Thursday January 5, 2023
Sprinkle a Little Pepper on that Password
You’ve probably heard by now about the security breach at LastPass. Not only were their systems breached, but apparently even the secure vaults where people trusted them with their passwords were also up for grabs by the hackers. I can’t imagine being a LastPass customer. My nerves would be shot.
I’m a stickler for security. My clients probably get tired of me constantly hounding them about good security practices. A solid password manager is a wonderful (and necessary) tool to make sure you’re using unique, strong passwords for all your accounts.
I personally use 1Password. I have no stock in their company, and I get no referral payments for saying so. I simply think their security model is second to none. Namely, they use a secondary encryption key (called an emergency key) to doubly make your vault’s encryption layer even stronger.
However, I still have trouble sleeping at night when I start thinking about what would happen if 1Password announced a security breach. I use 1Password for my own accounts and also securely store my client’s account info in their secure enclave. The latest version of 1Password, like many other password managers, require you to use their cloud storage to save your data. So, if it’s on the internet, it’s a target. Unless you are air-gapping your computer, you’re never going to be impenetrable. So what can you do to add some additional protection? Add some pepper!
Peppering protects your most critical passwords.
Peppering (or sometimes called salting) is a strategy where you include a string of numbers or letters to the end of your passwords. However, you don’t include that information in your password manager. What this does is create a defense mechanism in the event someone were to get their hands on your data and somehow (maybe using future quantum technologies) decoding the encrypted data. (Yes, I know… highly unlikely.) But for this article, let’s say everything was decrypted by a hacker. If you pepper passwords, the hacker would still have to have your pepper to use your password.
Peppering is best for your most sensitive accounts such as email, financial, and critical systems. Trivial accounts likely don’t need that added security.
Here is how it works. You would first setup your pepper. This could be a 4-6 digit code or even a word or phrase. In this example, we’re going to select ‘89251’ as our pepper. What you’d do is change your passwords for your critical systems by adding that pepper to the end of your password. The trick here is to not add that pepper to your password manager. Simply store the password without the pepper in your password manager. This adds a secondary level of security so that even if your entire password is decrypted by a bad actor, they would still have to have the pepper. In fact, even if you’re old school and write passwords down, peppering can protect those as well from prying eyes. (And no, I do not recommend writing your passwords on a piece of paper, but to each his own.)
As an added trick, use the pepper emoji 🌶️ after the account name in the list of accounts in your password manager as a reminder of the accounts that are peppered.
Logging in to an account that is using a peppered password.
To login to a site that you’re using a peppered password, you simply allow the password manager to autofill, and then just type in the pepper. In our example, we just type in ‘89251’ at the end of the password. Voila! You’re logged in.
Password managers are a great tool. I highly recommend individuals and businesses use them. I have another article that discusses why having unique, strong passwords is vital these days. If you’ve been affected by the LastPass breach, peppering can give you some piece of mind as you decide how to move forward with either staying with LastPass (yikes!), or moving to another password manager. And even if you choose a non-cloud based password manager or self-host with something like Bitwarden, peppering is also very helpful to secure your most critical logins.
Sadly, we live in a day and age where almost daily there is another news article about another breach. In fact, just today my newsfeed is lit up with the Twitter hack that exposed over 200 million accounts. Using a password manager coupled with good password hygiene can help to protect your data that you store in the cloud.
And just as a reminder, if you are using the same password for more than one account, stop what you’re doing and change those passwords. Using the same password for everything is a crisis just waiting to happen.
The information provided here is for informational purposes only and is provided as-is. The content here carries no guarantee or promise to the validity or content or any performance claims. Links to third parties and references to third parties do not indicate endorsement or agreement to those parties by 18 Street Design, its owners or affiliates.