Password Discussion

Passwords are one of those things we like to talk about while refusing to change our personal habits. We know best practices. Strong passwords are important. It is just as important to use unique passwords across different sites, i.e., never use the same password twice. Never write passwords down, store them in email, or type them into list documents. A secure password is only secure if it is not shared or recorded. Complying with this, though, is next to impossible without some type of external aid.

A strong password will have at least three of the four groups of characters: uppercase, lowercase, numbers, and special characters. It will not be a dictionary word. However, variations of dictionary words are generally fairly secure, such as B@s3bal! or !LuvMy6u!t@r!. Or, come up with a mnemonic such as !H5ooxSP! (I have 500 extremely strong passwords).

Never use the same password twice. I’ve been bitten by this once when Facebook popped up a window asking for a password to “authorize an app.” I entered it without thinking, then, when no app appeared, realized I’d probably typed my password into some rogue database somewhere. I changed all the other passwords that were the same as that one, and learned a lesson. The cold reality is that web pages can easily be designed (or copied directly from the authentic site) to trick users into divulging passwords. Having a different password for each site is a good way to minimize damage when this occurs.

Never record passwords. Often the weakest link in a system’s security is the social aspect. Browsers left open, sticky notes on a desk, or a text file full of passwords all defeat the strongest password policy.

Is it a good practice to let a web browser save passwords? It depends. The biggest risk here is that someone gets physical (or remote) control of the computer. Once inside the computer, all the passwords will be accessible by simply navigating to the websites. If your browser saves passwords, at the minimum, have a secure password on your computer so it will be harder to gain access if the machine is lost or stolen. However, there are widely available tools to “find” passwords on locked computers, which could potentially expose the user’s bank accounts, etc., if saved passwords were enabled in the browser.

I should insert here that risks need to be weighed and managed appropriately. There will usually be tradeoffs. For example, using different passwords on each site and having the browser save them will usually carry less risk than using a single password across all sites and disabling saved passwords. However, if your computer has a high risk of being stolen/compromised, then fewer passwords kept in memory might be better. Be mindful of tradeoffs.

In the past I’ve been relying on the obscurity of others not knowing what my tradeoffs were…because, let’s face it, nobody can keep the above three rules of passwords. It’s not humanly possible. That was before I researched and began using LastPass.

Ever the skeptic, I have long been wary of password storage software and other one-stop password management tools for a few simple reasons: 1) one person/entity has access to all of my passwords, 2) if I lose access to the password vault, I lose all of my passwords and, 3) the switching cost, or the inconvenience of entering all of my existing passwords into the vault. I’ve been eyeing different solutions over the past year, while also learning about security and encryption standards.

The most secure concept of encryption is something the experts call “Trust No One” or TNO. This means that you and you alone have the key (password) to encrypt and decrypt your data—data that is encrypted with a reliable algorithm such as the Advanced Encryption Standard or AES. Data should be encrypted on the user’s machine before being sent out on a communication channel such as the Internet so that any eavesdroppers would not be able to decrypt the data. Are your eyes glazed over yet? If not, visit this site for a stick figure story line of how AES encryption works. You’ve been warned.

A password vault must be easy to use, and must not “take over” my password operations; I need to have the ability to know what my passwords are, in case I don’t have my password vault, i.e., when entering them into a guest computer or a cell phone browser.

I think I’ve found a good solution. LastPass (LP) is a password vault as described above. First of all, passwords are stored in a vault on your local computer and encrypted with 256-bit AES* encryption. This is full TNO, meaning you and you alone have the password to this vault. LP cannot under any circumstances read your data. Were LP to get hacked, the hackers would only get a blob of meaningless encrypted data. This also means that if you forget your password there is nobody in the world who can help you access your vault—not even LP. They give an explicit warning during setup to this effect; if you forget your master password you are SOL (sorry out of luck). Obviously, your LP master password should be very strong and easy for you to remember at the same time. Give this password some thought.

LP is set up to store one password for each online account, and it displays them all in list form in the vault. This makes it possible and convenient to have a different password for each online account. The entire vault is encrypted so it’s only viewable with the LP master password.

But that’s not all: LP syncs the vault between computers and the LP site similar to the way Dropbox** quietly syncs files across multiple computers and the Dropbox website. Only your encrypted vault is being transported and synced between your computers and the cloud (LastPass.com). For good measure, this encrypted data is also sent over an SSL encrypted connection.

This is cool on a number of levels. 1) Your vault is stored online at LastPass.com, albeit encrypted so not even LP can read the contents. This means you can access passwords in plain text, if this is what you want to do, from any computer or browser after entering your master password into LP’s site. 2) Passwords saved on one computer will sync with the cloud and all other computers on which you have installed LP. 3) You don’t have to install LastPass to get the benefits of a fully encrypted password vault.

There’s more: LP installs as a browser extension that will show a non-obtrusive bar when it detects password fields, very similar to how most browsers prompt to save passwords. To activate LP you’ll need to sign into the extension every time you open a browser. This ensures that should your computer get lost or stolen, the perp will not automatically have access to all your online accounts.

It is very easy to sign into LP. First, it will NOT pop up a nag screen if you don’t sign in. To sign in, click the LP icon, type your password, and press enter—that’s it. Also, should you want to review your passwords, they are viewable in plain text by drilling down into the LP menus.

LP also has a password generator which will generate a random password if you tell it to when initially making a password. This is good if you can’t come up with 500 unique passwords on your own. Again, they are viewable in plain text from the menu if you want to copy and paste (god forbid) or just look at them to type them into a different browser. I like the idea of being able to see my passwords as opposed to everything taking place inside a black box.

Another feature offered by LP is a one-time password (OTP). This is a password that you can write down and put in your safe deposit box, will, etc., that will give your heirs access to your LP vault and, by extension, all your online accounts. The password will only work once, which follows from another security best practice, the explanation of which will bore you, even if you’re still here.

LP is free and simple and easy to install. You won’t have to change your passwords or switch over to a proprietary LP system. It works simultaneously with browser-saved passwords, so you won’t have to go cold turkey and clear all your saved passwords to try it. Use LP as little or as much as you like. I’m liking it more the longer I use it.

*How secure is 256-bit AES encryption? If you assume:

Then the earth's population can crack one 256-bit encryption key in 77,000,000,000,000,000,000,000,000 years!

Source: http://www.eetimes.com/design/embedded-internet-design/4372428/How-secure-is-AES-against-brute-force-attacks-


**Get an additional 256MB free storage space when you sign up for Dropbox using this link http://db.tt/oroUenhB