Secure Password Management, Informal, @WalmartLabs
Secure Password Management
Karl Mueller
Sr. Solutions Architect, @Labs
karl – at – walmartlabs.com
March 21st, 2014
Who Am I?
● 20 years industry operations experience
● Joined Kosmix 2005
● Acquired into @Walmartlabs, 2011
● NOT a security expert!
– but neither are most people!
What is the problem?
● Sites get compromised
● Password hashes leak and get cracked offline, so passwords can be recovered
– Even from sites practicing good security!!
● Emails and passwords are re-used across sites
● More and more online accounts!
● Most hackers are after lower-hanging fruit
● Some hackers target specific people, e.g. the @N Twitter handle
What is a solution?
● Unique, random, long passwords per site
– 8, 12, 16 characters – even longer!
● One site compromised? Exposure is limited to that one site
● Password managers are one way to do this
● The password manager itself must be secured well
● Not perfect – nothing is perfect
Considerations in a PM
● How is the data secured?
● Can I access my data on mobile? How?
● Is there two-factor authentication?
● Can the data be recovered without the master password?
● How do I back it up securely?
● Can it be used if company XX goes splat?
My choice: Lastpass Premium
● Premium ($12/yr) adds mobile support
● Encrypted cloud storage
● Secured and Encrypted by master password
● Good 2-factor authentication
● Usual support of forms, data, password generation
My choice: Lastpass Premium
● Works off-line
● Import/Export for backups
● CSV export available for non-lastpass
– PITA – mostly disaster recovery, IMO
● All major browsers have plugins
● All mobile platforms have a fully-functional app ($$)
My choice: Lastpass Premium
● Lastpass never gets non-encrypted data
● Not perfect, but IMO the best option
● Other options are also good! Check 'em out
● Choosing a good password manager is a big deal!
● If somebody hacks Lastpass and releases booby-trapped code, all bets are off the table... but that's true for everybody
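The last three slides rest on one design point: the vault is encrypted on the client with a key derived from the master password, and the server only ever holds an opaque blob plus a separate login hash, which is why there is no "forgot master password" recovery. The block below is an added example that models that split; it is not LastPass's code and its parameters are assumptions (PBKDF2-HMAC-SHA256 with the lower-cased email as salt, 600,000 iterations, and HMAC-SHA256 in counter mode with encrypt-then-MAC standing in for AES, which the Python standard library does not ship). The sample vault contents are constructed.

```python
import hashlib
import hmac
import os

# Assumed parameters for this model, not the vendor's actual values.
PBKDF2_ITERATIONS = 600_000
NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password: str, email: str, iterations: int = PBKDF2_ITERATIONS):
    """Client side only. vault_key encrypts the vault and never leaves the device;
    auth_hash is one more one-way derivation and is all the server ever receives."""
    salt = email.strip().lower().encode()
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    auth_hash = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)
    return vault_key, auth_hash


def _subkeys(vault_key: bytes):
    # Separate keys for confidentiality and integrity, both derived from vault_key.
    enc_key = hmac.new(vault_key, b"vault-encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"vault-authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a PRF-based stream cipher standing in for AES here.
    blocks = [hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]


def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC. Blob layout: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> bytes:
    """Check the tag before touching the ciphertext; a wrong master password fails here."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short to be a vault")
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("vault tag mismatch: wrong master password or tampered blob")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


# Server side: it stores a hash of the login hash and the opaque blob, nothing it can decrypt.
def register(server_db: dict, email: str, auth_hash: bytes, blob: bytes) -> None:
    server_db[email] = {"auth_hash": hashlib.sha256(auth_hash).digest(), "blob": blob}


def login(server_db: dict, email: str, auth_hash: bytes):
    """Return the encrypted blob on success, None otherwise. The server never learns the
    master password or vault_key, so it cannot reset the password or recover the vault."""
    record = server_db.get(email)
    if record is None:
        return None
    if not hmac.compare_digest(record["auth_hash"], hashlib.sha256(auth_hash).digest()):
        return None
    return record["blob"]


def demo(master_password: str, wrong_password: str, email: str = "karl@example.com",
         iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Constructed walk-through: enrol, log in with the right and a wrong password, decrypt."""
    server_db = {}
    vault_key, auth_hash = derive_keys(master_password, email, iterations)
    vault = b'{"github.com": "k9!Qm2vL", "bank.example": "Zr7#pW4q"}'  # constructed sample
    register(server_db, email, auth_hash, encrypt_vault(vault_key, vault))

    blob = login(server_db, email, auth_hash)
    wrong_key, wrong_auth = derive_keys(wrong_password, email, iterations)
    result = {
        "login_ok": blob is not None,
        "wrong_login_ok": login(server_db, email, wrong_auth) is not None,
        "roundtrip_ok": decrypt_vault(vault_key, blob) == vault,
        "master_password_in_server_db": master_password.encode() in repr(server_db).encode(),
    }
    try:
        decrypt_vault(wrong_key, blob)
        result["wrong_key_decrypts"] = True
    except ValueError:
        result["wrong_key_decrypts"] = False
    return result
```

The point to take from `demo()`: a wrong master password fails at the login hash and again at the vault tag, and nothing in `server_db` lets the operator (or someone who dumps it) get further than an offline guessing attack against PBKDF2, which is exactly why the master password has to be strong and why losing it means losing the data.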
Using Lastpass
● Create account
● Create MASTER PASSWORD
● No master password = NO DATA
● Add 2-factor authentication
● Read blogs on securing and using it
● Some security settings are important
Lastpass Vault (not mine)
Login buttons
Best Practices – Master Pass
● Master password should be very good
– Write one or two copies down – optional
– The MP is obviously critical
– Losing master password means no data
● Never use 'Remember me' option
● Be careful with “Allow for XX hours”
Best Practices - Sites
● Every site gets a long, unique password
– As long as allowed, if possible
– Use symbols if allowed
● Change ALL passwords to random ones in PM
– (Optional) except things like financial accounts
– trade-offs for those as well
Best Practices - Sites
● Consider a 2nd, secure email address for financial accounts
● Maybe not really helpful
● Enable 2-factor and security notifications
2-Factor Authentication
● Something you know + Something you have
● Possibilities:
– cell phone / SMS text
– hardware key fobs / custom solutions
– TOTP / Google Authenticator
● How secure it is varies, despite being 2-factor (SMS is the weakest of these)
● Still a good thing - usually
2-Factor Best Practices
● Enable on critical accounts if at all possible
● Especially:
– Lastpass (or other PM)
– Google
– Facebook
– Linkedin
– Banks and Financial (!!)
● twofactorauth.org has a list
2-Factor Best Practices
● Realistically, it can often be bypassed
● Social engineering works really well
– Humans want to be helpful
● Password protection still the best option
● “Reset password” is almost universal
– Email security on accounts is paramount!
● Where you can't be secure, early notice is best
2-Factor Best Practices
● Some 2-factor sites (like Google) can give you one-time-use codes.
● Codes can substitute for your 2-factor once.
● Good to have as backup or travel
● Carefully print or control where they are
2-Factor Best Practices
● Be careful about critical 2-factor accounts
● You can lose access without it, sometimes!
● Understand how to transfer things like the Google Authenticator app to a new phone
● On most sites, losing your 2nd factor can be fixed with your account password, but not on every one!
● Codes are a good idea to have printed out
– Secure those puppies!
Passwords – Worst Practices
● Are you a worst practice-ing password-er?
● YOU ARE MAKING IT EASY!!!
– hackers <3 you – feel the love
● Bad ideas: Using personal data of any kind
– birthdays, anniversaries, dates
– addresses, cities, locations
– favorite colors, items, activities, ...
– old phone numbers and account numbers
– anything relating to your children or spouse
● Dictionary words of any kind, even modified
● DO NOT DO THIS!
How to make Secure Passwords
● Completely random is best
● Long, complex passwords are 2nd best
● Length of password matters - a lot
– every extra character multiplies the guessing work; derived encryption keys and hashes both benefit
● If you have to remember it, use strategies
Bad password example
● Example: Take two words, bunny + carrot
● Combine them and scramble a bit
– Bunn33%carrot
● This is much less secure than you might think
– cracking tools try dictionary words with leet-speak substitutions and tacked-on symbols first
– Though... still better than most out there
Good password example
● Start with a phrase, a made-up story is good
– “My bunny is weird, he only eats green carrots”
● Take first letters, scramble a bit
– Add punctuation/symbols
– replace some letters with unexpected ones
– add some simple words at the end to add length to the password
Good password example
“My bunny is weird, he only eats green carrots”
mY!biW+He0eatsgreencarrots
● Sufficient Random-ish chars important (8+)
● Extra words or characters help – even if simple
● You'll have to type this out, don't be too crazy
● You need to remember it
– Putting it on a post-it kind of beats the point of it
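The "How to make Secure Passwords" slide and the two bunny-and-carrot examples above come down to counting guesses, so here is the arithmetic in code. This is an added example, not from the talk: it generates passwords the way a manager does (uniform picks from the CSPRNG), computes the naive character-set entropy, and then models `Bunn33%carrot` the way a cracking rule set sees it (two dictionary words, a few mangling variants each, one separator symbol). The dictionary size, variants per word, separator count and the guessing rate are assumed model figures, not measurements.

```python
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """What a password manager's generator does: uniform picks from the CSPRNG, no structure."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need a positive length and at least two distinct symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing work for a uniformly random string: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def pattern_entropy_bits(words: int, dictionary_size: int,
                         variants_per_word: int = 8, separator_choices: int = 32) -> float:
    """Guessing work for 'dictionary words + leet/capitalisation + a symbol between them',
    as a cracking rule set models it: each word is one of dictionary_size entries times a
    handful of mangling variants, joined by one of separator_choices symbols.
    The defaults are assumed model sizes, not measured figures."""
    word_bits = words * math.log2(dictionary_size * variants_per_word)
    separator_bits = max(words - 1, 0) * math.log2(separator_choices)
    return word_bits + separator_bits


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at the given rate; the expected time is half this."""
    return 2.0 ** bits / guesses_per_second


def compare_bunny_carrot(guesses_per_second: float = 1e10) -> dict:
    """The slide's Bunn33%carrot: 13 printable characters, but built from two words.
    The default rate is an assumption for an offline attack on a fast hash."""
    naive = random_entropy_bits(13, len(PRINTABLE))
    pattern = pattern_entropy_bits(words=2, dictionary_size=20_000)
    generated = random_entropy_bits(20, len(PRINTABLE))
    return {
        "naive_bits": naive,
        "pattern_bits": pattern,
        "pattern_seconds": seconds_to_exhaust(pattern, guesses_per_second),
        "generated_20_bits": generated,
        "generated_20_seconds": seconds_to_exhaust(generated, guesses_per_second),
    }
```

Under this model the 13-character `Bunn33%carrot` looks like roughly 85 bits if you count characters but is closer to 40 bits once the attacker guesses words rather than characters, which at ten billion guesses a second is a couple of minutes; a 20-character generated password from the same alphabet is about 131 bits and never finishes. The passphrase on the slide sits in between: the leading random-ish characters are what carry it, and the trailing words add cheap length.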
App-specific passwords
● Offered by Google, Microsoft, Facebook, etc.
● Creates a separate, single-purpose password (or several), shown to you once
– Sometimes it can be named, e.g. “iPhone email”
● Limited ability to change account settings
● You can revoke all app-specific passwords from the master account controls
● Use for iPhone email, IM chats, etc.
● Avoid using your real passwords whenever you can
2-Factor Example: Google
● Implements TOTP (RFC 6238)
● Scans a QR code (or type it in) to load the shared secret
● Generates a 6-digit code from the secret and the current time (HMAC-SHA1)
● Codes last about 30 seconds, then change
● Turns your mobile device into an RSA-style key fob
● Works very easily in practice
● Add it everywhere you can!
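What the Google Authenticator slide describes, in code, together with the printed one-time-use backup codes from the 2-Factor Best Practices slides. This is an added example, not code from the talk or from Google: it implements HOTP (RFC 4226) and TOTP (RFC 6238) with the Python standard library and checks against the RFC's published test vectors, and the backup-code format (10 hex characters, stored server-side as salted SHA-256) and the combined `verify_second_factor` flow are my choices for illustration.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time
from typing import List, Optional

PERIOD = 30   # seconds per time step, the Google Authenticator default
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation, mod 10^digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: Optional[int] = None, period: int = PERIOD) -> str:
    """RFC 6238: HOTP with counter = floor(unix time / period). Phone and server each compute
    this from the shared secret; only the 6 digits ever cross the wire."""
    if at_time is None:
        at_time = int(time.time())
    return hotp(secret, at_time // period)


def secret_from_base32(encoded: str) -> bytes:
    """The otpauth:// URI in the enrolment QR code carries the secret as (often unpadded) base32."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(secret: bytes, submitted: str, at_time: int, skew: int = 1) -> bool:
    """Accept the current step plus `skew` steps either side for clock drift, comparing in
    constant time. A real server must also record the last accepted step to block replays."""
    step = at_time // PERIOD
    return any(hmac.compare_digest(hotp(secret, step + d), submitted)
               for d in range(-skew, skew + 1))


class BackupCodes:
    """One-time-use fallback codes (the printed kind). Plaintext is handed out exactly once;
    the server keeps only salted hashes and drops a hash when its code is redeemed."""

    def __init__(self, count: int = 10):
        self._salt = secrets.token_bytes(16)
        self._issued = [secrets.token_hex(5) for _ in range(count)]  # 10 hex chars, 40 bits
        self._unused = {self._hash(c) for c in self._issued}

    def _hash(self, code: str) -> str:
        return hashlib.sha256(self._salt + code.strip().lower().encode()).hexdigest()

    def issue(self) -> List[str]:
        """Return the plaintext codes once; later calls get an empty list."""
        codes, self._issued = self._issued, []
        return codes

    def redeem(self, code: str) -> bool:
        digest = self._hash(code)
        if digest in self._unused:
            self._unused.discard(digest)
            return True
        return False

    def remaining(self) -> int:
        return len(self._unused)


def verify_second_factor(secret: bytes, backups: BackupCodes, submitted: str, at_time: int) -> str:
    """Server-side check: a live TOTP code first, a backup code as the fallback, else reject."""
    if verify_totp(secret, submitted, at_time):
        return "totp"
    if backups.redeem(submitted):
        return "backup"
    return "rejected"
```

Two things the slides say that the code makes concrete: the secret loaded from the QR code is the whole second factor, so anyone who photographs it can generate your codes forever, and the backup codes are only as safe as wherever you keep the printout, since each one is a full bypass of the authenticator until it is redeemed. Both paths still need rate limiting on the server; six digits or ten hex characters do not survive unlimited online guessing.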
Final Suggestions
● Never, ever give out passwords
● IT staff and legitimate sites almost never need them
● Don't save your corporate credentials – ever
● Be very careful giving out information
● Be very careful using devices that aren't yours
Final Suggestions
● Password managers are worthless without good device and computer security!
– phishing
– malware / viruses
– social engineering
– saved passwords in browser
● Use passcodes on your phone
● Configure phone to erase itself after X tries
Final Suggestions
● Email account is critical
● Almost all sites have “reset password” via email
● A reset can usually bypass 2-factor as well (!!!)
Q&A
Questions?
