A Torian Group Solution – Technology with Integrity

Executive summary: Website passwords are the single biggest security issue for most small businesses. Use a password management program such as lastpass.com to manage your logon names and passwords for websites. It is secure, accessible from any internet connected computer, and free. Use unique complex passwords for every site you log in to, to protect your security. Revisit websites for which you have common (not unique) or simple passwords, and change them. Keep a separate email account for password recovery. Be aware of linked accounts used by “Apps” such as Facebook and Google.

For businesses, upgrade to Lastpass Enterprise, and share the passwords securely with team members who need access to your business websites, allowing them to log in while giving you centralized control over business websites.

Best Practice: Install and use lastpass.com to manage your website login accounts, and those of your team members. See detailed instructions below, or give us a call, and we can help you get set up.

If you use a computer, you have a lot of websites you log in to, each of which requires a username and password. You log in to your bank website, your web based email, your social networking sites, your custom home page at Google, Yahoo, or AOL, etc. If you are a professional you probably have research or online services you log on to. It is not unusual to have dozens of websites, each requiring a username and password.

Common strategies for managing this are to use one or two memorized logons that you use everywhere; or keep a written list on your desk or on your computer, or use password management software – the preferred choice.

If you use the same or a few logons, your password is as secure as the weakest site you log in to. In order to compromise all your websites, a hacker only has to break one. Many forums and social sites not too concerned with security will send the password in clear text (meaning it can be intercepted), or will have very basic security set up on their website. In many cases it is possible to hack the password database on poorly secured websites. The hacker then can try your password and username on a list of more interesting sites such as email, and social media sites. Once they have your email, they can use password recovery tools on other sites. They then use this information to access PayPal, bank and credit card logins. They don’t have to know who you are, they can just try the login. Of course if you write it on a list by your monitor, the cleaning crew can give it a try or sell it to a friend with very little effort. A list on your computer is a little tougher, but not safe. Word and Excel passwords can be broken relatively quickly. Saved passwords in Internet Explorer or Firefox can also be hacked.

Even reputable websites have been hacked. High profile incidents include LinkedIn, Zappos.com, Gmail account logins, and Sony PlayStation – all had large numbers of user accounts and passwords stolen.

Password managers allow you to securely save unique passwords for each website in an encrypted database. It saves time, and is more secure. You log in once to the password manager on your computer, using your master password. The master password is not ever sent to any website, and is not stored on your computer. It then automatically logs you in to websites using your saved username and password. You can use a unique and complex password for each website, without having to memorize it.

Web based password managers allow you to log on to your websites from any computer – the passwords are encrypted locally in a password database, and then saved on an internet server which you access from anywhere. It is secure, since the encryption/decryption takes place locally.

Most password management programs offer “two factor authentication”. In addition to knowing the password, you have a physical device that must be in your possession to complete the login. This protects you from key loggers – a form of malicious software which records what you type and sends it to cyber-criminals. Without the additional authentication, a password manager can actually increase your risk if your computer gets infected with a Trojan or key logger by putting all your passwords in one easy to access tool.

Obviously, you need to protect your master password carefully, and make sure your master login is turned off if you leave your desk.

Most employees now need access to multiple business websites to do their work. You have to give them the password, which they can take with them every night, and can continue to use even if they stop working for you. With the right password manager, you provide them with one login, and they use it to log in to the work websites you have already set up for them. You can restrict them to only certain websites, and make each site have a long and complex password. Unless they are a hacker, the login is relatively secure. If they leave, you change one password for the password manager, rather than dozens for websites they have logged in to.

We have tested a number of password managers, and recommend lastpass.com. It give you most of the features that a personal or business user would need for free, and allows you to expand to full featured security, including a physical key if needed. It allows you to group website logins and share them from a separate master account, without sharing the underlying password/login. In other words, you can set up a group of websites and give your employee access to that group, using their own Lastpass login account, with their own Lastpass master password. It is web based, which makes it feasible to login to needed websites when working remotely or on a different computer. It is easy to use, and the price is right – free.

If you are going to use this with sensitive sites, we recommend upgrading to the paid version ($1/Month, $2/Month per person for the enterprise version), and using a hardware key. This protects you from compromise of your master password if your computer gets hacked due to malware. With LastPass, we recommend using the Yubikey – a special USB device that looks like a thumb drive which has to be inserted into the computer along with requiring the master password. They are about $25 – a very good value for the additional security provided.

How to:

To setup your account with lastpass.com, go to their website and click on (Free) Download Lastpass. Run the installation program, which steps you through setting up an account.

Create a new account:
You will be asked for your email address. Use your primary business email to manage your business websites. Pick a secure password which you can remember. It is CRITICAL that you remember this one password. Write it down and put in in a safe or safety deposit box, so your loved ones can find it if something happens to you.

If you have been storing passwords in your browser, let Lastpass find and move them to Lastpass security for you.

Follow a similar process, using your team member’s email to set up a separate Lastpass account for each person for which you need to grant access to websites.

Log in to lastpass.com, which they call your “vault”. Select the option to share login information for a site, and pick the emails of team members whom you want to be able to login. You can elect to share just the ability to login, or the website login and the ability to view and manage the password.

Watch these videos for basic instructions: https://lastpass.com/support_screencasts.php

Set Lastpass to automatically log out after a reasonable period of time. This prevents accidentally leaving it open, allowing anyone at the computer to access sensitive websites.

Once you are comfortable with using Lastpass, follow the suggestions below to secure your existing accounts.

Lastpass also serves as a foundation for your web marketing efforts, which inevitably involve creating a large number of user accounts on web sites – Google Local, Google Analytics, Yahoo, etc.

Once you are set up, make a printed copy of your passwords using the export function in the Lastpass software, and lock it away. (Do NOT save it to your computer). This protects you in the unlikely event that Lastpass goes out of business or starts charging for their free service. This is your backup – updated it regularly.

Securing your existing accounts

Here are some additional steps you can take once you have signed up with a password manager.

  • Make sure your computer has a password. Setting even a simple password on your PC greatly increases the security of your web browsing. If you do any work from home, keep a separate profile and login with a password on your home PC – particularly if your computer is shared with the kids.
  • Set up a separate email address, and use it strictly for password recovery. At the least, keep a separate email for more sensitive non-social site logins. If you have two email accounts, don’t use your public email as the password recovery email for your “private” email account. That’s because if one of your email accounts gets compromised, the hacker can easily take over the other account as well. Use SMS (cell phone) notification for password and account changes, so have a separate way to get notified if someone does get control of your email account.
  • Review your email, and permanently delete any password recovery emails you have saved.
  • As you log in to existing websites, change the password to a new, complex password. Use the password generating tool in your password manager to create random passwords with at least 12 characters. Since you never need to type it, there is no inconvenience.
  • Check your internet favorites and history for websites that need password changes. Delete any saved passwords in your browser. Disable the automatic login function on some websites that allow you to “save” your login.
  • Enable “Always use HTTPS” for Facebook, Twitter, Gmail, Google and any sites that support it. This prevents people from snooping on your connection and recovering your login data. Never log in to sensitive websites from a public Wi-Fi location. Anyone (not just skilled hackers) can capture your login details using Firesheep, a simple Firefox extension.
  • Be aware of linked accounts in apps. When you allow an app to log in using Facebook, Twitter, Yahoo, etc. you are sharing your account with that app. Facebook and other sites now offer a way to set separate passwords for linking applications – take advantage of this. Review your apps regularly, and revoke permissions for those you no longer use.
  • Keep your computer patched, have current antivirus software, and use a firewall. It is not enough to keep your antivirus subscription current – you must reinstall the new version of the program annually.
  • Set a passcode on your smart phone and tablet devices. If it has Apps that use a password, your accounts are vulnerable to theft if someone gets hold of your mobile device. LastPass and other password managers have versions for iPhone/iPad and Android devices.

If this all sounds too complicated, consider the alternative – cleaning up the mess after your identity is stolen.

We can help you get set up, and do basic training for you or your staff in using Lastpass, typically in 3-4 hours total. Give us a call or email to talk about the next step.