Like most people, I am guilty of using the same generic password for various low-risk web services (e.g. web forums). For ‘important’ high-value services (e.g. financial sites, online retail), I would use unique passwords, but based on a formula I made up. But as time went on and new services popped up which I signed up for and used, all of these passwords became tedious to remember and maintain. It was time to switch to using a password management tool, so I chose LastPass.
A password management system is simply a way for a person to manage all the usernames and passwords used for accessing various services. Technically, my aforementioned personal ‘formula’ for passwords is a password management system. The problem with my old system is that many sites/services wouldn’t accept the password my formula would generate (e.g. they won’t accept special characters, or only certain types of special characters).
Therefore, I would have to alter my formula-generated password and remember that my password for that respective site deviated from my expected password scheme. Naturally, this highlights the flaws in a mentally managed password system, because I would often forget a password for a specific site/service precisely because it’s slightly different from what my formula expects it to be.
Not to mention the fact that many sites/services have different usernames with varying username requirements (some require a minimum of 6 characters, some don’t allow special characters, some require a number). This in itself becomes problematic because I’ll forget what my username is for a given site that has some unique username requirement.
Many people use a low-tech tool for password management: writing passwords down (e.g. sticky notes, notepad, etc.). This in itself is problematic in that anyone who gets their hands on that piece of paper can use your accounts.
This brings about the concept of a computerized password management tool. These tools simply store your username and credentials for various services in an encrypted store either locally, online (cloud), or both. In theory, this can be just as insecure as the low-tech writing out of passwords on a piece of paper.
But this requires that the user exercises due diligence in protecting his/her password store and puts trust in the tool.
So how did I end up deciding on LastPass? Well, I simply chose it because the people in my department at work are using it. This is a bit stupid, but the fact that my colleagues are already using it caused me to look into LastPass a little deeper and I ended up finding that it works in my personal computing environment / ecosystem (Mac OS X + Apple iOS).
Note that I did look into 1Password as well, since it is a popular option amongst Mac users. While it seems to be very nice if you’re a Mac user in the way it integrates with the rest of the OS, LastPass was a cheaper alternative in terms of testing, and the upgrade path for 1Password looked suspect (it looks like they’ll squeeze more money out of you in new releases).
LastPass is free, which is a huge incentive to try it out. Then if you want to go ‘Premium’, which means you can use the mobile apps, it’s $12 a year. $1 a month is nothing. The computer application is a browser plugin, so it integrates directly into the major browsers and will intelligently choose the correct user/pass combo for a site you visit.
Now that I’m using LastPass, I actually don’t know any of my passwords anymore. How is that?
Well, what I do for each site/service is use a tool in LastPass to generate a long random string (I’m currently using 16 characters) with multiple character classes (upper case, lower case, numbers, special characters).
I then store that password with the respective username in the LastPass ‘vault’ for that specific site/service. When I need to (re)authenticate to that site/service, I let LastPass pull up the credentials for me and log in.
In terms of site/service credential security, this is about as secure as it gets for single-factor authentication. The odds of anyone cracking the hash of a 16-character password drawn from four character classes are extremely low.
Of course, this puts a lot of faith in the security of the LastPass service. If someone is able to log into my LastPass ‘vault’, they have free rein on most of my accounts on the Internet.
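To make the “long random string with multiple character classes” idea concrete, here is an added example (my own illustration, not code from the post or from LastPass) that generates such a password from the OS CSPRNG, guarantees every requested class appears, and estimates the search space an attacker who obtained the password hash would face. The special-character set is a constructed assumption; LastPass’s actual set and its generator are not shown on the page.

```python
import math
import secrets
import string

# The four character classes the post uses. The special set is constructed
# for this example; real generators let you pick the exact symbols.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?",
}
ALL_CLASSES = ("upper", "lower", "digit", "special")


def generate_password(length=16, classes=ALL_CLASSES):
    """Random password of `length` chars with at least one char from each
    requested class. Drawn from `secrets` (CSPRNG), never `random`.
    Dropping classes (e.g. no "special") models sites that reject symbols."""
    if length < len(classes):
        raise ValueError("length must be >= number of required classes")
    alphabet = "".join(CLASSES[c] for c in classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Rejection sampling keeps the distribution uniform over all
        # passwords that satisfy the class constraint (no biased "fix-up").
        if all(any(ch in CLASSES[c] for ch in pw) for c in classes):
            return pw


def entropy_bits(length=16, classes=ALL_CLASSES):
    """Upper bound on entropy: log2(alphabet size) per character. The
    'every class present' constraint removes a negligible fraction."""
    alphabet_size = sum(len(CLASSES[c]) for c in classes)
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits, guesses_per_second):
    """Years to try every candidate at a given offline hash-cracking rate."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password()
    bits = entropy_bits()
    print(pw, f"{bits:.1f} bits")
    # Even at a trillion guesses per second the full space takes ~1e11 years.
    print(f"{years_to_exhaust(bits, 1e12):.2e} years at 1e12 guesses/s")
```

A 16-character draw from all four classes here is about 102.5 bits, which is why a leaked hash of such a password is not realistically crackable; the same function with `classes=("upper", "lower", "digit")` shows what a symbol-rejecting site costs you (about 95 bits, still far beyond offline attack).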
Thankfully, LastPass supports two-factor authentication, such that in order to log into LastPass, it will require a second factor (e.g. a Time-Based One-Time Password). Most people will be able to use Google Authenticator, which is free. I’m actually using Duo Mobile with push notifications thanks to the Duo service we operate at work.
Of course, the sites that I use that require their own two-factor/multi-factor authentication are even more secure in that not only do I have an obscenely long random password, I still need to supply the second factor for that site (e.g. BofA, Google Mail).
Considering my professional field of Information Technology and IT Security, you would think I was already using something like LastPass. But sadly no, I’m a recent convert.
Anyway, I’m now using LastPass and if you’re not already using a password management tool, you should definitely give LastPass a try (since it’s free), or at least another password management option out there. There are plenty to choose from.