A quick little post today to let you all know about a great service I’ve been using the past few weeks. We all have so many online accounts these days. Social media, online banking, forums, multimedia sites, productivity sites – and most people don’t think enough about the security implications involved.
I know so many people who use the same password for all their online accounts. Stupid. Very very stupid. Earlier this year Twitter sent emails to a number of users advising them to change their password after ‘suspicious activity’ was detected. Turns out, it was a phishing scam that used a backdoor in free BitTorrent/forum software, which a hacker exploited to gain the usernames, passwords and email addresses of potentially thousands of people. When I ran an online gaming site, one of the off-the-shelf gaming ladder systems we used stored users’ passwords unencrypted, in plain text. That made it real easy for me, as an administrator, to fix users’ account problems, but it was a glaring and unnecessary risk. Late last year, popular Facebook application developer RockYou (which made Super Wall and Birthday Cards, among others) had their servers hacked and thieves stole 32 million usernames and passwords. If your Facebook password is the same as the one for your email or bank account, you’re giving those thieves access to a lot of damaging information. And there are huge corporate implications here too – if you use your Facebook password for your work network or corporate email, you could be jeopardising sensitive business information. Every site you use should have its own, unique password.
And those passwords should be long, complicated and unpredictable. Online security company Imperva analysed the passwords stolen in the RockYou attack and reported that ‘nearly 50% of users used names, slang words, dictionary words or trivial passwords … The most common password is “123456”’. In fact, the detailed report lists the most common passwords and reveals that many are so short and simple that a “brute force attack” would crack them easily. Fortunately, Angus Kidman over at Lifehacker has produced a really handy guide to choosing passwords that are unique to each site, yet still easy to remember. That’s the system I use. However, if you’re really really worried about your passwords, security expert Steve Gibson has developed the Perfect Passwords page, which generates completely random 64-character strings every time it is refreshed.
But right there is the problem – how are you going to remember 64 different characters, for every single site you use? Obviously, you can’t do it just by memory. One popular way is with the free, open-source program KeePass. KeePass stores your passwords in a very secure encrypted file, which you can access and decrypt with your (strong, right?) master password. This is perfect for your home computer, and it’s completely portable (it doesn’t even need to be installed, and can be run straight from a USB drive) so you can take your passwords with you. It is something of a hassle, though, to have to copy and paste your passwords from KeePass – but that’s where KeeFox comes in. KeeFox is a Firefox extension that integrates with your KeePass database. It’s still new and needs some refining, but it does the job and will improve with time. But obviously it’s limited to Firefox – if you’re using Chrome, Opera or Safari (we’re talking security, so you’re obviously not using Internet Explorer, right?) you’ll have to copy and paste from KeePass.
For the last few weeks I’ve been trying another method which solves that problem, and integrates nicely into all browsers on all platforms (and, for a small fee, even mobile devices). LastPass is essentially an online KeePass. Your passwords (and notes and other sensitive data) are stored in your “Vault” online, accessible only with your master password. Connections between your computer and their server are secure and they only store your passwords in encrypted form – the decrypting happens on your computer, in your browser. You install the LastPass extension for your browser – Firefox, Chrome, Safari, Opera, it doesn’t matter, they’re all supported – and it can import and then delete the passwords saved in your browser. Passwords stored in your browser are almost always in plain text, and therefore anyone with access to your computer can see them. After that, whenever you go to a website and log in, you can set LastPass to log you in automatically, or you can choose which username you want to log in with if you have multiple accounts for that site. Speaking of multiple accounts, you can have several with LastPass as well – so your spouse can log in to all his/her sites but not yours, if you wish. There’s a version designed for Firefox Portable, so you can load it on a USB drive and take it with you as well.
Both KeePass and LastPass are excellent password managers that I willingly recommend you check out. For me, I prefer LastPass for a number of reasons. Firstly, being online, my passwords are available whether I’m at work, at home or on the laptop. With KeePass, I’d have to sync my database file on all machines whenever I changed a password or signed up for a new site. Since I use Chrome on most of my machines, I can’t use the Firefox extension KeeFox, but LastPass is available for all the browsers I use. It’s also quicker and easier than KeePass because it can automatically log me in to my favorite sites. But KeePass is open-source, has a huge community behind it and has a proven track record, so you may find it suits your needs just fine. Remember also, with LastPass you’re putting your trust in a third party, and whilst they can’t see your passwords, if their servers go down you won’t be able to connect to anything. And if you’re without an internet connection, your saved notes won’t be available. The good news is, there’s no reason why you can’t run both, and keep your secure notes available offline.
KeePass can be downloaded here, and LastPass can be found here.
How do you keep your passwords secure? Have you tried LastPass or KeePass? Or have you ever had your account hacked as a result of phishing or an insecure password? Let us know!
These are some great tips on password generation and safeguarding passwords. Love the idea about surrounding your common ‘base’ password with the gateway you’re using. I don’t really have a system for passwords. Just a core group of 4 or so. But I only use the hardcore 1 or 2 for my financial info. The rest can be used on more social sites. Thank goodness for the ‘forgotten my password’ function.
I use Mitto (http://mitto.com) which is another online password manager. Because it logs me into my sites, I am much less susceptible to phishing attacks. When I use their bookmarklet, if I am on a site that looks like the site I want to be on (but it’s not) it won’t fill in my information. It’s safe, easy to use, and free! See http://mitto.com/reviews.
You can use the following script to test the security of your KeePass database: http://www.q-protex.com/software/password-recovery/keepass-self-bruteforce
Good choice of services, I use LastPass myself and I find it a big relief. Sadly, this article doesn't do full justice to the LastPass service.

"Lastpass is essentially an online KeePass"

One of the most important security measures of LastPass is that your Master Password is never transmitted and never stored on the server, not even encrypted. So even if their security were compromised, the stored information remains useless. When you connect to LastPass, only a one-way hash key derived from your email address is transmitted. Only if this corresponds with an existing LP account is encrypted information downloaded and decrypted locally on your computer with the locally stored encrypted Master Password.
How can I login and get access to my data from any computer?

"if their servers go down you won’t be able to connect to anything"

Not true. Login details remain stored online as well as locally (encrypted of course).
Where is the local copy of my data stored?
So even if you have no access to their servers (very unlikely), you can still use the LastPass browser plugin to login to existing accounts. But you wouldn't be able to save any changes because that requires updating (syncing) with the LastPass servers.
What happens when LastPass.com is down?
As an optional safety measure, LastPass lets you export your passwords (not advised!)
Can I get an export of all my usernames/passwords?
If I put all my passwords in this system what happens if you disappear?

"But KeePass is open-source, has a huge community behind it and has a proven track-record, so you may find it suits your needs just fine. Remember also, with LastPass you’re putting your trust in a third party"

Has your software been verified by an independent 3rd party?
I have been using LastPass for quite a while now & do find the autologin very handy. However I received this email today that concerned me. I 1st thought it was a phishing email but it was confirmed on the LastPass blog.

"On May 3rd, we discovered suspicious network activity on the LastPass internal network. After investigating, we determined that it was possible that a limited amount of data was accessed. All LastPass accounts were quickly locked down, preventing access from unknown locations. We then announced our findings and course of action on our blog and spoke with the media."

This has caused me to seriously consider returning to KeePass so that I don't have my data stored somewhere online & place my whole trust in a 3rd party to keep it secure. You just never know…