LastPass - and password managers in general
I wrote a few days ago about the disaster that is/was Heartbleed.Today is about LastPass -- and more broadly password managers in general.The first question is why would you need a password manager. The real reason is that you need to have different passwords to different sites. That, in turn, begs the question why you need that?When I first started using the internet -- actually well before that even -- I had a tendency to use the same password everywhere. I got to the point where my fingers basically could type several random strings of letters without even thinking about it. Sure, the few passwords I was using were random and not english words, but they were the same few passwords.In a perfect world this wouldn't be a problem. In a perfect world sites would properly salt and hash passwords before storing them in their database and those databases would never get compromised.But we don't live in a perfect world.Here's the scenario to worry about: a database stores passwords in clear text and that gets stolen. This, unfortunately happens with shocking regularity.
- Sony
- Yahoo
- Adobe
- Cupid Media (not OK Cupid)
These happen like clockwork.The upshot of all this is that if you're using the same password on multiple sites, you're at the mercy of the one with the shittiest security. Once someone knows your email address and password, they can use that to log into most other sites out there that you've used.That's bad.Even if you use variants of passwords from the same base, that's no guarantee. You're up against password crackers that can try 350 billion passwords per seconds to try to guess a hashed password. Your compromised password just goes into the list of roots of passwords they will try the next time a password list that's properly hashed goes public.How do you fight this?By not using the same password anywhere. By making the passwords long. By using random punctuation. By doing almost everything to make things impossible for you to remember.Enter: the password manager.A good password manager has a few attributes you want to look for:
- Is secure, obviously
- The client controls everything
- The server can never decrypt the passwords
- Can generate secure, random passwords
- It works everywhere
Basically, if you can do a remote reset of your password, the password manager has a key to your kingdom. If they can do it for you, someone can force them to do it on your behalf -- like the government for instance. Or, if they fuck up, they can do it accidentally and leave you worse off than before.You also want the security to be off their server. You have to assume that you are dealing with a compromised server. Even if they are compromised you should still be OK.What you want is something like LastPass. They meet the criteria I laid out above. I'm sure other ones work too, but LastPass has had a lot of vetting to ensure that they actually are good. The fact that real life security experts use password managers is a good sign that this is something that's good for you.I'll leave it there for now. Suffice to say that if you're just coming up with passwords that you can remember you're probably doing it wrong.