Two weeks with password managers (LastPass and 1Password)

As a rather “casual” paranoid person, security is something I obsess about to the point that I have to take a break from obsessing about it because it just eats me alive. I feel like once you start focusing on security there are so many rabbit holes left open that you never stop closing them.

Whether that’s good or bad, it’s not really a healthy obsession.

I spent two (maybe three) weeks with LastPass and 1Password. Troy Hunt, a security-minded individual I follow and the owner and creator of HaveIBeenPwned, has said it best: a secure password is one you can’t remember. At first I had some real issues with that thinking, since I’m used to memorizing long, unique passwords, but I also realized that there were issues with what I was doing. Password entropy is an important subject in all of this, and sadly still a subject that is hard to explain to people outside the field. I think xkcd explains it best.


Another issue is password reuse, something I ended up doing because when you have accounts on 40+ sites it’s impossible to remember all the unique passwords. I’m guilty, but at the same time I never reused a password on important sites (banks, PayPal, etc.).


Whether or not the comic comes off as arrogant or presumptuous, it doesn’t change the fact that having a good number of bits of entropy and avoiding password reuse are among the most important issues. Password managers like 1Password give you the ability to just “set it and forget it”. You’ll have a secret key and a master password; combined, they derive the key that unlocks your vault.

I started my journey with LastPass and it was an incredibly rough one, to the point that I was blatantly ignored when asking for a refund.

LastPass is great if your only focus is to generate passwords and save them in your vault. Where LastPass falls short, besides being plagued with security issues (take the time to read their Wikipedia entry), is that it immensely sucks in the storage area. I couldn’t for the life of me store a simple 2MB document. It was nigh impossible; you just kept getting “Sorry, request taking longer than normal” to the point of needing to upload again.

I got fed up. I wanted to store my important documents in case I needed them “on demand”. I contacted support requesting a refund, and they ignored my request and proceeded to troubleshoot the issue instead. I actually played along because I didn’t have anything to lose but time… turns out uninstalling and reinstalling the client doesn’t fix the issue. So I placed the refund request AGAIN, only to be asked to record a video of how I’m doing things. I refused because I’m not comfortable doing so.

In the end, I told them they can keep the money and shared that I had a very bad experience with them.

1Password by AgileBits, Inc

In waves of frustration I discovered 1Password. I learned that 1Password had a very strong commitment to security and that they were sponsoring Troy Hunt (which is how I discovered it).

The first things I noticed when using 1Password were the following:

  • The user interface is fast, unlike LastPass
  • I could upload any big file with no timeouts or problems
  • The integration with OS X is lovely
  • iPad and Android support is superb
  • It has an additional secret key it generates per vault, on top of your master password

Using 1Password has been a delight. I redid all my reused passwords on the different sites that weren’t of importance, maintaining a healthy level of entropy in each generated password.

1Password also features Watchtower, an additional service that you aren’t forced to use. It checks how many times you have reused a password, matches your passwords against Troy Hunt’s HaveIBeenPwned, and matches your email against the same service. I think my favorite is matching your password against HaveIBeenPwned, because then you know whether your password has truly been leaked and brute forced/cracked.
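To show what such a password check looks like without the password ever leaving your machine, here is an added example (not 1Password’s or HaveIBeenPwned’s own code) built on HaveIBeenPwned’s Pwned Passwords range API: only the first five hex characters of the password’s SHA-1 are sent, the service returns every matching hash suffix with its breach count, and the comparison of the remaining 35 characters happens locally. The sample range response and its counts are constructed; `curl` and `sha1sum` (or `shasum`) are assumed to be installed.

```shell
# Added example (not 1Password's or HaveIBeenPwned's own code): a
# Watchtower-style check of a password against HaveIBeenPwned's Pwned
# Passwords range API. Only the first 5 hex chars of the SHA-1 leave the
# machine; the API returns every "SUFFIX:COUNT" line for that prefix and
# the comparison of the remaining 35 chars happens locally.

# Upper-case SHA-1 hex of the password (sha1sum on Linux, shasum elsewhere).
password_sha1() {
    if command -v sha1sum >/dev/null 2>&1; then
        printf '%s' "$1" | sha1sum
    else
        printf '%s' "$1" | shasum -a 1
    fi | cut -c1-40 | tr 'a-f' 'A-F'
}

# Number of times the password appears in a range response, 0 if absent.
# $1 = password, $2 = file with the SUFFIX:COUNT lines for its prefix.
pwned_count_from_range() {
    suffix=$(password_sha1 "$1" | cut -c6-40)
    count=$(tr -d '\r' < "$2" | grep "^${suffix}:" | cut -d: -f2)
    printf '%s\n' "${count:-0}"
}

# Live lookup (network): fetch the range for the prefix, then match locally.
pwned_count_online() {
    prefix=$(password_sha1 "$1" | cut -c1-5)
    tmp=$(mktemp)
    curl -fsS "https://api.pwnedpasswords.com/range/${prefix}" > "$tmp"
    pwned_count_from_range "$1" "$tmp"
    rm -f "$tmp"
}

# Constructed sample response for prefix 5BAA6, the prefix of
# SHA-1("password"). The counts and the other two suffixes are made up;
# the line format is the real one.
SAMPLE_RANGE=$(mktemp)
cat > "$SAMPLE_RANGE" <<'EOF'
1E2B4FA3B19EDFD1C7AEA0B9DA1A0C1F000:12
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
1E5C11A7D1B8EF1E4C0D3D4B0B9A0F9A111:2
EOF
pwned_count_from_range "password" "$SAMPLE_RANGE"                          # 3861493
pwned_count_from_range "constructed-unique-passphrase-2019" "$SAMPLE_RANGE" # 0
```

A non-zero count means the exact password is in a known breach corpus and should be rotated, which is the same signal Watchtower surfaces; a zero count only says it has not been seen, not that it is strong.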

Between HaveIBeenPwned and 1Password? Honestly, I feel secure and confident that my accounts aren’t going to be compromised. But the thing with security is that you never have the certainty that you are secure. It’s a process of continuous improvement and continuous monitoring.

Beyond 1Password? I have been using multi-factor authentication as an additional layer, and I’m currently researching YubiKeys to add yet another security layer on top of the services I use.

If you have any questions let me know; the comment section is below, and if you want to contact me directly check my Contact page.


Final Notes on Microsoft Azure

These are my final notes on Microsoft Azure. They’re not meant to be taken as a review, just yet another experience.

I’ve spent a total of two months with Microsoft Azure (referred to as Azure from here on). Most of my time with Azure was spent using their B-series virtual machines, which are perfect for small/medium sites. My complaints about Azure do not start with the service quality but with the prices they offer. I left Azure satisfied with the experience, yet somewhat bitter that I couldn’t keep using them.

Azure is yet another cloud service like Amazon Web Services, Google Cloud, etc. You can spin up as many virtual machines as you like, put them in the same virtual network, put them behind a load balancer, or simply keep them private; the choice is ultimately yours. There’s also a vast number of services Azure offers, at a very steep price as well: managed database servers, DNS hosting, storage services, cognitive services, container services (application server plans), and the list goes on.

There’s something I have to point out. Like Amazon Web Services and Google Cloud, Azure is not for beginners. Yes, there are beginner tutorials, but put it in the context of “I have experience configuring Linux servers, but I’ve never used Azure or AWS”. That’s the beginner context I’d like to highlight, because there will be a lot of terms that make people scratch their heads wondering what they mean. I think it’s necessary to point out what defines a beginner when it comes to cloud services.

Now, jumping back to the subject. I loved working with Azure network security groups (firewalls, etc.). They gave me most of the controls I needed to open/close inbound/outbound ports. Their storage services were an incredible delight to use, especially and specifically the file share storage. Being able to mount the file share on Windows and Linux was pure bliss for me, as I could back up virtually anything from a server outside Azure, or even my personal computer, into the file share. File (storage) is something I’m really excited about and something I’d like to see grow on the consumer side, because there’s nothing more satisfying than mounting a file share, doing your tasks, unmounting, and being on your way to the next server.

I couldn’t find any service that aligned with what Azure did with its File storage, and that includes services outside the cloud providers. I’ve been looking for a service where I could do this without paying an exorbitant amount of money. If you know of any, let me know in the comment section.

There are two glaring issues I have with Azure. Let me start by saying that I know Scott Hanselman wrote (two?) articles titled “Penny pinching in the cloud” where he shows you how to save money with Azure. I think having an estimate of $33 monthly, without accounting for bandwidth, is not saving money. This isn’t me criticizing him in any way; I just feel like the intention may be misinterpreted as telling people Azure is cheap and you should totally get on their services. And to be fair, he mentioned multiple times that you should just stick with “that $5 service”, which, by the way, if you haven’t visited Linode and used their service, is honestly up there in terms of quality. It’s probably the best $5 spent if you are just starting out.

I have to disagree with Mr. Hanselman on his “penny pinching” articles. Azure isn’t cheap, and I don’t believe you can save any money outside of reserved instances. However, I do think that you get what you pay for. Linode may be the best $5 expenditure and get you an amazing service, but Azure wins in the sense that it does not limit your CPU usage in any way. Let me do my best to explain: Linode, awesome as they are, have somewhat strict and disturbing terms of service. What makes them disturbing? If you use your CPU a lot, Linode may notify you about it, or even stop the service if they find it’s impacting other users. And I have a lot to say about this, because while Linode tries to sell it as “a way to maintain quality; this is a shared environment”, in my eyes it’s just “we want to keep the effort of limiting everyone’s VPS resources low while maximizing profits”. This is my interpretation of how Linode operates, and ultimately it’s the vibe their terms of service give off. I’m open to being proven wrong on Linode.

Meanwhile in Azure, if you have a CPU skyrocketing to 80% because it’s doing something CPU intensive, Microsoft won’t bat an eye. So in a sense Azure, AWS, and Google Cloud probably have your back for CPU intensive tasks. I personally would be afraid of using Linode, Vultr, or Digital Ocean and trying to use what I’m paying for. They could come and shut you down anytime they want.

The other issue is bandwidth. Azure needs to offer reserved capacity for bandwidth; it’s direly needed for wide adoption in the small/medium business sector. No one wants to pay $88 for 1TB of bandwidth. I’m not saying that everyone out there is hoping to use that amount, because if that were the case a lot of service providers would be either out of business or plainly struggling. Pay-as-you-go bandwidth has to be improved for a massive Azure adoption rate, in my opinion. I can deal with virtual machine prices because reserved instances have my back on this.

In conclusion: Microsoft Azure is amazing, and ultimately, if you have the money and don’t mind paying a premium, I ask you to give it a try. For small-time people like me, Azure comes off as an overpriced service. I hope to come back to Azure someday, but it’s highly unlikely with those bandwidth prices.


Site updates: Done, and done.

I finally finished moving everything off Microsoft Azure. Using Azure made me realize that, as much as I wanted to use it, it was just a huge money sink for what I was going to use it for. Over the days that passed I kept pondering whether or not I should stay with Azure. It didn’t sit well with me paying additional fees for bandwidth, disk performance (reads, writes, premium, standard), and other such details.

I hope that in the near future Microsoft Azure offers a B-series virtual machine with the capability of reserving bandwidth capacity. It’s a much needed feature for customers that have small or medium sites. I know that most of Azure is managed, as in, if I open a ticket the standard support is supposed to do the work and investigate what’s going on. I know it’s not profitable to assign so many resources to supporting small/medium customers when you want to keep that response time low for enterprises.

I hope that in the following days I have the time to write a long-winded post about the cloud and current prices. In fact I’m hoping to talk about Linode, Digital Ocean, Scaleway, and other services where I spent my time doing setups.

Now, having said all that: I ended up at ArubaCloud. I thought long and hard about it. I gathered that many people didn’t have problems with them. I’m actually excited because not only did I get a low cost out of it, but I can now create actually affordable virtual machines based on current needs: Do I need an e-mail server? Let me spin up a VM. Do I need an additional SQL server? Let me spin up a VM and see if I can even out the current load.

I ended up creating a setup I really liked. For a long time I wanted to have SQL Server separated from NGINX/Apache, and with ArubaCloud that was made possible, so now I have a dedicated SQL server serving this site and an HTTP server (nginx) serving all dynamic/static data. I loved working with UFW, setting up the firewall, fail2ban, etc. I think if I had to put an order out there it would be like this:

  • Spin up a VM in ArubaCloud with Ubuntu.
  • Notice that it doesn’t have the latest Ubuntu, but that’s okay: from Ubuntu Xenial I can jump to 18.04.
  • Run do-release-upgrade -d and it will guide you through the process.
  • Once upgraded, which shouldn’t take more than 30 minutes, apply security settings to sshd_config and add the rules I need to protect my VMs with UFW, a tool that simplifies firewall management.
  • Install fail2ban, change the SSH port, and so on.
  • Configure server roles (DB and HTTP server in my case).
  • Install Let’s Encrypt’s amazing certbot.
  • Generate certificates for your site and be sure to enable SSL on your virtual host.
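The sshd_config, UFW and fail2ban steps above, written out as an added example for the DB/HTTP split (this is not the author’s own setup script): the functions edit a given file or print the commands so they can be reviewed before touching a live host, and the DB role only accepts MySQL connections from the web server’s address. The web server IP, the moved SSH port and the demo sshd_config are assumed placeholder values.

```shell
# Added example (not the author's own scripts): the sshd_config, UFW and
# fail2ban steps from the list above for the DB / HTTP split, as functions
# that edit a given file or print the commands for review before touching a
# live host. The web server address and SSH port are assumed placeholders.
WEB_SERVER_IP="${WEB_SERVER_IP:-203.0.113.10}"   # assumed: the nginx host
SSH_PORT="${SSH_PORT:-2222}"                    # assumed non-default port

# Set one sshd directive in file $1: replace an existing (even commented-out)
# line or append it, so no duplicate or stale directive survives.
set_sshd_directive() {
    if grep -Eq "^[#[:space:]]*$2[[:space:]]" "$1"; then
        sed -i -E "s|^[#[:space:]]*$2[[:space:]].*|$2 $3|" "$1"
    else
        printf '%s %s\n' "$2" "$3" >> "$1"
    fi
}

harden_sshd_config() {
    set_sshd_directive "$1" Port "$SSH_PORT"
    set_sshd_directive "$1" PermitRootLogin no
    set_sshd_directive "$1" PasswordAuthentication no
    set_sshd_directive "$1" PubkeyAuthentication yes
    set_sshd_directive "$1" MaxAuthTries 3
}

# UFW rules for role $1: deny inbound by default, rate-limit SSH, and on the
# DB host accept MySQL (3306) only from the web server, not from anywhere.
ufw_rules_for_role() {
    echo "ufw default deny incoming"
    echo "ufw default allow outgoing"
    echo "ufw limit ${SSH_PORT}/tcp"
    case "$1" in
        db)   echo "ufw allow from ${WEB_SERVER_IP} to any port 3306 proto tcp" ;;
        http) echo "ufw allow 80/tcp"; echo "ufw allow 443/tcp" ;;
        *)    echo "unknown role: $1" >&2; return 1 ;;
    esac
    echo "ufw --force enable"
}

# fail2ban jail.local fragment so the sshd jail watches the moved port.
fail2ban_jail_local() {
    printf '[sshd]\nenabled = true\nport = %s\nmaxretry = 3\nbantime = 3600\n' "$SSH_PORT"
}

# Demo on a constructed copy, never the live /etc/ssh/sshd_config.
DEMO=$(mktemp)
printf '#Port 22\nPermitRootLogin yes\nPasswordAuthentication yes\n' > "$DEMO"
harden_sshd_config "$DEMO" && cat "$DEMO"
ufw_rules_for_role db
fail2ban_jail_local
```

Keep an existing SSH session open while applying the sshd and UFW changes so a typo in the port rule does not lock you out of the VM.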

And the steps go on and on and on. It looks tedious, and sometimes it is, but I enjoy setting up my environments. After all the configuration was done?

I had a few hiccups with the MySQL server. I wasn’t getting a decent response time; I think it was a network issue, because as I’m writing this the response times have improved greatly.

There are still a few security enhancements I have left to do, but they aren’t exactly priorities. I feel incredibly accomplished with my little journey of configuring my first remote MySQL server and making it work with the HTTP server. At first sight it isn’t hard, but as you start considering security, things become a bit harder.