3 tips to make you more secure online

#61
Passwords used to be great - in the 1960s. I remember it well. Today, they're all but useless for all of the reasons given above. If you work in IT, your employers might give you a one-time password generator like these:



The displayed number changes every 60 seconds and that is your password. The tokens are expensive and they need to be replaced every couple of years when the batteries run out. Also, you need a server to run the validation software and that's not cheap either. OK for companies but no good for individuals like us.

Lastpass is a great tool but a victim of its own success. Lastpass remembers all your passwords so you don't have to. If somebody guesses your master password, you are stuffed. There are a couple of ways that you can improve the security of Lastpass and other online services for little or no cost.

The first way is to use Google Authenticator. This is a free app for your phone that behaves like the RSA tokens shown above.



Shown above are authenticator codes for two Gmail accounts. The numbers change every 60 seconds and they are generated using the time and a secret code shared between your phone and the service you are using. The algorithm used to generate the numbers is in the public domain so the app can be used with many other services including Dropbox, Lastpass and Facebook.

If you lose your phone you are comprehensively stuffed as Google Authenticator helpfully puts your user name beside the ever changing password and, without your phone, you can't access your services to revoke Google Authenticator access. Lastpass goes some way to solving this problem by providing single use, emergency passwords. You can generate 10 of them at a time in the security section of Lastpass. Don't write them down! Put them in encrypted storage somewhere like a USB drive small enough to carry on your keyring.

Perhaps the best solution to the password problem is a hardware authenticator. This is a small token that plugs into the USB port on your computer. You can't access your services unless the token is plugged in.

One popular type of token is called a Yubikey. There are various types that come with different levels of functionality and price tags from about £20 to about £50.



The chip inside these devices is the same as the cryptographic processor embedded in Visa and Mastercard credit cards, so it's very secure. If you are James Bond or Secret Squirrel you can buy FIPS-certified versions of these devices for not much more than the standard ones, and they are very, very secure. The authenticator with the WiFi logo isn't WiFi compatible but it is NFC compatible, so you can use it with your phone.

A description of the features of each authenticator is shown here.

All of them can use a fairly new technique called FIDO to access services via a compatible browser. Not many websites use FIDO but it's gaining in popularity.

All of the devices except the blue one can also be programmed with a static password, e.g. your Lastpass master password. They can generate one time passwords like the RSA tokens and the Google Authenticator app. Unlike RSA tokens, Yubikeys don't need a battery so they will last indefinitely and they manifest themselves to the operating system as a keyboard so you don't need to install drivers.

Yubikeys can store X.509 certificates to send encrypted mail via Outlook and PGP key pairs for encrypting files and text on your PC. The files can't be decrypted without the Yubikey device plugged in, so it's ideal for storing those emergency Lastpass passwords, your dealer's phone number and the dark net email address of a contract killer in case the mother-in-law pushes you too far this Christmas.

If you log in to UNIX/Linux boxes, this feature also allows you to forget about /etc/passwd and authenticate using key pairs. You can't log in without having the Yubikey plugged in and knowing the Yubikey password.

The Yubikey itself is protected by a password, but it works like your bank card or the SIM card in your phone. Enter the wrong password 3 times and the Yubikey locks up and can't be used, so it's safe from brute forcing.

I have been using a Yubikey for a couple of years and I find it very useful. I've been hacked twice and both times I lost moderate amounts of money. Had I bought a Yubikey before being hacked instead of after, it would have paid for itself a couple of times over.
 
#62
Some banks (Nationwide for me) give you a device that you stick your debit card in and which generates a code every time you set up a new payee, so if anyone got into your account they'd need your debit card together with the gadget to move money out of your account.

 
#63
I just wrote my own crypto tool. You just type in a random memorable word, and you can change the value from 0-10 and it will generate a few different strings, getting progressively more unhackable against brute force attacks. They are not in any dictionary, and they can't be reversed either.

The second last line is where words become unhackable; the last line just makes it shorter :) You'll not find those in any tables or be able to hack them without a supercomputer and lots of centuries of spare time.



And for those in doubt - try and reverse this back to a word: 2tG13Vym9hOBHoE9
 
#64
I just wrote my own crypto tool. You just type in a random memorable word, and you can change the value from 0-10 and it will generate a few different strings, getting progressively more unhackable against brute force attacks. They are not in any dictionary, and they can't be reversed either.

The second last line is where words become unhackable; the last line just makes it shorter :) You'll not find those in any tables or be able to hack them without a supercomputer and lots of centuries of spare time.



And for those in doubt - try and reverse this back to a word: 2tG13Vym9hOBHoE9
Lovely.

How does this make Joe/Jane Average more secure online?
 