INFOSEC, and its subset COMSEC, takes many forms. Included in that is the security of your persona, your online identity: bank accounts, email accounts, even access to your blog and social media accounts. I am having to tighten my information security yet again.

In 2000, I bought a car from a used car lot. The finance guy used my personal information to steal my identity. It was a financial mess. I increased security by locking my credit reports. Now you need a password to unlock and access them.

Back in 2014, my ex-gf used my passwords to steal my emails, access my social media, and stalk me. She used the information that she obtained to try and get back at me after we broke up. It created all sorts of problems. She also stole the MICR data from the bottom of my checks and used that to go on an online shopping spree.

I massively tightened my information security. The problem is that passwords are a weak spot. A password that is easy to remember is also easy to guess, especially when the person guessing has computer assistance. Humans being who they are, they fall into patterns and tend to be lazy with passwords: more than 80% of people use the same password on more than one account, and people choose passwords in predictable ways. For example, here are the 20 most common passwords of 2022:

  1. password and its variations, like password1, p@ssw0rd, etc.
  2. 123456
  3. 123456789
  4. guest 
  5. qwerty 
  6. 12345678
  7. 111111
  8. 12345
  9. col123456
  10. 123123
  11. 1234567
  12. 1234
  13. 1234567890
  14. 000000
  15. 555555
  16. 666666
  17. 123321
  18. 654321
  19. 7777777
  20. 123

Not wanting to get pwned like that, I tried using a passphrase, something like “4_$core&seVenYearsL8Tr”, but it is hard to create and memorize a different passphrase for each account. As a result, I used a complicated phrase for one level of account (financial), a slightly less complicated one for email accounts, and an easier, less secure one for general things like online shopping. That didn’t work for long, because data breaches at different companies meant that one breach compromised multiple accounts. Also, that phrase is still weak. A strong passphrase needs to be random, need not be easy to memorize or type, needs to have a mix of character types, and should be at least 12, but preferably 15 or more, characters long.

It was then that I began using LastPass. That software is great. It uses one passphrase to secure and encrypt your password file (called a wallet) and saves the wallet in that encrypted format. The wallet is stored on the LastPass server, encrypted with 256-bit encryption. Not even LastPass has access to it. This allows me to have long, random, complicated passwords like Gyhu#wyr4o3fuX6$dD83 that are 12 to 20 characters long and are nearly impossible to guess, even for a computer. It’s served me well for about 8 years now. (There are others; 1password.com, for example.)

The obvious weak spot is the master passphrase. Since that master passphrase needs to be somewhat easy to memorize, it by definition won’t be random. That is the weak spot. If the encrypted wallet were to fall into nefarious hands, a brute force attack could be used to crack the password wallet’s encryption and the bad guy now has your passwords.
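To make the three points above concrete (random generated passwords of 12 to 20 characters, a check against the post’s own strength criteria and common-password list, and the “one breach compromises multiple accounts” problem), here is an added example. It is not code from this post or from LastPass: the 3-character-class threshold and the sample wallet are assumptions, and the bit count only applies to a password that really was chosen at random, which is exactly why a memorable master passphrase is weaker than anything the generator produces.

```python
import math
import secrets
import string

# Constructed denylist built from the entries the post lists; a real check
# would use a much larger breach corpus.
COMMON = {"password", "password1", "p@ssw0rd", "123456", "123456789",
          "guest", "qwerty", "12345678", "111111", "12345", "col123456",
          "123123", "1234567", "1234", "1234567890", "000000", "555555",
          "666666", "123321", "654321", "7777777", "123"}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)

def generate(length=20):
    """Random password with at least one character from every class,
    drawn from the OS CSPRNG (secrets), never from random.choice."""
    if length < 12:
        raise ValueError("the post's minimum is 12 characters")
    alphabet = "".join(CLASSES)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in CLASSES):
            return pw

def random_bits(pw):
    """Bits of entropy pw would have IF every character were chosen
    uniformly at random from the classes it uses. A human-chosen phrase
    like 4_$core&seVenYearsL8Tr has far less than this figure suggests."""
    pool = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    return len(pw) * math.log2(pool)

def check(pw):
    """Reasons pw fails the post's criteria (empty list means it passes).
    The 3-class threshold is an assumption for 'a mix of character types'."""
    problems = []
    if pw.lower() in COMMON:
        problems.append("in common-password list")
    if len(pw) < 12:
        problems.append("shorter than 12 characters")
    if sum(any(c in cls for c in pw) for cls in CLASSES) < 3:
        problems.append("fewer than 3 character classes")
    return problems

def reused(wallet):
    """Map each password shared by several accounts to those accounts:
    one breach at any of them exposes all of them."""
    by_pw = {}
    for site, pw in wallet.items():
        by_pw.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_pw.items() if len(sites) > 1}
```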

Due to a phishing attack at LastPass, black hats managed to gain access to the servers and downloaded customer password files, including the customer’s unencrypted email address and their password wallets. This is a major breach, because the email address can be used to gain a lot of information about the owner of the wallet, making a brute force attack on the wallet’s master passphrase an easier prospect.

I saw this and was worried about my files being compromised, so I spent several days changing all of the passwords in my and my wife’s password wallets, thus making the compromised passwords outdated and useless. We also changed the master passphrases for our wallets. It appears as though we have come through the breach unscathed and our accounts remained secure. The weakness of this system was a single point of failure that was even discussed when I last posted about password wallets, but I considered it to be a low risk at the time.

Now that the black hats are doing things like this, I am worried about a similar event in the future, so we will be upgrading security again. It’s a major problem. In fact, 31% of people in the US have reported being the victims of a data breach within the last 18 months. Nearly two thirds of breaches are due to stolen or weak passwords, and 85% of cyber breaches involve a human element, such as phishing or reused passwords, so it is important to find a more secure approach to INFOSEC. Currently, the most secure way to lock your information is to use multifactor authentication (MFA). The idea behind MFA is to have more than one way to authenticate yourself as the proper user of an account.

The first level of authentication in accessing any electronic account is username and password. As we have been discussing, this is not a very good way of securing high value stuff. Sure, it may be fine for securing access to your CVS frequent shopper card, but it won’t be enough for an account with saved credit card numbers or access to your online banking account. So we use a second, independent method of ensuring that whoever is attempting to access your account is actually you, and not some person intent on stealing your information.

The lowest level of MFA is to have the company you are logging into send you an email containing a link that you must click on to confirm your identity, with the next lowest level being an SMS message containing a 4-6 digit number whenever you log in from an unrecognized device. This sort of message is easier to beat than most other methods, as many phishing attempts center around gaining access to these. The texts/emails are unencrypted, and if intercepted can allow a black hat to have access to your account.

There are also authenticator applications. This is a separate program that must be periodically used as a second means to verify who you are. You try to log into your bank account, for example, and the login process includes using this app to verify that it is actually you. Google Authenticator is one example.
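What the authenticator app and the bank actually compute is the time-based one-time password of RFC 6238 (HMAC-SHA1, 30-second window, 6 digits, the settings Google Authenticator uses). This added example, not code from the post or from any authenticator product, shows both sides: the app’s code generation and the server’s check, which tolerates one window of clock skew and refuses to accept a code twice. The secret is the RFC test seed, used here as constructed input.

```python
import base64
import hashlib
import hmac
import struct

STEP = 30    # seconds per code
DIGITS = 6   # digits shown in the app

def hotp(secret, counter, digits=DIGITS):
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the last `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def totp(secret, unix_time, step=STEP):
    """RFC 6238: HOTP with the counter set to the current time window.
    This is what the app displays; it needs no network, only the clock."""
    return hotp(secret, int(unix_time) // step)

def secret_from_base32(text):
    """The enrolment QR code carries the shared secret as base32 (often
    shown in groups of four); decode it, re-adding any stripped padding."""
    text = text.strip().replace(" ", "").upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))

class Verifier:
    """Server side. Accepts the current window or its neighbours (clock
    skew) and never accepts a window at or before the last one used, so a
    code that was phished or intercepted cannot be replayed once spent."""
    def __init__(self, secret, skew=1):
        self.secret, self.skew, self.last_counter = secret, skew, -1

    def verify(self, code, unix_time):
        now = int(unix_time) // STEP
        for counter in range(now - self.skew, now + self.skew + 1):
            if counter <= self.last_counter:
                continue                       # already consumed, or older
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False
```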

A third, more secure way is to use something else, like biometrics: your fingerprint, voiceprint, or face, for example. Even though they are more secure than an SMS message or email, biometrics have one key flaw: they can’t be changed if they are ever compromised. Your biometric data is stored in a digital format, and that means sooner or later, someone will figure out how to compromise it. This makes them predictable, and this is the weakness.

Currently, the most secure way is to use a hardware key. A hardware key is a physical key, like a USB or NFC device, that stores and generates a complex, unique code each time it is used. This becomes the second authenticator in the MFA chain. This is how banks, information companies, and other high security informatics systems are authenticating users.

The two work together: you can’t access an account unless you have BOTH the username/password combo AND the physical hardware key. It becomes MUCH harder for someone to gain access to both means of authentication, and this provides a high level of security.

After quite a bit of research, I have decided to go with hardware keys. The one I have selected is Yubikey. I selected it because it works well with all of the browsers I use, it works with LastPass, and all of my banks and stockbroker accounts support it. The keys themselves come in a variety of forms: USB-A, USB-C, NFC, and others. Some of them even support biometrics, but I did not select that option.

I ordered two of the Yubikey 5 Series keys, and you can read more about them here. (pdf from Yubikey’s website) I will set my accounts up for both of them: one key I can carry, and a second, backup key that will stay in the safe to allow account access in the event my primary key is lost or damaged.

My keys will be here within the next two weeks, and I will review how easy they were to setup and use shortly thereafter.


As usual, the disclaimer: I don’t advertise, and receive no compensation whatsoever in exchange for my reviews or articles. I have no relationship with any products, companies, or vendors that I review here, other than being a customer. I pay what you would pay. I only post these things because I think that my readers would be interested.

Categories: Training

18 Comments

John Fisher · December 30, 2022 at 4:16 pm

Thanks for this. I’ll be looking for your followup.

Toastrider · December 30, 2022 at 4:20 pm

If your passwords are stored with someone else — LastPass or whatever — you cannot guarantee their security. It’s the same as keeping files on ‘the cloud’.

    Divemedic · December 30, 2022 at 5:46 pm

    All passwords are stored on someone else’s computer. That’s why hardware keys come in. Even if someone has the password, they can’t gain access without the hardware key.

      Jonathan · December 31, 2022 at 11:27 am

      Yes, they are – but most computers only store the password for that site.

      So far, I have purposely NOT used an online password manager since it puts all my eggs in one (online) basket.

      What I’d like to see is an app that allows you to create and manage a password file that YOU can store when and how YOU want, online or offline.
      It would be even better if the file could be disguised as well as stored where you want.

      P.S. are you sure that the encryption can’t be broken? Given the leaks that the NSA has had that we know of, I’m sure there are leaks from both the NSA and encryption companies that we don’t know of.

        Divemedic · December 31, 2022 at 1:07 pm

        The best indicator of that is whether or not the government three letter agencies allow their use.

        You will note that the US government doesn’t want their agencies using TikTok because the Chinese owned social media company is thought to be an intelligence gathering activity for the Chinese government. That indicates to me that US owned social media is compromised by the US government.

        The US government is using 256 bit encryption, indicating to me that (at least for the time being) 256 bit encryption is safe. If the government wants the money in my bank accounts, there are easier ways for them to get it than decrypting my password wallet.

        aczarnowski · January 10, 2023 at 4:35 pm

        I also prefer to avoid cloud storage for this task and am extremely happy with the KeePass collection of apps. I rsync my password database between Windows, Debian and Android and apps on each platform are happy with it.

Phil B · December 30, 2022 at 6:00 pm

I use the license plate numbers of my family’s previously owned vehicles – note that they have been on the scrap heap for well over 50 years so unlikely to be traced.

I can then write down the name of the vehicle as a reminder. For example (and I’ll add the manufacturer in brackets):

(Vauxhall) Viva, (Triumph) Daytona, (Honda) SS50 which gives a password of

ABB762VGKM97LBNN58H

These are British registrations with a 3 letter, up to 3 number and letter (indicating the year) number plate.

Not 100 % secure but memorable, and writing down the vehicle name as a prompt means not forgetting the password.

However, being paranoid, I’ll look into the Yubikey thing.

It's just Boris · December 30, 2022 at 8:39 pm

On a related note, think very very carefully before allowing a company you buy something from online to save your credit card info. If they get hacked, there goes your cc info. Alternately or in addition, use a credit card that lets you generate a specific number for a given merchant (so it won’t work anywhere else) with a specified credit limit (so not much more can be ordered anyway). Citibank (sigh) has this feature. While it can be clumsy to use, it’s security along a separate axis from the login info.

joe · December 30, 2022 at 9:31 pm

was at the dr office today and to log on the doc had to swipe his card over a reader to unlock on log on his computer…that was something i hadn’t seen before…i’ve been debating using a vault…i tried lastpass until i couldn’t remember the master password…doh…since they have been hacked think i’ll give bitwarden a try…

    Divemedic · December 31, 2022 at 11:08 am

    What happened to LastPass can easily happen to ANY password company that stores user wallets on their server. Going with a different company doesn’t mitigate that.

      joe · December 31, 2022 at 12:18 pm

      yes sir, i realize that…but since i had an account with them recently, it probably won’t let me create another one…

It's just Boris · December 30, 2022 at 11:43 pm

Neither our “working household funds” bank, stockbroker, nor retirement account broker is listed on Yubico’s website. Unfortunate.

Anonymous · December 31, 2022 at 1:09 am

https://www.explainxkcd.com/wiki/index.php/936:_Password_Strength

https://diceware.com

ubuntu$ sudo apt install diceware

Steve S6 · December 31, 2022 at 11:03 am

If you want to increase computer security look into Qubes OS. Linux based, it uses virtual machines for isolation. Example, have one for banking, one for on-line shopping, one for email. If one VM gets hacked that is the only thing they get and by segregating activity you are less likely to get hacked. Funky link you want to open? Disposable VM. When you close it the entire thing disappears like it never was including any breaches. The VMs are like having separate physical computers. Like most Linux systems there’s a bit of a learning curve but not horrible.

    Jonathan · December 31, 2022 at 11:22 am

    I am in need of a new computer and plan to move back to Linux from Windows 8 since I don’t trust anything newer out of MS.

    I’ll look into this.

greg · December 31, 2022 at 12:27 pm

I used a VeriSign token hardware authenticator since it was an option when Paypal very first started over 20 years ago. The batteries finally died after a long long time. Now paypal won’t issue these random number generators. Different password on every single log on and password only good for 30 seconds. Well worth any inconvenience.

Anonymous · December 31, 2022 at 8:56 pm

If anyone wants to try hacking into my passwords, they’ll need to know what vehicles I’ve owned in the last 40 years and their year.

If it’s an ag site then farm implements..

KBYN · January 3, 2023 at 1:36 am

I use LastPass with a Yubikey 5. It’s easy and secure. I think you’ll be happy with the setup.

Comments are closed.