Secure online passwords

Most people think they wouldn’t mind if all their online accounts were taken, but if you ever were targeted you would quickly realise how much you are affected.

Examples:
Any personal data you have, they now have.
(Photocopies of your passport you sent to your employer, national insurance numbers etc)
Access to your email account will likely give them access to your Facebook.
Click forgotten password in Facebook and they email you a password to get in again.
They can email and post on Facebook to all your family and friends that you are stuck in France and need money to get back.
“Please put your card details into this website to lend me the money and I will pay you back.”
Sounds silly, but the older generation fall for this because it came from you, and before you know it your grandparents’ bank accounts are missing a hundred pounds.
Or they could delete your account completely, losing everything.

Poor Mat Honan who was targeted by hackers
http://www.wired.com/gadgetlab/2012/08/apple-amazon-mat-honan-hacking/

In Mat Honan’s case it was due in part to some flaws at Apple and Amazon, but the fact that all his accounts were linked meant that the destruction was worse.

So this is a walk through on what I do to secure my online accounts – Email, social media or any other websites I use.

Passwords

If you use the same password in more than one place, you are vulnerable.
Many websites seem not to hash (that is, store in a protected, one-way form) their users’ passwords, so if a hacker gets into their database they will have your email address and the password you used.
They then go to Facebook, Twitter and Gmail, try the same combination, and there is a good chance they will get access.
So you need to use a different password for each website you use, and each one should be long and made of random characters (not common words).
I can’t remember all of them, and I am sure you can’t either, so we need something to help us manage this.
Lastpass does just that, so this is what I use for this walkthrough.
There are other providers, so it’s your call if you want to use something else.

What you need

TrueCrypt (Free)
http://www.truecrypt.org/downloads

Lastpass Premium ($1/month)
https://lastpass.com/features_joinpremium.php
Free option available but not for mobile phones (so worth paying for that option)
Also Multifactor authentication via USB Thumb Drives (optional)

What I cover

Home PC
iPhone
Android tablet

Just to be clear:

None of the email addresses or passwords here are actual ones I use; these are examples of what they look like.
Also, you do this at your own risk. If you get hacked or forget your own passwords, it’s your fault.

How to start:

Open a new Notepad document and save as:
Structure_list.txt
(We will be encrypting this later)

All of these tasks should be done on your home computer, not a work computer, as your employer might be tracking your activities or have poor security themselves.
It would also be good to have a secure computer free from viruses:
http://glynrob.com/security/secure-my-computer/

Secret Email Account

Firstly you need a brand new email address.
This email address will be a random one that you do not give out to anyone except your other email providers and Lastpass.
If they don’t know your email address, they can’t hack it.
I recommend Gmail but feel free to use any provider that you like (but try to use a big name as their security is better)

https://accounts.google.com/SignUp
Don’t use any real details when creating this account, and note down everything you type into Structure_list.txt.

So my username is something like gb38sjh2g32ai2m
So this email address will be gb38sjh2g32ai2m@gmail.com

Generate a password from this website:
https://www.grc.com/passwords.htm
Select the 63 random printable ASCII characters password.

Don’t enter a Mobile Phone number or current email address
Remember that this is a backup email if the worst happens.
Don’t allow Google+ on your account and click through the steps till your account is created.

Done, you now have a backup email address that no-one knows.
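As an added illustration (my own code, not part of the original post) of the two points above, that passwords must be long and random and that the backup username and its 63-character printable-ASCII password can be generated locally rather than on a website: Python's `secrets` module draws from the same 94-character printable set, and the entropy helper shows why a 10-letter word-like password is not in the same league. Function names here are my own.

```python
"""Local generator for an opaque mailbox name and a 63-char random password."""
import math
import secrets
import string

# The 94 printable ASCII characters other than space: the set the
# "63 random printable ASCII characters" option described above draws from.
PRINTABLE_ASCII = string.ascii_letters + string.digits + string.punctuation
# Lowercase letters and digits, for a mailbox name like gb38sjh2g32ai2m.
ALNUM_LOWER = string.ascii_lowercase + string.digits


def random_password(length: int = 63, alphabet: str = PRINTABLE_ASCII) -> str:
    """Draw each character independently from the OS CSPRNG (secrets, not random)."""
    if length < 1 or len(alphabet) < 2:
        raise ValueError("need a positive length and at least two symbols")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_username(length: int = 15) -> str:
    """Opaque username; starts with a letter so mail providers accept it."""
    if length < 1:
        raise ValueError("length must be positive")
    first = secrets.choice(string.ascii_lowercase)
    rest = "".join(secrets.choice(ALNUM_LOWER) for _ in range(length - 1))
    return first + rest


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    user = random_username()
    pw = random_password()
    print(f"{user}@example.com")          # example.com is a placeholder domain
    print(pw)
    print(f"63 printable ASCII chars: {entropy_bits(63, 94):.0f} bits")
    print(f"10 lowercase letters:     {entropy_bits(10, 26):.0f} bits")
```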

Download Lastpass

Now that is created, it’s time to download Lastpass https://lastpass.com/misc_download.php
Run through the setup process requested
I only have Lastpass installed on Firefox as this is the only browser I use for anything logged in.
If you use other browsers you should select them instead.

Then create your account with the new email address you have created
This password you need to remember so try and use something long but also memorable
(Note this password down in Structure_list.txt)
Tick all the checkboxes
Keep me logged into Lastpass – use this if you have a good habit of locking your computer with a strong password, if not, let them log you out.

For Firefox you need to manually add the browser add-on.
Go to add-ons and search for ‘Lastpass’ (you’ll find it)
Once installed you can login (the add-on was on the top right of the browser bar for me)

Go to: https://lastpass.com/features_joinpremium.php
And purchase Lastpass Premium for $12/year with the new email address you have set up.
I pay with PayPal
If you have a PayPal account hooked to your card already then you need to login.

So you now have a base for your passwords. If someone gets hold of this information, you’re screwed so don’t give it to anyone, not even a girlfriend/wife.

Secure your current email accounts:

Gmail account:
Login (without allowing Lastpass to remember this password)
Go to https://www.google.com/settings/security
Change your password to something secure:
The Lastpass Firefox add-on will now give you a chance to generate a strong password (right click on the password field if the add-on doesn’t pop up with this option).
Choose a high password length and special characters, then click generate.
Once this new password is saved we want to check (as we are new) that it all works.
So logout and log back in again. Right click on the password field and you have LastPass options to copy the generated password.
Select that and paste into the password box.
Now allow Lastpass to save the login and you will not need to go through this process again on this machine. (Group Email)

To add some extra security to your Gmail account,
go back to https://www.google.com/settings/security
Update recovery options
Add your mobile number and the new email address as your recovery address
Also add a security question but with a silly answer that no-one can guess and has nothing to do with the question (even a generated password)
Save this answer as a security note in your Lastpass vault if you ever need it again.

Under Connected applications and sites, click manage access
and remove access to any applications that you don’t use regularly.

2-step authentication is an option should you wish it for extra security, but it becomes a bit of a pain sometimes.
This is your call as you have a pretty good secure email account now.

Now write in your Structure_list.txt this email address (but no other information)

Now do the same for any other Gmail accounts you have

Don’t forget to log into the Google Talk client if you use that service on your computer.
To get the password for any login you have, go to your Lastpass vault and click the edit icon next to the account you need the password for,
then use the Show option next to the password to copy and paste it wherever you need.

Hotmail account:
Login to your Hotmail account
Go to https://account.live.com/summarypage.aspx
Click ‘Change Password’
Let Lastpass auto generate a new password for you
Save
Click ‘Edit security info’
Add the new email address to Alternative email addresses
You have to confirm from old email address (if you have any set)
Delete any old ones you had setup (You have to jump through a few hoops to do this)
Change security question to anything with some random answer – save this question and answer in Lastpass secure notes
Logout and login with Lastpass (save the login so it is remembered in your account) (Group Email)

Now write in your Structure_list.txt this email address (but no other information)

If you use MSN messenger on your computer you will want to login now with the new password

Any other email accounts that you use, do the same as above changing the password and the fallback email to the secure one you created.

Now you will not use this new secure email address anywhere else.
You will only use your existing email accounts to keep this secure email account secret.

Social Media

Facebook
Log into Facebook
Go to https://www.facebook.com/settings
Edit password
Generate secure password with Lastpass (right click option)
Log out of other devices (just to ensure that no-one else currently is logged in as you)
Log out and log in again, saving the Lastpass login to your account (Group social)

While here you should check over your other settings in https://www.facebook.com/settings
As this account is connected to an email address, edit Structure_list.txt and add Facebook below the email account that this is related to.

Twitter
Log into twitter
Go to https://twitter.com/settings/profile
Click password
Generate secure password with Lastpass (right click option)
Save
Log out and log in again, saving the Lastpass login to your account (Group social)

As this account is connected to an email address, edit Structure_list.txt and add Twitter below the email account that this is related to.

Anything else
The same as above, change the password, logout and back in again with Lastpass saving the site.
Also check over your security settings if they give you any further options.
Remember to make a note of which accounts are connected to which email addresses and save them in Structure_list.txt

Other computers and devices

On any computer you own that is protected by a password, you can install the browser add-on as before.
It is a bit of a pain to have to type in the secure email address, but it is only once and you are good to go from then on.

Android
I use the Nexus 7 but this will be the same for all Android devices
Make sure you have a secure password to access your device
Go to the Google play store and it will ask you for a password (because we changed the password for our Gmail account earlier)
You will have to manually type in the password once for this account, but once done you will not have to do it again.

Download Lastpass password manager
Login (yes, typing that secure email is a pain but worth it)
Once done you now can login to any of your accounts with one click
If you want to use the native application (the app on the phone) you can hold down the account you want to login on and it will give you an option to copy the password
Go through all apps that you changed the password for and login again with the new passwords.

iOS
I use an iPhone 5 but all other iPhones and iPads work the same way too.
Make sure you have a secure password to access your device
Download the Lastpass for Premium app from the store
Login (yes, typing that secure email is a pain but worth it)
Go through all apps that you changed the password for and login again with the new passwords.

Other options

If you are using an untrusted public computer and need to access your LastPass data but are hesitant to do so because of potential keyloggers, LastPass provides One Time Passwords (OTPs) as one option for securely accessing your account.
While using a trusted computer, go to https://lastpass.com/otp.php to create a list of random passwords that can be used only once to log into LastPass. You must be logged into the plugin to manage your OTPs. From this page, you will be given the option to Add a New One Time Password, Clear All OTPs, or Print your OTPs.

LastPass can be configured to work with YubiKeys made by Yubico. YubiKeys are a secure, easy to use, two-factor authentication device that are immune from replay-attacks, man-in-the-middle attacks, and a host of other threat vectors.
Go to Lastpass settings to find out more.

Also in Lastpass settings you can increase your security by only allowing access in certain countries etc.
Have a look through the options and see if there are any there that you wish to add.

Final step
Encrypt your Secure email address and connected account list

Now your Structure_list.txt should look something like this:

Encrypt this text file in TrueCrypt with a passphrase (the volume only needs to be small, say 1 MB).
Now that you have saved this as an encrypted file, you can delete the original unencrypted version
(you might want to practise creating and opening this encrypted volume a few times if you have never used TrueCrypt before).

Finally, this encrypted file must not be lost. You could email it to your mum, or burn it to CD.
It is heavily encrypted, so right now even governments don’t seem able to decrypt these files if a long passphrase was used.

And that’s it, your online life is now tightly locked down.
If anyone ever does manage to get into one of your accounts (which is very unlikely now), you can check through the Structure_list.txt file to see what else they have connection to and reset the password on all of them.

If anyone has any further points to add to this list, feel free to add them to the comments below.
