Is it Time to Move from LastPass to Bitwarden?

Is it Time to Move from LastPass to Bitwarden?

For years I have recommended the use of a password manager to help generate and store strong passwords. My go-to product has been LastPass. But now that LastPass has moved many of their features away from their free to their for-fee product, you may want to take a look at a competitor–Bitwarden.

I’ve been using Bitwarden for the past month on my Chromebook, iPhone, macOS 11 (Silicon), and Windows machines, and I’ve never been happier with a password manager.

If you aren’t familiar with a password manager, you are probably using one without even realizing it! Most browsers now have built-in password managers. So after you have been to a site once, your browser remembers your login credentials. On your subsequent visits, the browser will autofill these credentials so that you don’t have to remember them.

This browser-based password manager works well, but it can be much better. What Bitwarden brings to the table above and beyond the browser-based password managers includes:

  • Free and for-fee accounts, family accounts, and business accounts
  • Synchronize passwords across all devices
  • Synchronize passwords across Android, Chrome OS, iOS, iPadOS, macOS, and Windows devices
  • Strong password generator
  • Secure store of notes (such as Challenge Questions), and credit card information
  • Share passwords (for-fee accounts)
  • 2-Factor Authenticator (One-Time-Password Generator) (for-fee accounts)

It’s this 2-Factor Authenticator that really won me over. 2FA is currently the only method to effectively keep hackers out of your accounts. Every password can be cracked. But if you have 2FA enabled on an account, even if the bad agents know your username and password, they have no access to your account.

The problem with 2FA is that should your 2FA device (typically a smartphone) become damaged or lost, YOU will have a rough time gaining access to your own accounts.

Bitwarden solves this issue by sharing 2FA with your various devices that also have Bitwarden installed. It even automatically backs up your 2FA coding to the cloud (strongly encrypted, of course), so that it is easily accessible in case of loss.

Be forewarned, Bitwarden 2FA is not available on the free version. It will cost you $10/year to upgrade to their premium service.

Enough rambling. Time to upgrade your security and get Bitwarden running on your systems.

Install and Configure Bitwarden

To conserve space, my instructions will be based on macOS, but the process is almost identical on all platforms.

Although it looks like a lot of steps, I promise this is quick and easy. And once done, will save you a ton of time, and significantly hardens your security.

Download and Install

  1. Open a browser to https://bitwarden.com.
  2. Select Download.
  3. Select Create A Free Account. Follow the onscreen instructions to create your account. I recommend upgrading to Premium now so that you have immediate access to 2FA, but you can just go with the free account to test the waters.
  4. Return to the Download page, and then select your OS–Linux, macOS, or Windows.
  5. Download and install the app.
  6. Launch the app, and register with the account you created.

Configure

  1. Open Bitwarden Preferences. Configure to your taste. My recommendation is shown below. When complete, click Close.

Enable Two-Step Login

As the keys to your treasure are stored in this database, not only is a strong Bitwarden password important, but so is having Two-Step Login enabled.

  1. Open a browser to https://bitwarden.com.
  2. Log in.
  3. Select Settings > Two-Step Login.
  4. Select your preferred method to get a verification code. In this example, I’m using Email.
  5. At the prompt, enter your email address, and then click Sent Email.
  6. Open your email to find the verification email.
  7. Copy the verification code from the email, paste it into the Bitwarden verification field, and then select Enable.

  8. At the confirmation dialog, select Close.
  9. In the Bitwarden Two-Step Login page, select View Recovery Code.
  10. Copy and then securely store your recovery code. This code will be vital if you lose access to your Bitwarden 2FA Authenticator. When done, select Close.

Install Browser Extensions

You are not set up with Bitwarden. The last step is to install a Bitwarden browser extension so that your database is accessible from your browser.

  1. Open a browser to https://bitwarden.com > Download.
  2. Select your desired browser. The extension will download to your system.
  3. Open the downloaded extension to install it in your browser.
  4. In your browser, select the extension icon in the toolbar > select Enable.
  5. At the prompt, enter your Bitwarden credentials to enable the extension.

Configure Browser Extension

  1. Select the browser extension to open it.
  2. Select Sync > Sync Vault Now to synchronize any stored data.
  3. Configure Vault Timeout to On Browser Restart, and Vault Timeout Action to Lock.
  4. Scroll down to select Options. Configure to your taste. When done, click outside of the Bitwarden window to close. My recommendation is shown below:

Adding Credentials to Bitwarden

You are now set and ready to go. You can manually enter credentials from the browser extension or the app. You can also visit a site, enter your credentials, and then reply Yes when Bitwarden prompts if you want to store the password (you could almost miss the prompt – it will be at the top of the window).

Configure Bitwarden Two-Step Authentication

2FA is absolutely vital to help ensure the security of your accounts. If a site offers 2FA (sometimes called Multi-Factor Authentication and 2-Step Verification), go for it.

Once 2FA is active on a site, you will need to provide a code provided by the 2FA source (in this case, Bitwarden) the first time you login to a new device or new browser. Some sites are configured to prompt for 2FA on every visit, once a week, or once a year. Let’s walk through getting your first 2FA configured in Bitwarden.

  1. Open a browser to your target site. In my example that will be Google. Their security page is https://security.google.com.
  2. In the main body area, scroll down to select 2-Step Verification. 
  3. At the prompt, enter your Google credentials, and then select Next.
  4. Scroll down to the Authenticator app section, and then select SET UP.
  5. At the Get codes from the Authenticator app, select the type of smartphone you use (Android or iPhone), and then select Next.
  6. In the Set up Authenticator window, it is designed to be captured with a smartphone camera. As we are using a computer, select CAN’T SCAN IT?

  7. In the Can’t scan the barcode? dialog, select and then copy the 32-character code.
  8. Open Bitwarden, select your Google account, and then select the Edit (pencil) icon.
  9. Paste the code copied in step 7 into the Authenticator Key (TOTP) field, and then click the Save (disk) icon.
  10. In the ITEM INFORMATION area of your Bitwarden Google record, you will now see a Verification Code (TOTP) field. This is the one-time only authenticator code that can be used when prompted by Google. If you have other devices with Bitwarden, they will now also have this new field.
Disable Human Voice Recording Review in Alexa

Disable Human Voice Recording Review in Alexa

As reported in Venture Beat on August 3, 2019, Amazon has almost silently announced that Alexa users are now able to choose to block human reviewers from listening to their recordings. Although this human listening is intended to provide quality assurance that the AI is performing as instructed, it does introduce creepy Big Brother Is Always Listening into our lives.

In a statement provided to VentureBeat about the change, Amazon spokesperson said:

We take customer privacy seriously and continuously review our practices and procedures. For Alexa, we already offer customers the ability to opt-out of having their voice recordings used to help develop new Alexa features. The voice recordings from customers who use this opt-out are also excluded from our supervised learning workflows that involve manual review of an extremely small sample of Alexa requests. We’ll also be updating information we provide to customers to make our practices more clear.

To disable the ability for humans to hear your recordings taken by Alexa:

  1. Open the Amazon Alexa app.
  2. Tap Settings.
  3. Tap Alexa Privacy .
  4. Tap Manage How Your Data Improves Alexa.
  5. Disable all options
Q: Is it safe to use thumb drives with my work computer?

Q: Is it safe to use thumb drives with my work computer?

A: Let’s start with this: Federal cybersecurity guidelines are that any portable external storage (USB drive, thumb drive, flash drive, SD card, etc.) are not to be permitted. This is a mandate for government systems, government contractors, health care providers, and financial organizations. It should be a mandate within your organization.

There is a reason for this madness.

One of the common methods of infecting computers with malware or allowing a hacker to access a computer is through portable external storage devices. This can be done in dozens of ways. But just to name a few:

  • The storage device is compromised at the factory (this has happened numerous times).
  • The storage device is left on the ground by the criminal, knowing that around 1/3 of people will pick it up and try to see what is on it.
  • The storage device may have been attached to another computer, and that computer is compromised, and therefore infected the external storage device.
  • The storage device may hold an electrical charge or be wired to short out your system.

HOW TO WORK WITHOUT PORTABLE EXTERNAL STORAGE

  • Use cloud storage to share data – Google Drive, Dropbox, Box, etc. are excellent options.
  • Your IT department should have an air-gaped computer specifically just for dealing with portable external storage devices. They can take the device, plug it into this sacrificial computer and scan it for problems. If it passes, you may now use the device.

Not meaning to be a hard-ass about it, but really, truly, DO NOT HAVE A PORTABLE EXTERNAL STORAGE TOUCH YOUR COMPUTER (unless it has passed a security audit by your IT staff). Doing so places your computer and the integrity of your company data at high risk. And depending on your organization, may subject the organization to very hefty compliance violation fines.

Q: What is an encrypted chat client?

Q: What is an encrypted chat client?

A: Probably best to take this one bite at a time:

Encrypted: The process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot.

Chat: A specific form of electronic communication. Originally containing only text, but in recent years has been upgraded to allow inclusion of images, video, and sound.

Client: The application used by the end-user of the computer or mobile device.

So, and encrypted chat client is an application that allows two or more people to share text and possibly images, sound, and video among themselves, and prevents others from access by way of encoding the communication.

Examples include Apple Messages, Wire, and Signal.

Stop Amazon From Listening

Stop Amazon From Listening

As reported yesterday, Amazon has thousands of staff listening to you through your Echo devices.

But there is a way to stop this listening:

  1. Open the Alexa app on your mobile device.
  2. Select the menu icon.
  3. Select Settings, found at the bottom of the submenu list.
  4. Select Alexa Account, found at the top.
  5. Select Alexa Privacy.
  6. Select Manage How Your Data Improves Alexa.
  7. Turn off Help Develop New Features.
  8. Turn off Use Messages to Improve Transcriptions.
  9. Exit out of Settings.

Alexa will no longer learn and improve from your responses, but your records will be safe from evesdropping.

Stop Amazon From Listening

Yes, They ARE Listening

As reported in Bloomberg <https://www.bloomberg.com/news/articles/2019-04-10/is-anyone-listening-to-you-on-alexa-a-global-team-reviews-audio>, Amazon has thousands of staff listening to what their devices hear. Based on the information provided by Amazon, it is clear that their devices are listening at times when the user hasn’t directed it to with an “Alexa” preface.

This has been the assumption within the IT security community ever since voice-response devices hit the market. I have long found the behavior of Apple’s Siri to be suspect. For example, I may provide Siri with a full paragraph of spoken content, and then watch as Siri enters text, removes some text, enters some more text, edits text, and then completes the paragraph. This is not the action of AI, but of a human translator.

In the case of Siri, it can be disabled on both iOS and macOS devices. It is different with Amazon Echo devices. Without voice response, they serve little purpose or value.

For me, personally, I’m leaving my Echo devices (8?!) unplugged until needed.

Q: Is it possible to eliminate the possibility that opening an email will result in a virus on my computer?

Q: Is it possible to eliminate the possibility that opening an email will result in a virus on my computer?

A: If you are talking about absolutes, no. However, you can dramatically reduce the chances of compromise when opening email:

  • Use an email provider that pre-scans your mail for malicious content. This is one reason I favor Google. All incoming email is scanned by over a dozen of the leading anti-malware software before it gets to you.
  • Install a quality anti-malware software, and keep it updated daily. I’m fond of Bitdefender GravityZone. It will automatically update hourly, and is consistently among the top 3 products in its category.
  • Enable application whitelisting. With this active, only applications you have approved can launch/execute/open. Since malware isn’t on your list, it simply cannot launch and cause problems.
Facebook pays teens to spy on them

Facebook pays teens to spy on them

As reported on TechCrunch January 29, 2019, it appears that as bad as we thought Facebook to be, it has the resources to be far worse.

Facebook has been secretly paying people to install a “Facebook Research” VPN that lets the company suck in all of a user’s phone and web activity, similar to Facebook’s Onavo Protect app that Apple banned in June and that was removed in August. Facebook sidesteps the App Store and rewards teenagers and adults to download the Research app and give it root access to network traffic in what may be a violation of Apple policy so the social network can decrypt and analyze their phone activity, a TechCrunch investigation confirms.

Facebook admitted to TechCrunch it was running the Research program to gather data on usage habits, and it has no plans to stop.

When Guardian Mobile Firewall’s security expert Will Strafach was asked to dig into the Facebook Research app, and he told us that “If Facebook makes full use of the level of access they are given by asking users to install the Certificate, they will have the ability to continuously collect the following types of data: private messages in social media apps, chats from in instant messaging apps – including photos/videos sent to others, emails, web searches, web browsing activity, and even ongoing location information by tapping into the feeds of any location tracking apps you may have installed.” It’s unclear exactly what data Facebook is concerned with, but it gets nearly limitless access to a user’s device once they install the app.

Read the original report for more information on all of the apps Facebook is using, and how it is in direct conflict with Apple’s developer rules.

More Junk Apps on Android

More Junk Apps on Android

As reported January 17, 2019 on ZDNET<https://www.zdnet.com/article/some-android-gps-apps-are-just-showing-ads-on-top-of-google-maps/>, 19 new Android apps have been found to be nothing more than junk getting in your way.

All of these apps do the same thing–add an advertising layer on top of Google Maps. At least one even has the gall to request payment to remove the ads in Google Maps–ads that wouldn’t exist except for that app itself!

If you have any of these apps installed on your Android device, remove them ASAP. The problem apps include:

Garage Sale! Ubiquiti UniFi Cloud Key

Garage Sale! Ubiquiti UniFi Cloud Key

Ubiquiti UniFi Cloud Key

New, in box (2 units), 1 floor display unit

UniFi® Controller Hybrid Cloud

  • Secure UniFi Hybrid Cloud Technology
  • Fully Integrated, Stand-Alone UniFi Controller Hardware
  • Remote, Private Cloud Access to the UniFi Controller
  • Manage Your Networks from a Single Control Plane
  • Intuitive and Robust Configuration, Control and Monitoring
  • Remote Firmware Upgrade
  • Users and Guests
  • Guest Portal/Hotspot Support

Full product description: https://store.ubnt.com/collections/wireless/products/unifi-cloud-key

List price: $99. Amazon price: $105. MintzIT price: $75 each (includes shipping).

Contact:

Marc Mintz

505.453.0479

Garage Sale! Ubiquiti UniFi AP AC Pro Wireless Access Point

Garage Sale! Ubiquiti UniFi AP AC Pro Wireless Access Point

Ubiquiti UniFi AP AC Pro Wireless Access Point

New, in box (2 units available)

The UniFi AC Pro AP features the latest Wi-Fi 802.11ac, 3×3 MIMO technology in a refined industrial design and is ideal for deployment of maximum‑performance wireless networks.

  • Manage Your Networks from a Single Control Plane
  • Intuitive and Robust Configuration, Control and Monitoring
  • Remote Firmware Upgrade
  • Users and Guests
  • Guest Portal/Hotspot Support

Full product description: https://store.ubnt.com/collections/wireless/products/unifi-ac-pro

List price: $149. Amazon price: $138. MintzIT price: $119 each.

Contact:
Marc Mintz
505.453.0479

Garage Sale! Ubiquiti UniFi Security Gateway Pro

Garage Sale! Ubiquiti UniFi Security Gateway Pro

Ubiquiti Unifi Security Gateway Pro

SN: 1801kfcecda036c89-4nqi9w

New, in box.

Enterprise Gateway Router with Gigabit Ethernet

  • Advanced Security, Monitoring, and Management
  • Sophisticated Routing Features
  • Integrates with UniFi® Controller Software
  • Manage Your Networks from a Single Control Plane
  • Intuitive and Robust Configuration, Control and Monitoring
  • Remote Firmware Upgrade
  • Users and Guests
  • Guest Portal/Hotspot Support

Full product description: https://store.ubnt.com/collections/routing-switching/products/unifi-security-gateway-pro

List Price: $344. Amazon Price: $321. MintIT Price: $289 (Includes shipping)

Garage Sale! Ubiquiti Unifi Switch 24 250W

Garage Sale! Ubiquiti Unifi Switch 24 250W

Ubiquiti Unifi Switch 24 250W

SN: 1752g788a20fa31ba-2n5und

Floor model, unboxed.

Managed PoE+ Gigabit Switches with SFP

Build and expand your network with Ubiquiti Networks® UniFi® Switch, part of the UniFi line of products. The UniFi Switch is a fully managed, PoE+ Gigabit switch, delivering robust performance and intelligent switching for growing networks.

List price: $399, Amazon price: $372. MintzIT Price; $350 (includes shipping).

Garage Sale! Ubiquiti Unifi Switch 16 150w

Lucky you, Santa left some IT goodies under our tree!

Ubiquiti UniFi Switch 16 150W
SN: 788A20FD84B9
New, in box.
The UniFi® Switch delivers robust performance over its 18 independent switching ports. Two SFP ports offer optical connectivity, and 16 Gigabit Ethernet ports offer 802.3af/at PoE+ or 24V passive PoE sharing a total of 150W PoE.

Full product description: https://store.ubnt.com/collections/routing-switching/products/unifi-switch-16-150w

List price: $299, Amazon price: $285. MintzIT price: $250 (includes shipping).

Contact:
Marc Mintz
505.453.0479
[email protected]

Q: Is getting on the unsecured WIFI connection at a library a really unsafe idea?

Q: Is getting on the unsecured WIFI connection at a library a really unsafe idea?

A: An insecure network is an insecure network – regardless of the physical or geographical location.

As to how unsafe it may be, depends on your definition.

The biggest issue is the good possibility that your network traffic is watched. This means that any username, password, or other sensitive information you enter may be viewable by some creep in or near the library.

If you are using your own computer, the workaround is to use a vpn service. This will securely encrypt all of your internet traffic while on a network – unsecured or secured. I’m fond of NordVPN.

If you are using the library’s computer, you won’t be able to install software, so VPN and tor are not available to you. The only alternative is to ensure that whenever you may need to enter sensitive information, the webpage is encrypted. This displays differently in different browsers, but you may either have a lock icon in the address field, or the URL will start with https, instead of http.

Q: How to make a strong password I can remember?

Q: How to make a strong password I can remember?

A: Sorry, that is simply not possible. The current US Government recommendation for strong passwords is a minimum of 15 characters. Our brains would have a tough time remembering just five such passwords, much less a different password for every website.

The easy solution is to use a password manager to automatically create, store, retrieve, and enter these monsters. I’m fond of LastPass. Super easy, automated, integrates with Android, iOS, macOS, Windows, all major browsers, encrypts passwords at the device, shares the password database among all of your devices, and with the for-fee version, you can share designated passwords with family or staff.

Q: What precautions can be taken to avoid being traced online?

Q: What precautions can be taken to avoid being traced online?

A: This is a topic that books are written about (several by yours truly). Much depends on how high a value target you are (if the NSA is interested in you, good luck), and what you need to use the internet for.

But here is a list to get started:

  • Use a quality VPN service that also includes tor within their system. I’m fond of NordVPN. As you can see from this screenshot, from the hundreds of available NordVPN servers, they have some that provide Onion services over VPN. This is the industry-standard “belt-and-suspenders” strategy to anonymize your web activities.
  • Use a secure email system. I’m fond of ProtonMail. ProtonMail uses PGP/GPG to military-grade encrypt all of your email. Even ProtonMail administrators cannot access your email.
  • Run an unmodified version of the Tails operating system. This can be installed on and run from a thumb drive from any Linux, macOS, or Windows computer. When using Tails, you effectively hide your digital fingerprint, so that your computer cannot be identified. It includes secure versions of web browser, instant messenger, and email software.
best selling IT security books
Get Your Bitdefender Upgrade

Get Your Bitdefender Upgrade

MintzIT has upgraded Bitdefender

With over 40 million malware waiting to harvest, corrupt, or encrypt your data, anti-malware software is an essential addition to the operating system of any and every operating system. The only anti-malware product we currently recommend is Bitdefender GravityZone for Business.

Starting January 1, 2019, computer users who have the MintzIT version of Bitdefender GravityZone installed will see some much anticipated changes. These can be seen when opening the application:

On-Access. This has always been active. This indicates your anti-malware (anti-virus, anti-trojan, anti-ransomware) is active and scanning every file that is opened.

Traffic Scan. This has been newly added this year. Traffic Scan examines all incoming and outgoing traffic for any malicious code. If it is found, it is blocked from taking any action.

Antiphishing. This has been newly added this year. This feature examines every website visited. It prevents users from inadvertently disclosing private or confidential information to online fraudsters. Instead of the phishing web page, a special warning page is displayed in the browser to inform the user that the requested web page is dangerous.

We have extended protection to other types of scams besides phishing. For example, websites representing fake companies, which do not directly request private information, but instead try to pose as legitimate businesses and make a profit by tricking people into doing business with them.

If you find that a legitimate website is being blocked by Bitdefender, please call our office 505.814.1413, and we can whitelist the site.

Get Bitdefender

If you don’t currently have Bitdefender protecting your computers, this is a great time to do so. MintzIT will install Bitdefender GravityZone for a yearly subscription of $36 per computer, plus $37.50 installation labor fee. Call 505.814.1413 x 1 and we will perform the installation while you call!

Q: How to make a strong password I can remember?

Q: How secure is personal information that we provide to hotels?

A: Not secure at all.

It is privy to the front desk staff, management, leadership – almost all in unencrypted format.

Unless you are staying at some shady facility, the law requires a drivers license or other ID in order to reserve a room. With your state-issued ID in hand, your information is monetized when sent to the hotel ownership (some other multinational Corp) for sales and marketing.

It is likely sold to other advertisers.

Not to mention that local, state, and federal law enforcement have free access to this information.

All. That. Said…

If one thinks they have to concern themself with security and privacy at the level of hotels, it’s time to wake up! They are several blocks back in the line of people and organizations sniffing through your data.

Q: What precautions can be taken to avoid being traced online?

Q: What are the reasons my school and work track everything I do on the Internet?

A: If someone came to you asking for $1000, the keys to your car, and your credit card, you would probably want to know what they were using them for. Not so different for your school and work.

When you are at school or work, you may be using their computers, software, hardware, network, or broadband. These are valuable resources that must be shared among all users.

Imagine if a few people decided to watch streaming 4K movies using these resources. These movies can take up to 15Mb/s bandwidth for each movie. If the school or work has a 50Mb/s Internet connection, 3 people streaming will choke out all other use.

There is a darker side to this issue as well. Schools and workplaces have a legal responsibility to ensure their resources are being used – for lack of better phrasing – for good, and not evil. If a student or employee is conducting illegal activities using the school or work resources, everyone gets caught up in the legal process.