product Archives - Bag of Tricks https://www.bagoftricks.tech/tag/product/ A mixed bag of tricks for everyone! Mon, 03 Apr 2023 16:33:41 +0000 en-US hourly 1 https://wordpress.org/?v=6.5.5 https://i0.wp.com/www.bagoftricks.tech/wp-content/uploads/2023/04/Color-logo-no-background.png?fit=32%2C18&ssl=1 product Archives - Bag of Tricks https://www.bagoftricks.tech/tag/product/ 32 32 215846627 The Skeleton Key, a.k.a. Password Re-Use https://www.bagoftricks.tech/the-skeleton-key-a-k-a-password-re-use/ https://www.bagoftricks.tech/the-skeleton-key-a-k-a-password-re-use/#respond Fri, 24 Mar 2023 14:11:00 +0000 https://www.bagoftricks.tech/?p=20 I feel it appropriate to begin this article with a story I recently encountered. A lady at my work told me that her daughter-in-law got a text message claiming to be from myself. This text then went on to ask for the user’s personal account credentials. The daughter-in-law gave the email, but didn’t give the […]

The post The Skeleton Key, a.k.a. Password Re-Use appeared first on Bag of Tricks.

]]>

I feel it appropriate to begin this article with a story I recently encountered.

A lady at my work told me that her daughter-in-law got a text message claiming to be from myself. This text then went on to ask for the user’s personal account credentials. The daughter-in-law gave the email, but didn’t give the password (which was a good thing, as you should never give your password on anyone).

The imposter then asked for the user’s six-digit verification code. She attempted to give it, but it had expired so the imposter wasn’t able to gain access to the account.

The main issue with this situation was that the imposter already knew the username and password combination, and only needed the six-digit 2FA to get in.

Why did they already know it? Well, there are a handful of reasons, but I already clarified that it was password re-use.

At the time of writing, we are on the verge of finally integrating password-less authentication; so, hopefully this notion gets to be marked entirely obsolete in 2023 – but it’s been just around the corner for quite a few years now. And, no, I’m not talking about 2023 being the year of the Linux Desktop.

What I’m talking about is password re-use. No matter how good that one password is. Once someone has it and your email combination, they’re free to attempt to log in anywhere. This is called “credential stuffing”.

I know, I know. Passwords are used practically everywhere and most websites want a certain number of characters, with upper-case, lower-case, and symbols. What else are you gonna do?

The solution is simple: use a password manager.

What is a password manager?

A password manager is a program or service which allows you to remember one complex password to a vault which stores other even more complex passwords that can be randomly generated.

Which password manager should I use?

There are several options of password managers to use and no one option. The criteria for most users, however, is simple: it should be easy to use and also more secure than a Post-It note or password notebook.

NOTE: Due to the recent data breaches at LastPass, I have had to remove them as a viable option; so, for now, I only have the one.

BitWarden

PROS:

  • Online/Offline Components
  • Industry Standard “Zero-Knowledge” Encryption
  • One-Time Password Component
  • Random Username/Password Generation

CONS:

  • Read-Only Offline Mode

BitWarden is easily my top recommendation for people whether they’re tech-savvy or not. The interface is intuitive and it integrates flawlessly with the browser; though, it also has apps for every major device on the market. If you pay for the Premium version, it can even insert time-based one-time password codes directly into the prompts with no extra work on your part.

The main draw for Bitwarden is that it is accessible anywhere you have access to the Internet with a master password (and second form of authentication, which I highly recommend setting up). From there, you can access your password vault that is otherwise fully encrypted on both your system and theirs.

I did list a con of having the read-only offline mode, and I dug into it deeper to see what that would entail. Bitwarden has to be able to sync to the remote server in order to make changes, but as long as you had an Internet connection to authenticate, you can access it without Internet access (they refer to this as locked versus logged out). You can adjust the logout time in settings, but it’s pretty generous by default.

Another component that made me happy is the random generation of usernames, as well as passwords. We are often bad about giving away too much information in a username, so having one that is random helps protect us in multiple ways, but mainly credential stuffing attacks.

Other Considerations

Conclusion

Regardless of which password manager you choose, the main goal is to make sure that you aren’t using the same username and password combination across multiple passwords. It doesn’t matter how secure your password is if it got exposed due to a database breach.

My sincerest hope is that you will consider destroying the skeleton key once and for all and protect yourself from one of the most easily avoidable attack scenarios.

The post The Skeleton Key, a.k.a. Password Re-Use appeared first on Bag of Tricks.

]]>
https://www.bagoftricks.tech/the-skeleton-key-a-k-a-password-re-use/feed/ 0 20