A Torian Group Solution – Technology with Integrity

Summary: Consider using the Keeper password manager. Easily create and manage unique, complex, and secure passwords, and use the built-in 2-factor authentication (2FA) tool to log in to your websites and cloud services quickly and easily.

If you are a business owner, deploy Keeper to retain control of employee website accounts and avoid losing productivity if an employee is unavailable.

If you have been using LastPass, we recommend you switch to Keeper.

Password hazards

You likely have many websites you log in to, each requiring a username and password, often along with a second form of authentication – a text message, an email, or a code from an app. You probably log in daily to your bank website, web-based email, social networking sites, etc. If you are a professional, you have research or online services you use. It is not unusual to have dozens or hundreds of websites, each requiring a secure login.

Common risky strategies for managing this are reusing one or two memorized logins everywhere, keeping a written list on your desk or computer, or using the password saver in your browser.

Using password management software is the preferred choice.

If you use the same password on multiple website logins, your password is only as secure as the weakest site you log in to. To compromise all your websites, a hacker only has to break one. Many forums and social sites store your password with little concern for security – meaning it can be stolen.

Many reputable websites have been hacked. High-profile incidents include LinkedIn, Yahoo, Zappos.com, Gmail account logins, and Sony PlayStation – all had large numbers of user accounts and passwords stolen. New compromises are a monthly occurrence.

Even if your password is not exposed, automated tools can try every username/password combination until they get in – called a password spray attack. These tools can often crack passwords on improperly secured sites within hours or days.

The hacker’s goal is to get control of your logins and then use them for financial gain.

The hacker can try your working username and password on a list of more valuable sites – including email. Once they control your email, they can use the password recovery (reset) feature on other sites – banking, health insurance, online shopping, and credit card accounts.

Of course, if you write it on a Post-it by your monitor or under your keyboard, the cleaning crew can try it or sell it to a friend with minimal effort. A list on your computer is a little tougher to get at, but it is unsafe if the device is stolen or hacked. Word and Excel passwords can be broken relatively quickly. Saved passwords in browsers can also be extracted by anyone with physical access to the PC.

Two-Factor Authentication

Two-Factor Authentication (2FA) can dramatically improve security by requiring that you confirm your identity using something in your possession – a text message to your phone, a code sent to your email, or preferably a code or approval prompt from an app on your phone. Biometrics (face or fingerprint) or a hardware security key are even better. Then, even if your password is known, the hacker cannot log in.

2FA is a significant improvement, but it creates some issues for business websites. Employees often set up 2FA on their personal smartphones, so the employer is locked out of the associated business websites when that staff member is unavailable. If more than one user needs the same login, someone again has to provide the 2FA approval each time.

If employees manage their passwords, you may not realize until much later that they are the only ones who can log in. We have seen this problem with domain name registrations.

Password manager software

Password managers are designed to solve these problems.

By saving passwords for you, they make it easy to use unique, long, and complex passwords for each website, secured by 2FA where possible. Password managers can generate the password automatically, ensuring it is hard to guess.

This saves time and is far more secure. You log in once to the password manager on your computer using your master password and 2FA. The master password is never sent to any website and is not stored on your computer.

Logging in to websites is easy: when you visit a site, click the popup window and the password manager fills in your saved credentials. Some password managers (including Keeper) also fill in the 2FA code. This is a huge time saver, and it allows multiple users to share a secure login.

A password manager lets an employer retain control of business websites and online services. Most employees now need access to multiple business websites to do their work. Without a password manager, you have to give them the password, which they can take with them and possibly keep using. With the right password manager, you give them one login to the password manager, and they use it to log in to the work websites you have set up for them. You can restrict them to only certain websites and ensure each has a long and complex password. Where supported, you can use 2FA – also within the password manager. Unless an employee is motivated and malicious, the logins are relatively secure, and it is much safer than the alternatives. If they leave, you change one password for the password manager rather than dozens for the websites they have logged in to.

Keeper also allows you to create “shared” groups of passwords, which can be assigned to groups of employees. Everyone in the group can still access the website if someone changes the password because they share the same login data.

There are many more features: extensive auditing (you know who logged in, when, and from where); alerts for unexpected logins or account changes; and security policies for users. See keepersecurity.com for a complete list of features.

Security of the stored password database is critical. Keeper encrypts each login entry and then encrypts the entire database using a unique key tied to the user and that particular device (PC, tablet, or phone). The passwords are encrypted locally into a password database, which is then saved on an internet server so you can access it from anywhere. The online copy of the database is secure because encryption and decryption occur only locally.

Because it puts all your passwords in one easy-to-access tool, a password manager can increase your risk if your computer is infected with a trojan or keylogger. Protect your master password carefully and make sure your password manager is logged out when you leave your desk. Keeper supports most types of 2FA.

Keeper also supports logging in with SSO (Single Sign On), which allows you to log in using your Office 365 credentials. Microsoft does an excellent job of securing their logins. If you have the right Office 365 licenses, this is a safe and convenient way to log in to Keeper.

If your employees log in to websites that contain sensitive data, you may be subject to legal penalties for not correctly securing access by employees. Accountants, insurance and brokerage agents, and medical professionals are all highly regulated.

Keeper

We have tested several password managers and recommend Keeper password manager (www.keepersecurity.com). Keeper has a superior security implementation. It has all the needed features for business. It is reasonably priced. Because Torian Group is using and supporting it, we can (if you wish) easily share your network and IT account logins with the authorized person at your business. When a password is changed, we both have current information.

Keeper has an app for smartphones, a PC and Mac desktop program, and extensions for most browsers.

We used to recommend LastPass. They handled a recent security breach poorly. They failed to protect their data. They failed to disclose the extent of the problem. They were slow to take needed steps to protect their customers. The issues are severe enough that we have switched from LastPass. See the links at the end of this article for details on the LastPass security breach.

Securing your existing accounts

Here are some additional steps you can take once you have signed up with a password manager.

  1. Make sure your computer has a password. Setting even a simple password on your PC dramatically increases the security of your web browsing. If you do any work from home, keep a separate profile and log in with a password on your home PC – particularly if your computer is shared with the kids.
  2. Set up a separate email address and use it strictly for password recovery. At the least, keep a separate email for more sensitive non-social site logins. If you have two email accounts, don’t use your public email as the password recovery email for your “private” email account. That’s because if one of your email accounts gets compromised, the hacker can quickly take over the other account. Use SMS (cell phone) notification for password and account changes, to have a separate way to get notified if someone does get control of your email account.
  3. Review your email and permanently delete any saved password recovery emails.
  4. As you log in to existing websites, change the password to a new, complex password. Use the password-generating tool in your password manager to create random passwords with at least 12 characters. Since you never need to type it, there is no inconvenience.
  5. Check your internet favorites and history for websites that need password changes. Delete any saved passwords in your browser. Disable the automatic login function on some websites that allow you to “save” your login.
  6. Be aware of linked accounts in apps. When you allow an app to log in using Facebook, Twitter, Yahoo, etc., you share your account with that app. Facebook and other sites now offer a way to set separate passwords for linking applications – take advantage of this. Review your apps regularly, and revoke permissions for those you no longer use.
  7. Keep your computer patched, have current antivirus software, and use a firewall. It is not enough to keep your antivirus subscription current – you must reinstall the new version of the program annually.
  8. Set a passcode on your smartphone and tablet. If a device has apps that use a password, your accounts are vulnerable to theft if someone gets hold of it. Keeper and other password managers have iPhone/iPad and Android versions.

If this all sounds too complicated, consider the alternative – cleaning up the mess after your account is compromised and your money and/or identity is stolen.

We can help you get set up and do basic training for you and your staff in using Keeper, typically in 3-4 hours total. Give us a call or email to talk about the next step.

More information

Keeper introductory videos and manuals: https://www.keepersecurity.com/support.html

Problems with LastPass:

https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/

https://www.wired.com/story/lastpass-breach-vaults-password-managers/

https://www.forbes.com/sites/daveywinder/2023/03/03/why-you-should-stop-using-lastpass-after-new-hack-method-update/?sh=400b113228fc

https://en.wikipedia.org/wiki/LastPass

Tim Torian