You Should be using a Password Manager

A quick search on the internet shows a ton of websites that have been hacked, with passwords compromised. Big names such as Yahoo, Adobe, Kickstarter and Snapchat, and even more through key-logging software. If you use one main password everywhere, then your weakest link could be any single website's security.

I have been using the same main password since 7th grade. Yes, I have been an idiot. It was even a common word. I have not been wise with my data and, honestly, my client’s privacy. That all changed in the past month when I started using Lastpass.com to store and create my passwords for free.

Lastpass integrates with your browser and, for the most part, runs seamlessly. It has a master password that secures all your data. On my iPhone the app lets me copy a password and paste it into password fields. The iPhone app is $12 a year, so unfortunately they do stick you with that one.

Lastpass also has a built-in password generator, which I have been using to change my passwords on multiple sites. It generates a password automatically and then stores it for use next time. My goal is to have a different password for every website within the next couple of months, and only that long because it takes a while to go in and change them all.
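As an added illustration of what a generator like the one described above does (this is example code written for this page, not Lastpass's own code), the snippet below draws a password from the operating system's cryptographic random source and guarantees it meets a site's composition policy, such as the "two capital letters and a plus sign" rule mentioned later in the article. The function names, the default symbol set and the policy parameters are all assumptions of this example.

```python
import secrets
import string

# Character classes the generator draws from (assumed defaults for this example).
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+"


def generate_password(length=20, min_upper=1, min_digits=1, min_symbols=1,
                      symbols=SYMBOLS):
    """Return a random password of `length` characters drawn from letters,
    digits and `symbols`, containing at least the requested number of
    uppercase letters, digits and symbols.

    `secrets` is used instead of `random`: `random` is a predictable PRNG and
    is not suitable for anything that must stay secret."""
    if min_upper + min_digits + min_symbols > length:
        raise ValueError("policy minimums exceed password length")
    alphabet = LOWER + UPPER + DIGITS + symbols

    # First satisfy the site's minimums so the result is never rejected.
    chars = [secrets.choice(UPPER) for _ in range(min_upper)]
    chars += [secrets.choice(DIGITS) for _ in range(min_digits)]
    chars += [secrets.choice(symbols) for _ in range(min_symbols)]
    # Fill the remaining positions from the whole alphabet.
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]

    # Shuffle with the OS CSPRNG so the mandated characters do not sit at
    # predictable positions (e.g. "always uppercase first").
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def satisfies_policy(password, min_upper=1, min_digits=1, min_symbols=1,
                     symbols=SYMBOLS):
    """Check a password against the same composition rules the generator enforces."""
    return (sum(c.isupper() for c in password) >= min_upper
            and sum(c.isdigit() for c in password) >= min_digits
            and sum(c in symbols for c in password) >= min_symbols)


if __name__ == "__main__":
    # A generic 20-character password for a site with no special rules.
    print(generate_password(20))
    # The awkward site from the article: two capitals and a plus sign required.
    picky = generate_password(16, min_upper=2, min_digits=1, min_symbols=1, symbols="+")
    print(picky, satisfies_policy(picky, min_upper=2, symbols="+"))
```

The important design choice is that every character, including the ones forced in by the policy, is chosen by a cryptographically secure source and then shuffled; a manager's generator is only useful because it removes human habits like "capitalize the first letter, put the symbol last" that attackers' cracking rules already expect.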

Lastpass also has a feature that helps you fill out forms quickly. You can store several forms, notes and even credit card information, though the last is something you may want to avoid.

Of course, everything ultimately hinges on the strength of your Lastpass master password itself. If it is something simple or common and a hacker cracks it, they would have access to everything. If this is a huge concern to you, you can buy a USB key that has to be plugged into the computer to use Lastpass. Think of it as another layer of protection.

Overall I have been very good at remembering my passwords; however, some websites do not allow me to use my typical password. They often force me to add a special character that I normally do not use, and so I forget these all the time. With Lastpass I will always have that obscure password I use 4 times a year that has to have two capital letters and a plus sign: problem solved.

Before I really dug into password managers I thought they were for old people, but after spending a month with Lastpass my view has changed. Certainly don't feel like you should be tied down to Lastpass; there are several others out there. Keepass stores all your passwords in a database located on your computer, which to some could be the most secure option.

1Password
Keepass

20 Comments

Tam Nguyen

Nice write-up man. That USB thing is a very nice touch.

There are 3 factors to a good authentication process: something you have, something you know, and something you are. Some companies nowadays offer 2-factor authentication: your password and your phone. Kudos to those guys.

There is also some bogus "2-factor" authentication, like asking for your password and then shooting back with an image and a phrase you set up; that's merely one factor repeated twice - something you know. So stupid.

That's more of an anti-phishing device. There's some value to it, but it's not as good as 2FA.

Matthieu Olivier

Personally I prefer to keep my passwords to myself, rather than giving all my digital life to an untrustworthy third party.
Who says Lastpass's online databases can't be hacked one day, with all your PayPal / Amazon / bank account / etc. in them?
And we never know if these websites somehow feed brute-force dictionaries with your new passwords either.

Use 1Password. It stores an encrypted file on your local machine, and—optionally—Dropbox.

Just use a very hard password with a "_" and a numerical counter AND/OR a related name.

password_001_ebay for example... "password" would have to be a series of letters, numbers, etc...

Easy to remember and safe-ish

Dirk Diggler? Wishful much? Ha..

Jerrit Pruyn

Nah just a name I put in there.

Noam Galai

I'm too afraid to use something like this, plus I want to be able to log in to all my services no matter where I am or what I carry on me.
I also try to have a different password for each service I use... And I also never save passwords - so I log in to all of them (FB, Gmail, etc. etc.) every day. It's good - this way it's easier to remember each password ;)

I once had this conversation with a guy who ran security for a fortune 500 company. He suggested that you never store passwords anywhere, but that the best idea is to have a password system or "pass phrase" for each site, something easy to remember but unique.

For example: the phrase "I graduated from Notre Dame in 1999" becomes "IgfNDi1999" then change the I to a ! for the symbol (!gfNDi1999). Then mix in the website somewhere (a password for fstoppers would be !gfNDi1999fs).

Supposedly, this is the most effective password system you can use. You can always remember it, it doesn't have to be saved anywhere, and phishing bots don't decipher patterns so they aren't likely to figure out your system.

Well, if one of your passwords is found, I could easily discover the one you "created" from the master one, and so all the children of it. fs for fstoppers, gm for gmail... You are not that protected!
Either the second part should be way more complicated to generate, or you should change method.

Passwords are not being deciphered by people... it's bots. You could decipher it, but the programs used for capturing and cracking your passwords do not read those kinds of abstract patterns.

Adam T

Note to self: create browser malware to add on to Lastpass in order to send me all your passwords. Brilliant, no more having to hide keyloggers or zombies, no more having to hack big and hard databases. I can have the user just give me the passwords. OK, phase one, make a redirection site..........

Come on people, write your passwords down in a black book, never use this Sh@t.

Jerrit Pruyn

Google Chrome is pretty secure. But yes, stuff happens.

That could happen anyway, with or without Lastpass, unless the malware was not able to crack the hash. Being malware free would be the first step. But if it's good enough for Steve Gibson then...

Why not just use a special code for your passwords? Every one of my passwords is different, and it's based off a few factors such as username, website title, length of website name... and so on.

I can decode any of my logins and figure out the password for the site... but if you saw my password you'd have no idea how I created it. Even if you saw a few passwords it would still be difficult to decode it... The only obvious way someone would catch me out is if I told them the way to decipher it.

"I can decode any of my logins and figure out the password for the site.."

And that's the problem: any brute-force decoding program will game your system in a few MILLISECONDS, because it's a system. Never have a system; our brain can't compete. And if you use a system, don't come on the web and disclose what it's made of.

What your brain is entirely capable of is memorizing a dozen secure passwords, and even more pass-phrases. Learn about entropy http://xkcd.com/936/ and make your password creation a poetic exercise :)

Gibson Research has a great free online password checker that gives you some idea of the actual strength of your passwords. Note that long groups of random common words are a much stronger password than obscure symbols in a shorter password (and also easier to remember).

https://www.grc.com/haystack.htm

Steve is the man when it comes to security. His weekly webcast on TWiT.tv's "Security Now" show has ALL kinds of information regarding exploits when it comes to all things concerning internet practices. For the uninitiated, they should really check out the show. TWiT.tv does it live on Tuesdays but you can get the edited streams by looking for "Security Now".

http://twit.tv/sn

Use KeePass! It is open source and you can store your encrypted password database anywhere you like. Plus there are plugins for every major browser.

Another highly recommended program to check out is Sticky Password (http://www.stickypassword.com/about-us/overview). I'm no security expert but they do explain their process in detail on their Web site. I've used this system for a few years and am so glad I found it as I need something to track my hundreds of logins and passwords. My advice to everyone is to use any password manager available which fits their needs and to use different and super strong passwords for every site they have an account on. Or maybe if their memories are that great that they can remember passwords like brKir7j&^@RC7&IK, they can use their brains :)