Forgot password? Five reasons why you need a password manager


For years, I’ve been reading predictions about new technologies that will render passwords obsolete. Then I click through and inspect the details and I wind up shaking my head. There are plenty of clever identity technologies working their way into the mainstream, but passwords will remain a necessary evil for many years to come.

And unless you want to be a sitting duck on the Internet, you need a strategy for managing those passwords. Large organizations can create sensible password policies and use single-sign-on software, but small businesses and individuals are on their own.


As best practices go, the rules for creating passwords are simple: Use a random combination of numbers, symbols, and mixed-case letters; never reuse passwords; turn on two-factor authentication if it’s available.

There’s some disagreement on whether you should change passwords regularly. I think there’s a strong case to be made for changing passwords every year or so, if only to avoid being innocently caught up in a database breach.

And, as far as I am concerned, the most important rule of all is to use a password manager.

I have used several software-based password managers over the years and can’t imagine trying to get through the day without one.

I know people who keep password lists in an encrypted file of some sort. That’s exactly what a software-based password manager does. But that’s where the resemblance stops.

In this article, I explain why I consider a password manager essential, with links to five programs that I recommend. I also tackle some of the arguments I routinely hear from skeptics.

The case for password managers

The five programs that I have examined for this article are all similar in their core features. On a Windows PC or a Mac, you install a program that does the work of saving sets of credentials in a database whose contents are protected with AES-256 encryption. To unlock the password database, you enter a decryption key (your master password) that only you know.

Password managers that sync your password database to the cloud use end-to-end encryption. The data is encrypted before it leaves your device, and it stays encrypted as it’s transferred to the remote server. When you sign in to the sync service from your device, the app sends the server a one-way hash derived from your master password; that hash identifies you to the service but can’t be used to decrypt the file itself.


The companies that manage and sync those saved files don’t have access to the decryption keys. In fact, your master password isn’t stored anywhere, and if you forget it, you’re out of luck. There’s no known way to crack an AES-256 encrypted file that’s protected with a strong personal key.

That architecture offers five distinct advantages over a DIY solution.

One: Browser Integration

Most password managers include browser extensions that automatically save credentials when you create a new account or sign in using those credentials for the first time. That browser integration also allows you to automatically enter credentials when you visit a matching website.

Contrast that approach with the inevitable friction of a manual list. You don’t need to find a file and add a password to it to save a new or changed set of credentials, and you don’t need to find and open that same file to copy and paste your password.

Two: Password Generation

Every password manager worth its salted hash includes a password generator capable of instantly producing a truly random, never-before-used-by-you password. If you don’t like that password, you can click to generate another. You can then use that random password when creating a new account or changing credentials for an existing one.

Most password managers also allow you to customize the length and complexity of a generated password so you can deal with sites that have peculiar password rules.

With the possible exceptions of John Forbes Nash, Jr., and Raymond Babbitt, mere mortals are not capable of such feats of randomization.

Three: Phishing Protection

Integrating a password manager with a browser is superb protection against phishing sites. If you visit a site that has managed to perfectly duplicate your bank’s login page and even mess with the URL display to make it look legit, you might be fooled. Your password manager, on the other hand, won’t enter your saved credentials, because the URL of the fake site doesn’t match the legitimate domain associated with them.


That phishing protection is probably the most underrated feature of all. If you manage passwords manually, by copying and pasting from an encrypted personal file, you will paste your username and password into the respective fields on that well-designed fake page, because you don’t realize it’s fake.
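The matching rule that makes this work, as an added example (not code from the article or from any browser extension it mentions): a saved credential is bound to the origin it was saved on, and autofill compares parsed scheme and host, not what the page looks like. The SavedLogin type, the subdomain rule and the sample hostnames are this example's own assumptions; a production extension would also consult the public suffix list.

```go
package main

import (
	"net/url"
	"strings"
)

// SavedLogin is one vault entry. The credential is bound to the origin where
// it was saved, not to a site name the user might recognise by eye.
type SavedLogin struct {
	Origin   string // e.g. "https://bank.example"
	Username string
}

// hostMatches reports whether current is the saved host or a subdomain of it.
// The suffix check is done on a dot boundary, so "evil-bank.example" and
// "bank.example.evil.test" do not match "bank.example".
func hostMatches(saved, current string) bool {
	saved, current = strings.ToLower(saved), strings.ToLower(current)
	return current == saved || strings.HasSuffix(current, "."+saved)
}

// ShouldAutofill applies the rule the article describes: the manager offers
// the credential only when the page's real origin matches the stored one.
// Lookalike names, userinfo tricks ("https://bank.example@evil.test") and a
// plain-http copy of the login page all fail, because the comparison is made
// on parsed URL fields rather than on anything displayed to the user.
func ShouldAutofill(entry SavedLogin, pageURL string) bool {
	saved, err := url.Parse(entry.Origin)
	if err != nil || saved.Hostname() == "" {
		return false
	}
	page, err := url.Parse(pageURL)
	if err != nil || page.Hostname() == "" {
		return false
	}
	// Never downgrade: a credential saved over https is not offered to http.
	if saved.Scheme == "https" && page.Scheme != "https" {
		return false
	}
	return hostMatches(saved.Hostname(), page.Hostname())
}
```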

Four: Cross-Platform Access

Password managers work across devices, including PCs, Macs, and mobile devices, with the option to sync your encrypted password database to the cloud. Access to that file and its contents can be secured with biometric authentication and 2FA.

By contrast, if you manage passwords in an encrypted file that’s saved locally, you have to manually copy that file to other devices (or keep it in the cloud in a location under your personal control), and then make sure the contents of each copy stay in sync. More friction.

Five: Surveillance Safeguard

Password managers generally offer good protection against “shoulder surfing.” An attacker who’s able to watch you type, either live or with the help of a surveillance camera, can steal your login credentials with ease. Password managers never expose those details.

Even armed with those arguments, when I make that recommendation to other people, I typically hear the same excuses.

“I already have a perfectly good system for managing passwords.”

Usually, this system involves reusing an easy-to-remember base password of some sort and tacking on a per-site suffix or prefix. The trouble with that scheme is that those passwords aren’t random, and if someone figures out your pattern, they have a skeleton key that unlocks everything. And a 2013 research paper from computer scientists at the University of Illinois, Princeton, and Indiana University, The Tangled Web of Password Reuse, demonstrated that attackers can figure out those patterns very, very quickly.

More importantly, this sort of scheme doesn’t scale. Eventually it collides with the password rules at a site that, say, doesn’t allow special characters or restricts password length. (I know, that’s nuts, but those sites exist.) Or a service forces you to change your password and then rejects the new one because it’s too close to the previous one, and now you have yet another exception to your system to keep track of.


And so you wind up keeping an encrypted list of passwords that are not exactly unique and not exactly random, and not at all secure. Why not just use software built for this purpose?

“If someone steals my password file, they have all my passwords.”

No, they don’t. They have an encrypted file that is, for all intents and purposes, useless gibberish. The only way to extract its secrets is with the decryption key, which you and you alone know.

Of course, this assumes you’ve followed some reasonable precautions with that decryption key. Specifically, that you’ve made it long enough, that it can’t be guessed even by someone who knows you well, and that you’ve never used it for anything else.

If you need a strong and unique password, you can generate one at correcthorsebatterystaple.net, which uses the surprisingly secure methodology from this classic XKCD cartoon.

You definitely shouldn’t write that key down on a sticky note or a piece of paper in your desk drawer, either. But you might want to write down that password and store it in a very safe place or with a very trusted person, along with instructions for how to use it to unlock your password file in the event something happens to you.

“I don’t trust someone else to store my passwords on their server.”

I understand the instinctive reaction that allowing a cloud service to keep your full database of passwords must be a horrifying security risk. Like anything cloud-related, there’s a trade-off between convenience and security, but that risk is relatively low if the service follows best practices for encryption and you’ve set a strong master password.

But if you just don’t trust the cloud, you have alternatives.


Several of the password managers I’ve looked at offer the option to store a local-only copy of your AES-256 encrypted file, with no sync features whatsoever. If you choose that option, you’ll have to either forgo the option to use your password manager on multiple devices or devise a way to manually sync those files between different devices.

As a middle ground, you can use a personal cloud service to sync your password files. 1Password, for example, supports automatic syncing to both Dropbox and iCloud, ensuring that you’re protected even if one of those services is compromised.

“I’m not a target.”

Yes, you are.

If you’re a journalist working on security issues, or an activist in a country whose leaders don’t approve of activism, or a staffer on a high-profile political campaign, or a contractor who communicates with people in sensitive industries, you’re a high-value target. Anyone who fits into one of those categories should take opsec seriously, and a password manager is an essential part of a well-layered security program.

But even if you’re not an obvious candidate for targeted attacks, you can be swept up in a website breach. That’s why Have I Been Pwned? exists. It’s easy enough for a compromised website to force you to reset your password, minimizing the risk of that breach, but if you’ve used that same combination of credentials elsewhere, you’re at serious risk.

Five password managers worth considering

I have personally used all the programs in this list. For each one, I’ve included pricing details as well as a link to security information. Every paid program offers a free trial; I recommend taking advantage of those trials to see if a program is right for you.

1Password

Although this product earned its reputation on Apple devices, it has embraced Windows, Android, and Chrome OS as well. Personal subscriptions are $3 per month; a family option is $5 a month (both prices require annual billing). Password files can be stored locally, synced from 1Password’s servers, or connected to a Dropbox or iCloud account. Team, Business, and Enterprise accounts add 2-factor authentication and start at $4 per user per month. Security details here.

Dashlane

The youngest member of the group has been around for more than six years and has earned a reputation for ease of use. Apps are available for Windows PCs, Macs, Android, and iOS. If your password database includes fewer than 50 entries, you can get by with the free version. The $5-per-month Premium version includes a VPN option, and the $10-a-month bundle adds credit monitoring and identity theft features. Business plans include the same features as Premium, at $4 per user per month. Security details here.

KeePass

If you’re cloud-phobic or if you insist on open source software, this is your option. KeePass runs on every desktop and mobile platform, including most Linux distros, and it’s free (as in beer). Files are stored locally, and you’ll want to master its arcane keyboard shortcuts to fill in passwords automatically. Browser integration is available via third-party plugins; for multi-device use, the program’s built-in sync engine automatically updates the password database in whatever cloud-based storage location you specify. Security details here.

LastPass

Arguably the best known of the bunch, LastPass is free and works on all major desktop and mobile platforms. The service is cloud-based only, with files stored on the company’s servers and synced to local devices. A Premium version ($3 a month) supports advanced 2-factor authentication options; $4 a month covers a family of up to five. Business plans start at $4 per user per month. LastPass suffered an embarrassing data breach in 2015, shortly before the company was acquired by LogMeIn. Security details here.

RoboForm

Launched in 2000, RoboForm is by far the most senior member of the category. The free version supports unlimited logins and stores its database file locally. RoboForm Everywhere is a $24-a-year subscription service that adds cloud backup, sync, and 2-factor authentication features. The Family option ($48 a year) covers up to five users, and business plans cost $35 per user. Discounts are available for multi-year purchases. Security details here.


Affiliate disclosure: ZDNet earns commissions from the products and services featured on this page.


Defeating Distributed Denial of Service Attacks


It seems like every day the news brings new stories of cyberattacks, whether ransomware, malware, crippling viruses or, more frequently of late, distributed denial of service (DDoS) attacks. According to Infosec magazine, in the first half of 2020, there was a 151% increase in the number of DDoS attacks compared to the same period the previous year. That same report states experts predict as many as 15.4 million DDoS attacks within the next two years.

These attacks can be difficult to detect until it’s too late, and then they can be challenging to defend against. There are solutions available, but there is no one magic bullet. As Alastair Cooke points out in his recent “GigaOm Radar for DDoS Protection” report, there are different categories of DDoS attacks.

And different types of attacks require different types of defenses. You’ll want to adopt each of these three defense strategies against DDoS attacks to a certain degree, as attackers are never going to limit themselves to a single attack vector:

Network Defense: Attacks targeting the OS and network operate at either Layer 3 or Layer 4 of the OSI stack. These attacks don’t flood the servers with application requests but attempt to exhaust TCP/IP resources on the supporting infrastructure. DDoS protection solutions defending against network attacks identify the attack behavior and absorb it into the platform.

Application Defense: Other DDoS attacks target the actual website itself or the web server application by overwhelming the site with random data and wasting resources. DDoS protection against these attacks might handle SSL decryption with hardware-based cryptography and prevent invalid data from reaching web servers.

Defense by Scale: There have been massive DDoS attacks, and they show no signs of stopping. The key to successfully defending against a DDoS attack is to have a scalable platform capable of deflecting an attack led by a million bots with hundreds of gigabits per second of network throughput.

Table 1. Impact of Features on Metrics (table not reproduced here)

DDoS attacks are growing more frequent and more powerful and sophisticated. Amazon reports mitigating a massive DDoS attack a couple of years ago in which peak traffic volume reached 2.3 Tbps. Deploying DDoS protection across the spectrum of attack vectors is no longer a “nice to have,” but a necessity.

In his report, Cooke concludes that “Any DDoS protection product is only part of an overall strategy, not a silver bullet for denial-of-service hazards.” Evaluate your organization and your needs, read more about each solution evaluated in the Radar report, and carefully match the right DDoS solutions to best suit your needs.

Learn More About the Reports: Gigaom Key Criteria for DDoS, and Gigaom Radar for DDoS

The post Defeating Distributed Denial of Service Attacks appeared first on GigaOm.


Assessing Providers of Low-Power Wide Area Networks


Companies are taking note of how Low-Power Wide Area Networks (LPWAN) can provide long-distance communications for certain use cases. Its slow data transfer rates and high latency won’t drive high-intensity video streaming or other bandwidth-hungry applications, but it can provide inexpensive, low-power, long-distance communication.

According to Chris Grundemann and Logan Andrew Green’s recent report “GigaOm Radar for LPWAN Technology Providers (Unlicensed Spectrum) v1.0,” this growing communications technology is suitable for use cases with the following characteristics:

  • Requirement for long-distance transmission—10 km/6 miles or more wireless connectivity from sensor to gateway
  • Low power consumption, with battery life lasting up to 10 years
  • Terrain and building penetration to circumvent line-of-sight issues
  • Low operational costs (device management or connection subscription cost)
  • Low data transfer rate of roughly 20 kbps

These use cases could include large-scale IoT deployments within heavy industry, manufacturing, government, and retail. The LPWAN technology providers evaluated in this Radar report are currently filling a gap in the IoT market. They are certainly poised to benefit from the anticipated rapid adoption of LPWAN solutions.

Depending on the use case you’re looking to fulfill, you can select from four basic deployment models from these LPWAN providers:

  • Physical Appliance: This option would require a network server on-premises to receive sensor data from gateways.
  • Virtual Appliance: Network servers could also be deployed as virtual appliances, running either on-premises or in the cloud.
  • Network Stack as a Service: With this option, the LPWAN provider fully manages your network stack and provides you with the service. You only need devices and gateways to satisfy your requirements.
  • Network as a Service: This option is provided by mobile network operators, with the provider operating the network stack and gateways. You would only need to connect to the LPWAN provider.

Figure 1. LPWAN Connectivity

The LPWAN providers evaluated in this report are well-positioned from both a business and technical perspective, as they can function as a single point of contact for building IoT solutions. Instead of cobbling together other solutions to satisfy connectivity protocols, these providers can set up your organization with a packaged IoT solution, reducing time to market and virtually eliminating any compatibility issues.

The unlicensed spectrum aspect is also significant. The LPWAN technology providers evaluated in this Radar report use at least one protocol in the unlicensed electromagnetic spectrum bands. There’s no need to buy FCC licenses for specific frequency bands, which also lowers costs.

Learn More: Gigaom Enterprise Radar for LPWAN

The post Assessing Providers of Low-Power Wide Area Networks appeared first on GigaOm.


The Benefits of a Price Benchmark for Data Storage


Why Price Benchmark Data Storage?

Customers, understandably, are highly driven by budget when it comes to data storage solutions. The costs of switching, upkeep, and upgrades are high-risk factors for businesses, and therefore decision makers need to look for longevity in their chosen solution. Many factors influence how data needs to be handled within storage, including whether data is frequently accessed or is rarely-accessed legacy data.

Storage performance may also be shaped by geographic location, from remote work or global enterprises that need to access and share data instantly, or by the necessity of automation. Each element presents a new price-point that needs to be considered, by customers and by vendors.

A benchmark gives a comparison of system performance based on a key performance indicator, such as latency, capacity, or throughput. Competitor systems are analyzed in like-for-like situations that optimize the solution, allowing a clear representation of the performance. Price benchmarks for data storage are ideal for marketing, showing customers exactly how much value for money a solution has against competitor vendors.

Benchmark tests reinforce marketing collateral and tenders with verifiable evidence of performance capabilities and how the transactional costs relate to them. Customers are more likely to invest in long-term solutions with demonstrable evidence that can be corroborated. Fully disclosed testing environments, processes, and results, give customers the proof they need and help vendors stand out from the crowd.

The Difficulty in Choosing

Storage solutions vary greatly, from cloud options to those that utilize on-premises software. Data warehouses have different focuses which impact the overall performance, and they can vary in their pricing and licensing models. Customers find it difficult to compare vendors when the basic data storage configurations differ and price plans vary. With so many storage structures available, it’s hard to explain to customers how output relates to price, appeal to their budget, and maintain integrity, all at the same time.

Switching storage solutions is also a costly, high-risk decision that requires careful consideration. Vendors need to create compelling and honest arguments that provide reassurance of ROI and high quality performance.

Vendors should begin by pitching their costs at the right level; they need to be profitable but also appealing to the customer. Benchmarking can give an indication of how competitor cost models are calculated, allowing vendors to make judgements on their own price plans to keep ahead of the competition. 

Outshining the Competition

Benchmark testing gives an authentic overview of storage transaction-based price-performance, carrying out the test in environments that imitate real-life. Customers can gain a higher understanding of how the product works in terms of transactions per second, and how competitors process storage data in comparison.

The industry standard for benchmarking is the TPC Benchmark E (TPC-E), a recognized standard for storage vendors. Tests need to be performed in credible environments; by giving full transparency on their construction, vendors and customers can understand how the results are derived. This can also prove systems have been configured to offer the best performance of each platform.

A step-by-step account allows tests to be recreated by external parties given the information provided. This transparency in reporting provides more trustworthy and reliable outcomes that offer a higher level of insight to vendors. Readers can also examine the testing and results themselves, to draw independent conclusions.

Next Steps

Price is the driving factor for business decisions, and the selection of data storage is no different. Businesses often look towards low-cost solutions that offer high capacity, and current trends have pushed customers towards cloud solutions, which are often cheaper and more flexible. The marketplace is crowded with options: new start-ups are continually emerging, and long-serving vendors need to reinvent and upgrade their systems to keep pace.

Vendors need evidence of price-performance, so customers can be reassured that their choice will offer longevity and functionality at an affordable price point. Industry-standard benchmarking identifies how performance is impacted by price and which vendors are best in the market – the confirmation customers need to invest.


The post The Benefits of a Price Benchmark for Data Storage appeared first on GigaOm.
