INFOSEC, and its subset COMSEC, takes many forms. Included in that is the security of your persona, your online identity- bank accounts, email accounts, even access to your blog and social media accounts. I am having to tighten my information security yet again.
In 2000, I bought a car from a used car lot. The finance guy used my personal information to steal my identity. It was a financial mess. I increased security by locking my credit reports. Now you need a password to unlock and access them.
Back in 2014, my ex-gf used my passwords to steal my emails, access my social media, and stalk me. She used the information that she obtained to try and get back at me after we broke up. It created all sorts of problems. She also stole the MICR data from the bottom of my checks and used that to go on an online shopping spree.
I massively tightened my information security. The problem is that passwords are a weak spot. If you have a password that is easy to remember, it is also easy to guess. Especially if the person attempting to guess your passwords is using computer assistance. Humans being who they are, they tend to fall into patterns and people tend to be lazy with passwords. More than 80% of people use the same password on more than one account, and people also tend to fall into predictable patterns when choosing passwords. For example, here are the 20 most common passwords of 2022:
- password and its variations, like password1, p@ssw0rd, etc.
Not wanting to get pwned like that, I tried using a passphrase, something like “4_$core&seVenYearsL8Tr” but it is hard to create and memorize a different passphrase for each account. As a result, I used a complicated phrase for one level of account (financial), a slightly less complicated one for email accounts, and an easier, less secure one for general things like online shopping. That didn’t work for long, because data breaches at different companies meant that one breach compromised multiple accounts. Also, that phrase is still weak. A strong passphrase needs to be random, need not be easy to memorize or type, needs to have a mix of character types, and should be at least 12, but preferably 15 or more characters long.
It was then that I began using LastPass. That software is great. It uses one passphrase to secure and encrypt your password file (called a wallet), and saves the wallet in that encrypted format. That wallet is saved on the LastPass server and is encrypted with 256 bit encryption. Not even LastPass has access to it. This allows me to have long, random, complicated passwords like Gyhu#wyr4o3fuX6$dD83 that are 12 to 20 characters long and are nearly impossible to guess, even for a computer. It’s served me well for about 8 years now. (There are others, 1password.com, for example)
The obvious weak spot is the master passphrase. Since that master passphrase needs to be somewhat easy to memorize, it by definition won’t be random. That is the weak spot. If the encrypted wallet were to fall into nefarious hands, a brute force attack could be used to crack the password wallet’s encryption and the bad guy now has your passwords.
Due to a phishing attack at LastPass, black hats managed to gain access to the servers and downloaded customer password files, including the customer’s unencrypted email address and their password wallets. This is a major breach, because the email address can be used to gain a lot of information about the owner of the wallet, making a brute force attack on the wallet’s master passphrase an easier prospect.
I saw this and was worried about my files being compromised, so I spent several days changing all of the passwords in my and my wife’s password wallets, thus making the compromised passwords outdated and useless. We also changed the master passphrases for our wallets. It appears as though we have come through the breach unscathed and our accounts remained secure. The weakness of this system was a single point of failure that was even discussed when I last posted about password wallets, but I considered it to be a low risk at the time.
Now that the black hats are doing things like this, I am worried about a similar event in the future, so we will be upgrading security again. It’s a major problem. In fact, 31% of people in the US have reported being the victims of a data breach within the last 18 months. Nearly two thirds of breaches are due to stolen or weak passwords, and 85% of cyber breaches due to a human element, such as phishing or reused passwords, so it is important to find a more secure way to INFOSEC. Currently, the most secure way to lock your information is to use multifactor authentication(MFA). The idea behind MFA is to have more than one way to authenticate yourself as the proper user of an account.
The first level of authentication in accessing any electronic account is user name and password. As we have been discussing, this is not a very good way of securing high value stuff. Sure, it may be fine for securing access to your CVS frequent shopper card, it won’t be enough for an account with saved credit card numbers or access to your online banking account. So we use a second, independent method of ensuring that whoever is attempting to access your account is actually you, and not some person intent on stealing your information.
The lowest level of MFA is to have the company you are logging into send you an email containing a link that you must click on to confirm your identity, with the next lowest level being an SMS message containing a 4-6 digit number whenever you log in from an unrecognized device. This sort of message is easier to beat than most other methods, as many phishing attempts center around gaining access to these. The texts/emails are unencrypted, and if intercepted can allow a black hat to have access to your account.
There are also Authenticator applications. This is a separate program that must be periodically used as a second means to verify who you are. You try to log into your bank account, for example, and the login process includes using this app to verify that it is actually you. Google authenticator, for example.
A third, more secure way is to use something else like biometrics. Your fingerprint, voiceprint, or face, for example. Even though it is more secure than an SMS message or email, biometrics have one key flaw- they can’t be changed if they are ever compromised. Your biometric data is stored in a digital format, and that means sooner or later, someone will figure out how to compromise them. This makes them predictable and this is the weakness.
Currently, the most secure way is to use a hardware key. A hardware key is a physical key, like a USB or NFC device that stores and generates a complex, unique code each time it is used. This becomes the second authenticator in the MFA chain. This is how banks, information companies, and other high security infomatics systems are authenticating users.
The two work together- you can’t access an account unless you have BOTH the username/password combo AND the physical hardware key. It becomes MUCH harder for someone to gain access to both means of authentication and provides a high level of security.
After quite a bit of research, I have decided to go with hardware keys. The one I have selected is Yubikey. I selected it because it works well with all of the browsers I use, it works with LastPass, and all of my banks and stockbroker accounts support it. The keys themselves come in a variety of forms: USB-A, USB-C, NFC, and others. Some of them even support biometrics, but I did not select that option.
I ordered two of the Yubikey 5 Series keys, and you can read more about them here. (pdf from Yubikey’s website) I will set my accounts up for both of them- one key I can carry, and a second, backup key that will stay in the safe to allow account access in the event my primary key is lost or damaged.
My keys will be here within the next two weeks, and I will review how easy they were to setup and use shortly thereafter.
As usual, the disclaimer: I don’t advertise, and receive no compensation whatsoever in exchange for my reviews or articles. I have no relationship with any products, companies, or vendors that I review here, other than being a customer. I pay what you would pay. I only post these things because I think that my readers would be interested.