Password Managers, or Doing Passwords Right


Part II in a three-part series on personal online security. Parts I and III can be found here and here.


Still Using Scraps of Paper?

Back when I was “storing” passwords via pen and paper, I had, what, twelve pages worth? Fifteen? Of course it’s impossible to memorize more than just a few passwords, which is why people duplicate, or reuse, passwords on multiple sites. Reusing passwords is the primary no-no of personal Internet security. Yet we all do it, we who keep passwords on paper.

The trouble is, when a reused password gets stolen, the thief has access to every site where you used it. That is the principal danger for most people caught up in a big company's breach: the attackers take the leaked e-mail and password pairs and try them on every other popular site, a routine known as credential stuffing.

Then there’s the problem of using easily remembered passwords for our most frequented sites. Your dog’s name, your child’s birthday. Now that’s secure! Use it for online banking or your most-used email account!

Our third most common failing is not changing a password after the site that holds it has been breached. Really? All fifteen pages worth?

If your password-tracking system is a stack of dog-eared, greasy pages in a disintegrating manila folder, you're essentially dangling your business checking account in front of cyber criminals and taunting them to take its contents.

The Best of the Best: LastPass vs. 1Password

Enter: the password manager.

Here are the two password managers I have direct experience with: 1Password and LastPass. These two, along with KeePass, represent the best of the best.

Ten years ago I started out with 1Password. Back then, 1Password was one of the few top password managers that did not store your data in the cloud. 1Password is essentially an encryption program, but one dedicated to password management. It generates and organizes strong, unique passwords, all encrypted and stored locally on your hard drive.

What soured me on 1Password was its lack of cloud sync. Its greatest strength was also its biggest weakness.

Like a lot of entrepreneurs, I have a raft of devices float through my life every few years. Without cloud syncing, 1Password limited my password "vault" to my main laptop, only. After a few months I bit the bullet and manually re-created a second password vault on my second laptop. That chore took hours.

1Password did offer syncing via Dropbox. Convenient, yes. But then you are relying on Dropbox's security as well: the vault file stays encrypted in transit and at rest, so a Dropbox compromise exposes ciphertext rather than passwords, but it still widens the set of accounts a thief can go after.

At that point I switched to LastPass. Yes, this switch was guided, admittedly, by convenience. How great it was to have all my passwords on all my devices! But LastPass also offers top-flight security.

I was queasy at first about LastPass storing my data in the cloud. It took some time to get comfortable with their basic concept: LastPass servers don't actually store passwords. They store only your encrypted vault, which is useless without a key that never leaves your device. That's how they thwart any potential inside job (a.k.a. a LastPass employee stealing customer data).

How Long Is a Billion Billion Years?

The encryption also discourages outside attackers. Both LastPass and 1Password encrypt the vault with AES-256, and guessing a random 256-bit key by brute force would take a billion billion years and then some. That's not a typo. A billion billion. (Here's a discussion of these numbers.) But read the fine print before you hear hackers crossing LastPass off their hit list: the vault key is not a random key you hold, it is derived from your Master Password. A hacker who steals the encrypted vault from the LastPass servers doesn't attack AES at all; they guess Master Passwords offline, and the only things slowing them down are the length of that password and the deliberately slow key-derivation function (PBKDF2) that turns it into the key. The strength of "billion billion years" is really the strength of the one password you chose.

Finally, decryption of the LastPass vault happens locally, on your device. In other words, your naked passwords never travel outside of your device. Plus, you are the only one who holds the key to the decryption: that key is derived on your device from what LastPass calls your Master Password, which itself is never sent to LastPass. Hence the name: your Master Password is the last password you ever have to memorize.

So, I remember one, and LastPass handles the other 179.

No matter which program you choose, make your Master Password long and strong, and change it at once if you ever suspect it has been exposed. Length matters more than scheduled rotation, because the key that encrypts your whole vault is derived from this one secret. Rather than a pass-word, I use a pass-phrase.

Two Factor Authentication

We should also all be using two-factor authentication (2FA) with our password manager. Even if my Master Password were stolen, say, by keylogger malware, the thief still couldn't log in to my LastPass vault without my second factor. I love having my USB security key on my keychain, which I can use to access LastPass on any laptop or desktop. For my Android needs, I use the Google Authenticator app (always on a separate device). One limit worth knowing: 2FA guards the login to LastPass's servers, not the vault itself. A thief who already holds a copy of the encrypted vault, from a compromised device or a server breach, never has to pass 2FA; the only thing left between them and your passwords is the Master Password.
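What the Google Authenticator app on that separate device is actually computing, and what the server has to do to check it, is worth seeing in code. This is an added example, not LastPass's or Google's code: it implements the time-based one-time password scheme authenticator apps use (RFC 4226 HOTP under RFC 6238 TOTP) with a server-side verifier, and plays out the keylogger scenario above. The shared secret is the reference key from the RFCs, and the account name, issuer and clock values are constructed for the example.

```python
"""
Added example (not LastPass's or Google's own code): the time-based one-time
password scheme Google Authenticator and most authenticator apps implement
(RFC 4226 HOTP / RFC 6238 TOTP), plus the server-side check that makes a
keylogged master password insufficient on its own. Standard library only.
"""
import base64
import hmac
import struct
from typing import Dict


def hotp(secret: bytes, counter: int, digits: int = 6, algo: str = "sha1") -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, dynamic truncation,
    then the low `digits` decimal digits (zero-padded)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238: HOTP with the counter set to the current 30-second time step."""
    return hotp(secret, unix_time // step, digits)


def provisioning_uri(issuer: str, account: str, secret: bytes) -> str:
    """The otpauth:// URI behind the QR code an authenticator app scans at enrolment.
    The base32 secret is the only thing ever shared between app and server."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return f"otpauth://totp/{issuer}:{account}?secret={b32}&issuer={issuer}"


class TotpVerifier:
    """Server side of the second factor. Accepts a code from the current step or
    `window` steps either side (clock drift), and never accepts a step at or
    before the last one used, so a captured code cannot be replayed."""

    def __init__(self, secret: bytes, step: int = 30, window: int = 1) -> None:
        self.secret = secret
        self.step = step
        self.window = window
        self.last_used_step = -1

    def verify(self, code: str, unix_time: int) -> bool:
        current = unix_time // self.step
        for delta in range(-self.window, self.window + 1):
            candidate_step = current + delta
            if candidate_step <= self.last_used_step:
                continue  # already consumed, or older than one consumed: no replay
            if hmac.compare_digest(hotp(self.secret, candidate_step), code):
                self.last_used_step = candidate_step
                return True
        return False


def demo() -> Dict[str, object]:
    """Keylogger scenario: the attacker has the master password and knows the
    time, but not the enrolled secret. Clock values are constructed."""
    secret = b"12345678901234567890"  # RFC 4226/6238 reference secret, not a real enrolment
    server = TotpVerifier(secret)
    now = 59
    attacker_guess = server.verify("000000", now)  # no secret, so a guess: rejected
    legit_code = totp(secret, now)                  # what the app shows at this moment
    first_use = server.verify(legit_code, now)      # accepted
    replay = server.verify(legit_code, now + 5)     # same code again: rejected
    return {
        "attacker_guess": attacker_guess,
        "legit_code": legit_code,
        "first_use": first_use,
        "replay": replay,
        "uri": provisioning_uri("LastPass", "alice@example.com", secret),
    }
```

Two design points matter here. The verifier compares codes with `hmac.compare_digest` rather than `==`, so timing does not leak how many digits matched, and it records the last step it accepted, so a code a keylogger captures alongside the master password is dead the moment you have used it yourself.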

It’s heartening to learn that LastPass is popular at MIT.

Next Post: Data Breaches in the News

The Heartbleed Bug: How to Keep Your Passwords Safe



As an entrepreneur, one of your most important tasks is securing your financial information.  In the wake of the Heartbleed Bug, I’ve been fine-tuning my digital security. I’ve especially been fortifying my passwords.  I already use a password manager called LastPass, which I highly recommend.

Though I’ve used LastPass for several years, until Heartbleed, I wasn’t utilizing LastPass to its full potential. The latent Luddite in me was on the fence about fully entrusting my most sensitive accounts to any password manager. But this past couple of weeks has shown me how important it is (and that it truly is safe) to use LastPass for even my bank accounts, PayPal, and other highly sensitive sites.

I’d been using LastPass for dozens of less sensitive sites, while continuing to use easy to remember, “secret” passwords for my bank accounts and Paypal. Not smart. By “easy to remember,” I mean actual words whose significance I believed to be too personal to be deduced by strangers.

How foolish. Today's password-cracking software can test tens or even hundreds of millions of guesses per second against a fast hash, and a GPU rig does billions. Against such brute-force juggernauts, my poor, easy-to-remember passwords, real words that sit near the top of every cracking wordlist, would last mere minutes, if that. (A deliberately slow key-derivation function such as PBKDF2 cuts that rate by orders of magnitude, which is why password managers stretch the master password before using it as a key.)

Enter LastPass. LastPass is widely considered the best password manager out there. You have one master password to log in to the LastPass browser plug-in. Whenever you visit a web service, the plug-in logs you in securely. As long as your master password is chosen well (i.e., long and complex), LastPass offers excellent security. There's even a multi-factor authentication feature, which means a stolen master password alone is not enough to log in to your account. (Multi-factor authentication is like Google 2-Step Verification, which, if you aren't using yet, I also highly recommend.)

LastPass generates a different, completely random character-string password for each of your online logins. Randomness is the key: a random string has no pattern a wordlist or mangling rule can exploit, and every extra character multiplies the number of guesses an attacker must make, whereas a dictionary word is one of the few hundred thousand entries a cracker tries first. This is how a single master password can stand behind hundreds of logins without the same password ever being used on more than one site.

LastPass stores only your AES-256-encrypted vault on its servers. If their servers are ever hacked, the thief holds ciphertext, and the only way in is to guess your master password offline. One caveat that matters: there is one key per vault, so a thief who does guess it gets every password in that vault at once, which is exactly why the master password has to be strong.

Also, LastPass doesn't store your master password. Only you know it; what LastPass keeps is a one-way hash derived from it, enough to check a login but not enough to recover the password or the vault key. That's how they thwart the potential "inside job" by an unscrupulous LastPass employee, an insider threat any service that holds customer vaults has to account for.

Plus, the LastPass plug-in only decrypts your passwords on your local machine; it never sends an unencrypted password across the Internet. All individual passwords remain encrypted until the moment you use them.
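The three claims above (the server holds no master password, decryption happens only on your machine, and the "billion billion years" of AES-256 from the earlier post really comes down to the master password) fit in one small model. What follows is an added example, not LastPass's code: it is built in the shape LastPass has described publicly (vault key = PBKDF2-SHA256 over the master password salted with the e-mail address, a separate login hash derived from that key), and it runs the offline attack a thief of the server database would actually mount. The iteration counts, the server-side record format, the wordlist and every account and password in it are assumptions constructed for illustration.

```python
"""
Added example (not LastPass's own code): a 'zero-knowledge' login in the shape
LastPass has described publicly (vault key = PBKDF2-SHA256 over the master
password salted with the e-mail address; a separate login hash derived from
that key), and the offline attack a thief of the server database would
actually run. Iteration counts, the server-side record format, and all
accounts, passwords and wordlist entries are assumptions/constructed.
Standard library only.
"""
import hashlib
import secrets
from typing import Dict, List, Optional, Tuple

ITERATIONS = 50_000        # assumed client-side PBKDF2 cost (real products use far more)
SERVER_ITERATIONS = 5_000  # assumed extra stretching of the login hash before storage


def vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """The AES-256 key that encrypts the vault. Derived on the client and never sent."""
    salt = email.strip().lower().encode()
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def login_hash(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """What the client sends to prove the master password: one more PBKDF2 round over
    the vault key. PBKDF2 is one-way, so this reveals neither the key nor the password."""
    key = vault_key(master_password, email, iterations)
    return hashlib.pbkdf2_hmac("sha256", key, master_password.encode(), 1, dklen=32)


def stretch_for_storage(lh: bytes, salt: bytes) -> bytes:
    """Server-side hashing of the login hash, so a database dump is not directly usable."""
    return hashlib.pbkdf2_hmac("sha256", lh, salt, SERVER_ITERATIONS, dklen=32)


class Server:
    """Holds one salted record per account and nothing else: no master password,
    no vault key. That record is all an insider or a database thief gets."""

    def __init__(self) -> None:
        self.records: Dict[str, Tuple[bytes, bytes]] = {}

    def register(self, email: str, lh: bytes) -> None:
        salt = secrets.token_bytes(16)
        self.records[email] = (salt, stretch_for_storage(lh, salt))

    def verify(self, email: str, lh: bytes) -> bool:
        if email not in self.records:
            return False
        salt, stored = self.records[email]
        return secrets.compare_digest(stored, stretch_for_storage(lh, salt))


def crack_master_password(record: Tuple[bytes, bytes], email: str,
                          wordlist: List[str]) -> Optional[str]:
    """Offline attack on a stolen record. Note what is NOT attacked: AES. Each guess
    re-runs the client's key derivation, so the cost per guess is the PBKDF2 work and
    the search space is the master password, not a random 256-bit key."""
    salt, stored = record
    for candidate in wordlist:
        if secrets.compare_digest(stretch_for_storage(login_hash(candidate, email), salt), stored):
            return candidate
    return None


WORDLIST = ["password", "letmein", "sunshine", "fido2009", "qwerty123"]  # constructed


def demo() -> Dict[str, object]:
    email = "alice@example.com"  # constructed account
    weak, strong = "fido2009", "correct-horse-battery-staple-2014"
    weak_server, strong_server = Server(), Server()
    weak_server.register(email, login_hash(weak, email))
    strong_server.register(email, login_hash(strong, email))
    return {
        # A dictionary-word master password falls to a stolen record in a few guesses...
        "weak_cracked": crack_master_password(weak_server.records[email], email, WORDLIST),
        # ...while the same attack on a long passphrase exhausts the list and finds nothing.
        "strong_cracked": crack_master_password(strong_server.records[email], email, WORDLIST),
        "login_ok": strong_server.verify(email, login_hash(strong, email)),
        "login_wrong": strong_server.verify(email, login_hash("guess", email)),
        # The key that actually decrypts the vault exists only here, on the client.
        "vault_key_hex": vault_key(strong, email).hex(),
    }
```

The point to take from `crack_master_password` is that the attacker's loop never mentions AES. Everything the server stores is a one-way function of the master password, so an insider or a thief can check guesses but cannot reverse anything, and the only dials that make each guess expensive are the PBKDF2 iteration count and, far more, the length of the passphrase the guesses have to cover.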

And even when LastPass decrypts a password to log you in to a site, the form field stays masked (just asterisks), so nobody looking over your shoulder sees it. (By the way, your master password is masked when you type it into the LastPass plug-in, too.) Masking is a defence against eyes, not against malware: anything that can mirror your screen can usually read the form field as well, which is why the machine you unlock the vault on has to be clean.