The Heartbleed Bug: How to Keep Your Passwords Safe

Entrepreneurship

lastpass logo

As an entrepreneur, one of your most important tasks is securing your financial information.  In the wake of the Heartbleed Bug, I’ve been fine-tuning my digital security. I’ve especially been fortifying my passwords.  I already use a password manager called LastPass, which I highly recommend.

Though I’ve used LastPass for several years, until Heartbleed, I wasn’t utilizing LastPass to its full potential. The latent Luddite in me was on the fence about fully entrusting my most sensitive accounts to any password manager. But this past couple of weeks has shown me how important it is (and that it truly is safe) to use LastPass for even my bank accounts, PayPal, and other highly sensitive sites.

I’d been using LastPass for dozens of less sensitive sites, while continuing to use easy to remember, “secret” passwords for my bank accounts and Paypal. Not smart. By “easy to remember,” I mean actual words whose significance I believed to be too personal to be deduced by strangers.

How foolish.  Today’s password-cracking software can test out tens or even hundreds of millions of possible passwords per second. Against such brute-force juggernauts, my poor, easy to remember passwords would last mere minutes, if that.

Enter LastPass. LastPass is widely considered the best password manager out there.  You have one master password to log in to the LastPass browser plug-in. Whenever you visit a web service, the plug-in logs you in securely.  As long as your master password is chosen well (i.e., long and complex), LastPass offers excellent security. There’s even a multi-factor authentication feature to make remote hacking virtually impossible.  (Multi-factor authentication is like Google Two-step Authentication, which, if you aren’t using yet, I also highly recommend.)

LastPass generates a different, completely random, character-string password for each of your online logins. Randomness is the key. Randomness actually resists brute-force attacks, unlike actual words. This is how to leverage a single master password while never using the same password for more than one site.

LastPass stores only 256-bit encrypted versions of passwords on its servers. That way, if their servers are ever hacked, the thief would have a monumental task of decrypting just one password, not to mention any others after that one.

Also, LastPass doesn’t store your master password.  Only you know your master password.  That’s how they thwart the potential “inside job” by an unscrupulous Lastpass employee. (Inside jobs are actually the most common form of security breach involving passwords.)

Plus, the LastPass plug-in only decrypts your passwords on your local machine; it never sends an unencrypted password across the Internet. All individual passwords remain encrypted until the moment you use them.

And even then when LastPass decrypts a password to log you in to a site, the password fill-in remains masked (just asterisks), in case a hacker is mirroring your screen. (By the way, your master password is masked when you use it to log into the LastPass plug-in.)

 

One thought on “The Heartbleed Bug: How to Keep Your Passwords Safe

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s