Password Managers and An Introduction to 2FA

Originally posted at https://www.nicenetwork.uk/password-managers-and-an-introduction-to-2fa/


One of the biggest security problems facing the IT infrastructure of most organisations is authentication. Proving to the system that you are who you say you are and being accountable for your actions.
Humans are creatures of habit and we have a tendency to gravitate towards the path of least resistance, even if we know that doing so isn’t best practice. This means, in terms of passwords, that we are going to use passwords that we can remember easily and are likely to reuse those passwords everywhere we can get away with it. This is very bad practice, but it’s something that most people are guilty of unless they make a conscious effort to avoid doing so. In August 2018 the Verizon Data Breach Investigations report stated that over 70% of employees reuse passwords at work, and “81% of hacking-related breaches leveraged either stolen and/or weak passwords.”
The easiest solution to both poor passwords and repetition is to use a password manager, which allows you to use individual, secure passwords while only remembering the one master password. There are two types of password manager – software based and web based – and some premium offerings are a mixture of the two.
Once you have gotten used to the functions and controls, a password manager can make interacting with your computer much easier, as well as being more secure. They offer features like opening web-pages for you with one click (even opening different pages in different browsers if required), auto-typing usernames and passwords, and generating secure unique passwords for new and existing accounts.
I use two different password managers – for work I use the software-based Keepass (https://keepass.info/) and for personal logins I use the web-based LastPass (https://www.lastpass.com/). Both are free (although LastPass offers a premium version), and both are very simple to learn.
Keepass is simple but effective. You can create folders for different topics, customers, systems, or whatever you need. Once you have created a folder and started adding password entries, you have either buttons or keyboard combinations to launch URLs, auto-type login details, and keep separate notes on each entry.


New entries are provided with randomly generated suggested secure passwords. All very simple to use, and a far better password solution than that insecure txt file you currently have sitting on your desktop.
LastPass is regularly voted as being one of the best browser-based password managers. The easiest way of using it is to install a plugin in your browser. Once this is installed the application will automatically provide you with a randomly generated password when it detects you creating an account on a website, and will create an entry for this account including site URL and login details. Existing sites that you log in to will also present you with an easy way to store credentials. The software offers a raft of other features that I’ve yet to delve into myself, but they look very useful.



Normal username+password logins are known as single factor authentication. It is defined as “Something you are (your username) and something you know (your password)”. As an example, a guard at a gatehouse might be told to look out for and admit people in uniform who know the word of the day. In this case it would be pretty easy for someone to acquire a uniform, learn the word of the day, and gain access to the fort. In the same way, once someone knows your email address and can find out your password, they’re into whatever system they’re looking at. If you’ve reused your password then the attacker potentially has access to everything…
Two factor authentication (2FA) is defined as “Something you are, something you know, and something you have”. To reuse the above example, in this case admission to the fort would only be granted to someone who turned up in uniform, knew the word of the day, and was carrying a signed letter from the general. When applying this to authentication you would have a username and password as normal, and in addition to that you would have some form of token. This can take the form of a piece of hardware that generates a random, time-based code, or some sort of signal sent to a separate device such as your mobile. 2FA is available for a number of different services including social media and webmail, and switching it on is guaranteed to make your account more secure. There are also solutions that allow you to integrate this technology into a number of commercial systems, such as VPN client or CRM system logins.