Heads up! To view this whole video, sign in with your Courses account or enroll in your free 7-day trial. Sign In Enroll

Preview

Start a free Courses trial
to watch this video

Sign up for Treehouse

The Dangers of Passwords (part 2)

5:50 with Greg Stromire

This video introduces tools and strategies to address some of the shortcomings of password-based logins.

New Terms:

  • Password Fatigue -- A tiredness associated with the inconveniences of passwords in a daily routine. Can lead to poor security choices for relief.
  • Credential Stuffing -- An automated attack attempting the login information from a leaked account with a different service in hopes that the targeted user reused the info.
  • 2-Factor Authentication -- An additional layer of security requiring two forms of proof, like an ATM card and a PIN.
  • Security Questions -- Asked by sites as a limited form of 2-factor auth to provide a level of “proof” of identity. Many of the answers to these questions are available through public record or provided by social media profiles.

Further Reading:

Two-Factor Authentication

Password Managers:

Article: The Best Password Managers of 2017
People have strong feelings about their password managers. Choose the one which works for you. This is an incomplete list of password managers available.

In the last video, we explored the importance of password strength. 0:00
They should be unique, sufficiently complex, and the longer the better, 0:04
but doing this for every site and service can lead to password fatigue. 0:08
Many people just don't think it's worth the inconvenience of coming up with long, 0:13
unique passwords for everything they do. 0:17
And it inevitably leads to the breaches we discussed in our very first video. 0:19
And one of the biggest risks you can take is to reuse a password for 0:23
more than one site. 0:28
Imagine that you've created a really strong password. 0:30
You think it's nearly unbreakable, so you use it for social media, 0:33
for your email, and for your bank. 0:36
If, for example, 0:39
the social media account is breached, that password is effectively out in the open. 0:40
Many attackers can then try what's called credential stuffing, using an automated 0:45
tool to attempt the username and password breached from one site, on another. 0:50
Now those attackers can access your bank and email, so 0:55
password uniqueness is just as important as password strength. 0:58
Now that we've sufficiently explored the importance of password strength and 1:02
security, I'll introduce one of the best tools available to help you stay on top 1:05
of your passwords. 1:10
Password managers. 1:11
There are several options available, and I'll demonstrate one of the most popular, 1:11
but do make sure to find the solution that works best for you and your needs. 1:16
Let's take a look at what LastPass can offer. 1:20
The whole premise of password managers is that you no longer have to generate and 1:22
remember all the passwords in your life. 1:26
As the name suggests, LastPass just needs that final 1:29
master password to access the other passwords you've stored. 1:33
So let's log in with that one password you'll have to remember. 1:36
Now that we're logged into our password manager service, 1:49
we can go to any site that would require a password, and 1:51
the manager will recognize that it has credentials available. 1:54
I just fill in the fields like this, and I'm in. 2:03
Another super helpful feature that most password managers offer is strong password 2:10
generation. 2:14
I can choose the password length, up to 100 characters long, 2:19
as well as set some character restrictions to match the site's requirements. 2:22
I can then store this super strong password with the manager and 2:34
never have to think about it again. 2:37
Password managers are great tools because they address the convenience security 2:42
tradeoff directly. 2:46
They reduce the inconvenience and frustration that can 2:48
come from password fatigue and they up your security in the process. 2:51
They're likely better at generating strong passwords than any human would be. 2:55
Now, with a strong unique password for each site, 3:01
we're safe from credential stuffing attacks if a service ever has a breach, 3:04
but that doesn't help for the hacked site itself. 3:08
Another type of tool exists to protect your data 3:11
even if your password is out in the open, it's called two factor authentication. 3:14
It's more of a feature that you can enable for sites that support it 3:19
than it is a service you can purchase, but it is highly recommended. 3:22
Two factor auth is an additional layer of security on top of your passwords. 3:27
It is often a code that is sent to you as a text message or 3:32
generated on a device you own like your smartphone. 3:35
In fact you likely already use it in your life without realizing it. 3:38
It's the reason you carry an ATM card and use a PIN. 3:42
This is how two factor auth often is used for your online accounts. 3:46
You log into a site with your username and password. 3:51
The site then prompts you again to enter a code. 3:54
That code is either texted to you or better yet you have set up a special app 3:57
on your phone that generates these codes for you every ten or so seconds. 4:02
You enter that code and now you're logged in. 4:07
It's a little extra effort up front, but 4:10
two factor authentication is an incredibly effective security mechanism. 4:12
Your data is safe even if your password was leaked or 4:17
even if you were tricked by a phishing scam. 4:20
I'd like to offer a few additional notes about password managers, 4:23
email, and security questions. 4:27
Password managers store your secrets, which make them prime targets for hackers. 4:30
Make sure that you are comfortable with that level of trust, and you still need to 4:35
be extra cautious with that final password used to log into the password manager. 4:39
Another security concern to think about is 4:45
that your email is often used as your personal identity. 4:47
If you lose access to your email or it's compromised in some way, 4:51
many sites offer password recovery or reset through your email. 4:55
Your email account would be an ideal place 4:59
to start enabling two factor authentication for this exact reason. 5:02
As another mode of password reset and recovery, and even sometimes as a limited 5:07
form of two factor authentication, sites will ask you security questions. 5:11
They're meant to be questions that only you would know and 5:16
would have the answers readily available, but 5:19
would prevent strangers from attempting to take over your account. 5:21
This may have been effective in the past, but choosing the right questions and 5:24
answers can often be harder then generating a strong password. 5:29
And with questions like what is the name of the high school you went to, 5:32
the answers can often be easily found on a person's social media profile. 5:35
So be mindful of these questions. 5:40
And when available, we should all be moving to more secure two factor options, 5:42
like the cogenerating apps on our smart phones. 5:47

You need to sign up for Treehouse in order to download course files.

Sign up