When I posted the following on Facebook:
Make 2017 more secure: use LastPass.
LastPass is a password management app. It saves your passwords for you, so when you log into it, it fills the passwords for the sites you visit.
You could argue that saving passwords on the cloud is not the safest practice. However, statistically speaking, you are probably too lazy to change your passwords often and have a hard time remembering the passwords your bank website asks you to remember. You know, the minimum 12 characters, 2 special characters, two numbers, one capital letter and one jump in your chair for the hell of it.
LastPass can also change passwords for you and runs a test on your passwords to tell you what needs to be changed. Not only that, it can store your address, credit card information and more so you don’t need to take out your credit card each time you want to buy something on the web.
I’ve been using LastPass for the last 6 years, and it’s been my first extension to install on my web browser upon each fresh installation.
Also (did I mention?) it’s free.
It’s not only safer, it’s also easier. Do yourself a favor, protect yourself. There’s a lot of scary stuff out there.
I mostly got less than enthusiastic comments:
“This sounds like a bad idea. I think my brain is more secure.”
“And then, LastPass database gets hacked by some 15-year-old hacker from Indonesia?… Nope, I’m still gonna stick to my IT girl guns and change my passwords every month. If you have too many passwords to remember, be responsible and find a secret place to write them down (that you won’t forget :p)”
These are two common excuses that should be purged from your mind as a new year’s resolution. I decided to go a bit more in-depth to explain why having a password manager matters so much. Let’s break this down.
“My Brain is More Secure”
First, we assume that what’s in our possession is safer than something in a data center somewhere. Unless you live in a locked room behind two or three high-security gates, this is not true. Data centers have better physical security than your own home.
Second, the flawed logic that just remembering passwords is safer. This is tricky. In theory, one could argue that remembering passwords is safer than storing them somewhere. In theory. The problem is that in practice we have too many passwords to remember. A 2007 study found that the average user has about 6.5 passwords. The number of websites we use every day has grown since then; our memory hasn’t. Let’s give you the benefit of the doubt and say you remember 10 unique passwords. For about 100 websites, that means each password gets reused roughly 10 times. According to LastPass, I stored well over 200 passwords over the last 5 years or so that I’ve been using the service.
Most passwords are not unique; people come up with predictable passwords. Most hacker tools come equipped with password dictionaries. These are plain text files of common passwords, one per line, easily holding thousands of entries. Here’s a fraction of one such list which I found as I was writing this post:
Keep in mind, this is just a small fraction of the entire list in this file. The list also contains passwords with special characters and other combinations. In total, this basic list holds over 3000 passwords. The biggest dictionary files contain hundreds of thousands or even millions, and a hacker can feed several files at once into the same tool, along with mangling rules that capitalize each word or append digits and years to it. Against a live login form, rate limiting slows this down; against a stolen database of password hashes, a single computer runs through a list like this one in a fraction of a second, and a GPU rig tries billions of guesses per second.
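To make the dictionary attack concrete, here is an added example (my own code, not LastPass’s and not from any real tool) that cracks a constructed “stolen database” with a tiny constructed word list and the kind of mangling rules described above. The users, passwords, salts and list entries are all hypothetical. It also shows why unsalted hashes are the attacker’s best case: the word list is hashed once and reused for every account, while salted hashes force the work to be repeated per user.

```python
import hashlib

# Constructed word list: a stand-in for a dictionary file, which is just a
# text file of common passwords, one per line. Real lists run to thousands
# or millions of entries; the logic is identical.
WORDLIST = [
    "123456", "password", "qwerty", "letmein", "iloveyou",
    "monkey", "dragon", "football", "welcome", "abc123",
]


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed "stolen database" of hypothetical users. Each value is the
# unsalted SHA-256 of the user's password, a common (weak) storage scheme.
LEAKED_UNSALTED = {
    "alice": sha256_hex("letmein"),
    "bob":   sha256_hex("Dragon1"),
    "carol": sha256_hex("correct horse battery staple"),  # long, not in any list
}


def mangle(word):
    """A few rules attackers apply to every dictionary word; real tools ship thousands."""
    yield word
    yield word.capitalize()
    yield word + "1"
    yield word + "!"
    yield word.capitalize() + "1"
    yield word + "2017"


def crack_unsalted(leaked, wordlist):
    """Hash every guess once into a lookup table, then look up every user.
    The cost of the whole word list is paid a single time no matter how many
    accounts leaked, which is why unsalted dumps fall in seconds."""
    table = {}
    for word in wordlist:
        for guess in mangle(word):
            table[sha256_hex(guess)] = guess
    return {user: table.get(h) for user, h in leaked.items()}


# The same passwords stored with a per-user random salt (hypothetical salts).
LEAKED_SALTED = {
    "alice": ("a1b2c3", sha256_hex("a1b2c3" + "letmein")),
    "bob":   ("9f8e7d", sha256_hex("9f8e7d" + "Dragon1")),
}


def crack_salted(leaked, wordlist):
    """With salts the table cannot be shared: each guess is re-hashed for each
    user, so attacker work grows with the number of accounts. Returns the
    cracked passwords and the number of hashes that had to be computed."""
    cracked = {}
    hashes = 0
    for user, (salt, h) in leaked.items():
        cracked[user] = None
        for word in wordlist:
            for guess in mangle(word):
                hashes += 1
                if sha256_hex(salt + guess) == h:
                    cracked[user] = guess
                    break
            if cracked[user] is not None:
                break
    return cracked, hashes


if __name__ == "__main__":
    print(crack_unsalted(LEAKED_UNSALTED, WORDLIST))
    print(crack_salted(LEAKED_SALTED, WORDLIST))
```

Run it and alice and bob fall out immediately, while carol’s long passphrase is simply not in the table. Swap the ten-word list for a real dictionary file and the code does not change; only the table gets bigger.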
Common, reused passwords are every hacker’s wish. A wish granted far too many times. Databases with passwords get stolen every month. The worst one is pretty recent: disclosed in December of 2016 (the Yahoo breach), it covers one billion hacked accounts alone. Many of those billion passwords are reused on other websites. Here’s a list of additional known data breaches from Wikipedia:
This is a list of only major, known and disclosed data breaches. Think about how many more breaches are out there that you have no way of knowing about. For all you know, one of the websites you use every day had a breach and your password is on some hacker’s thumb drive. That password will end up in one of these dictionary files, and it will be tried against every other site you use.
So, no. Your brain, which can’t remember more than 7 passwords on average, is not exactly secure.
“And then, LastPass database gets hacked? …I’m gonna change my passwords every month. if you have too many passwords to remember, be responsible and find a secret place to write them down.”
True, LastPass got hacked before. And rotating passwords and keeping them in a secret place isn’t a bad idea. But who changes passwords every month? All of them, for all websites? As a matter of fact, that’s one good reason to use LastPass. Where else will you keep your 50 or so unique passwords so you have them with you? An “encrypted” notepad?
LastPass makes it much easier to change your passwords. You have a list of all your passwords in front of you, and LastPass can now change passwords for you if you let it.
OK. So let’s say LastPass gets hacked again and you need to change all your passwords. You have the list, so you go to each website and change them. You can even export your passwords to a spreadsheet. Can you do that with the “safe place” where you store passwords if it gets stolen? Will you even remember all the websites you have a password for? LastPass encrypts your vault on your own device with a key derived from your master password, so what sits on its servers is ciphertext. It forces you to create a unique password for that vault. This is the only password you need to remember, so it can be something long, like a 50-character phrase. The caveat: whoever steals the encrypted vault can attack the master password offline at leisure, so it has to be long and unpredictable enough that no dictionary will reach it. If LastPass reports a breach, you change your passwords long before an offline attack on a strong master password could finish.
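Since the master password is the one you actually have to remember, here is an added example (my own code, not LastPass’s) of how to choose one that survives the dictionary attack above and how to reason about an offline attack on the encrypted vault. It picks words with the operating system’s CSPRNG rather than composing a memorable sentence, computes the entropy from the list size, and derives a vault key with PBKDF2-HMAC-SHA256, a slow salted derivation of the kind password managers use so that every attacker guess costs many hash computations. The 16-word list, the salt, the iteration count and the 10 billion hashes per second attacker are all assumptions chosen for illustration; a real Diceware-style list has 7776 words.

```python
import hashlib
import math
import secrets

# Constructed 16-word list for the demonstration. A real passphrase list has
# thousands of words; the entropy functions take the list size as a parameter,
# so the numbers below can be computed for any list.
WORDS = [
    "anchor", "basil", "cobalt", "dune", "ember", "falcon", "granite", "harbor",
    "iris", "juniper", "kelp", "lantern", "maple", "nectar", "orbit", "pepper",
]


def generate_passphrase(words, count):
    """Pick `count` words independently with the OS CSPRNG. A sentence you make
    up is far less random than this, however long it is."""
    return " ".join(secrets.choice(words) for _ in range(count))


def entropy_bits(count, vocab_size):
    """Entropy of `count` uniformly random words drawn from `vocab_size` words."""
    return count * math.log2(vocab_size)


def derive_vault_key(master, salt, iterations):
    """Turn the master password into a 32-byte vault key with PBKDF2-HMAC-SHA256.
    The salt stops precomputed tables; the iteration count makes each guess slow."""
    return hashlib.pbkdf2_hmac("sha256", master.encode(), salt, iterations, dklen=32)


def years_to_crack(bits, hashes_per_second, iterations):
    """Expected time for an offline attacker who on average tries half the
    space, paying `iterations` hash computations per guess."""
    guesses = 2 ** (bits - 1)
    seconds = guesses * iterations / hashes_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    # Assumed attacker: 1e10 SHA-256/s (a GPU rig); assumed KDF cost: 100000 iterations.
    rate, iters = 1e10, 100_000
    # A 3000-word dictionary with six mangling rules per word is ~18000 guesses.
    weak_bits = math.log2(3000 * 6)
    strong_bits = entropy_bits(6, 7776)
    print("dictionary password :", years_to_crack(weak_bits, rate, iters), "years")
    print("6 random words      :", years_to_crack(strong_bits, rate, iters), "years")
    phrase = generate_passphrase(WORDS, 6)
    key = derive_vault_key(phrase, secrets.token_bytes(16), iters)
    print(phrase, "->", key.hex())
```

The contrast is the whole argument: a password that lives in a dictionary is cracked in a fraction of a second even with a slow key derivation, while six random words from a 7776-word list are out of reach for any realistic attacker, and the iteration count multiplies that margin further.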
There’s more to like about LastPass. Not only does it make it easy to change your passwords and create new complex ones, it also tells you which sites share the same password, which have weak passwords (like the ones that might exist in the dictionary file above), and which sites have been compromised (hacked), with links to the evidence.
LastPass gives you more information and tools than you asked for, but that’s the point. LastPass is the kind of tool that shows us just how much work we need to put into our online security. Work that, let’s face it, we never do. This is why it’s good to have it around to help us. It is not bulletproof, but it’s definitely a step in the right direction.
Do yourself a favor and try it.
A final note. While this post was written almost as an ad for LastPass, there are other great password managers out there. KeePass is a long-time favorite among IT folks; it keeps its encrypted database in a local file that you sync yourself, which answers the “not on the cloud” objection. There’s also the excellent 1Password, best known on Macs and iPhones. All three work the same way: one master password unlocks an encrypted vault of everything else.