There have been a lot of questions and discussions about passwords since the discovery of the Heartbleed vulnerability a few weeks ago. The discovery is a good reminder of good password habits…
- Each service or web site should have a unique password. They should never be repeated.
- A password should be very complicated and random – no words that can be found in a dictionary, and no proper names.
- You should include at least two of: mixed case (upper and lower case letters), symbols, and numbers.
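The three rules above are mechanical enough to check and to generate against, which is exactly what the "complicated password generation" feature of a password manager does for you. The following is an added example (not code from the original post or from any password manager) that checks a candidate password against all three rules and generates passwords with Python's `secrets` module; the word list and the vault dictionary it uses are constructed stand-ins.

```python
import secrets
import string

# Character classes named in the rules: mixed case, symbols, numbers.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.<>?",
}

# Constructed stand-in for a real dictionary (assumption: a real check would
# load a full word list plus common proper names).
DICTIONARY = {"password", "welcome", "summer", "letmein", "admin", "qwerty"}


def classes_present(password: str) -> set:
    """Return the names of the character classes that appear in the password."""
    return {name for name, chars in CLASSES.items()
            if any(c in chars for c in password)}


def contains_dictionary_word(password: str, dictionary=DICTIONARY,
                             min_len: int = 4) -> bool:
    """True if a dictionary word of at least min_len letters appears,
    compared case-insensitively so 'Summer2014!' is still caught."""
    lowered = password.lower()
    return any(len(w) >= min_len and w in lowered for w in dictionary)


def check_password(password: str, site: str, vault: dict) -> list:
    """Apply the three rules; return the list of violations (empty = passes).

    vault maps site -> password and is used for the 'never repeated' rule;
    the same site's own current entry does not count as reuse.
    """
    problems = []
    if any(p == password and s != site for s, p in vault.items()):
        problems.append("reused on another site")
    if contains_dictionary_word(password):
        problems.append("contains a dictionary word")
    if len(classes_present(password)) < 2:
        problems.append("fewer than two character classes")
    return problems


def generate_password(length: int = 20, min_classes: int = 3) -> str:
    """Generate a random password using the OS CSPRNG via `secrets`.

    Rejection sampling: draw uniformly from the union of all classes and
    retry until at least min_classes classes are present. Forcing one
    character of each class into fixed positions would bias the result;
    retrying keeps every accepted password uniformly likely.
    """
    if length < min_classes:
        raise ValueError("length must be at least min_classes")
    alphabet = "".join(CLASSES.values())
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (len(classes_present(candidate)) >= min_classes
                and not contains_dictionary_word(candidate)):
            return candidate


if __name__ == "__main__":
    vault = {"mail": "xK9#qLm2vT"}
    print(check_password("Summer2014!", "bank", vault))   # dictionary word
    print(check_password("xK9#qLm2vT", "bank", vault))    # reused from mail
    print(generate_password())
```

Note that the checker cannot tell you whether a password has already leaked in someone else's breach; that is why the reuse rule matters regardless of how strong the individual password is.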
Probably the biggest challenge is keeping a unique password for each service or web site. Without some sort of tool I don’t believe I could follow this rule effectively. I have been through a few different password storage tools over the years. The first couple were based on an encrypted file stored on a thumb drive. The potential problems with that strategy are that flash-based thumb drives do not last forever, and they can easily be lost. I tried to keep two current copies of the encrypted data file in two different places, but it is not always easy to be that disciplined.
About a year ago after much research I moved my passwords to the cloud. I was apprehensive until I found a cloud-based solution that put green checks on my security checklist…
- local-only decryption – This means that the data is only readable by a human once it is accessed on my local computer or mobile device. If I lose the master password, the password storage service should not be able to access my passwords; they are gone forever.
- very strong encryption methods – The technology used to encrypt the data should be current. Computers are getting faster by the day and are increasingly capable of breaking older encryption methods. Look for at least AES 256-bit encryption.
- multi-factor authentication – You should have the option of using your master password together with a secondary authentication method, such as a verification text sent to your mobile phone.
- complicated password generation – The system needs to be able to generate good, strong passwords.
- remote access – It was important to me to be able to access my passwords away from the office and a computer. The easier it is to access your passwords in a secure store the more likely you are to store your passwords securely.
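The "local-only decryption" item deserves a closer look, because it is the property that makes a cloud password store acceptable at all. The following is an added example of how that model can be built (not LastPass's code or a description of its actual protocol): the vault key is derived from the master password on the client with PBKDF2 from the standard library and never leaves the device; the server is handed only a second, one-way derivation of that key for login. Iteration count, salt length and the in-memory `Server` class are assumptions. The step where the vault key feeds AES-256 to encrypt the vault itself is not shown, since the standard library has no AES implementation.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed; a real service tunes this as high as clients tolerate


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = ITERATIONS) -> bytes:
    """Key that encrypts the vault. Computed only on the client, never sent."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def derive_auth_hash(vault_key: bytes, salt: bytes) -> bytes:
    """Login credential: one more one-way step applied to the vault key.
    The server learns this value but cannot walk it back to the key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, salt, 1, dklen=32)


class Server:
    """Constructed stand-in for the service: stores only salt and auth hash."""

    def __init__(self):
        self.users = {}

    def register(self, user: str, salt: bytes, auth_hash: bytes) -> None:
        self.users[user] = (salt, auth_hash)

    def salt_for(self, user: str) -> bytes:
        return self.users[user][0]

    def login(self, user: str, auth_hash: bytes) -> bool:
        stored = self.users.get(user)
        # Constant-time comparison avoids leaking how many bytes matched.
        return stored is not None and hmac.compare_digest(stored[1], auth_hash)

    def knows_key(self, user: str, vault_key: bytes) -> bool:
        """What the server could do with what it stores: nothing that equals the key."""
        salt, auth_hash = self.users[user]
        return vault_key in (salt, auth_hash)


def client_enroll(server: Server, user: str, master_password: str) -> bytes:
    """Client side of account creation; returns the local vault key."""
    salt = secrets.token_bytes(16)
    key = derive_vault_key(master_password, salt)
    server.register(user, salt, derive_auth_hash(key, salt))
    return key


def client_login(server: Server, user: str, master_password: str):
    """Client side of login; returns the vault key, or None if the server rejects.
    A wrong master password yields a different key, so the vault stays unreadable."""
    salt = server.salt_for(user)
    key = derive_vault_key(master_password, salt)
    if not server.login(user, derive_auth_hash(key, salt)):
        return None
    return key


if __name__ == "__main__":
    srv = Server()
    k1 = client_enroll(srv, "alice", "correct horse battery staple")
    k2 = client_login(srv, "alice", "correct horse battery staple")
    print("same key on login:", k1 == k2)
    print("wrong password rejected:", client_login(srv, "alice", "wrong") is None)
    print("server holds the key:", srv.knows_key("alice", k1))
```

The practical consequence is the one the post states: if the master password is lost, nothing the service stores can reconstruct the vault key, so the vault is unrecoverable by design. A service that offers a "forgot master password" reset that restores your data is, by the same logic, able to read it.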
My choice settled on LastPass (lastpass.com). It hits all of the marks on my list, and it even does things I hadn’t considered, such as sharing passwords with other users. Another great feature is that during initial setup on your first computer it will scan your browsers for saved credentials. It imports those items, then gives you the option of deleting those usernames and passwords from the browser. You can also import passwords from other programs.
If you only use the software in a browser on a desktop computer, it is free. If you want to access passwords from your mobile device, you will need to pay a nominal $1 per month. They also offer enterprise plans for companies to share and, more importantly, control passwords across the organization.
Getting your password situation under control can be very reassuring, especially when it is this easy, cheap, and safe.