very low entropy, while a password made up of random characters has high entropy. A brute force attack uses a powerful computer to try every possible combination of characters until it finds a match. Modern offline brute force attacks can attempt billions or even trillions of combinations each second, so it won't take very long to crack your password made up of your kids' initials followed by your wedding date.

Entropy is important because modern password cracking processes are smarter than just starting with A and then trying AB and then ABC. They use patterns derived from millions of leaked passwords to determine commonalities likely found in your password, and they try those first before moving on to more random combinations.

Password length is important because it’s how we can easily make the brute-forcing process take much longer. Each character in the alphabet can be upper and lower case, which means that every letter we add forces an additional 52 attempts. Adding numbers and special characters to the password alphabet can increase the character depth to 92. We'll put the link in the show notes to the great Password Haystacks tool at grc.com/haystack that can analyze your password strength and length and tell you how long a brute force attack would take on the password you give it. Don’t worry – nothing is sent through the internet. It’s all done with your browser, which is important for reasons we’ll talk about shortly.

Different passwords

After making a password secure, the second part of proper password management is using a different password for each site or service. I mentioned earlier the myriad password leaks from major internet businesses in the last few years. The frequency of these leaks seems to be increasing. When passwords are leaked from one service, every user who used the same password on a different service is suddenly vulnerable. If every password you use is unique to each service, then a password breach only impacts your account at the service that was breached and you don't have to worry about attackers using your password from one site to gain access to your account on another site.

Rotating passwords

Now, I want to mention password rotation, which many people think is also important. If our password is one that we’ve reused on multiple sites, then the longer we use it, the better the chances are that it’ll have been involved in a breach of some service and is available to the hacking community. The reason some banks frustrate us by forcing us to change our passwords regularly is that it increases the likelihood that we're using a unique password that's not known by anybody else. But, if we make sure from the start that we use a different and secure password for each site, there’s not really any need to ever change our passwords.

In my article, I used auction123 as an example of a bad password and had an example of a good password that was 64 characters long and full of gibberish that included braces, tildes, pipes and other punctuation that's not used every day. I'll also mention that a simple replacement of characters with punctuation - like changing an "S" to a dollar sign or an "A" to the at sign - is one of the first things that hackers try. As a general rule, if you can read your password to someone in under a minute, it's probably not a good password.

LastPass

Now that we've talked about why it's important to have a strong, long and different password for each site, it should be obvious that it's impossible to accomplish that without using a tool of some kind. I don't want this episode to be a commercial for LastPass, but I want to talk about some of the features that a password management system offers, and LastPass is both the one that I'm familiar with and the one that is most frequently recommended by the security experts I follow in the industry. There are others out there, like 1Password, KeePass and Dashlane, many of which offer similar features to what we're getting ready to talk about, and anything is probably better than nothing.

To use LastPass, you install the mobile app on your phone and use extensions to your web browser on your computer. Once you've logged in to LastPass, it then logs you in everywhere else by automatically filling in the username and password for each site you visit and each app you use on your phone or tablet. Passwords are only the beginning, as you can store notes, SSNs, QR codes, images and credit card information completely securely. Shopping becomes much easier when you can have LastPass populate your credit card information and addresses into web forms.

It features two-factor authentication, which is crucial to any security system. This means when you log in to LastPass, you can — and you should — make it require a separate security code from an app on your phone in addition to your master password. This means if someone ever gets your master password, he can't log in unless he also has your phone in his possession.

The first time you log in to a site, it pops up an option to automatically store that password so you never have to worry about it again. When you’re creating accounts, it generates extremely secure passwords so you don’t have the stress of having to come up with something yourself. It can also audit your security, letting you know which sites have weak or compromised passwords and offering you the ability to easily change them. For many sites, it can actually change your passwords for you to something much more secure.

You can also share passwords securely with other LastPass users, which lets us share the ability to log in with employees without giving those employees the actual passwords. If an employee leaves, we simply turn off the sharing of that password with that user instead of having to actually change passwords to the different sites that employee was using.

The best part about LastPass is that all your content — passwords, SSNs, notes and even images — is encrypted by your browser or the mobile app before it’s sent to the LastPass servers. LastPass never has access to the master password since it, too, is encrypted before it leaves your computer. Even if the LastPass servers are compromised, all a hacker would have access to is the encrypted data which is useless to anyone other than you, so long as your master password has enough entropy and length to prevent cracking.

LastPass has a free plan, which is a great way for you to try it and see how it works. To sync your mobile devices and computer, though, you'll need to upgrade to LastPass Premium, which, in my opinion, at $1 per month, would be a steal at 10 times the price.

Wrap-up

In summary, proper password hygiene isn't hard. Make sure your passwords are long and free of patterns like words or dates. Make sure you don't reuse passwords on more than one site. In order to satisfy these two requirements, you need a password management system. If you don't have one, get one immediately. LastPass seems to be the one most recommended by the security community, but any system is better than no system.

I'd like to thank Andy for giving me the opportunity to guest host the Fast Talking Podcast this week. The show is built for you, the fast talking nation. We're always looking for suggestions and feedback, so if you have an idea for a great topic or guest you think would be a good fit, leave a comment on fasttalkingpodcast.com or find us @auctionpodcast on Twitter or facebook.com/fasttalkingpodcast. My blog is auctioneertech.com and if you'd like to contact me personally, find me on Twitter @traffas or, better yet, email aaron.traffas@purplewave.com.

With that, we want to thank you for gifting us with your time. As always, be sure to like, favorite and share this podcast in whichever venue you choose to listen. We enjoy creating this podcast for you and strive to share this industry we love with more and more people each week. I'm Aaron Traffas. Thanks for listening. Now go sell something.
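The arithmetic behind the entropy and length discussion in the transcript above, as an added example that is not part of the episode, its show notes or the Haystacks tool it links. It estimates the search space and worst-case brute-force time for a password at an assumed rate of a trillion guesses per second, and then applies the kind of pattern check the episode describes: undoing common punctuation substitutions and stripping the digits people bolt onto a word before comparing against a wordlist. The guess rate, the five-word wordlist, the substitution table and the sample passwords are all constructed for illustration.

```python
import math
import re
import string

# Constructed stand-in for the leaked-password wordlists crackers try first;
# a real cracking run uses millions of entries, not five.
COMMON_WORDS = {"auction", "password", "welcome", "summer", "letmein"}

# Cheap substitutions ("S" -> "$", "A" -> "@", "O" -> "0") that cracking rule
# sets undo before comparing a candidate against the wordlist. Assumed table.
LEET_MAP = str.maketrans("$@0134!7", "saoieait")

GUESSES_PER_SECOND = 1e12           # assumed offline cracking rate
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the character set an exhaustive search must cover (26/26/10/32)."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(len(cls) for cls in classes if any(ch in cls for ch in password))


def search_space(password: str) -> int:
    """Candidates a brute force must try to cover every string up to this length."""
    n = alphabet_size(password)
    return sum(n ** k for k in range(1, len(password) + 1))


def entropy_bits(password: str) -> float:
    """Upper bound on entropy, valid only if every character was chosen at random."""
    return len(password) * math.log2(alphabet_size(password))


def brute_force_years(password: str,
                      guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to exhaust the search space at the assumed guess rate."""
    return search_space(password) / guesses_per_second / SECONDS_PER_YEAR


def pattern_weakness(password: str):
    """Return why a cracker's rule set would find this quickly, or None."""
    lowered = password.lower()
    # Peel off the leading/trailing digits and punctuation appended to a word.
    core = re.sub(r"^[\d\W_]+|[\d\W_]+$", "", lowered)
    word = core.translate(LEET_MAP)
    if word in COMMON_WORDS:
        return f"dictionary word '{word}' with characters bolted on"
    if len(core) <= 4 and re.search(r"\d{4,8}$", password):
        return "short prefix followed by a date-like digit run"
    return None


def assess(password: str) -> dict:
    """Combine the alphabet-size estimate with the pattern check."""
    return {
        "alphabet_size": alphabet_size(password),
        "entropy_bits": round(entropy_bits(password), 1),
        "brute_force_years": brute_force_years(password),
        "weakness": pattern_weakness(password),
    }


if __name__ == "__main__":
    # Constructed samples: the episode's bad password, a leet-substituted
    # variant, initials plus a date, and a random 20-character string.
    for pw in ("auction123", "Auct!0n123", "jmr061214", "k7#Qm}~|2vLp9!Xz&Rb@"):
        print(pw, assess(pw))
```

The two numbers tell different stories on purpose. By alphabet arithmetic alone "auction123" comes out near 52 bits and a few thousand seconds of brute force, and "Auct!0n123" looks stronger still because its alphabet grew; the pattern check collapses both to the word "auction", which is the first thing a wordlist-driven cracker tries. The random 20-character string passes the pattern check and its search space is astronomically large at the assumed rate, which is the case the episode makes for generated passwords.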