The Password Conundrum – Part 3

This is the last part in a series on password management. Read on to learn about the strategy I employed to improve my personal password security.

Security is best employed in layers. That is to say, using one method of security on its own, such as a single password, is not as secure as using multiple methods together. If one method fails, for example your password gets guessed or cracked, then requiring a second factor to log in, like a YubiKey or a fingerprint, can help prevent unauthorized people from breaking into your accounts even if they’ve figured out what your password is.

Yubikey – A second factor of authentication

Yes, this is my actual YubiKey. Still working after a year of continual abuse.

I’ve used a YubiKey for over a year now and it’s survived remarkably well. The YubiKey is a small USB device that attaches to my key chain and acts as a second factor of authentication. Whenever I need to log in to a service (like LastPass) that supports two-factor authentication, I plug my YubiKey into the USB port of the computer I’m using and touch the green dot in the middle of the YubiKey. A code is automatically entered into the computer, which allows me to then enter my user name and password to log into the service or web page. Without the YubiKey, no one can log into my accounts. It’s not foolproof, but it is an added layer of security which makes it a lot harder for my accounts to be broken into.

LastPass – A password manager for everyone

The LastPass service and its software work very well for my purposes. LastPass is not the only game in town when it comes to password managers, but I found it to be the one that fits my needs and has the features I require. In particular, the ability to work with my YubiKey as a second factor of authentication was one of the deciding factors in my choice. The service also has plug-ins for most major browsers, which makes logging in to sites that I have saved credentials (user names and passwords) for simple and fast.

It seems that websites and services are getting hacked on a monthly if not weekly basis and the need to change my password on those sites is a regular occurrence. LastPass makes it easy to generate a new random password that is ridiculously long and then save it in an encrypted database that requires both my super secret credentials and my personal YubiKey to access it.

Passphrases – Extra long passwords for the win

It’s really important to pick passwords that are not only complex, but long. I like to use strings of esoteric words together, or words that I don’t know how to spell very well, together with unusual spacing (yes, spaces can be considered special characters). The passphrase becomes memorable because I have to think extra hard about what I am entering when I have to type in a password. An example of this might be “ReprehensibleHirsuteHair Suit9” or “LachrymoseMoos3 Pouts”. You can probably think of something better, but I’ve found that this works pretty well for me.

A great benefit of having a password manager like LastPass is that you can generate really long, random passwords that you don’t have to remember. The password manager takes care of generating passwords and also allows you to create new, random passwords easily if you have to set a new one on the spot.
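As an added illustration (not the author's code and not how LastPass itself is implemented), this Python example shows what generating a long random password or a random-word passphrase from a cryptographic random source looks like, and how many bits of entropy each one carries. The function names and the small word list are assumptions made for the example.

```python
import math
import secrets
import string

# 94 printable ASCII symbols: letters, digits and punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Constructed sample list so the block runs offline. A real passphrase needs a
# list of thousands of words (a diceware-style list has 7776).
SAMPLE_WORDS = ["lachrymose", "hirsute", "moose", "reprehensible", "pout",
                "esoteric", "quagmire", "zephyr"]


def generate_password(length=32, alphabet=ALPHABET):
    """Draw every character independently from the OS CSPRNG."""
    if length < 1 or len(set(alphabet)) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(wordlist, words=6, sep=" "):
    """Pick words uniformly at random, with replacement, from wordlist."""
    unique = sorted(set(wordlist))  # duplicates would skew the distribution
    if words < 1 or len(unique) < 2:
        raise ValueError("need at least one pick and two distinct words")
    return sep.join(secrets.choice(unique) for _ in range(words))


def entropy_bits(choices, picks):
    """Bits of entropy in `picks` independent uniform draws from `choices`."""
    return picks * math.log2(choices)


def picks_for_bits(target_bits, choices):
    """Smallest number of draws that reaches target_bits of entropy."""
    return math.ceil(target_bits / math.log2(choices))


if __name__ == "__main__":
    print(generate_password(), f"{entropy_bits(len(ALPHABET), 32):.0f} bits")
    print(generate_passphrase(SAMPLE_WORDS),
          f"{entropy_bits(len(SAMPLE_WORDS), 6):.0f} bits (toy list)")
    print("words needed for 128 bits from a 7776-word list:",
          picks_for_bits(128, 7776))
```

The entropy figures only hold when every character or word is chosen by the random source; a phrase a person makes up cannot be measured this way.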

 

Conclusion

I’ve found that the strategy I outlined above works really well for my purposes and needs but of course, your mileage may vary. I hope that what you get from this series of articles is a better understanding of what options and tools are available to you to help you enhance and maintain your own personal security.

 

Further reading:

http://arstechnica.com/information-technology/2013/06/the-secret-to-online-safety-lies-random-characters-and-a-password-manager/3/
http://passwordsafe.sourceforge.net/
https://xkcd.com/936/
http://www.howtogeek.com/141500/why-you-should-use-a-password-manager-and-how-to-get-started/
http://lifehacker.com/5966214/how-often-should-i-change-my-passwords
http://lifehacker.com/5938565/heres-everywhere-you-should-enable-two+factor-authentication-right-now
http://lifehacker.com/5937303/your-clever-password-tricks-arent-protecting-you-from-todays-hackers
http://lifehacker.com/5962026/use-a-unique-secure-email-address-solely-for-password-recovery
http://lifehacker.com/5949165/the-four-tiers-of-password-security-what-works-what-doesnt-and-whats-best-for-you
https://www.eff.org/deeplinks/2013/05/howto-two-factor-authentication-twitter-and-around-web
https://lastpass.com/
https://agilebits.com/onepassword
http://keepass.info/features.html

So you want to learn to pick locks

Lockpicking is awesome. No lie. Picking open your first lock is exciting, unsettling, and possibly addicting. It’s exciting in the sense that you become aware that locks can be viewed as mechanical puzzles and that once you know how to solve them, you have the keys to the kingdom. It’s unsettling because once you get the hang of it, you start to realize just how easy it could be to pick the locks that you depend on to keep you and your possessions safe. Picking locks is addicting because of the exhilaration, the sense of empowerment, the thrill of exerting your will toward something designed to prevent you from opening it without a key and prevailing.

Lockpicking isn’t just for spies and thieves. In most states in the US, picking locks that you own is entirely legal. Yes, this skill can be used for nefarious purposes but in most cases, if you want to break into a building, using a hammer, or even a rock is a much quicker and more effective way to gain entry – it works every time. Lockpicking is growing as a legitimate hobby and there are competitions in the US and internationally where enthusiasts get together and compete in lockpicking races and other challenges.

So now that you’re interested in lockpicking, the question is how do you get started? Well, I’ve been interested in this subject for quite some time and I have found several links and resources that have proven to be extremely useful. Lucky for you, I have gathered and listed those resources below.

 

Buying lock picks

To get started, you’ll need some picks. Toool (that’s with three o’s) is The Open Organization of Lockpickers. Toool’s purpose is to “advance the general public knowledge about locks and lockpicking. By examining locks, safes, and other such hardware and by publicly discussing our findings we hope to strip away the mystery with which so many of these products are imbued.” Their “Beginner’s Blend Pick Kit” can be purchased from their website at a reasonable price here: http://toool.us/equipment.html

Lock picks can also be purchased from these sites: 
http://www.sparrowslockpicks.com/
http://www.lockpicks.com/
 

Locks for learning how to pick

If you want to stay out of trouble, you should only ever pick locks that you own, or locks that you have been given permission to pick by the owner. So what locks are good for learning how to pick? I think that there’s an informal consensus among lock pickers that the Master Lock number 3 model is one of the best locks for beginners to learn on. It has only four pins in it which means that it is usually somewhat easier to pick than a lock with five or six pins. Locks can become harder to pick over time as the parts become fatigued from use. As someone who is learning lockpicking, you will probably want to go out and buy a new lock instead of using that rusted old padlock that’s keeping the shed door closed. The Master Lock number 3 is easy to find at most hardware stores as it is a very popular and inexpensive model of lock.

There are also sets of locks for learning how to pick called progressively-pinned locks. Usually a set of progressively-pinned locks starts with a lock that only has one pin in it. Once you get the hang of picking a lock with one pin in it, you can move on to the next lock in the set that has two pins, and so on. Many sites that sell lock picks also sell progressively-pinned locks. You can buy a set of progressively-pinned locks from the US Toool website as well: http://toool.us/equipment.html

 

Educational resources

Next you’ll also want some instructions, guidance, some information on how to go about this lockpicking business. There are some really cool people who invested a lot of time and effort into creating some fantastic resources that will help you learn how to pick locks.

This guy, who goes by the name Deviant Ollam, wrote THE BOOK on lockpicking. The title of this book is “Practical Lock Picking, Second Edition: A Physical Penetration Tester’s Training Guide”, ISBN-13: 978-1597499897. You can pick it up from Amazon by clicking on the link here: http://amzn.com/1597499897

Schuyler Towne is obsessed with locks and lockpicking. So much so, in fact, that he put together a terrific series of instructional videos that cover the very basics all the way up to intermediate and advanced topics in lockpicking. Mr. Towne released these videos for free on YouTube, and they can be viewed here: http://www.youtube.com/playlist?list=PL66CD42F86F3A1F85

 

Meetings and groups

Are you interested in lockpicking but not sure you’re ready to jump in with both feet? There are lockpicking groups all over the US that usually meet up every month, where you can get hands-on training from enthusiastic and friendly people. There are many lockpicking groups in the US, but probably the one that’s most widespread is the US Division of Toool. If you’re interested in attending a Toool meeting in the US, chapter meeting locations and times can be found here: http://toool.us/meetings.html

 

Other resources

There are many forums and sites dedicated to lockpicking but I have found Lockpicking101.com to be one of the best.

http://www.lockpicking101.com/