Stonehenge, the naturist symbol, and the Druid Awen sign

A clever bit on passwords and phishing.

Paul

I listen to the podcast "Naked Security" from Sophos.com.

Today they had a(nother) great reason to start using a password manager.

Password managers

These are programs to manage your passwords. Yes, duh. But they do that in a clever way. They generate big, complex passwords that you can't remember, like 3jGrkVvaVNJ$Kv*JRCZsg (note, you will be quizzed on this one later on haha).

You just remember 1 main password to unlock the password manager (and optionally use a Multi Factor code to open it) and the manager does the rest of the heavy lifting.

1Password unlock screen

This is one password manager, 1Password. Because that 1 password is all you remember.

1Password will set you back about $3 / month.

Bitwarden unlock screen

This is Bitwarden. Bitwarden is free and open source, and delivers a lot of good stuff. There is a paid option which will help you keep MFA tokens alive, that costs around €10 / year.

MFA

MFA

You probably know about MFA. Otherwise you should learn it, fast. It is a second login security. If someone has your password (which is something you know) and you enabled the second login safety, there is no way a hacker can break into your account without that second option, which usually is something you own. There are apps for that, like Google Authenticator, Okta Verify or Microsoft Authenticator. A good password manager can handle that as well. You go to a website, the password manager sees you have a login for that, and it will fill in the name and password, and also the MFA code for that site. No need to open another app on your phone and copy the numbers by hand.

Link recognition

Following up on that, as I said, a password manager sees that you have a login for a site.

Suppose you get a mail that sends you to https://your.very.trusted.bank.com. You've seen that link a gazillion times, so yep, you know it, you click it. The password manager will handle the login. But then there is no login filled out! What the fork?

The clever bit here is (check the bank link) that the link on the screen looks legit, but the actual link isn't. The password manager doesn't recognise the link and so it won't help you log in. After all, this is a strange place and there might be dragons.

So....

Not yet convinced that a password manager is a good idea? In that case you wasted time in reading this.

If you feel this could be something, check out Bitwarden or 1Password.

No peeking; do you remember the password from up above?

Mastodon - Diaspora