Bummer! This is just a preview. You need to be signed in with a Basic account to view the entire video.

Preview

Start a free Basic trial
to watch this video

Sign up for Treehouse

The Dangers of Passwords (part 2)

5:50 with Greg Stromire

This video introduces tools and strategies to address some of the shortcomings of password-based logins.

New Terms:

  • Password Fatigue -- A tiredness associated with the inconveniences of passwords in a daily routine. Can lead to poor security choices for relief.
  • Credential Stuffing -- An automated attack attempting the login information from a leaked account with a different service in hopes that the targeted user reused the info.
  • 2-Factor Authentication -- An additional layer of security requiring two forms of proof, like an ATM card and a PIN.
  • Security Questions -- Asked by sites as a limited form of 2-factor auth to provide a level of “proof” of identity. Many of the answers to these questions are available through public record or provided by social media profiles.

Further Reading:

Two-Factor Authentication

Password Managers:

Article: The Best Password Managers of 2017
People have strong feelings about their password managers. Choose the one which works for you. This is an incomplete list of password managers available.

  • 0:00

    In the last video, we explored the importance of password strength.

  • 0:04

    They should be unique, sufficiently complex, and the longer the better,

  • 0:08

    but doing this for every site and service can lead to password fatigue.

  • 0:13

    Many people just don't think it's worth the inconvenience of coming up with long,

  • 0:17

    unique passwords for everything they do.

  • 0:19

    And it inevitably leads to the breaches we discussed in our very first video.

  • 0:23

    And one of the biggest risks you can take is to reuse a password for

  • 0:28

    more than one site.

  • 0:30

    Imagine that you've created a really strong password.

  • 0:33

    You think it's nearly unbreakable, so you use it for social media,

  • 0:36

    for your email, and for your bank.

  • 0:39

    If, for example,

  • 0:40

    the social media account is breached, that password is effectively out in the open.

  • 0:45

    Many attackers can then try what's called credential stuffing, using an automated

  • 0:50

    tool to attempt the username and password breached from one site, on another.

  • 0:55

    Now those attackers can access your bank and email, so

  • 0:58

    password uniqueness is just as important as password strength.

  • 1:02

    Now that we've sufficiently explored the importance of password strength and

  • 1:05

    security, I'll introduce one of the best tools available to help you stay on top

  • 1:10

    of your passwords.

  • 1:11

    Password managers.

  • 1:11

    There are several options available, and I'll demonstrate one of the most popular,

  • 1:16

    but do make sure to find the solution that works best for you and your needs.

  • 1:20

    Let's take a look at what LastPass can offer.

  • 1:22

    The whole premise of password managers is that you no longer have to generate and

  • 1:26

    remember all the passwords in your life.

  • 1:29

    As the name suggests, LastPass just needs that final

  • 1:33

    master password to access the other passwords you've stored.

  • 1:36

    So let's log in with that one password you'll have to remember.

  • 1:49

    Now that we're logged into our password manager service,

  • 1:51

    we can go to any site that would require a password, and

  • 1:54

    the manager will recognize that it has credentials available.

  • 2:03

    I just fill in the fields like this, and I'm in.

  • 2:10

    Another super helpful feature that most password managers offer is strong password

  • 2:14

    generation.

  • 2:19

    I can choose the password length, up to 100 characters long,

  • 2:22

    as well as set some character restrictions to match the site's requirements.

  • 2:34

    I can then store this super strong password with the manager and

  • 2:37

    never have to think about it again.

  • 2:42

    Password managers are great tools because they address the convenience security

  • 2:46

    tradeoff directly.

  • 2:48

    They reduce the inconvenience and frustration that can

  • 2:51

    come from password fatigue and they up your security in the process.

  • 2:55

    They're likely better at generating strong passwords than any human would be.

  • 3:01

    Now, with a strong unique password for each site,

  • 3:04

    we're safe from credential stuffing attacks if a service ever has a breach,

  • 3:08

    but that doesn't help for the hacked site itself.

  • 3:11

    Another type of tool exists to protect your data

  • 3:14

    even if your password is out in the open, it's called two factor authentication.

  • 3:19

    It's more of a feature that you can enable for sites that support it

  • 3:22

    than it is a service you can purchase, but it is highly recommended.

  • 3:27

    Two factor auth is an additional layer of security on top of your passwords.

  • 3:32

    It is often a code that is sent to you as a text message or

  • 3:35

    generated on a device you own like your smartphone.

  • 3:38

    In fact you likely already use it in your life without realizing it.

  • 3:42

    It's the reason you carry an ATM card and use a PIN.

  • 3:46

    This is how two factor auth often is used for your online accounts.

  • 3:51

    You log into a site with your username and password.

  • 3:54

    The site then prompts you again to enter a code.

  • 3:57

    That code is either texted to you or better yet you have set up a special app

  • 4:02

    on your phone that generates these codes for you every ten or so seconds.

  • 4:07

    You enter that code and now you're logged in.

  • 4:10

    It's a little extra effort up front, but

  • 4:12

    two factor authentication is an incredibly effective security mechanism.

  • 4:17

    Your data is safe even if your password was leaked or

  • 4:20

    even if you were tricked by a phishing scam.

  • 4:23

    I'd like to offer a few additional notes about password managers,

  • 4:27

    email, and security questions.

  • 4:30

    Password managers store your secrets, which make them prime targets for hackers.

  • 4:35

    Make sure that you are comfortable with that level of trust, and you still need to

  • 4:39

    be extra cautious with that final password used to log into the password manager.

  • 4:45

    Another security concern to think about is

  • 4:47

    that your email is often used as your personal identity.

  • 4:51

    If you lose access to your email or it's compromised in some way,

  • 4:55

    many sites offer password recovery or reset through your email.

  • 4:59

    Your email account would be an ideal place

  • 5:02

    to start enabling two factor authentication for this exact reason.

  • 5:07

    As another mode of password reset and recovery, and even sometimes as a limited

  • 5:11

    form of two factor authentication, sites will ask you security questions.

  • 5:16

    They're meant to be questions that only you would know and

  • 5:19

    would have the answers readily available, but

  • 5:21

    would prevent strangers from attempting to take over your account.

  • 5:24

    This may have been effective in the past, but choosing the right questions and

  • 5:29

    answers can often be harder then generating a strong password.

  • 5:32

    And with questions like what is the name of the high school you went to,

  • 5:35

    the answers can often be easily found on a person's social media profile.

  • 5:40

    So be mindful of these questions.

  • 5:42

    And when available, we should all be moving to more secure two factor options,

  • 5:47

    like the cogenerating apps on our smart phones.

You need to sign up for Treehouse in order to download course files.

Sign up