Part II in a three-part series on personal online security. Parts I and III can be found here and here.
Still Using Scraps of Paper?
Back when I was “storing” passwords via pen and paper, I had, what, twelve pages worth? Fifteen? Of course it’s impossible to memorize more than just a few passwords, which is why people duplicate, or reuse, passwords on multiple sites. Reusing passwords is the primary no-no of personal Internet security. Yet we all do it, we who keep passwords on paper.
The trouble is, when a reused password gets stolen, the thief has access to any site associated with it. This is the principal danger for most when caught up when a big company gets hacked.
Then there’s the problem of using easily remembered passwords for our most frequented sites. Your dog’s name, your child’s birthday. Now that’s secure! Use it for online banking or your most-used email account!
Our third most common failing is not changing passwords regularly. Really? All fifteen pages worth?
If your password-tracking system is stack of dog-eared, greasy pages in disintegrating manila folder, you’re essentially dangling your business checking account in front of cyber criminals and taunting them to take its contents.
The Best of the Best: LastPass vs. 1Password
Enter: the password manager.
Here are the two password managers I have direct experience with: 1Password and LastPass. These two, along with KeePass, represent the best of the best.
Ten years ago I started out with 1Password. 1Password is one of the few top password managers that does not store your data in the cloud. 1Password is essentially an encryption program, but one dedicated to password management. It generates and organizes strong, unique passwords, all encrypted and stored locally on your hard drive.
What soured me on 1Password is its lack of cloud-sync. It’s greatest strength was also it’s biggest weakness.
Like a lot of entrepreneurs, I have a raft of devices float through my life every few years. Without cloud syncing, 1Password limited my password “vault” to my main laptop, only. After a few months I bit the bullet and manually re-created a second password vault on my second laptop. That chore took hours.
1Password did offer syncing via Dropbox. Convenient, yes. But then you have to rely on Dropbox’s security, as well.
At that point I switched to LastPass. Yes, this switch was guided, admittedly, by convenience. How great it was to have all my passwords on all my devices! But LastPass also offers topflight security.
I was queasy at first about LastPass storing my data in the cloud. It took some time to get comfortable with their basic concept: LastPass servers don’t actually store passwords. They only store encryptions of passwords. That’s how they thwart any potential inside job (a.k.a., a LastPass employee stealing customer data).
How Long Is a Billion Billion Years?
The encryption also discourages cyber attacks from outsiders. With AES 256 bit technology, a hacker who cracks the LastPass servers would need at least a billion billion years to decrypt even a single password. That’s not a typo. A billion billion. (Here’s a discussion of these numbers.) Hear that? That’s the sound of hackers crossing LastPass off their hit list. (1Password also uses AES 256.)
Finally, decryption of the LastPass ciphers happens locally, on your device. In other words, your naked passwords never travel outside of your device. Plus, you are the only one who holds the key to the decryption. That key is what LastPass calls your Master Password. Hence, the name–your Master Password is the last password you ever have to memorize.
So, I remember one, and LastPass handles the other 179.
No matter which program you choose, you should make your Master Password long and strong. And change it three to five times each year. Rather than a pass-word, I use a pass-phrase.
Two Factor Authentication
We should also all be using 2 Factor Authentication (2FA) with our password manager. Even if my Master Password were stolen, say, by keylogger malware, the thief still couldn’t access my LastPass vault without my 2FA security key. I love having my USB security key on my keychain, which I can use to access LastPass on any laptop or desktop. For my Android needs, I use the Google Authenticator app (always on a separate device).
It’s heartening to learn that LastPass is popular at MIT.
Next Post: Data Breaches in the News
2 thoughts on “Password Managers, or Doing Passwords Right”
“Even if my Master Password were stolen, say, by keylogger malware, the thief still couldn’t access my LastPass vault without my 2FA security key”
It wouldn’t be able to use your credentials to log in to Lastpass server; but if hacker could get your encrypted file by other means (hacking site, or your computer) 2FA would be useless a protection.