Passwords suck. When was the last time you said: “Yeah! Another password!”? Yet, what else can we use? At the moment, there are many viable approaches to eliminating passwords, ranging from single sign-on solutions, biometrics and mobile device-based alternatives to more out-of-the-box approaches (see SQRL for an interesting idea). While these are interesting and a few are undoubtedly cool, we will most likely be stuck with passwords for the foreseeable future. There is a major problem: most people are very lazy with their passwords. As the Yahoo breaches from a few years ago have illustrated, hacking remains a continual issue. Breaches like these invite malicious actors to try your stolen credentials against multiple sites to see if your email password is the same as your banking password. If you want to know if you have ever been hacked, ‘have i been pwned?’ is a good, safe site that collects info from widely distributed hacks and makes it readily searchable. Even a few of my email addresses have shown up in this database. Unfortunately, even if your addresses haven’t shown up on the site, you aren’t safe. There is another type of attack called a brute force attack: an attacker enters your email address into a site and tries every combination until they get it right. They even make cracking servers for this kind of thing (I love the name: Brutalis). The only viable way to effectively thwart this is to use an ultra-random (aka high-entropy) password, something we as humans have trouble making since our minds want to think in easily recognizable patterns. So, what to do? Give up? Go off the grid? No need, now I’ll stop scaring you and help out instead.
I work in information security so I know the value of a good password. Yet I hate dealing with them. I have to admit, for many years I stored my passwords in a password-protected Excel file, though I later moved to a third-party DRM-style encrypted Excel file. I know, I know, I shouldn’t be doing this. I should be held to a higher standard because I am a tech guy and I should know better. For many years, I ignored password managers and other secure solutions. Instead, I stored passwords in this very insecure Excel file because, frankly, I was lazy. So, as one of my NYE resolutions for 2017, I decided to abandon the Excel file and move to a password manager. A password manager is a secure encrypted vault for all your passwords that can be accessed across all your devices and uses a master password (which is required to be ultra-secure) to give you access to all your logins. It actually auto-populates these passwords on your other authorized devices, such as iPhones, laptops, etc., making it extremely convenient on a phone. Every time you need a new password, just add it to the vault and you’ll be good to go. It can even create new high-entropy, complex passwords for you to replace the existing ones. However, don’t forget your master password. Due to the high level of security involved with holding all of your passwords, it is rather difficult to reset. If you forget it, you’re basically screwed, but that’s a good thing, right?
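To make two ideas from the paragraphs above concrete (why a generated high-entropy password defeats guessing, and why a vault's master password has to be strong), here is an added Python example. It is not LastPass code and is not from the original post; the 1e12 guesses-per-second rate and the PBKDF2 iteration count are assumptions chosen for illustration.

```python
"""Added example: entropy of a generated password versus a human pattern, and
stretching a master password into a vault key. Constructed demo, not LastPass code."""
import hashlib
import math
import secrets
import string

# Printable ASCII minus space: 94 symbols, the alphabet most generators default to.
FULL_ALPHABET = string.ascii_letters + string.digits + string.punctuation


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    if length <= 0 or alphabet_size <= 1:
        raise ValueError("need a positive length and an alphabet of at least 2 symbols")
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20, alphabet: str = FULL_ALPHABET) -> str:
    """Draw each character from the OS CSPRNG via secrets, never random.choice."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time for an attacker to try every password of this entropy."""
    seconds = (2.0 ** bits) / guesses_per_second
    return seconds / 31_557_600  # Julian year in seconds


def derive_vault_key(master_password: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Stretch the master password into a 256-bit key with PBKDF2-HMAC-SHA256.
    Password managers use a slow KDF like this so each guess at the master
    password costs the attacker; the iteration count here is an assumed value."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


if __name__ == "__main__":
    pw = generate_password()
    bits = entropy_bits(len(pw), len(FULL_ALPHABET))
    # 1e12 guesses/s is a constructed figure standing in for a cracking rig.
    rate = 1e12
    print(f"generated: {pw}")
    print(f"entropy: {bits:.1f} bits -> {years_to_exhaust(bits, rate):.2e} years to exhaust")
    # An 8-character all-lowercase pattern, the kind a human tends to pick.
    low = entropy_bits(8, 26)
    print(f"8 lowercase letters: {low:.1f} bits -> {years_to_exhaust(low, rate):.2e} years")
    salt = secrets.token_bytes(16)  # stored beside the vault; it need not be secret
    key = derive_vault_key("correct horse battery staple", salt)
    print(f"vault key: {key.hex()}")
```

Two design points: `secrets` is used rather than `random` because the generator's unpredictability is the whole point, and the salt is random per vault so the same master password on two vaults yields different keys. The vault key is only as strong as the master password fed in, which is why the post insists that one be ultra-secure.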
The first step was choosing a password manager. As an avid listener to SecurityNow on the TWIT network, I already had a suggestion made to me, namely LastPass. Steve Gibson has been raving about LastPass for years. For those who don’t know, Steve has been doing computer security since before the internet really existed. He is the guru who coined the term spyware. If you want to keep up to date on the latest and greatest in security news, and learn a LOT, Steve and SecurityNow are great places to start.
Next, I had to start moving my passwords into the vault and change them. It goes without saying that I had a lot of passwords that needed to be changed, checked, entered, etc. It took me a few stints to get them all in there. Once all the information was entered, I added the LastPass app to my mobile devices and laptop and confirmed it was functioning correctly.
Now, with my passwords secure and a lot of time invested, I have to ask the question: was it worth it? Absolutely! My life is a million tons simpler. I was able to start up a new laptop and phone and get all my apps and sites loaded quickly. Just as cell phones removed my ability to remember people’s phone numbers, LastPass has begun to degrade my ability to remember my passwords, but it has also secured my life. One more question you may ask is, should I pay for it? LastPass has a very feature-rich free version. However, their full version is only $13/year. I paid, first because it’s cheap and second because I want LastPass to continue to exist and make great software that makes my life easier. $13 is a very, very small price to pay for this benefit. So yes, you should use LastPass’s full version to make your life easier. And no, I am not getting any commission from this, other than the benefit we all get if they stay around to keep us secure. So go, stop reading, go!