Managing Password

Pavel Saman
5 min read · Jan 2, 2022

This article is going to be a little bit different: it’s not going to be about testing as usual. In 2021, I witnessed a couple of compromised accounts, compromised company accounts, and an identity theft. Fortunately, none of that happened to me, but I was close enough to those people to see that it created a lot of trouble for them. I will, therefore, write this short piece on how to use passwords more securely.

You have probably heard that you should create strong passwords. That’s a sound piece of advice, but unfortunately many people don’t know what to imagine behind it.

However, I’d like to approach it from a different angle, because you can’t really have strong passwords if you can’t generate them randomly. And you are unlikely to do that because you will not remember such passwords. Therefore, step number one is getting yourself a good password manager.

The way such software works is it stores all your passwords under a master password (and preferably also a second authentication method like YubiKey). In addition to that, it can often generate random passwords for you, which is going to solve the problem of strong passwords.

There are a whole bunch of password managers, some of them are offline, some of them are in the cloud. I’m skeptical about those that store your passwords (even though they are encrypted) in the cloud, because that simply means those passwords are not in your possession. And if the cloud gets hacked, there’s a potential problem of someone getting to all of your passwords. That can obviously happen with your own device as well, but I’d bet on the fact that this is much less likely unless you are someone important (like a prime minister of some country) and it therefore makes sense to dedicate all necessary resources to hacking just one person.

I don’t want to recommend many tools because one should always do their own research; however, I use KeePassXC, which seems like a good option as of 2022. KeePassXC simply stores all your passwords in an encrypted file on your hard drive. That file is encrypted with a master password and possibly other methods like YubiKey.

One thing that KeePassXC can do for you is password generation.

[Image: KeePassXC password generation]

Both features, storing passwords and generation of passwords, are something you should start using as soon as possible.
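To make concrete what a password manager’s generator does, here is a small added example in Python. It is not code from the post or from KeePassXC; it draws characters uniformly from the selected character classes with the `secrets` module (a CSPRNG, unlike `random`), retries until every class is present, and reports the resulting entropy estimate so you can see why a 20-character random password is in a different league from anything memorable.

```python
import math
import secrets
import string

# Character classes the generator draws from (the same idea as the class
# checkboxes in a password manager's generator dialog).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": string.punctuation,
}
DEFAULT_CLASSES = ("lower", "upper", "digit", "special")


def has_every_class(password: str, classes=DEFAULT_CLASSES) -> bool:
    """True if at least one character of each selected class appears."""
    return all(any(ch in CLASSES[c] for ch in password) for c in classes)


def generate_password(length: int = 20, classes=DEFAULT_CLASSES) -> str:
    """Return `length` characters drawn uniformly (secrets.choice) from the
    union of the selected classes, retried until every class appears.

    Rejection sampling keeps the distribution uniform over the accepted
    set; forcing one slot per class up front would skew it instead."""
    if length < len(classes):
        raise ValueError("length too short to contain every selected class")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_every_class(candidate, classes):
            return candidate


def entropy_bits(length: int, classes=DEFAULT_CLASSES) -> float:
    """Entropy of a uniformly generated password: length * log2(alphabet).
    The 'every class present' rule rejects a negligible fraction of
    candidates at realistic lengths, so this is a close estimate."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for n in (12, 20, 32):
        print(f"{n:2d} chars: {generate_password(n)}  (~{entropy_bits(n):.0f} bits)")
```

With all four classes the alphabet has 94 symbols, so 20 characters give about 131 bits; a lowercase-only password of the same length gives about 94. The generator never tries to make the output pronounceable or memorable, which is exactly why it belongs behind a password manager.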

You should also back up the KeePass database (it’s a file on your hard drive). Even though it’s encrypted, I don’t recommend using any cloud for that. Use an encrypted external disk or USB stick. I personally have the file in a few copies on a few different encrypted devices at different locations, plus one that’s always with me.

A password manager with random password generation is going to solve the most obvious problem, but it’s not all.

Another step on your way to staying more secure is to start using multifactor authentication (MFA) wherever possible. That means that a password alone is not enough to sign in to your account. You also need to provide another piece of information to be allowed through. An example of this scheme is an ATM. You put in your card (one authentication token) and then you have to type in a code (another authentication token). Only then can you withdraw cash.

ATMs have provided MFA for years now, yet it’s still something not widely used in the online world. However, MFA is becoming more widespread, so look into the settings and you might find such an option.

Sometimes you can find different ways to go about the MFA. Some services allow you to use something like a hardware token (YubiKey is one example), some will work with an authentication app, some will work with SMS. The preferred order is just like mentioned in the previous sentence. I personally use an authentication app and sometimes a hardware token.

I also recommend reading some references before starting to use an authentication app. You should preferably go for something with a good reputation, an app that’s actively maintained, preferably audited, and open-source. Do your own research and find one that meets as many of these conditions as possible.

Also, MFA can be set up for your operating system as well (at least I use it like so on Linux). Setting up something like a YubiKey along with your regular password is not that difficult and it can improve your security.
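The codes an authentication app shows are not magic; they are TOTP (RFC 6238) over a shared secret, which is why the app keeps working offline. As an added example (not from the post, and not any particular app’s code), here is the algorithm in Python using only the standard library, with the server-side check that accepts one time step of clock skew and compares in constant time. The secret `12345678901234567890` is the RFC test key, not a real one.

```python
import base64
import hashlib
import hmac
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamic truncation to 31 bits, then the last `digits` decimal digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, now: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = floor(unix_time / step)."""
    return hotp(key, now // step, digits)


def verify_totp(key: bytes, submitted: str, now: int, step: int = 30,
                digits: int = 6, window: int = 1) -> bool:
    """Server-side check: accept the current step plus `window` steps on
    either side to tolerate clock drift. Each comparison is constant-time.
    A real verifier must also remember the last accepted step so a code
    cannot be replayed within the window."""
    counter = now // step
    return any(
        hmac.compare_digest(hotp(key, counter + d, digits), submitted)
        for d in range(-window, window + 1)
    )


def key_from_base32(secret_b32: str) -> bytes:
    """Authenticator apps receive the shared secret as base32 (QR code /
    otpauth URI); normalise and decode it, restoring any stripped padding."""
    s = secret_b32.strip().replace(" ", "").upper()
    return base64.b32decode(s + "=" * (-len(s) % 8))


if __name__ == "__main__":
    # RFC 6238 test key (constructed, not a real secret).
    key = key_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    now = int(time.time())
    code = totp(key, now)
    print("current code:", code, "valid:", verify_totp(key, code, now))
```

Two things worth taking from this: the secret shown when you enrol the app is the whole security of the second factor (so it belongs in the password manager or a backup, not in a screenshot folder), and SMS codes rank below this scheme because they leave the device and can be redirected, whereas a TOTP code is derived locally.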

You are now using a password manager and multifactor authentication. That’s good.

Another step towards security is to start using keys instead of passwords. Let me explain; I’ll take GitHub as an example.

When you want to push something to your remote GitHub repository, you can log in using a password, or you can use keys. Authenticating with keys is more secure and possibly more convenient as well. The way it works is that the keys come in pairs, so-called public and private keys. You always keep the private key on your device, and you upload the public key to GitHub (or any other service). When authenticating, GitHub encrypts a message using the public key and sends it over to you; this message can be decrypted only with the help of the private key (which will always remain only on your device). Therefore no passwords (even encrypted ones) are ever going to leave your device. Lastly, such keys can also be set up with something called a passphrase, which is basically a password you need to fill in to be able to use the key. Again, when you copy such a password from your password manager, it will never leave your device. That makes for improved security.

GitHub has a nice tutorial on how to set up such an authentication scheme. Go see it and start using it.

The point is this method is not limited to only GitHub. If you use Azure services in your company, the same could be set up in Azure Repos. You’d be surprised how few developers (in my experience) actually use it. In some companies I worked for, I was the only one to set this up.
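One check that belongs with this setup is confirming that the public key listed in GitHub (or Azure Repos) is really the one you generated: both `ssh-keygen -lf key.pub` and the service’s key settings show a `SHA256:` fingerprint, and they must match. As an added example, not from the post or from OpenSSH, here is a Python parser for the one-line public key format (`ssh-ed25519 <base64 blob> <comment>`) that computes that same fingerprint from the decoded blob. The key bytes in the demo are random constructed values, and only the public half is ever involved; the private key stays where the post says it should.

```python
import base64
import hashlib
import secrets


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 'string': 4-byte big-endian length prefix, then the bytes."""
    return len(data).to_bytes(4, "big") + data


def _read_ssh_string(blob: bytes, pos: int):
    """Read one length-prefixed string starting at `pos`; return (bytes, new_pos)."""
    n = int.from_bytes(blob[pos:pos + 4], "big")
    start, end = pos + 4, pos + 4 + n
    if len(blob[pos:pos + 4]) < 4 or end > len(blob):
        raise ValueError("truncated key blob")
    return blob[start:end], end


def build_ed25519_public_key_line(raw_public_key: bytes, comment: str) -> str:
    """Compose the authorized_keys / GitHub-style line for a 32-byte
    Ed25519 public key: '<type> <base64(blob)> <comment>'."""
    if len(raw_public_key) != 32:
        raise ValueError("Ed25519 public keys are 32 bytes")
    blob = _ssh_string(b"ssh-ed25519") + _ssh_string(raw_public_key)
    return f"ssh-ed25519 {base64.b64encode(blob).decode()} {comment}"


def parse_public_key_line(line: str) -> dict:
    """Split the line, decode the blob and verify that the type inside the
    blob agrees with the type announced in front of it."""
    parts = line.split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    key_type, b64 = parts[0], parts[1]
    comment = parts[2] if len(parts) == 3 else ""
    blob = base64.b64decode(b64, validate=True)
    inner_type, pos = _read_ssh_string(blob, 0)
    if inner_type.decode() != key_type:
        raise ValueError(f"type mismatch: {key_type!r} vs blob {inner_type!r}")
    key_bytes, pos = _read_ssh_string(blob, pos)
    if key_type == "ssh-ed25519" and (len(key_bytes) != 32 or pos != len(blob)):
        raise ValueError("malformed ssh-ed25519 blob")
    return {"type": key_type, "key": key_bytes, "comment": comment, "blob": blob}


def sha256_fingerprint(line: str) -> str:
    """Same value `ssh-keygen -lf` prints: SHA256 over the decoded blob,
    base64 without '=' padding, prefixed with 'SHA256:'."""
    blob = parse_public_key_line(line)["blob"]
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


if __name__ == "__main__":
    # Constructed stand-in for a public key; not a real key.
    demo_line = build_ed25519_public_key_line(secrets.token_bytes(32), "me@laptop")
    print(demo_line)
    print(sha256_fingerprint(demo_line))
```

Run it against your real `~/.ssh/id_ed25519.pub` line and compare the output with the fingerprint the service shows; a mismatch means the uploaded key is not the one on your machine and should be removed from the account.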

Obviously all this goes for mobile devices as well. Imagine you lose your mobile phone. Would it make you nervous? If so, then you probably need to improve the security of your device. I’d first and foremost consider strong unlock passwords (yes, plural) and setting up your device so that if it is not successfully unlocked in three attempts, it wipes itself. I won’t talk about concrete options here, but I think there are devices, operating systems, etc. that let you set this up. Many mobile devices also offer the option to encrypt the device storage; that should be on at all times as well.

That’s about all for now. There’s much more to talk about when it comes to security; this has been simply one little piece of the whole. Considering what I said at the beginning about some hacked accounts I witnessed in 2021, following this advice would have prevented that. It would not have prevented the identity theft, but I might talk about that in future articles.
