My Flypaper Mind Brenden Schaaf's opinions, ideas, comments, rantings, & minutiae

10Jun/120

How safe are your passwords?

Strong Passwords courtesy Paul O'Rear on FlickrThe recent news that some LinkedIn and eHarmony passwords have been compromised represents the latest  in a string of such stories that are part of a trend we will continue to see for the foreseeable future.  Users of these services were advised to change their passwords, but how much will that really protect most people?  Most of us have accounts, and therefore passwords, with dozens or even hundreds of websites.  Furthermore, it has been reported that way too many people use the same password (including the password they use for online banking) or handful of passwords across multiples sites.  So once a hacker has someone's email address and password for LinkedIn they very likely have enough information to login to Amazon, eBay, Wells Fargo, etc.

So what's a person to do?  Standard advice includes creating strong passwords that aren't susceptible to dictionary attacks as well as making a different password for every site visited.  After doing this for just a handful of sites, however, it would become next to impossible to remember every password needed by most of us.

Storing passwords in an encrypted text file is a possible solution, though keeping  a copy available on several machines and mobile devices would require the use of insecure means (such as carrying the file on a USB flash drive or emailing the file back and forth between work and home) or the use of an encrypted synchronization solution like SugarSync or Dropbox.  I think that anyone willing to do that is better off using a dedicated solution in the form of an online Password Manager.

I first learned of these kinds of tools at the 2011 MNCPA Tax Conference, when Tommy Stephens of K2 Enterprises demonstrated a tool he uses called RoboForm.  I was impressed that it allowed him to select bookmarks directly from his browser and be automatically logged in to the destination site without any intervention.  This looked like a good tool to use primarily to save time...I didn't really give much thought to the security reasons for using such a tool.  I tried RoboForm after the conference for a couple weeks but soon found that I preferred a similar solution called LastPass instead.

I actually became aware of LastPass in 2010 when Xmarks was purchased by them, but never thought to use it until I saw the Roboform demonstration and found it to be kind ofLastPass Generate Secure Password Dialog Box kludgy in my daily use.  The lightbulb went off and I quickly recalled that the sister-program to Xmarks (another product I highly recommend, by the way) might be worth checking out and I sure am glad that I did so.  In my opinion it just works better than Roboform and I found it very intuitive to set up and use.  Having used LastPass now for 6+ months I can't recommend enough that everyone use this program.  Given that these tools are constantly being updated and related applications are available for multiple operating systems (iOS, Android, Windows, Blackberry, Linux, etc.) you should try a couple and choose the one that works best for how you use the internet and the devices you use.

Here are some of the many benefits to using LastPass:

  1. Passwords are encrypted and stored securely and are unlocked only through the use of a master password (needed only one time per browsing session at most).  Since this is the only password you really need to remember you can, and should, make it very strong.  Doing so is key to making your information secure.
  2. You can easily test your password performance and continue to tweak your passwords to make them even more secure using a tool that runs against your current collection of passwords and ranks you in comparison to other users.  See graphic showing my scores.
  3. Not having to remember passwords for multiple sites, especially those used infrequently.
  4. No longer storing passwords insecurely in multiple web browsers on several machines.
  5. Easily generate lengthy, strong, unique passwords.
  6. No password reuse at multiple sites.
  7. Browser add-ons and mobile apps are available to make LastPass easy to use on multiple devices and platforms.  Some of these tools are available only to subscribers to LastPass Premium, but the cost of $12/year is negligible and I felt compelled to pay for the premium product just to support the software development even before I used the Android app.

When first run, LastPass will offer to import passwords stored in your default browser making it easy to populate the database initially.  Once that is done you'll want to visit each site stored in LastPass to change your existing password for that site to something stronger.  LastPass will generate a password to your specifications.  Start by choosing  the desired password length and whether to include uppercase, lowercase, numeric, or special characters and let LastPass create a random password.  Depending on the website, you may be able to click "Accept" at the bottom to have the password automatically inserted into the password field(s) on the site or you may need to click "Copy" as in the graphic shown to manually paste the password into the form.  Once you do that, LastPass will offer to store the password for future use.

One of the most frustrating issues I ran across when going through this process is how varied the password requirements are for different websites.  See the adjacent table for some of the requirements I noted for some randomly chosen sites.

Password requirements for selected sites

I was surprised at how many sites had upper limits on password length since presumably the sites are storing a hashed version of user passwords (which may be a fixed length no matter how long the user's password is).  I was also shocked that several sites emailed me the new password in plain text immediately upon changing it, a very problematic issue.

Perhaps the most troublesome are those that only allow short passwords or that disallow special characters since they are limiting the strength of their customers' passwords by default and making their own sites more vulnerable than necessary. Although many sites allowed very long, complicated passwords (I set several of my passwords to 75+ characters) there were some, unfortunately, that limited passwords to 4 digit PINs.

I was also surprised by a few websites that didn't seem to allow password changes at all but I found a work-around for nearly all of them by using the "forgot password" link to generate a new, temporary password and then I was able to create a new password.

At present you can see by the images above that LastPass is managing 214 passwords for me and the average length of the stored passwords is 23.7 characters.  I couldn't imagine memorizing more than one password that long much less several dozen that are longer.  Not only am I more comfortable now that I'm using LastPass but I find being online and the myriad of passwords to be even easier to use now.  That's a definite win-win.

Anyone that cares about security should use LastPass or a product like it.

Comments (0) Trackbacks (0)

No comments yet.


Leave a comment

No trackbacks yet.