This video introduces tools and strategies to address some of the shortcomings of password-based logins.
New Terms:
- Password Fatigue -- The weariness that comes from having to create, remember and type many passwords every day. It pushes people toward insecure shortcuts, such as short passwords or reusing one password across sites.
- Credential Stuffing -- An automated attack that takes username and password pairs leaked from one service and tries them, at scale, against other services, betting that the targeted users reused the same login.
- 2-Factor Authentication -- An additional layer of security on top of the password that requires a second, different kind of proof: something you have (a device or card) in addition to something you know (the password or PIN). An ATM card plus its PIN is the everyday example.
- Security Questions -- Asked by sites for password recovery, and sometimes as a limited form of 2-factor auth, to provide a level of “proof” of identity. Many of the answers are available through public records or social media profiles, so they prove far less than they appear to.
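Credential stuffing has a recognizable shape in a service's authentication logs, and the accounts it breaks into are exactly the ones whose owners reused a password. The following Python is an added example written for this page, not code from the course or from any product it shows. The log format (`timestamp ip user result`), the sample lines and the thresholds are all constructed for illustration.

```python
"""Detect credential stuffing in authentication logs.

Added example for this page (not from the course); the log format and the
thresholds are constructed for illustration.

The signature of credential stuffing is the opposite of a normal user: one
source tries MANY DIFFERENT usernames, mostly failing, and the few successes
are the accounts whose owners reused a breached password.  A legitimate user
who mistypes a password tries ONE username a few times and then succeeds.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample log; the "ts ip user result" format is an assumption.
SAMPLE_LOG = """\
2017-09-14T10:00:01Z 198.51.100.7 alice FAIL
2017-09-14T10:00:09Z 198.51.100.7 alice FAIL
2017-09-14T10:00:15Z 198.51.100.7 alice OK
2017-09-14T10:01:00Z 203.0.113.5 bob FAIL
2017-09-14T10:01:01Z 203.0.113.5 carol FAIL
2017-09-14T10:01:01Z 203.0.113.5 dave OK
2017-09-14T10:01:02Z 203.0.113.5 erin FAIL
2017-09-14T10:01:02Z 203.0.113.5 frank FAIL
2017-09-14T10:01:03Z 203.0.113.5 grace FAIL
2017-09-14T10:01:03Z 203.0.113.5 heidi FAIL
2017-09-14T10:01:04Z 203.0.113.5 ivan FAIL
2017-09-14T10:01:04Z 203.0.113.5 judy OK
2017-09-14T10:01:05Z 203.0.113.5 mallory FAIL
2017-09-14T10:02:30Z 192.0.2.44 bob OK
"""


@dataclass
class SourceStats:
    attempts: int = 0
    failures: int = 0
    users: set = field(default_factory=set)       # distinct usernames tried
    successes: set = field(default_factory=set)   # usernames that logged in


def parse_log(text):
    """Yield (ip, user, ok) tuples; blank or malformed lines are skipped."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, ip, user, result = parts
        yield ip, user, result == "OK"


def aggregate(text):
    """Group attempts by source IP."""
    stats = defaultdict(SourceStats)
    for ip, user, ok in parse_log(text):
        s = stats[ip]
        s.attempts += 1
        s.users.add(user)
        if ok:
            s.successes.add(user)
        else:
            s.failures += 1
    return stats


def flag_stuffing(text, min_users=5, min_fail_ratio=0.6):
    """Return {ip: sorted list of compromised users} for suspicious sources.

    A source is suspicious when it tried at least `min_users` distinct
    usernames and at least `min_fail_ratio` of its attempts failed.  The
    successful logins from such a source are the accounts that reused a
    breached password; those are the ones to lock and force to reset.
    """
    flagged = {}
    for ip, s in aggregate(text).items():
        fail_ratio = s.failures / s.attempts
        if len(s.users) >= min_users and fail_ratio >= min_fail_ratio:
            flagged[ip] = sorted(s.successes)
    return flagged


if __name__ == "__main__":
    for ip, users in flag_stuffing(SAMPLE_LOG).items():
        print(f"{ip}: credential stuffing; force a reset for {users}")
```

In the sample, `198.51.100.7` is a real user mistyping twice before succeeding and is not flagged; `203.0.113.5` tries ten different usernames with two hits and is flagged, with `dave` and `judy` identified as the reused-password accounts. In production the same logic would run over a sliding time window and also key on user agent or ASN, since stuffing tools rotate source addresses.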
Further Reading:
Password Managers:
Article: The Best Password Managers of 2017
People have strong feelings about their password managers. Choose the one that works for you. This is an incomplete list of the password managers available.
0:00 In the last video, we explored the importance of password strength.
0:04 They should be unique, sufficiently complex, and the longer the better, but doing this for every site and service can lead to password fatigue.
0:13 Many people just don't think it's worth the inconvenience of coming up with long, unique passwords for everything they do.
0:19 And it inevitably leads to the breaches we discussed in our very first video.
0:23 And one of the biggest risks you can take is to reuse a password for more than one site.
0:30 Imagine that you've created a really strong password.
0:33 You think it's nearly unbreakable, so you use it for social media, for your email, and for your bank.
0:39 If, for example, the social media account is breached, that password is effectively out in the open.
0:45 Many attackers can then try what's called credential stuffing, using an automated tool to attempt the username and password breached from one site on another.
0:55 Now those attackers can access your bank and email, so password uniqueness is just as important as password strength.
1:02 Now that we've sufficiently explored the importance of password strength and security, I'll introduce one of the best tools available to help you stay on top of your passwords.
1:11 Password managers.
1:11 There are several options available, and I'll demonstrate one of the most popular, but do make sure to find the solution that works best for you and your needs.
1:20 Let's take a look at what LastPass can offer.
1:22 The whole premise of password managers is that you no longer have to generate and remember all the passwords in your life.
1:29 As the name suggests, LastPass just needs that final master password to access the other passwords you've stored.
1:36 So let's log in with that one password you'll have to remember.
1:49 Now that we're logged into our password manager service, we can go to any site that would require a password, and the manager will recognize that it has credentials available.
2:03 I just fill in the fields like this, and I'm in.
2:10 Another super helpful feature that most password managers offer is strong password generation.
2:19 I can choose the password length, up to 100 characters long, as well as set some character restrictions to match the site's requirements.
2:34 I can then store this super strong password with the manager and never have to think about it again.
2:42 Password managers are great tools because they address the convenience/security tradeoff directly.
2:48 They reduce the inconvenience and frustration that can come from password fatigue, and they up your security in the process.
2:55 They're likely better at generating strong passwords than any human would be.
3:01 Now, with a strong, unique password for each site, we're safe from credential stuffing attacks if a service ever has a breach, but that doesn't help for the hacked site itself.
3:11 Another type of tool exists to protect your data even if your password is out in the open: it's called two-factor authentication.
3:19 It's more of a feature that you can enable for sites that support it than it is a service you can purchase, but it is highly recommended.
3:27 Two-factor auth is an additional layer of security on top of your passwords.
3:32 It is often a code that is sent to you as a text message or generated on a device you own, like your smartphone.
3:38 In fact, you likely already use it in your life without realizing it.
3:42 It's the reason you carry an ATM card and use a PIN.
3:46 This is how two-factor auth is often used for your online accounts.
3:51 You log into a site with your username and password.
3:54 The site then prompts you again to enter a code.
3:57 That code is either texted to you or, better yet, you have set up a special app on your phone that generates these codes for you every ten or so seconds.
4:07 You enter that code and now you're logged in.
4:10 It's a little extra effort up front, but two-factor authentication is an incredibly effective security mechanism.
4:17 Your data is safe even if your password was leaked or even if you were tricked by a phishing scam.
4:23 I'd like to offer a few additional notes about password managers, email, and security questions.
4:30 Password managers store your secrets, which makes them prime targets for hackers.
4:35 Make sure that you are comfortable with that level of trust, and you still need to be extra cautious with that final password used to log into the password manager.
4:45 Another security concern to think about is that your email is often used as your personal identity.
4:51 If you lose access to your email or it's compromised in some way, many sites offer password recovery or reset through your email.
4:59 Your email account would be an ideal place to start enabling two-factor authentication for this exact reason.
5:07 As another mode of password reset and recovery, and even sometimes as a limited form of two-factor authentication, sites will ask you security questions.
5:16 They're meant to be questions that only you would know and would have the answers readily available, but would prevent strangers from attempting to take over your account.
5:24 This may have been effective in the past, but choosing the right questions and answers can often be harder than generating a strong password.
5:32 And with questions like "What is the name of the high school you went to?", the answers can often be easily found on a person's social media profile.
5:40 So be mindful of these questions.
5:42 And when available, we should all be moving to more secure two-factor options, like the code-generating apps on our smartphones.