3 Steps To Better Online Password Management
Despite my technical background I’m a late adopter in just about everything. I’m not sure why that is, but perhaps it’s the inertia of change or just plain laziness? Either way, I only just recently signed up to a password management program. Now, before you all gasp in astonishment and tell me how I’ve been jeopardizing my online life for years, I can tell you that we did have passwords, mostly unique passwords for just about everything we did online. We kept these passwords in a password-protected Excel file and synced that file online (through Dropbox) for both of us to use. It worked well enough, but it was also cumbersome and (frankly) a pain in the butt to look up passwords every time we logged into a website. Also, sometimes one of us would accidentally overwrite the password file & mess it up without meaning to. Lastly, for ease of use (i.e. to help our wine-aged memories) we DID end up having several passwords which just weren’t particularly secure. It wasn’t ideal…not ideal at all.
So, I started looking at online password managers. There are many, many options out there which cost very little money at all. The main contenders are LastPass, 1Password, Dashlane & Roboform, amongst others. Then there are lots (and lots) of websites comparing them and touting one or the other as the best. In the end we decided on LastPass and, having used the program for several weeks now, I can attest that it is very snazzy indeed. For only $12/year** (Premium Version) we’ve got easy access across ALL our platforms (PC, iOS, Android etc.) with automatic syncing whenever one or the other of us changes a password. I really, really like this program!
** Note/ The Basic desktop version of LastPass is FREE. The Premium version adds mobile access & several additional multifactor authentication options.
As part of sharing whatever good knowledge I gain with my blog readers, I figured the process of password management and how we decided on our solution would make for a good post, even though it’s not solely RV-related. So, here we go….
1/ Always Use Unique, Long & Complicated Passwords
The worst thing you can do for your online security is use a simple password (say “mydoggie”) and use that same password across multiple platforms. If anyone were to hack or steal access to one of your accounts, they would immediately have access to ALL your accounts. Think I’m being overly careful? You can do a quick test of your current password security HERE and then read THIS article and THIS article to figure out that your password might be cracked even faster than that. For reference, a “normal” 16-character password might take less than an hour to crack with modern methods. To be as secure as possible you want to use LONG passwords (as long as your account will allow), with UPPER & LOWER case characters, NUMBERS and SYMBOLS in NO SENSIBLE ORDER. Combining all 6 items is best (say, a password like “i80*U5Xp9pIq%40n”). Also never, ever use the same password twice! Many programs offer free online password generators in case you need help. For example HERE and HERE.
2/ Keep Your Passwords In a Safe Place
If you decide to keep track of your passwords yourself, make sure to keep them in a protected, safe place. Putting all your passwords in a non-protected file on your computer totally defeats the purpose of keeping them secure, and similarly writing all your passwords down and letting them lie around the house is not smart either. If you’re going to use a file, name it something inconspicuous, and keep that file password protected or encrypted in a secure spot. If you’re going to use a notepad, lock that notepad up somewhere it’s not easily accessible. Of course the safer your passwords are (say, locked up in a Firesafe under your bed), the more difficult they are to access…and this includes for you! This is where most folks either give up (and just use the same password everywhere) or look at some kind of management program.
3/ Switch To A Password Management Program
The biggest advantage of a Password Management Program is that you can have a virtually limitless number of long, secure, unique passwords and you never have to remember any of them. Most password programs only have you remember ONE MASTER PASSWORD to log into the program (which is never stored online) and then everything else is there. These days programs are even snazzier and have a bunch of extra features. When I was comparing programs my top requirements were:
- Easy to use across multiple platforms (iOS, Droid, PC etc. both mobile & desktop). We have all of these in our household and I wanted a uniform experience across all of them.
- Easy access from ALL my browsers (Chrome on my PC, Safari on our pads, Dolphin on our Droid phone).
- Automatic syncing. If Paul changes a password, I want to have immediate access to it.
- Ability to “share” an account across multiple household users, with ability to have customized views if we want (these are often known as “identities”).
- Built-In strong password generator, so that I can easily generate a great password anytime I need to.
- Auto-Fill & Wallet. I want the browser to auto-fill my login when I’m online, and I want the ability to fill in other stuff automatically, including my credit card info (when needed).
- Multifactor Verification. This is an extra security feature that allows you to have TWO steps to verify you’re the owner of the account. It’s primarily important for cloud-based programs.
This TABLE and this TABLE provide nice comparisons across multiple programs. There are many more features you can look at including where the programs store your passwords (on your devices? online?) and what kind of support they provide, but the list above was my minimum.
After reading, asking online & comparing I narrowed it down to two options: 1Password and LastPass. Both offered most of the features I needed. 1Password is VERY popular with Apple-based folks & provides a super sweet Apple interface, but it requires a separate license for Mac & Windows and is not quite as sleek-looking on non-Apple platforms. LastPass is more “rustic” in looks, but gives you the exact same experience across all platforms and it has several options for multifactor authentication. Given our mixed-home environment & requirements we went with the latter.
And The Results??
It took a few days to get into the groove of using an online management program and learning the nitty-gritty details of the tool, but since we’ve gotten used to it we’ve been very, very happy with the results. When we’re logged on and browsing on our PCs the program automatically logs us into our sites. When we’re on our iPads we have seamless integration into Safari and when we’re on our Droid phone it’s exactly the same. We can easily generate and update/change passwords as we need them from any platform and the program immediately syncs it to all our devices. No more worrying about overwriting the wrong password file or trying to remember what our access is.
As an added bonus LastPass has a nifty security check and a few other features (such as the ability to copy/paste passwords for Apps) that I didn’t expect when we bought it. LastPass is definitely not the only option out there, and I feel just about ANY password management program would be a good alternative, but we’re very happy with our choice.
So was that helpful? Do you have any extra tips or good links of your own? Comment away below!
Note/ I have no affiliation with any of these programs.
Related Links:
- Password Programs: LastPass, 1Password, Dashlane & Roboform
- Free Password Generators: Automatically generate a strong password of any length HERE or HERE
- Free Password Checker: See how secure your password is HERE
- Comparison of Password Programs: Tables comparing multiple programs HERE and HERE
- Multifactor Authentication: Read why this is important & how to activate it on common sites HERE
John Wentz says
I went with KeePass a few years back. Free and very secure. Super easy to use and save it to Dropbox so it is available in your portable device. Also has a stand alone program to save it to a flash-drive. Love it and it’s FREE!
libertatemamo says
Yup, I’ve heard good reviews on KeePass too. For us the way that LastPass automatically allows you to save & change passwords as you browse is a definite edge (it’s integrated into the browser & automatically captures stuff from there), but otherwise they have very, very similar features. It’s a nice bonus that KeePass is free and there are certainly folks who prefer that KeePass can be local-only or synced to Dropbox (as wanted).
Nina
John Wentz says
I use the floating panel add-on so it just hangs out at the top of the browser. Without that, I agree it is a little more cumbersome.
This is a great topic to cover that everybody needs to jump into. I only did a couple of years ago because I was tired of sorting through the different pages of User names and PW’s (as you did).
It took a great deal of time to set up (but I was stuck at home for an even longer time) but well worth it and easier to manage now. 🙂
Ingrid says
Ok this was a totally new concept to me even though I understand the importance of a secure password given all the credit card breaches lately. I had no clue there were services like this. Guess I won’t be using ‘mydoggie’ anymore! Thanks for the enlightenment 🙂
libertatemamo says
LOL…yes, pleeeeease get rid of “mydoggie” password 🙂 Glad this was helpful to you.
Nina
Flyingslanted says
I try to make it easy on myself and create a sentence using numbers for words. Example: I8abigbowlofpeas4u2day
libertatemamo says
That’s a super neat trick! The problem becomes when I have 30 or more online sites and I have to remember the individual password for each. Even with memory tricks like this, that starts to become difficult for me. Thus, the need for some kind of management.
I do like the trick though and think I’ll apply it to our master password…thanks!
Nina
Laurel says
I’ve been thinking about signing up for a password management program for at least five years! And just yesterday I decided to go with LastPass. So now I feel even better about my decision and will actually DO it! Thanks so much, Nina. Great post.
libertatemamo says
Well I like to think that great minds think alike 🙂 Don’t think you can go wrong with LastPass. We really like the program (even Paul does…and he was HIGHLY skeptical of the whole thing).
Nina
Doug says
I use KeePassDroid on my only device (which is obviously Android). You forgot to mention how to choose a good Master Password. In my case I memorized four lines of an obscure poem, and use the first letter of each word to come up with a 28-character one that I imagine would take more than an hour to crack—even though it uses just lower case letters.
libertatemamo says
Love the memory trick! It’s kind of in the same vein as the trick Flyingslanted commented above. Nice tip.
Nina
Mike LeBlanc says
I put my password in for a check and received this answer: It would take a desktop PC about 412 years to crack your password.
I’m pleased!
libertatemamo says
That sounds like a good number. With the length/complexity of passwords I’m currently using we’re at ~350 thousand years (to crack). Might play around to see if I can push it even higher 🙂
Nina
gayle says
This was a great post – really like the link to the “How secure is my password” test.
The one I thought was the safest could be cracked in 3 days – bummer!
But I do have one that would take 2 thousand years!
Thanks for sharing your research – very helpful!
Happy travels!
~ gayle
libertatemamo says
Glad the tips were helpful. It was eye-opening to me when I first went to check the security of our passwords. We had mostly pretty secure passwords, but a few were not so good.
Nina
Jim Shireman says
Excellent article which I hope many of your readers will heed and adopt some kind of program to manage their passwords. I have used Sticky Password for several years now and use the password generator almost every time. Sticky Password is good for generating new passwords, operates on multiple operating system platforms, stores an encrypted form of your database in the cloud which you can download to each device regularly to keep all devices up to date, and autofills. I will take a look at Last Pass as it looks like a very good program also. Thanks for posting.
libertatemamo says
LastPass has a free download version (for desktop) which you can use to play around with and see if you like it. The Premium version ($12/year) gives you access for Mobile devices, but you can always add that later.
Cheers for adding your tips.
Nina
Wendy says
Hi Jim, glad I am not the only one using Sticky Password! I have tried Lastpass but I like Sticky Password more because they still offer you to stay offline.
libertatemamo says
Having read a lot more since I wrote the original blog post, I can definitely see the advantage of having an off-line program like Sticky Password. Looks like another good option.
Nina
Steve says
Great minds do think a like. I started Last Pass in August and wrote about it here:
http://www.houndsandrvs.com/search/label/LastPass
I still add them to my Excel spreadsheet in case there is any problems in the future with Last Pass .. just my natural paranoid computer mentality. lol
libertatemamo says
Sweet. Good to know you like it too!
Nina
Rand says
I have been using LastPass 6-7 years. Mac and MS. Robo forms before that. LastPass is the bomb. Very rare to have a glitch. Random sites I let LastPass create the password– so I don’t mind joining the ether. Just wish it was free for my iPhone. I actually like separating the phone because it’s more likely to disappear and maybe get hacked.
libertatemamo says
For multiple devices I find the “kill sessions” feature of LastPass is a neat option, so that you can easily log off other sessions if you lose your phone or pad. And of course the new “Touch ID” feature (plus ability to wipe/delete phones remotely) on 5S and newer iPhones is an added security feature which makes lost phones even less of a worry.
Great to know you’ve been using LastPass for so long and still recommend it.
Nina
Russ says
Here is a simple password scheme that I think is pretty good and it couldn’t be easier to manage. Start with what I’ll call a base password. It will form the basis of ALL your passwords and apart from how to use it will be the only thing you need to remember. It should have numbers, plus upper and lower case letters and be maybe 8 to 10 characters long. For example, I might use RusGre1951. That’s the first three characters or my first name followed by the first three of my last name capitalized as you normally would, with the year of my birth at the end. That will make up the base password and will be all I need to remember, except for how to use it. Let’s say I needed a password for WheelingIt.us. I might take the first and last characters from WheelingIt, w and t, and place them after the first and last characters of my base password to get wRusGree1951t. Or, I could reverse the order and get tRusGree1951w. Or I could place them after the 3rd character of my base password to get RuswtGree1951. What I am doing here is taking a portion of the website address and integrating it into my base password. I do this for every website, integrating it into my base password in the same way. I call this my password algorithm and it creates a unique password for each site with the only portion I need to remember being the base password.
Is this method as secure as using a password management tool? I am not qualified to make that judgment but it is certainly better than using the same password for every site or trying to manage a whole slew of different passwords without a password management tool. Perhaps you could call it a poor man’s password management system, Or you could name it after me and call it RussOnTheRoad’s password management system. LOL.
libertatemamo says
Actually this is exactly what the hacker experts say you should *not* do. Having similar passwords, or passwords derived from each other is not a safe policy. Far too easy for one password to be hacked and then all the others revealed in turn. Good password management is to have unique, complicated and completely unrelated passwords for all your sites. It’s a nice idea, but I wouldn’t recommend it.
Sorry..
Nina
Russ says
That’s good to know. Thanks.
Steve Fischer says
Wow, I put in a password (which I don’t actually use) into the link you listed. It came back as taking 22 billion years to break.
I have little faith in that link as the password I put in was all lower case letters, no numbers or symbols, and just 15 characters in length.
I did enjoy the rest of your article, however, and am currently looking closer at your suggested programs.
libertatemamo says
Interesting. I did think the link might have quite a few limitations which is why I included the other article too (the one that showed modern hacking methods taking only an hour to crack 16-character passwords), but I guess it’s even more limited than I thought. The algorithm it uses must put length of password with far higher weighting than use of symbols, numbers and other such options.
Nina
Doug says
Combinatorially a very long lowercase password is way better than a short one, even one rich in mixed case, symbols and numbers—but only when it’s composed of totally RANDOM letters, as you said. For example “lowercasepassword” is terrible, but “mehstgoscysbtdelw” is excellent.
libertatemamo says
Very good info. I guess it makes sense since each additional character length adds exponentially to the number of potential combinations that needs to be hacked. Thanks!
See, I’m learning from all this interaction.
Nina
Doug says
In the old days (as recently as only a few years ago) sites only internally stored the first 8 or so characters of your password—so it was vitally important to use a rich set of 88 upper and lowercase letters, digits and punctuation, because 88^8 (88 to the eighth power) was a lot bigger than 26^8.
But nowadays most sites allow passwords of 16+ characters, so that lets you “get away” with all lowercase, since 26^16 is twelve million times better than 88^8.
Michael Spencer says
Just what we needed in this time of identity theft and hacking!! I appreciate your research into it and comparing the different programs out there. Thanks!!
libertatemamo says
Glad it was helpful!
Nina
Lee and Shelia says
Wish I could get my wife to read (and apply) the hints and tricks you have posted. She is old school and always memorizes the passwords and hates to change them. I tell her if she can memorize them a hacker can too…. I hope to get her to read your post….
Thanks…
libertatemamo says
Maybe you can show her the security check link, and get her to put in a few of her passwords? She might be surprised how easy they are to crack?
For someone who likes to memorize all passwords, moving to complicated (i.e. impossible to remember) passwords and a management program takes a fair bit of adjustment, but it can be done. Sure hope she can take a look.
Nina
Debbie says
Good article but you didn’t address my one concern. Can’t these management programs be hacked? If so the hacker could hit the mother lode!
libertatemamo says
Well everything is stored with 256-level encryption, your master password is the only decryption key and your master password is never stored online, but I guess the possibility is still there. That’s one of the reasons I wanted a program with multi factor authentication. If you have that enabled, someone with your master password would still not be able to access your account, even in the event of a breach. I’m comfortable with the security levels, but you’ll have to decide for yourself.
Nina
Doug says
My biggest security concern is some kind of key logger that secretly watches you type in the master password. Of course that is also a chief concern of Apple/Google.
libertatemamo says
Malware that tracks your keystrokes directly on your computer would certainly be pretty scary. Yet another reason to have two-factor authentication where you can. It’s still not entirely foolproof, but it helps a lot.
Nina
Bob Nuttmann says
I would have great! reluctance to store financial or critical passwords in any system of this type. Then all it takes is a hacker cracking one password to access your accounts. Windows PCs unless carefully protected are very vulnerable. I use Norton 360 + an outgoing blocker win patrol on my three PC laptops. Same with smartphones unless you use a hard to crack password to open your phone. It is true that with two step security that you will get an email saying a new device has logged on. But that is not the case if someone steals your smartphone and uses it. I have switched all of the systems I use online to two stage log on. Like gmail and Apple. This is just my opinion though so you should do what you are comfortable with.
libertatemamo says
I feel two-factor authentication on the password manager alleviates many of these concerns. Some of the two-factor forms are pretty snazzy & extensive (e.g. YubiKey), but I understand comfort levels are individual even there.
I do agree that two-level security is a good thing in general and encourage folks to use that whenever they can (e.g. Gmail and others) whether or not they use a manager.
As for phones there are many options out there. My phones and pads have a code logon, with automatic lock-out after 10 failed attempts. Plus the newer phones are coming out with fingerprint recognition and the ability to remotely wipe them (delete all info). Could that be hacked too? I suppose it’s possible, but unless I go completely offline I’ve got to find a level of convenience versus online security I’m comfortable with.
Nina
libertatemamo says
Just a follow on to this…
For others reading the comments here’s a list of sites where you can enable two-factor authentication. I do consider this is a very important security feature and I advise everyone to enable it where they can whether or not they use a password manager:
http://lifehacker.com/5938565/heres-everywhere-you-should-enable-two-factor-authentication-right-now
Nina
Mark Gehring says
I guess I am really missing something here. This all seems a bit overblown to me. While it might be possible for a fast computer to generate millions, or perhaps billions of attempts to crack a password, this does no good if the website simply has a slow response time. Or, even better ( as most reasonably secure sites, like banks ) simply have a “three strikes and you’re out” policy. I question this article about hacking that mentions “brute force” attempts that would have to try millions of combinations to “guess” the password. This implies that the response to trying a password would have to be very fast. All it would take is a purposely slow response time of, say, ten seconds to make this kind of thing impractical ( except when using a list of the most common passwords i.e. not a brute force approach ). A million trials would take about four months at that rate. Seems to me many sites I use are at least that slow to let me log in. Can someone explain what I’m missing here?
Also, I think trying your password on that site is possibly “giving away the farm”. At a minimum, they are storing your password in a list to determine what kinds of passwords are out there. At worst, they will use it to hack you ( or some hacker will hack their site and get them ).
Mark
libertatemamo says
I’m no expert on hacking, but I imagine that hackers that know what they’re doing are not attacking through the “regular” login channels. They use some kind of back door entry where lockouts are not a problem and trials can be done much, much faster. Total speculation, of course, but hackers are pretty sophisticated.
Regarding the site checker, it’s referenced by a bunch of other security sites and uses client-side only JavaScript calculations (with nothing sent to the server) so it should be safe. Plus it uses HTTPS and asks for no credentials. But in the spirit of “anything you do online can be compromised” I can agree that it’s probably best to use it as a tool to play around with rather than to put your final passwords into.
Nina
Chris Dunphy says
Mark –
It is common and smart to rate-limit login attempts to try to prevent millions of password attempts an hour, and most sites do this.
But even companies that know better sometimes get caught with a security hole that bypasses the attempt speed limit – and this is actually one of the key bugs that was behind the celebrity nudes hack. Apple had one login method that wasn’t rate-limited, and hackers found this and ran cracking tools non-stop against celebrity email addresses guessing thousands of passwords a day. The easiest ones were eventually guessed before word of the hole got out and Apple shut it down.
But even more common is when hackers get in and steal the entire password database for millions of people at once. The password database is almost always encrypted so that the individual passwords can’t be read – they need to be guessed. But you can build a cracking box using off-the-shelf PC graphics cards that can guess billions of passwords an hour against the accounts stored in the database. At that rate, only the most secure passwords will remain hidden for long.
For example – eBay recently had 145 million accounts compromised in this way. And Adobe had 152 million. That’s a lot of passwords out there waiting to be cracked…
– Chris
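Doug’s 88^8 versus 26^16 comparison a few comments up, Mark’s “a million trials at one per ten seconds” estimate and Chris’s point about offline cracking of a stolen database are worked through here as an added example (not code from the original post or from any commenter). The two guess rates are assumed illustrative figures lifted from those comments, not measurements of any real system.

```python
"""Search-space and time-to-guess arithmetic for the password comparisons above."""
from __future__ import annotations

import math
import secrets
import string

# Alphabet sizes used in the comments: Doug's "rich set" of 88 letters, digits
# and punctuation, and the 26 lowercase letters.
RICH_SET = 88
LOWER_SET = 26

# Guess rates in guesses per second for the two attack settings discussed above.
# Both are assumed illustrative values taken from the comments, not measurements:
# Mark's deliberately slow login (one attempt every ten seconds) and Chris's
# GPU cracking box working through a stolen database ("billions an hour").
ONLINE_RATE_LIMITED = 1 / 10
OFFLINE_GPU = 10_000_000_000 / 3600


def search_space(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` characters drawn from the alphabet."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """log2 of the search space, i.e. how many bits a uniformly random password carries."""
    return length * math.log2(alphabet_size)


def rich8_vs_lower16_ratio() -> int:
    """Doug's claim: 26^16 is roughly twelve million times larger than 88^8."""
    return search_space(LOWER_SET, 16) // search_space(RICH_SET, 8)


def expected_crack_seconds(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Expected time to hit a uniformly random password: on average half the space is tried."""
    return search_space(alphabet_size, length) / 2 / guesses_per_second


def million_guesses_days(guesses_per_second: float) -> float:
    """Mark's back-of-envelope figure: how long a million guesses take at a given rate."""
    return 1_000_000 / guesses_per_second / 86_400


def human_duration(seconds: float) -> str:
    """Render seconds in the largest sensible unit, for the summary table."""
    units = [("years", 365 * 86_400), ("days", 86_400), ("hours", 3_600), ("minutes", 60)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def scenario_table() -> list[tuple[str, str, str]]:
    """(password kind, time against a rate-limited login, time against stolen hashes)."""
    kinds = [
        ("8 chars, 88-symbol set", RICH_SET, 8),
        ("8 chars, lowercase", LOWER_SET, 8),
        ("16 chars, lowercase", LOWER_SET, 16),
    ]
    return [
        (label,
         human_duration(expected_crack_seconds(size, n, ONLINE_RATE_LIMITED)),
         human_duration(expected_crack_seconds(size, n, OFFLINE_GPU)))
        for label, size, n in kinds
    ]


def random_lowercase_password(length: int = 16) -> str:
    """Defensive side of Doug's point: a uniformly random lowercase password of the
    'mehstgoscysbtdelw' kind. secrets.choice is a CSPRNG, unlike random.choice."""
    return "".join(secrets.choice(string.ascii_lowercase) for _ in range(length))


if __name__ == "__main__":
    print(f"26^16 / 88^8 = {rich8_vs_lower16_ratio():,}")
    print(f"A million guesses at one per 10 s take "
          f"{million_guesses_days(ONLINE_RATE_LIMITED):.0f} days")
    for label, online, offline in scenario_table():
        print(f"{label:24s} rate-limited login: {online:>20s}   stolen database: {offline:>20s}")
    print("example random lowercase password:", random_lowercase_password())
```

The table makes the thread’s two points visible side by side: against a rate-limited login even an 8-character password is out of reach, while against a stolen database the same 8 characters fall in hours and only the longer random password survives.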
Mark Gehring says
I should also add that I do see the value in these password management tools. I personally think it is much more likely that your password will be obtained by a breach ( like the recent incident at Home Depot ) rather than a direct hack of your login, and so having separate passwords for each website is important. However, I think it is unlikely that your 8 character password will be easily hacked, even if it is just letters, based on my post above.
libertatemamo says
Well I do agree on that. I’m more worried about breaches than direct hacking. One of the many reasons for having unique passwords (i.e. passwords never used more than once). If one is stolen, the others are not at risk.
Nina
Bill says
So what’s to stop someone – say a disgruntled Password Management programmer – from getting into all your passwords?
libertatemamo says
Your master password is never stored online, so your account cannot be accessed unless they get that. And if you enable two-step authentication they would need the second step too (= adds a significant amount of security). Plus everything has 256-bit encryption. So, not exactly trivial. Again, I’m comfortable with the levels, but you’ll have to decide for yourself.
Nina
BoxinTheCompass says
So in the movie Animal House (yes I am that old) the top secret password to get into frat party was:
I Forget
With that and a toga you could get into the party!
Again another great post…. am trying to convince Mrs Irons to go with a password manager
libertatemamo says
Ha…! Yeah, Animal House is going back a ways, but I know it too. Glad you enjoyed the post.
Nina
Gaelyn says
I’ve heard of these programs but not done a thing. One of my older and seldom used can be cracked in 22 mins. while another would take 4,000 years. Guess I’ll look into this more. In another, say, 1,000 years. Just kidding. I see where it’s a good idea. Guess I got lucky when my computer was stolen in South Africa as I had no problems by changing the most important password sites.
libertatemamo says
I think having secure passwords (passwords that are strong & unique from each other) and storing them in a safe place goes a long way to keeping your stuff safe. The management programs really just make that process easier.
Nina
Rowanova says
Good post, Nina, with lots of useful information, i.e. facts. I’ve used Data Vault for a number of years, but have been looking at other alternatives lately. I’ve narrowed the field to nearly the same contenders you have. More like minds I guess? Lol!
Better check your Dropbox account, tho. The tech blogs are lit up with reports of some sort of Dropbox hack or breach, affecting as many as 7 million accounts, and some customers losing their files. (:
I’m fine so no way for me to verify any of it. Hope your account is in good shape.
libertatemamo says
Yup, we heard about the Dropbox issue. What happened, as far as I understand, is that a bunch of account credentials were stolen from another service (somewhere else) and then used to try to hack into Dropbox. So, basically this is a classic case of folks using the same username/password in multiple spots. Once again, it’s the reason I advise using unique, strong and unrelated passwords in all your accounts.
Still, just to be safe, we’ve changed everything and we have two-step authentication enabled.
Nina
Karen says
Have used LastPass for years and can totally recommend it. Don’t forget to let people know that it’s actually FREE unless you want a mobile app. I often go a few years without paying for it simply because I don’t ever sign onto things using my cell phone. If you use only your laptop for anything requiring a password, you don’t even have to pay for it.
libertatemamo says
Good point Karen. I mentioned the free version in the comments, but I’ll update the main post to make that a little clearer.
Note/ you do need the Premium version for multifactor authentication too. So, the paid version gets you mobile access and multi factor.
Nina
Brian says
Good article and advice. I’m not sure I’ve bought in to what the experts suggest though. Storing all of your passwords in a password manager like this creates the same “single point of failure” that the experts tell you to avoid. If whatever password manager you’re using is hacked, or cracked, or the company’s servers are compromised, etc. etc. all your passwords are compromised too.
I’m also not convinced that I need a super long, super “strong” password that is impossible to remember either. I could be wrong, and probably am, but I don’t think many accounts are susceptible to the kind of brute force attacks that “strong” passwords are designed to prevent. Most online accounts now lock down after a small number of failed log-in attempts. So if the attacker only gets 3 or 5 chances to guess your password before the account locks, it doesn’t really matter whether you’re password has 1 million possible combinations or 1 quadrillion.
The way folks seem to be getting hacked most often is through phishing-type schemes where they’re tricked into giving away information. Another way is to use social media and other sources to get a ton of personal information on individuals. They then request a password reset and use your personal information to answer your security questions (i.e. mother’s maiden name, etc.) Again, that’s not something a “strong” password would prevent.
libertatemamo says
The main reason, in my mind, for having long, unique and completely unrelated passwords for all your accounts is so that if one password is stolen (say, hackers breach one of the big shopping institutions and steal several million names/passwords/accounts) then you are not at risk of your other accounts being hacked using the same or similar/related credentials (e.g. Exactly what happened at Dropbox today). That’s the key and why I still feel a strong password is important. The risks of you personally being hacked are probably fairly low except if you’re famous or very unlucky.
Nina
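Brian’s point (a site that locks out after a few failed tries) and Nina’s point (a breached database that the attacker takes away and works on offline) describe two different attacker positions, and they give very different numbers. The script below is an added illustration, not part of the original post or of any commenter’s own material, and it puts figures on both positions. The guess rates in ATTACKER_MODELS and the tiny SAMPLE_WORDLIST are assumptions chosen for the demonstration, not measurements of any real service or hardware.

```python
import math
import string

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Guesses per second for three attacker positions. All three rates are
# assumptions for illustration, not measurements of a real service or GPU.
ATTACKER_MODELS = {
    "online: site locks out after 5 failed tries per 15 minutes": 5 / (15 * 60),
    "offline: leaked unsalted fast hash, one GPU": 1e10,
    "offline: leaked PBKDF2 hash at 100,000 iterations, one GPU": 1e5,
}

# Constructed, deliberately tiny wordlist standing in for the millions of
# entries a real cracking dictionary contains.
SAMPLE_WORDLIST = ["123456", "password", "Password1!", "summer2014", "qwerty"]

CHARACTER_CLASSES = [
    string.ascii_lowercase,   # 26
    string.ascii_uppercase,   # 26
    string.digits,            # 10
    string.punctuation,       # 32
]


def charset_size(password: str) -> int:
    """Alphabet a brute-force attacker must assume, based on the character
    classes actually present. Characters outside the four classes (spaces,
    accented letters) each add one more symbol."""
    size = sum(len(cls) for cls in CHARACTER_CLASSES
               if any(c in cls for c in password))
    extra = {c for c in password
             if not any(c in cls for cls in CHARACTER_CLASSES)}
    return size + len(extra)


def keyspace(password: str) -> int:
    """Number of candidates of this length over this alphabet."""
    return charset_size(password) ** len(password)


def expected_guesses(password: str) -> float:
    """On average the right candidate turns up halfway through the keyspace."""
    return keyspace(password) / 2


def seconds_to_crack(password: str, guesses_per_second: float) -> float:
    return expected_guesses(password) / guesses_per_second


def dictionary_position(password: str, wordlist=SAMPLE_WORDLIST):
    """If the password is in the attacker's wordlist, the brute-force estimate
    is meaningless: it falls on guess number N whatever its length or mix of
    character classes. Returns None when the password is not listed."""
    try:
        return wordlist.index(password) + 1
    except ValueError:
        return None


def human_time(seconds: float) -> str:
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    years = seconds / SECONDS_PER_YEAR
    if years < 1:
        return f"{seconds / 86400:.1f} days"
    if years < 1e6:
        return f"{years:,.0f} years"
    return f"{years:.2e} years"


def report(password: str) -> dict:
    """Crack-time estimate per attacker model. A wordlist hit overrides the
    brute-force figure, because the attacker tries the list first."""
    pos = dictionary_position(password)
    out = {}
    for model, rate in ATTACKER_MODELS.items():
        secs = pos / rate if pos is not None else seconds_to_crack(password, rate)
        out[model] = human_time(secs)
    out["in sample wordlist at position"] = pos
    return out


if __name__ == "__main__":
    for pw in ["password", "Password1!", "gT7#pLq9!zX2"]:
        print(pw)
        for k, v in report(pw).items():
            print("   ", k, "->", v)
```

The three rows for each password are the practical answer to the lockout argument: an 8-letter lowercase password survives for centuries against a rate-limited login form, falls in seconds against a leaked fast hash, and lasts hours to days against a leaked slow hash; and none of that matters if the password is on the attacker’s list, which is why uniqueness across sites is the part that protects you after a breach.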
jonthebru says
What an eye opener! The password game has always confused me so I simplify using indigenous language words, etc. Obviously not the right thing to do.
libertatemamo says
Yeah, the easier your passwords, the easier they are to steal & hack into multiple accounts with. It’s important to have unique passwords no matter what…and strong passwords just make it even harder for crooks to crack.
Nina
Kay Seliskar says
I’ve been meaning to get around to using a password manager for a couple of years, but just never took the time. Your post now has me motivated! This may be a silly question, but when you are on borrowed WiFi (at a campground or internet cafe), does this prevent your passwords from being picked up when entered by LastPass?
Thanks for all your helpful research!
libertatemamo says
Security on public WiFi networks is actually a whole separate post. Here’s a link that explains some of the precautions you can take on public WiFi:
http://www.cnet.com/how-to/tips-to-stay-safe-on-public-wi-fi/
Three of the top things you can do to protect yourself on public spots are:
1/ Don’t do ANY credit card or sensitive transactions on a public network. This just makes things safer, no matter what.
2/ Browse sites with HTTPS. You can always check your browser URL to see if you’re on a HTTPS site…sometimes it will even show with a “lock” on it.
3/ Use a VPN. One of the most secure ways to browse public sites is with a Virtual Private Network and if you regularly use public WiFi this can be a worthy investment.
Now LastPass uses a secure, encrypted connection to access your vault and doesn’t send anything public. So you can (in theory) safely log onto your LastPass account while you’re on public WiFi. Where you potentially get into trouble is when you actually start using your password accounts. Once you fill-in a password on a given site and click the “log on” button then LastPass is no longer involved and you are now sending public info about that particular logon over the internet (which can be snooped & stolen). If the site you’re logging into has HTTPS and/or you are using a VPN you are MUCH more protected, but if the site you’re logging into does NOT have HTTPS & you are NOT using VPN then you are quite vulnerable. Make sense?
Nina
Kay Seliskar says
Thanks, Nina. That was very helpful.
dan says
Hi Nina, LastPass is a good option I think especially for mobile phone password sync.
Windows is a poor platform for accessing financial web sites. I use Linux OS that is free and can be run in a virtual environment like VMware or Virtual Box for free. Ubuntu is the most common version and is easy for windows users to get the hang of. Another great feature it has is that you can encrypt your hard drive or virtual hard drive during the install to protect your data if it were to be stolen. Ubuntu is almost never attacked the way Windows is so you don’t have to run antivirus on it.
I have installed Ubuntu with encryption on my laptop and made a virtual machine running Ubuntu with encryption on our Windows machines. We use those to connect to financial sites. The passwords are in text files on the encrypted drive so they are protected by that. We also use Truecrypt to encrypt those files on a USB drive for safe keeping.
fyi.. There is a good random password generating command line program called makepasswd available in Ubuntu that I have started using.
take care,
Dan
libertatemamo says
Interesting setup Dan. I’ve looked at TrueCrypt before, but not bought into it yet. I like the idea of encrypting some of our more sensitive files. Have not heard of Ubuntu before. I will read more about it.
Nina
Kurt says
I’m a techie and have been using 1Password for a while now and even have my 84-year-old father using it. It works great for us and is about as secure as you can get. After 30 years plus in the tech business this I can say about passwords: they’re guessable with enough info, i.e., FB or other social networking. This is what I have seen a lot in my years in the business: women tend to make pw’s something to do with kids, grand-kids, or pets and men tend to do hobby type pw’s; younger folks like band names. So, if the FB page shows kids, hobbies, pets, music, etc…………
I freaked out a woman years ago when I said, “I bet I can guess your pw in three guesses” (knowing that she had 3 kids). Sadly I was correct. And, yes even with all of the scary stuff in the cyber world people STILL use these same types of passwords. If you have parents or you yourself are older than 50, most likely you suck at the password game. My father had 1.8 million dollars in an online accessible account that had my mom’s name as the password!!! Which BTW he saved in an email in his Gmail account under, “passwords”.
Just sayin’
libertatemamo says
Those are the types of stories that scare me Kurt, and exactly what I hope to get people to avoid. I’ve got many buddies who use 1Password and love it.
Nina
gayle says
Hi Nina – again, thank you for this post.
I had never heard of multifactor authentication – so I’ve been reading about that all day!
Just fyi – it does appear that LastPass does offer two options that are part of the free version – see the list of their options below:
Google Authenticator (Free)
Grid Multifactor Authentication (Free)
Sesame Multifactor Authentication (Premium)
Yubikey Multifactor Authentication (Premium)
Fingerprint Authentication (Premium)
Smart Card Authentication (Premium)
Gayle
libertatemamo says
Oh thanks Gayle! I didn’t realize that two of the multifactor options were available with the free version. That’s really, really neat (I’ll update my main post with this info).
Highly recommend activating one of these multifactor options for your account. It adds A LOT of extra security.
Nina
libertatemamo says
Just found the feature comparison table that shows what’s in the FREE versus PREMIUM versions of LastPass. Exactly as you said, there are several multifactor options available even in the free version:
https://lastpass.com/features_compare.php
Nina
Pam says
What keeps the folks handling your pwd’s via password mgmt from stealing your pwd’s (possibly selling them)?
libertatemamo says
Well, like I mentioned in the above comments there are several security barriers in place to prevent this from happening -> everything is 256-bit encrypted, your Master Password is never stored online & (if you enable it) two-step security verification prevents your account info being taken even if primary security levels are breached.
Put it another way, LastPass only stores encrypted versions of your passwords, and those encrypted versions cannot be decrypted without your master key. Your master key is never stored by LastPass, and is only communicated to them via a one-way hash. Decryption only ever happens locally on your computer (never on their servers) and the entire transaction takes place over SSL. If you enable two-step verification you have even more protection since you need yet another piece of verification (another device, another code) to open the account.
The whole business of these companies is to keep your passwords secure, so it makes sense that it would not be easy to steal them.
Still, I understand some folks will not be comfortable even with multifactor enabled, and in those cases more “old-fashioned” methods can be used. No matter what method you use to manage your passwords, it’s really important to have UNIQUE and STRONG passwords for all your accounts.
Nina
Peter says
Nina and Paul…If you use one of these programs, what is to stop outsiders from getting to your master password via the program operation? You mention all you need is one code to enter and then a password is randomly generated for you and nothing is stored…isn’t your password to the site stored? If not, how does it recognize you? Wait, as I write this I see the answer. Yes it is stored but it doesn’t go anywhere as you are given another password….Man, sometimes it takes a shovel to the back of us non-techies…..
libertatemamo says
Well, not quite. The master is created by you and never stored online. Plus if you enable 2-step verification you need a 2nd piece of info (typically another physical device with another set of separately-generated codes) to access the account. With 2-step a thief would need to have BOTH pieces of info to access anything (very, very slim possibility).
Here’s more info on how all this encryption and related security happens directly from the LastPass website:
https://helpdesk.lastpass.com/getting-started/introduction/why-is-lastpass-safe/
Nina
libertatemamo says
And to explain this in a little more detail (although this is getting technical). The way LastPass communicates the Master Key is via something called a “one-way hash”. Basically software running on your local computer encrypts your master password, applies a salted hash to it and sends the data to LastPass.com. LastPass stores the result of the salt and uses that, not your master password, to authenticate you and send you back your encrypted database. So, your master is never stored at LastPass and there’s a computation process that needs to be done on the hash which makes it very hard to decrypt the original Master. So, “hacking” your Master from the program is darn near impossible. This is the same method, by the way, that’s used for secure digital signatures.
Of course if someone happens to know your Master (i.e. you tell them or they guess) and log in as you, they could potentially decrypt your files. This is where having a STRONG master and enabling 2-step verification makes you so much safer. With 2-step you automatically add a 2nd layer of protection (often an entirely separate device) which is very, very difficult to breach.
Nina
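The “one-way hash” exchange Nina describes above, as an added, simplified model (not LastPass’s own code, and not taken from the post): the client derives the vault key from the master password locally, sends only a further one-way hash of it to log in, and the server stores that under its own random salt, so the server-side record never contains anything that decrypts the vault. The 100,000 iteration count is the figure quoted later in this thread; the exact KDF, salts and the server-side iteration count are assumptions for this illustration. The last function shows what an attacker holding a leaked server record still has to do: repeat the whole computation for every guess of the master password.

```python
import hashlib
import hmac
import os
from typing import Optional

# Assumed parameters for this illustration. The client-side iteration count
# matches the 100,000 figure quoted in the thread; everything else is a
# simplified model, not LastPass's actual implementation.
CLIENT_ITERATIONS = 100_000
SERVER_ITERATIONS = 100_000
KEY_LEN = 32  # 256-bit key


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side only. This key encrypts/decrypts the vault and is
    recomputed from the master password each time; it never leaves the device."""
    return hashlib.pbkdf2_hmac(
        "sha256",
        master_password.encode("utf-8"),
        email.strip().lower().encode("utf-8"),  # per-user salt
        CLIENT_ITERATIONS,
        dklen=KEY_LEN,
    )


def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    """One extra one-way round over the vault key. This is what the client
    sends to log in; it cannot be inverted to recover vault_key."""
    return hashlib.pbkdf2_hmac(
        "sha256", vault_key, master_password.encode("utf-8"), 1, dklen=KEY_LEN)


def server_enroll(auth_hash: bytes) -> dict:
    """Server side: never store the auth hash as received. Hash it again under
    a random per-user server salt. The 'server salts' and 'authentication
    hashes' mentioned later in this thread correspond to this record."""
    server_salt = os.urandom(16)
    stored = hashlib.pbkdf2_hmac(
        "sha256", auth_hash, server_salt, SERVER_ITERATIONS, dklen=KEY_LEN)
    return {"server_salt": server_salt, "stored_hash": stored}


def server_verify(record: dict, auth_hash: bytes) -> bool:
    candidate = hashlib.pbkdf2_hmac(
        "sha256", auth_hash, record["server_salt"], SERVER_ITERATIONS, dklen=KEY_LEN)
    # constant-time comparison so timing does not leak matching prefixes
    return hmac.compare_digest(candidate, record["stored_hash"])


def enroll_user(master_password: str, email: str) -> dict:
    """Account creation: client derives key and auth hash, server stores record."""
    vault_key = derive_vault_key(master_password, email)
    return server_enroll(derive_auth_hash(vault_key, master_password))


def client_login(master_password: str, email: str, record: dict) -> bool:
    """The full round trip. Only the auth hash crosses the wire (over TLS in a
    real client); the vault key stays on the client."""
    vault_key = derive_vault_key(master_password, email)
    return server_verify(record, derive_auth_hash(vault_key, master_password))


def offline_guess(record: dict, email: str, candidates) -> Optional[str]:
    """What an attacker holding a leaked server record must do: rerun the
    client and server work for every guess, CLIENT_ITERATIONS plus
    SERVER_ITERATIONS rounds each. A weak, guessable master password is the
    only realistic way through this; a strong one is not on any list."""
    for guess in candidates:
        if client_login(guess, email, record):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample data for the demonstration.
    email = "user@example.com"
    weak = enroll_user("summer2014", email)
    strong = enroll_user("correct horse battery staple", email)
    wordlist = ["password", "123456", "summer2014"]
    print("login ok:", client_login("summer2014", email, weak))
    print("weak master recovered:", offline_guess(weak, email, wordlist))
    print("strong master recovered:", offline_guess(strong, email, wordlist))
```

The point to take from the model is the asymmetry: a legitimate login costs one run of the derivation, while an attacker with the leaked record pays that same cost for every single guess, which is what the two-step verification comment above adds a second, independent hurdle on top of.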
Peter says
Now I have read all the comments and see that some people have the same concerns as I have. The real value I see in doing this is the convenience especially with a lot of passwords like you have. I was thinking public WIFI and how this would help which I guess it would not. I do use the public systems while traveling so now I am more worried. I guess I will make more phone calls for the real important stuff…Thank you Nina
libertatemamo says
The password managers are management programs, not internet security barriers. They help you create & manage strong passwords and keep them safe (within the program), but cannot protect how you use them outside the program. If you’re on a public network and enter your password on a site, whether or not you use a manager, you’ve just entered your info in a public space & that leaves you open to snooping. There is a good level of protection if you log onto a HTTPS site, but none if you log onto a non-HTTPS site. And of course, if you use a public computer you are even more open to vulnerabilities.
If you use public systems a lot I really, really recommend investing in a VPN on your main PC. It’s fairly easy to set-up and would provide you a lot of added protection on public networks.
Nina
Jim N SHeri says
I tried the link, entered my password, it said it would take 9 billion years to crack..lmbo…but I like the idea, seems the wifeunit would have an easier time, since I change them regular (and forget to tell her sometimes)..oops..lol
libertatemamo says
Sounds like a good number 🙂
Nina
Jil mohr says
I cannot believe this post….I was going to ask you about password management programs when I next see you…I have had 1Password forever but have never used it…mainly because I don’t understand how to do it:(….will have to check all this out when I get home..
Great post….
libertatemamo says
Since you have 1Password you should definitely use it. You guys are mostly Apple-guys and 1Password is a great program.
Nina
Chris Dunphy says
Great post Nina – it inspired me to write an article of further tips and tricks on the RV Mobile Internet Resource Center. Because this topic is so important, we left this article open to the public:
http://www.rvmobileinternet.com/resources/password-managers-just-do-it/
BTW – one semi-correction on two-factor authentication… Because 1Password does not keep your database on a cloud server, you are not logging on to access it, and thus two-factor authentication isn’t really playing the same role as it is for cloud-based LastPass. They are really rather fundamentally different in this regard, though they are both excellent tools.
Cheers,
– Chris
libertatemamo says
Good input Chris (AND great article!).
I did learn a lot more about cloud-based versus non cloud-based managers from comment/further reading and, like you pointed out, two-factor is much more relevant for the former. With 1Password your database stays locally on your computer so you do not have an “authentication” process in the same way you do with cloud-based storage. So, unless you lose your computer *and* your Master your stuff is very safe. Of course you can choose to Sync 1Password on a cloud-based storage (e.g. Dropbox) too, but your file remains encrypted (much like LastPass) so even with a breach it’s not trivial to access the data. Good to know!
Nina
Chris Dunphy says
There are different risks with the two models. With LastPass, if some theoretical attacker takes out the LastPass server or some lawsuit shuts down the company – the service will cease to function. Though the way they encrypt data, at least your passwords will not be easily compromised if this happens.
1Password on the other hand does not rely on the cloud and the service is completely independent of the parent company, and you can choose to sync multiple devices via WiFi (always in your control), Dropbox, or iCloud. Or you can skip sync all together.
Both are great models. But the way that 1Password works, lacking two factor isn’t really a reason to fault them.
Cheers,
– Chris
libertatemamo says
It makes sense and yes I agree. I was trying to voice that in my last comment (the fact that multifactor is not really relevant to non-cloud based managers…like 1Password), but perhaps I didn’t make it clear enough. The two models are completely different in the way they store and access your data. Both are very good tools.
Nina
libertatemamo says
I’ve updated the main post to take out the comment on two-step (for 1Password) and add the fact that multi factor is primarily important for cloud-based programs. Hopefully that clears it up a little without altering too much of the original content.
I’m learning as I go along 🙂
Nina
Lee says
I tested two of my PWs at https://howsecureismypassword.net/ and discovered that one can be cracked in about 157 billion years while the other is a bit more secure at 23 trillion years. I guess I can relax now. I use a different PW at every acct but employ a simple method that creates PWs I can remember.
Most breaches don’t occur through cracking but identity theft. It’s the difference between counterfeiting and armed robbery. Counterfeiting (like cracking) is complex and requires skills while identity theft (like armed robbery) is simple, requires little skill and is almost as lucrative.
Good PW security is like locking your front door, a good first step. The most important defense against cyber crime is to not be gullible.
libertatemamo says
Identity theft, and major bulk thefts (like when hackers break into a company and steal all their client passwords) are definitely big issues. Like you said locking doors, not falling for online “scams” and never giving away your personal details to strangers are your first-line of defense. Having unique passwords for every account you use is another important defense.
Nina
Iain Gilbert says
We have been using LastPass for a number of years on Windows PCs, Macs, iOS & Android devices and more recently on a Chromebook. It is truly multi-platform and very easy to use. You made a good choice.
I particularly like using the “Fill Form” feature to quickly complete address and credit card info when making on line purchases from new vendors where I don’t already have an account. It’s a convenient but still secure benefit that is a great time saver.
libertatemamo says
Good to know you still love it!
Nina
Debbie says
I’ve needed a PW management system and we are now FT RVers so this spoke to me. I decided I would go with LastPass since we have a Mac and PC and iPhone. But as I am filling out all the forms to set up my account, it wants not only my SSA and a credit card but ALSO my bank account info. This just doesn’t seem right.
libertatemamo says
Those are all OPTIONAL! You do NOT need to input credit card or SS or any of that stuff unless you want to (for example, for auto-fill purposes). Just leave it empty and continue.
Nina
Debbie says
Thanks. I guess it asked if I wanted FREE credit monitoring…that sounded good but not giving out all that info.
libertatemamo says
Oh right! Yes, LastPass now offers credit monitoring too (and you do need to input SSN, bank accounts and all that stuff for that), but it’s totally optional. We did not sign up either.
Nina
Betty Shea says
Thank you! I tested my passwords..most were really good but, a couple would be hacked in 16 seconds!!!
Holy Moly!
Great Info!!!
Wendy says
Great steps, I have managed my passwords this way since 2010. For everything like creating strong passwords I use Sticky Password and I feel safe. Especially now that I don’t need to type very long passwords on my mobile 🙂
Emily Fagan says
I enjoyed and learned a lot from this post when you put it up last month, Nina, and I thought you might get a kick out of this NY Times article I just ran across about the softer side of password selection…it’s amusing and thought provoking!! http://www.nytimes.com/2014/11/19/magazine/the-secret-life-of-passwords.html
larry says
Thanks to Nina and Chris for great articles and to all who previously replied. I learned a lot and am using lastpass.
Chuck & Debbie says
Nothing is secure!
http://www.computerworld.com/article/2936144/cloud-computing/lastpass-hacked-itbwcw.html
Wendy says
Well that is true, but still, if you use an offline approach and never put your passwords online, you’re safe. I do this with Sticky Password (https://www.stickypassword.com) and there is nothing that could happen to me if they get hacked.
Chuck & Debbie says
Mine are offline also. I am not fanatical about security but prefer to think that I have a very common sense approach to my info online and so far I have never had a problem. Uh-oh, shouldn’t have said that….
Wendy says
Yes, you shouldn’t have said that 🙂
libertatemamo says
I saw the announcement this AM. So far it looks like none of the password vaults were stolen (only e-mails, password reminders, server salts, and authentication hashes), but they’re advising users to change master passwords anyway. I’ve done the change and am keeping an eye on it.
Nina
libertatemamo says
Follow-up. The report is that no passwords were stolen and the LastPass 100,000 hash worked as it should:
https://blog.lastpass.com/2015/06/lastpass-security-notice.html/
I’m still comfortable with the security levels of the program, especially with two-factor authentication enabled (which I’ve enabled for all my important online accounts, not just LastPass), but I totally get that everyone’s comfort levels are different. Lots of other options out there.
Nina
Mark says
I’ve been looking at LastPass for quite awhile and your article along with the helpful reference links within, helped me to finally decide to move forward. On my second day of using LastPass, it’s getting much more familiar to use. I didn’t realize how many sites I actually have log-ins for. This will definitely make life easier for me, and hopefully much more difficult for any hackers!
libertatemamo says
Excellent. We’re still using it and have been very happy with it.
Nina
Bob Schram says
Great article. My wife and I have been considering a password manager for way too long. Finally bought the LastPass premium edition as we have many devices; Mac, PC, android. My question is, what’s the best way of sharing accounts with your spouse. Do you and your husband just access the same account equally as co-administrators, or do you each have an account and share between the two?
Thanks,
Bob
libertatemamo says
We decided to just keep one account and both of us access the same one. It’s easier that way and we both have access to each other’s stuff as needed. I believe there’s a way to split stuff into sub-accounts in LastPass, but we haven’t explored it.
Nina