I was wondering what to write about this week for “The Wednesday Bit” – I knew it was not going to be passwords. I have had enough of that!
I got started on a spin-off topic from an IT and Cyber Security Audit I am running at the moment about personal and work mobile phones, but then I saw a story on Bleeping Computer about stolen credentials. (Abrams. 2023)
Researchers believe that cryptocurrency thefts of $4.4 million was a result of threat actors using information retrieved from Stolen LastPass databases.
Do You Use LastPass?
I do think online password banks – such as LastPass – are a good idea, better than Post-It notes or notebooks marked “secret”, but I always recommend that clients take responsibility for their own password security. There are various ways to do that securely – I wrote about some in an article on CyberAwake last month.
Here is my article from CyberAwake discussing how to store your passwords securely.
Clive
BACK TO BASICS – ONE MORE THING ABOUT YOUR PASSWORDS
Did I say my mini-series on passwords was finished? You may have thought that from the title of the previous part – Back to Basics Your Password the Finale – but then I was asked a question during a meeting by a reader of the series.
“How do I remember all the complicated passwords you want me to use?”
It is a good question and I have three answers to the problem.
Passwords on Paper
This is an option, and I have at least two clients who admit to keeping their passwords in a pocket sized notebook. Now there may be ways to obfuscate the sensitive information and make this secure but I am not convinced. The big advantage of this approach is that the valuable passwords are inaccessible to an online attack. However, if the notebook is lost or stolen I am not sure what the incident response plan should be, except sit down and start changing passwords, beginning with those not protected by multi-factor authentication.
If you do use a notebook don’t get one that says “Passwords” on the cover!
Password Bank Service
A quick google will present you with a list of websites that all promise to keep your valuable credentials secure from hackers but available to you. You will be trusting them to do this. However, another Google search will list all the news articles where services such as the popular LastPass have suffered data leaks and breaches. Now many of these service providers will tell you that no user passwords were compromised – but they also offered a secure service!
Passwords in an Encrypted File
Or you can take responsibility for your own passwords and keep them in a Microsoft Office encrypted document – then you only need to remember one complicated password. Both Microsoft Word and Excel can be encrypted and we have clients who have devised systems using them to store passwords. My particular favourite though is OneNote. As individual sections within a notebook can be encrypted with different passwords, it offers the option of enforcing some granular control on the passwords within an organisation.
Now you choose
There are my three answers, you need to choose the one that best suits you – but please don’t choose paper!
Clive Catton MSc (Cyber Security) –by-line and other articles 3 October 2023 (CyberAwake)
References
Abrams, L. (2023, October 30). Lastpass breach linked to theft of $4.4 million in Crypto. BleepingComputer. https://www.bleepingcomputer.com/news/security/lastpass-breach-linked-to-theft-of-44-million-in-crypto/
Back to Basics – One more thing about your passwords – CyberAwake
Further Reading
Back to Basics – The Password
Back to Basics – The Password Part 2
Back to Basics – The Password Keyboard Walk Part 3
Back to Basics – Password Sharing Part 4
Back to Basics Your Password the Finale Part 5
Back to Basics – One more thing about your passwords Part 6
Passwords – Security Theatre Part 7
Back to Basics – Password Fatigue Part 8
Back to Basics – Passwords and Ordinary People Part 9
From the National Cyber Security Centre:
Three random words – NCSC.GOV.UK
Using passwords to protect your devices and data (ncsc.gov.uk)