As we mentioned in our first article, weak passwords and password re-use are serious problems. Even if you use a very strong password, you are putting yourself at risk if you use the same username and password combination everywhere. Every time you fill out a registration form for another account at another web site, you are handing your username and password to the operators of that site. Most web site administrators responsibly store passwords as salted, slow password hashes rather than in plain text (or in a reversible "encrypted" form whose key sits on the same server), but some still don't, and even a properly hashed password can be recovered by an attacker if it is weak. It only takes a data breach at one web site to expose your password, and attackers routinely try leaked username and password pairs against other popular sites. So, even if you have the strongest password in the world, it can be compromised if you use the same password on every site.
So what's the solution? Ideally, you need a different strong password for every web site you visit. There are tricks to making strong passwords memorable; take a look at our January 28th segment on IT security for tips on creating memorable, strong passwords. You could build complex, memorable password strings by hand, but you are going to need a lot of them for different web sites, and the more complex you make them, the harder they are to remember, which defeats the purpose of the whole enterprise.
The real solution is a password manager. A good password manager lets you use a different strong, randomly generated password for every web site you visit, while storing all of your passwords in an encrypted vault protected by a single master password, so the master password is the only one you still have to remember. One of the best password managers on the market today is a piece of software called LastPass. The amazing thing about LastPass is that it will make your time on the Internet both more secure and easier. I know that's hard to believe, but over the next couple of episodes we will explain why this is true. Oh, and did I mention it's (mostly) free?
Let's walk through the process of creating a LastPass account. Really, it's no more difficult than signing up for any other web site account. You simply visit their web site, lastpass.com, and download the recommended software. LastPass is cross-platform, supporting Windows, Mac OS, and Linux, along with iOS, Android, and a whole host of other platforms. Once it is installed, you'll have an icon in your web browser, usually in the top right-hand corner, that looks like an asterisk. Click on that, and it will give you the option to create an account. Remember that, since this will be the one password that protects your entire online life, you should make it a very strong one, and one you use nowhere else. (You can change this password later, and you should if you ever suspect it has been exposed.)
Once your account is created, this is when the magic happens. Visit a web site where you have an account and log in. LastPass should offer to remember the password for you, and you'll want to click "Remember." But, since this password is likely an old, insecure one, we're going to go ahead and generate a new password. Go into the web site's account settings and tell it you want to change your password. Then right-click, go down to LastPass, and select Generate Secure Password. Paste that into the "new password" field and hit Submit. LastPass should detect the change in your password and offer to save it for you; make sure it has actually saved the new password before you log out, since the generated password is not something you can reconstruct from memory. That's it! (Although, of course, you should do this on all of the web sites you use.)
So, how does this make your life easier? Watch this: log out of the site. Now, you'll notice that the username and password are filled in automatically. Once all of your accounts are stored in LastPass, you'll never need to type a password again, let alone remember one. Because of this, you can make all of your passwords as strong as they ought to be, and never worry about forgetting them.
Two final points. One, you'll note that I said that LastPass is "mostly free." A LastPass Premium subscription is required for a few advanced features, including, most notably, support for the iOS and Android apps. Premium only costs $12 a year, though, and in our opinion it's more than worth it. Two, you might worry about sending all your passwords to a company you've never heard of. We did, too, but LastPass is built on what Steve Gibson calls "Trust No One" (TNO) encryption. The software is designed so that your vault is encrypted on your own computer, with a key derived from your master password, before anything is sent to the company; what is stored on their servers is only the encrypted form, and only you have the key. The flip side of that design is that the company cannot decrypt your vault for you either, so a forgotten master password cannot simply be reset by support. If you're interested in how this technology works, you can check out Steve Gibson's Security Now! podcast on LastPass, Security Now! #256. You can find Security Now! at Steve Gibson's web site, grc.com.
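To make the "Trust No One" idea concrete, here is a small worked example of the design described above: a per-site password generator, a client-side key derivation from the master password, and an encrypted vault blob that is all a server would ever see. This is an added illustration written for this article, not LastPass's own code, and it makes several assumptions: the PBKDF2 round count is a placeholder, the vault format is invented, and the cipher is a simple HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, used only because the Python standard library has no AES (a real product would use an authenticated cipher such as AES-GCM from a vetted library).

```python
import hashlib
import hmac
import json
import os
import secrets
import string
from typing import Optional, Tuple

# Assumed parameters for this illustration; LastPass's real settings are not given in the article.
PBKDF2_ROUNDS = 200_000
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.?"


def generate_password(length: int = 20) -> str:
    """Random per-site password, the 'Generate Secure Password' step, from a CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into an encryption key and a MAC key.

    This runs on the client; the master password itself never leaves the machine.
    """
    material = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ROUNDS, dklen=64)
    return material[:32], material[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (toy stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, vault: dict) -> bytes:
    """Client-side encrypt-then-MAC. The returned blob is what the server stores."""
    salt = os.urandom(16)
    nonce = os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(vault).encode()
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_vault(master_password: str, blob: bytes) -> Optional[dict]:
    """Return the vault, or None if the master password is wrong or the blob was tampered with."""
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


if __name__ == "__main__":
    master = "correct horse battery staple"  # constructed example master password
    vault = {"example.com": {"user": "alice", "password": generate_password()}}
    blob = encrypt_vault(master, vault)
    # The server-side blob reveals neither the site, the username, nor the password.
    assert b"alice" not in blob and b"example.com" not in blob
    assert decrypt_vault(master, blob) == vault
    assert decrypt_vault("wrong master password", blob) is None
    print("round trip ok; server holds", len(blob), "opaque bytes")
```

Two things the example shows that the prose alone does not: the server never receives the master password, only a salt and ciphertext it cannot open, and because the key is derived from the master password, a wrong master password fails the MAC check rather than producing a vault the company could hand back to you. That is exactly why, in a design like this, the company cannot recover a forgotten master password.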
Next month, we’ll talk about how to use some of the advanced features of LastPass that can make you more secure. Stay tuned!