Secure password management strategies

Strong passwords matter to anyone who has information the rest of the world shouldn’t be able to access.

Typical password approach

For most people, the only thing securing everything they can access digitally is a password.  A single password, or a few if they’re “advanced” users or if an application has unusual ‘strength’ requirements.  That’s the crux of the security failure.  A single password is a single point of failure: one database ‘leak’ can lead to all of your accounts being compromised, since you typically use the same email (and generally the same password) for ALL your online accounts.  Once someone has that email/password combo, they can go to the major websites and try to log in as you…it’s a race to see whether you can change your password before they find the sites you use it on – IF you even know your password leaked.

If you’re creating your own passwords, you’re “doing it wrong”.

Also, because you have this one password and use it frequently, you want it to be simple, easy to remember and easy to type.  This is the second failure of common password usage.  If it’s simple and easy to type, chances are it has very little entropy, which means it is easy for someone to “brute force” it by guessing every possible password; if yours isn’t complex enough, it will probably be found.  The shorter and simpler the password, the more susceptible it is to this kind of ‘hacking’.   Even the government thinks complex passwords are good…we want to use good passwords, but we aren’t good at memorizing strong, secure ones, so there HAS to be a MUCH better way…

For a more extensive explanation of why a password you know is bad, and why password managers are good, read anything by Troy Hunt.

Password Managers

Using any password manager is generally better than using nothing.  However, I encourage the use of KeePass, an open-source, FREE password manager.  I’ve used it for years and never had any problems.  It uses a ‘master password’ – which should be a LONG and complex pass-phrase like (“Cubic bootleg $12 garden swagger” – created here).

[Image: phrase-generator – My settings used to create the base phrase, which I then MODIFY to increase complexity]

This pass-phrase will allow you (or anyone who has it) to access ALL your passwords.  You can define common “password profiles” that specify the length and the types of characters to use.  You can easily organize all your entries; it will auto-type the passwords for you once you’re on the form; and you can set ‘expiration’ dates for passwords, which then flag the entry to encourage you to update/change your password for a certain service.

The biggest “feature” and differentiation of KeePass is that it’s an offline, local password storage.  Many consider this the compelling reason to use it, while others view it as a drawback.  If you have multiple computers, the key is to use a file-sync tool to keep the KeePass database file on multiple computers.
I typically use SpiderOak because I love their encrypted service and the flexibility/power they offer in syncing files from various locations around my computer.  Others prefer to use Dropbox for a less complex setup, but everything that ‘syncs’, including your KeePass file, has to be contained inside the “Dropbox” folder, not just located somewhere on your machine.
GRC Haystack is my tool of choice when I have to manually pick passwords, or for when I just want to see how secure the passwords being generated are.  It teaches you a lot about character sets and length, as they are the primary components of complexity.  It does not, however, take into account dictionary-based password attacks or the other actual ‘content’ of your password.  However, since I no longer use passwords involving those components, I don’t consider that a drawback.  Use this tool when picking your master password or any password you simply must create on your own.  Make sure it’s all green across the top, and no red on the bottom!
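The two views of password strength discussed above (the length-and-alphabet “haystack” view versus a dictionary attack that already knows the password is made of words) can be put side by side in a few lines. The following is an added example written for this page; it is not GRC Haystack’s code and not KeePass’s. The 10,000-word dictionary size, the 10 billion guesses per second rate and the “symbol plus up to three digits” allowance for “$12” are assumptions chosen for illustration, not measured values.

```python
import math
import string

# Character classes, counted the way length-and-alphabet calculators count
# them: any class that appears in the password adds its whole size to the
# alphabet an attacker is assumed to search.
CHARACTER_CLASSES = {
    "lowercase": string.ascii_lowercase,   # 26
    "uppercase": string.ascii_uppercase,   # 26
    "digits": string.digits,               # 10
    "symbols": string.punctuation + " ",   # 33 (space included)
}


def alphabet_size(password: str) -> int:
    """Size of the alphabet a brute-force attacker must search for this password."""
    return sum(len(chars) for chars in CHARACTER_CLASSES.values()
               if any(c in chars for c in password))


def brute_force_bits(password: str) -> float:
    """Entropy in bits of an exhaustive search over alphabet_size ** len(password)."""
    return len(password) * math.log2(alphabet_size(password))


def dictionary_bits(word_count: int, dictionary_size: int, extra_bits: float = 0.0) -> float:
    """Entropy in bits when the attacker knows the password is word_count words
    drawn from a list of dictionary_size words, plus extra_bits for any added
    digits or symbols. This is exactly what the haystack view leaves out."""
    return word_count * math.log2(dictionary_size) + extra_bits


def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find a password in a space of 2**bits at the given rate
    (on average the attacker succeeds after searching half the space)."""
    return (2 ** bits / 2) / guesses_per_second


def compare(password: str, word_count: int, dictionary_size: int,
            extra_bits: float = 0.0, guesses_per_second: float = 1e10) -> dict:
    """Put both views side by side for one password."""
    brute = brute_force_bits(password)
    words = dictionary_bits(word_count, dictionary_size, extra_bits)
    return {
        "length": len(password),
        "alphabet": alphabet_size(password),
        "brute_force_bits": round(brute, 1),
        "dictionary_bits": round(words, 1),
        "brute_force_years": crack_time_seconds(brute, guesses_per_second) / (365 * 24 * 3600),
        "dictionary_days": crack_time_seconds(words, guesses_per_second) / (24 * 3600),
    }


if __name__ == "__main__":
    # Constructed sample: the article's generated phrase, treated as four
    # dictionary words plus a short number. Dictionary size and guess rate
    # are assumptions (see lead-in).
    phrase = "Cubic bootleg $12 garden swagger"
    result = compare(phrase, word_count=4, dictionary_size=10_000,
                     extra_bits=math.log2(1000))  # "$12": roughly a symbol plus up to 3 digits
    for key, value in result.items():
        if isinstance(value, float):
            print(f"{key:>18}: {value:,.1f}")
        else:
            print(f"{key:>18}: {value}")
```

Run as-is it prints the 32-character phrase at about 210 bits under the brute-force view but only about 63 bits once the attacker is assumed to know the word-list construction, which is why the article’s advice to MODIFY a generated phrase (adding characters the generator would not have produced) matters more than the green bars alone suggest.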

Extra security?! Use two-factor authentication

Adding another layer of security to a login never hurts, and two-factor authentication is the best way to protect yourself against a stolen password.  Two-factor authentication requires something you know (your password – which of course YOU don’t know, but the password manager does…) and something you have – typically the time-sensitive code your phone generates.  It may also take the form of a phone call, a text message, or an email link.  Either way, applying this concept wherever possible greatly reduces the consequences of a lost/stolen/hacked password, since the ‘thief’ will almost never have access to the second factor.  I always enable two-factor authentication on any service that allows it.  I use Google Authenticator whenever possible.
*This article obviously isn’t meant to be a review of any of the services mentioned within; it’s just how NIS recommends doing password management.  There are many, many articles all over the internet that compare password managers, syncing services, etc.*
Posted in Security

Sharing session between apps with SqlServer in Asp.NET

I spent about 3 hours figuring out how to get two separate applications to be able to share their session variables.  The answer, once all was said and done, was much simpler than expected.

First, an ASSUMPTION I make is that one app is the child of another app in IIS.

The two keys:

  • In the web.config of each app, use the same Application Name in the session-state connection string:

    <sessionState mode="SQLServer" sqlConnectionString="Integrated Security=SSPI;data source=YOUR_DB_INSTANCE;Application Name=YOUR_APP_NAME_IDENTICAL_IN_APPS_SHARING_SESSION" cookieless="AutoDetect"/>

  • Then, run this Stored Procedure.  It looks at the Application Name in your connection string, and when your apps have identical names there, it assigns them the same id – therefore giving them access to the same session on SQL.

That’s it.  Done.  All that effort for two changes – although I wasn’t going to figure out the SP trick just by staring at it – I modified the web.configs multiple times before realizing it all hinges on the SP vs the web.config settings.

*I’d imagine this will work even if your apps don’t meet these criteria, since all the action is happening on the DB side, but I’m just clarifying the setup I’m using.*

Posted in ASP.NET, Technical

Our new website!

We just wanted to say a quick thank you for stopping by our new website.  Hopefully, through this site and this blog, you will see the passion that drives New Image Solutions and how we can help turn that passion into long-term money-saving opportunities for your company.

Increasing efficiency – Saving your company time over the long-term is what we are all about.

Working with Excellence – We don’t cut corners.  We do our research.  We know industry trends.

Find the right resources – Through our research and connections, we can find your company the right people and services to meet your goals and needs!

Those are just some brief thoughts about New Image Solutions.  Check back for more perspective and potential assistance for your company later!

Posted in General