Jan 8, 2014

Start 2014 Right With These Security To-Do's


With another year begun, it’s a perfect time to revisit the state of your security, and to set some new goals to continue protecting your data and your identity throughout the year.

Here are some to-dos for the top of your list to get you started:
  1. Enable locks and PIN codes. Take 5 minutes to set up a PIN for your smartphones and tablets. On your computer, change your settings so that your screen auto-locks after a particular time limit, requiring you to log back in again.
  2. Do an antivirus check. Are you running antivirus on all of your desktops and laptops? Are you running the latest updates to that software, and have you performed scans recently? Although it can’t stop all attacks, antivirus is a solid defense against many security threats, so it’s important to run it and update it when prompted. PCMag’s list of reviews and comparisons is a great place to start.
  3. Back it up. If you’ve been procrastinating on digging out that external hard drive, put it at the top of your list this week. Back up all documents, photos, and other files that you wouldn’t want to lose should your hard drive crash or your device be stolen. For tips on getting started, check out this article on PCWorld.
  4. Use multifactor authentication where you can. A growing number of services now support multifactor authentication - Twitter, Facebook, Dropbox, Gmail, Apple, Evernote, PayPal, Microsoft, Amazon Web Services, LastPass, and more. Multifactor authentication adds an extra login step, so that a user must supply what they know (a username and password, for example) with something they have (like a one-time code), reducing the risk of someone gaining unauthorized access to your accounts. LastPass supports a number of multifactor authentication options so you can choose the one that best suits your setup and needs.
  5. Flush out your browser. If you haven’t in a while, it’s a great time to clear your cache and cookies - and clear out your browser password managers. In most browsers this can be located in the “settings” or “internet options” menus, where you can remove insecure passwords and profiles.
  6. Audit your passwords. Use the LastPass Security Check, located in the Tools menu in the LastPass Icon, to help you identify weak and duplicate passwords. You can then prioritize going to those sites, logging in, and following our steps to replace the passwords with new, strong, unique passwords generated by LastPass.
What are your security resolutions for 2014? Share your tips and suggestions with our community in the comments below.

16 comments:

  1. Hey, for #6 it would be great if you guys added password age to the LastPass Security Check!

    Replies
    1. Good thought, John, hopefully this is something we can add in the future.

  2. Some great tips here and LastPass is central!
    The only thing I would say is that not all multifactor authentication services are made equal. LastPass, Google, Evernote and Buffer use Google Authenticator, which works offline, but unfortunately LinkedIn, SpiderOak and Facebook use SMS, which requires that you are connected to a cell tower. That's not great if you are abroad or in a dead spot.

    Replies
    1. That's a great point - multifactor options should definitely be well-researched so you understand which will be best based on the devices you use and your setup.

    2. Note:
      Facebook supports both SMS and Google Authenticator.

    3. Thanks for letting me know that FB supports Google Authenticator. It didn't seem to be an option a year ago when I last looked at it. Was this a new addition or did I just miss it?

  3. Is it possible to use Lastpass with Google Authentication from multiple phones? I sometimes have my work phone, sometimes my personal, and I'd like to be able to access Lastpass from either depending on the situation.

    Replies
    1. That's a great question, to which the answer is: yes, you can! Unfortunately there's not a lot of help on the web about it, but I found out how.
      When you first get the QR code that you scan into your Google Authenticator, take a screenshot and save it as an attachment in LastPass. Then scan it on your phone. When you want to add it to another device, just open up the screenshot and scan it with your GA app on that device.

    2. No need to scan saved screenshots for that. On the Multifactor panel of LP, you can show the QR code again after adding your first device (there's an option for that).

  4. I only wish that I had discovered LastPass sooner. Not just for security issues. It is also essential for keeping track of my growing online life and activities. If I have any negative comments at all it's just that I think the passwords it comes up with could be even better. I use another (free) dedicated app just for that task alone. But I still tell friends to try LastPass anytime the subject of security comes up!

    Replies
    1. Have you tried our "advanced options" for generating passwords? Would welcome any additional feedback - thanks!

    2. The "advanced options" is not quite advanced enough when it comes to special characters. For instance, LastPass password generator only utilizes eight ASCII special characters, not the full 33 ASCII special character set (see link below). The reason I have an issue with it is that several of the websites I encountered require that I use at least one of the characters that are excluded from the generator and some of the websites that do accept the excluded characters even reject the included characters. Since Chrome doesn't allow manual editing of the generated password, I had to use a dedicated password generator in place of LastPass password generator to get the desired result just to comply with the websites' password requirements. Quite frankly, doing this every time is very inconvenient. However, you can eliminate this inconvenience by simply adding support for the remaining 25 excluded characters and giving us an option to specify which special characters to include or exclude. In fact, you can take a page straight from Roboform password generator. The generator has a text box where you can edit the special character set (see link below).

      Note that the 33 ASCII special characters are generally found on keyboards. The rest of the characters not found on the keyboard fall under the extended ASCII characters. You do not need to add support for the extended ASCII characters since many websites do not accept them at all.

      33 ASCII special characters

      Roboform password generator

    3. Thanks for the suggestions and feedback, I've shared this with the developers for their consideration.

  5. When LastPass came into existence, I had doubts about the security they offer for the passwords. But now I am a satisfied user of theirs, with a lot of satisfaction. The way they improved step by step really attracted me. :)

  6. My recommendation is: try to figure out LastPass, how it is installed, what it is (plug-in, extension, app, software, program) and what the messages mean that are sent about LP.

    Here's what I mean: Initially I installed it on my older WinXP desktop and laptop running Chrome (Firefox as backup browser) about a year ago. Awesome little tool to keep the pws tidy and more secure. I was happy as a clam.

    Finally upgraded to a new Win8 laptop (hate Win8!) recently and, after installing Chrome as my default browser, I think I went to the Chrome store and got LastPass there. I thought LP WAS an extension/plug-in since it's listed under Chrome. It's been installed and was working pretty good but not too long ago I began getting a message at the top of my vault: "It is highly recommended that you install the LastPass plug-in for the best possible experience. You may encounter reduced functionality otherwise."

    I clicked that linked message but it downloaded an .exe and I got worried about it, wondering if somehow someone had tricked me in my own vault, so I deleted the .exe. I looked for details on this downloaded file and on the message about "needing the plug-in" on the LP site and blog but could not find anything.

    So my New Years security solution is to try to figure out what this all means and what I should do next. I already have LastPass so why is this message appearing? Isn't the stuff in the Chrome store the "plug-in"? When I look at Chrome Settings/Extensions, LastPass is listed, enabled and is the most current version, so what does this message mean? I do seem to be having issues with LP logging in automatically now - it gives me an error and I end up having to manually log in, sometimes takes a few tries. Maybe you can help me on my New Year's quest for knowledge?

  7. URL:https://lastpass.com/upgrade.php?ver=3.1.0&lastver=3.0.22&type=cr&upgrade=3.0.22&lang=en-US

    Recent changes to LastPass:

    v3.1.0 - Feb 14th 2015 -- Chrome/Firefox/IE/Safari/Android

    2015 !?!?
