DefinIT

My password confession: a.k.a sorting out password security with LastPass

04/02/2011

I can’t plead ignorance: I should know better!

For years I have preached to users about the importance of strong passwords, regular password changes and non-proliferation of the same password, yet I’ve fallen foul of two of my own rules. My password is strong – 13 characters, random alpha-numeric, upper and lower case and including special characters – but it has been re-used in a few places, and hasn’t been changed in a (long) while.

I do use different passwords for specific things: my online banking, for example, has a unique password. But in other cases the same password has been used in multiple places – e.g. social networking sites, iTunes account, the DNS management for this domain, my email account. Even as I write this list it’s a bit alarming! It’s laziness, and to some extent an inability to remember a password for the dozens of accounts I have.

One Password to Rule them All

I’ve been opposed to using password keepers such as LastPass, KeePass, RoboForm, et al because they have just one password to unlock them, and then the proverbial horse has bolted. I’ve now come to the conclusion that this is more secure than password re-use – at least if there’s one password to rule them all, I can make it a good one.

I’ve tried a “tiered” password system – one password for social networks, one for email accounts, one for financial accounts, and this does improve on the password re-use situation, but it still means if one is compromised they all fall.

Installing LastPass

Installing LastPass is a simple affair:


Securing your passwords


The simple fact of the matter is that just installing LastPass will not secure your passwords – you can still use the same old ones, just auto-filled by LastPass.

There’s a handy tool on the LastPass website called the LastPass Security Challenge that can help see how secure your passwords are – the image on the right is how secure my passwords were to start. Yes, 10.9% – shocking.

To secure your passwords, you need to create a strong password for each and every account you have. Yes, I know that’s a pain in the… proverbial. If an attacker compromises your Twitter password, you don’t want them accessing your Amazon account and ordering £1000 of death-metal do you? It’s not as paranoid as you might think.

With LastPass installed, when you browse to a website it will recognise a login form and ask if you want to save it. If it has a login stored for a website you can set the option to auto-login.

It will also recognise when you’re changing your password and update the stored password for each site.

With a bit of fiddling, and a password generator, I have now updated all my saved website passwords to strong, unique passwords. It will take a bit of discipline to maintain them, but I think that LastPass will help!


Password strength

I have randomly generated the passwords from https://secure.pctools.com/guides/password. The settings I used to generate the passwords were as follows:

  • 12 characters in total
  • Uppercase letters [A-Z]
  • Lowercase letters [a-z]
  • Numbers [0-9]
  • Special characters [!*_£$%^&]
  • No similar characters [e.g. capital I and lowercase l, zero and capital O]
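The settings above, reproduced as an added example of my own (not the pctools generator’s code): a CSPRNG-backed generator that enforces every character class, drops the look-alike characters listed, a checker for the same policy, and an entropy estimate for a 12-character password drawn from that alphabet. The ambiguous set is taken from the examples in the list; extend it if you want to exclude more.

```python
import math
import secrets
import string

# "No similar characters": the examples given are capital I, lowercase l,
# zero and capital O. Add more look-alikes here if your generator excludes them.
AMBIGUOUS = set("IlO0")
UPPER = [c for c in string.ascii_uppercase if c not in AMBIGUOUS]   # [A-Z]
LOWER = [c for c in string.ascii_lowercase if c not in AMBIGUOUS]   # [a-z]
DIGITS = [c for c in string.digits if c not in AMBIGUOUS]           # [0-9]
SPECIAL = list("!*_£$%^&")                                          # special characters
CLASSES = [UPPER, LOWER, DIGITS, SPECIAL]
ALPHABET = [c for cls in CLASSES for c in cls]


def generate_password(length=12):
    """Return a random password with at least one character from each class."""
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    # One character from every class guarantees coverage; the rest is drawn
    # uniformly from the whole alphabet using the OS CSPRNG, not random.random().
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(CLASSES))]
    # Fisher-Yates shuffle with the CSPRNG so the guaranteed characters
    # do not always sit in the first four positions.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(password, length=12):
    """True if the password has the required length, every class, and no look-alike characters."""
    return (len(password) == length
            and not AMBIGUOUS.intersection(password)
            and all(c in ALPHABET for c in password)
            and all(any(c in cls for c in password) for cls in CLASSES))


def entropy_bits(length=12):
    """Upper bound on entropy: log2(alphabet size) per character, for uniform choice."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw), round(entropy_bits(), 1))
```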

Shamed websites

The following websites wouldn’t let me use a secure password:

eBuyer.com, London Stock Exchange – no special characters allowed

HP.com – no special characters allowed AND maximum 8 characters