A quick little post today to let you all know about a great service I’ve been using the past few weeks. We all have so many online accounts these days. Social media, online banking, forums, multimedia sites, productivity sites – and most people don’t think enough about the security implications involved.
I know so many people who use the same password for all their online accounts. Stupid. Very very stupid. Earlier this year Twitter sent emails to a number of users advising them to change their password after ‘suspicious activity’ was detected. Turns out, it was a phishing scam that used a backdoor in free bittorrent/forum software, which a hacker exploited to gain the usernames, passwords and email addresses of potentially thousands of people. When I ran an online gaming site, one of the off-the-shelf gaming ladder systems we used stored users’ passwords unencrypted, in plain text. That made it real easy for me, as an administrator, to fix users’ account problems, but it was a glaring and unnecessary risk. Late last year, popular Facebook application developer RockYou (which made Super Wall and Birthday Cards, among others) had their servers hacked and thieves stole 32 million usernames and passwords. If your Facebook password is the same as the one for your email or bank account, you’re giving those thieves access to a lot of damaging information. And there are huge corporate implications here too – if you use your Facebook password for your work network or corporate email, you could be jeopardising sensitive business information. Every site you use should have its own, unique password.
And those passwords should be long, complicated and unpredictable. Online security company Imperva analysed the passwords stolen in the RockYou attack and reported that ‘nearly 50% of users used names, slang words, dictionary words or trivial passwords … The most common password is “123456”’. In fact, the detailed report lists the most common passwords and reveals that many passwords are so short and simple that a “brute force attack” would crack them easily. Fortunately, Angus Kidman over at Lifehacker has produced a really handy guide to choosing passwords that are unique to each site, yet still easy to remember. That’s the system I use. However, if you’re really really worried about your passwords, security expert Steve Gibson has developed the Perfect Passwords page, which generates completely random 64-character strings every time it is refreshed.
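To make the Imperva findings above concrete, here is a small Python audit I’ve added (it is not from the original post, from Imperva or from any password manager) that flags the kinds of passwords the report singles out and the cross-site reuse warned about earlier; the common-password and dictionary lists are tiny constructed stand-ins, and the entropy thresholds are my own assumptions.

```python
import math
import string

# Constructed stand-in for a leaked common-password list; the real Imperva/RockYou
# list is far longer. "123456" is the entry the post quotes as most common.
COMMON_PASSWORDS = {"123456", "12345", "123456789", "password", "iloveyou",
                    "princess", "rockyou", "abc123", "qwerty", "letmein"}

# Constructed stand-in for a dictionary word list.
DICTIONARY_WORDS = {"monkey", "dragon", "sunshine", "football", "welcome"}


def charset_size(pw: str) -> int:
    """Size of the alphabet a brute-force guesser must cover for this password.
    Only the four ASCII classes are counted; anything else contributes nothing."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 symbols
    return size


def entropy_bits(pw: str) -> float:
    """Upper bound on guessing work in bits: length * log2(alphabet size)."""
    size = charset_size(pw)
    return len(pw) * math.log2(size) if size else 0.0


def assess(pw: str) -> str:
    """Classify a password along the lines of the report: trivial, dictionary,
    short/low-entropy (brute-forceable), moderate or strong.  Thresholds assumed."""
    if pw.lower() in COMMON_PASSWORDS:
        return "trivial: appears on common-password list"
    if pw.lower() in DICTIONARY_WORDS:
        return "weak: dictionary word"
    bits = entropy_bits(pw)
    if len(pw) < 8 or bits < 40:
        return "weak: short or low-entropy, brute-forceable"
    if bits < 64:
        return "moderate"
    return "strong"


def find_reuse(accounts: dict) -> dict:
    """Map every password shared by more than one site to the sites using it."""
    by_pw = {}
    for site, pw in accounts.items():
        by_pw.setdefault(pw, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_pw.items() if len(sites) > 1}
```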
But right there is the problem – how are you going to remember 64 different characters, for every single site you use? Obviously, you can’t do it just by memory. One popular way is with the free, open-source program KeePass. KeePass stores your passwords in a very secure encrypted file, which you can access and decrypt with your (strong, right?) master password. This is perfect for your home computer, and it’s completely portable (it doesn’t even need to be installed, and can be run straight from a USB drive) so you can take your passwords with you. It is something of a hassle, though, to have to copy and paste your passwords from KeePass – but that’s where KeeFox comes in. KeeFox is a Firefox extension that integrates with your KeePass database. It’s still new and needs some refining, but it does the job and will improve with time. But obviously it’s limited to Firefox – if you’re using Chrome, Opera or Safari (we’re talking security, so you’re obviously not using Internet Explorer, right?) you’ll have to copy and paste from KeePass.
For the last few weeks I’ve been trying another method which solves that problem, and integrates nicely into all browsers on all platforms (and, for a small fee, even mobile devices). LastPass is essentially an online KeePass. Your passwords (and notes and other sensitive data) are stored in your “Vault” online, accessible only with your master password. Connections between your computer and their server are secure and they only store your passwords in encrypted form – the decrypting happens on your computer, in your browser. You install the LastPass extension for your browser – Firefox, Chrome, Safari, Opera, it doesn’t matter, they’re all supported – and it can import and then delete the passwords saved in your browser. Passwords stored in your browser are almost always in plain text, and therefore anyone with access to your computer can see them. After that, whenever you go to a website and log in, you can set LastPass to log you in automatically, or you can choose which username to log in with if you have multiple accounts for that site. Speaking of multiple accounts, you can have several with LastPass as well – so your spouse can log in to all his/her sites but not yours, if you wish. There’s a version designed for Firefox Portable, so you can load it on a USB drive and take it with you as well.
Both KeePass and LastPass are excellent password managers that I willingly recommend you check out. For me, I prefer LastPass for a number of reasons. Firstly, being online, my passwords are available whether I’m at work, at home or on the laptop. With KeePass, I’d have to sync my database file across all machines whenever I changed a password or signed up for a new site. Since I use Chrome on most of my machines, I can’t use the Firefox extension KeeFox, but LastPass is available for all the browsers I use. It’s also quicker and easier than KeePass because it can automatically log me in to my favorite sites. But KeePass is open-source, has a huge community behind it and has a proven track record, so you may find it suits your needs just fine. Remember also that with LastPass you’re putting your trust in a third party, and whilst they can’t see your passwords, if their servers go down you won’t be able to connect to anything. And if you’re without an internet connection, your saved notes won’t be available. The good news is, there’s no reason why you can’t run both, and keep your secure notes available offline.
How do you keep your passwords secure? Have you tried LastPass or KeePass? Or have you ever had your account hacked as a result of phishing or an insecure password? Let us know!