How To Build A (Nearly) Hack-Proof Password System

It seems like every day there’s fresh news of a site or service being hacked. The intruders make off with usernames and passwords, and even if they’re encrypted the service forces users to change them. Here’s how you can fight back and avoid hassles when the next hack happens.

We’re big fans of LastPass, a cross-platform password manager that helps you create and manage secure, unique passwords for every site, but the point of failure is obvious: What happens if someone gets your master password? Here’s how you can beef up LastPass by turning a USB flash drive into a key you have to plug in to your computer before you can access your passwords. This way, the next time a service you use has been hacked — even if it’s LastPass — you won’t worry.

If you’re not already using LastPass to generate, maintain and manage different and unique strong passwords for every site and service you use on the web, it’s time to get started. The beauty of LastPass is that it’s available for Windows, Mac, Linux and even mobile devices, and you can choose and remember one strong password and then use that password to manage and access all of your other logins and services on the web.

Still, LastPass keeps all of your passwords in the cloud, and while they’re as secure as they possibly could be, if someone gets hold of your LastPass password, you’re pretty much screwed, right? Not if you have a spare USB drive with Sesame, a utility that turns your USB key into an actual key needed to unlock your LastPass vault.

Once installed and set up, you’ll need both your LastPass master password and your key plugged into your Windows, Mac or Linux PC in order to unlock your vault and access your saved passwords.

Step One: Get LastPass And Set It Up

The first thing you’ll need is LastPass, and a Premium Account. It’s $US12/year, but that’s a small price to pay for password security. LastPass is our favourite any-browser, any-OS password solution, and if you haven’t tried it yet, The How-To Geek has a great guide to getting started with it, and we have a more advanced guide to mastering your passwords and increasing your personal security with it.

Step Two: Grab a USB Flash Drive and Install Sesame

The next thing you’ll need is a USB flash drive. Building on the principle that the most secure password is the one you can’t remember, your second authentication factor will be a physical device, not a passkey or code. LastPass offers a tool called Sesame that can turn any USB drive into a second authentication method to use when you need access to your LastPass vault. This way, even if someone obtains your LastPass password, it’s useless without the USB drive, and vice versa.

You already know how to secure your personal belongings, like your wallet or keys, so a USB flash drive like the LaCie key-shaped USB drives that fit right on your keychain shouldn’t be a problem to keep safe and secure.

Once you have Sesame downloaded and extracted to your USB drive, here’s how to set it up:

  1. Run the Sesame utility on your USB drive, and log in with your LastPass credentials.
  2. Sesame will email you an activation code, required to enable two-factor authentication on your account.
  3. Click the link in your activation email to activate Sesame. (Note: The activation code is only good for 10 minutes.)
  4. After you’ve activated Sesame, you’ll have to log in with both a Sesame one-time token and your LastPass credentials whenever you want to access your password vault (more on this in the next section).

Step Three: Use Your Key To Access Your Password Vault

Going forward, you’ll need your USB drive any time you want to access your LastPass vault, for example when a service or site you have an account with gets hacked and you need to change that password, or when you reset a password for one of those services.

To access your LastPass vault once you have Sesame enabled, you have two options.

  • Option One:
    1. Visit LastPass in your browser, and log in with your LastPass credentials.
    2. When you’re prompted for a Sesame one-time token, pop in your USB key and run Sesame to generate your token and copy it to the clipboard.
    3. Paste the token into the authentication screen, and click OK to access your password vault.
  • Option Two:
    1. Insert your USB key and run Sesame.
    2. Check the box for “Launch Browser,” and click the “Generate One Time Password” button.
    3. Sesame will generate your token, open your browser and go to LastPass, and pass the token for you. Type in your master password, and click OK to access your vault.

Don’t worry if you lose your Sesame USB key; the key is useless without your LastPass email address and master password. You can always visit your LastPass vault, click the link in the authentication screen to tell LastPass that you no longer have your Sesame device, and confirm via email that you want to deactivate Sesame. Then, you can grab another USB key, reinstall Sesame, re-activate it, and be on your way.

Step Four: Audit Your Passwords And Strengthen Security

Now that your LastPass vault is well protected with two-factor authentication, it’s time to tune up the passwords that LastPass is protecting. After all, LastPass won’t do you much good if your Amazon password is “password” or if your Google account password is “123456.” We’ve discussed how you can use LastPass to audit and update your passwords, and even how you can make those passwords more secure and easy to use. If you’re taking steps to make your LastPass account as hack-proof as possible, you may as well go the extra mile and make your individual passwords as strong as possible as well.

As we mentioned, Sesame is a great tool to make sure that even if LastPass gets hacked, or someone gets hold of your LastPass master password, they don’t have carte blanche to log in to your LastPass account and grab your credentials to everything else on the web. It doesn’t, however, automatically add a second authentication method to all of the services you use, so it’s important to make sure those passwords are strong.

Photo by Juan J. Martinez.

Step Five: Consider Secondary Authentication For Other Web Services

In addition to beefing up your LastPass account, you might want to consider activating two-factor authentication for any other web services where it’s available. For example, we’ve discussed how you can — and should — set up two-factor authentication for your Google account, and how you can do the same for your Facebook account as well. Many banks and financial institutions are coming around to offering two-factor authentication before you can get at your financial statements or move your money around, so contact your bank or investment firm to see if that added security is available to you.

Step Six: Stay Vigilant

If you’ve been following along, you should now have LastPass set up with two-factor authentication for your vault, you’ve audited your passwords and made them stronger and more difficult to crack, and you’ve activated multi-factor authentication on the services where it’s available to you. None of that means you can relax and forget about security — you’ll still need to quickly change your passwords for any sites or services you use that get hacked, and you’ll still need to use different strong passwords for each site or service you use. No password mechanism, web service, or authentication scheme is completely hack-proof. That said, this should help you breathe a little easier.

Alternatives To Your Thumb Drive Key

LastPass provides more than one way to set up two-factor authentication, so if you don’t like this specific method, you have other options. For starters, you can purchase a YubiKey from Yubico for about $US25, and set up YubiKey authentication on your LastPass account for the same effect. You can also use LastPass with Google Authenticator and turn your smartphone into the “key” that — along with your master password — unlocks your LastPass vault. If you’re not interested in paying for a LastPass premium account, consider grid multifactor authentication for your LastPass account, a technique we’ve shown you that you can apply to other services.
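The Sesame one-time token from Step Three and the Google Authenticator option above rest on the same idea: the thing you have computes a short code from a secret that only it and the server share, and the server checks the code against its own copy, so a stolen master password alone is not enough. Google Authenticator implements the time-based one-time password algorithm of RFC 6238 (HOTP from RFC 4226 with the counter taken from the clock in 30-second steps). The Python below is an added example written for this article, not Sesame’s, LastPass’s or Google’s code; it shows how a server-side verifier checks such a code, tolerates a small amount of clock drift, and refuses to accept the same code twice. The `Verifier` class, the function names and the use of the RFC 4226 test key as the shared secret are assumptions for illustration.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter,
    dynamically truncated to a 31-bit integer, reduced to `digits` digits."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP whose counter is Unix time divided by the step."""
    return hotp(secret, at_time // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are provisioned with a base32 secret (QR code or
    typed string); the server stores the decoded bytes."""
    return base64.b32decode(encoded.upper())


class Verifier:
    """Server side of the exchange (assumed design, not any vendor's code).

    Accepts a code within +/- `window` time steps of the server clock, and
    remembers the highest counter already used so a code that was observed
    once (shoulder-surfed, logged, intercepted) cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1, digits: int = 6):
        self.secret = secret
        self.step = step
        self.window = window
        self.digits = digits
        self.last_counter = -1  # no code consumed yet

    def verify(self, candidate: str, at_time: int) -> bool:
        now = at_time // self.step
        for delta in range(-self.window, self.window + 1):
            counter = now + delta
            if counter < 0 or counter <= self.last_counter:
                continue  # already consumed (or before the epoch): reject replay
            expected = hotp(self.secret, counter, self.digits)
            # constant-time comparison so timing does not leak matching digits
            if hmac.compare_digest(expected, candidate):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    # Constructed demo using the RFC 4226 test key, not a real provisioned secret.
    key = secret_from_base32("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    server = Verifier(key)
    code = totp(key, 59)                      # what the device would show at t=59
    print("device shows", code)
    print("first use accepted:", server.verify(code, 59))
    print("replay accepted:   ", server.verify(code, 59))
```

The replay guard is the detail most home-grown verifiers miss: a six-digit code is only “one-time” if the server refuses it on the second presentation within the same time step, which is why `last_counter` advances on every successful check rather than simply comparing against the current step.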