Tuesday, March 6, 2012

Online Security --> Just Use LastPass

These days many accounts are getting hacked, especially email accounts, because the password was weak (too short), the computer was infected, or the owner was fooled by a phishing attack -- visiting a site that looked real and entering a password there, when the site was actually fake. Plus many people reuse the same password everywhere -- so one compromised password can give access to many systems. Your email account is especially sensitive because it often contains records for many of the systems you use, as well as lots of other confidential information about you and others. And your email account is how many other systems verify your identity.

Here are a few of the things that could happen if your email is hacked: personal (and possibly sensitive) information is revealed, your other accounts get broken into, you send dangerous infected emails to your friends, and all your email history and contacts are deleted. It only takes one incident, and most of you probably don't want strangers to have access to all of this private information.

Ever since my apartment was burglarized in the mid 1980s and my computer equipment stolen, I've been paranoid about security (and backups) -- particularly with computers. While I'm not a professional security expert per se, I am an information technology professional (Bank of Boston, Fidelity Investments, Apple Computer, Sun Microsystems, Adobe Systems), I have many associates who are true security experts, and I thoroughly researched security in this area as it affects everyday computer users -- everybody from me (with 600+ online accounts) to my mom (with just a few).

Here are my top 2 recommendations to keep your online life secure:
  1. Keep your own computer clean (install software only from trusted sources, keep your OS and applications current, use a good virus scanner).
  2. Use LastPass to manage your passwords.

Why LastPass? Because it is the best password manager that will keep your passwords secure and strong.

To prevent your email and other accounts from being compromised, it is critical to have strong passwords.

A strong password:
  1. is long -- ideally 16 characters or more;
  2. uses many different characters -- upper and lower case letters, numbers, and even punctuation or other special characters;
  3. is unique -- a different password for every system;
  4. is hard to guess -- not something that is easily discovered about you like your dog's name or your mother's maiden name (!);
  5. is changed periodically.

Many of us have dozens of different online accounts between email, Facebook, banks, credit cards, and more. Some of us have hundreds. How can a person possibly remember so many strong passwords for each of these systems? Humans can't, but computers can. Writing passwords on a piece of paper is possible but is very risky unless you keep it in a safe. The best solution is to use a password manager to store your strong passwords so you just need to remember one -- for the password manager itself.

LastPass is currently the best password manager I've been able to find. It remembers all your passwords and also:
  1. enters usernames and passwords automatically for you on the web so you don't have to type them manually;
  2. generates very strong passwords of any length;
  3. backs itself up automatically to a secure service in the cloud so it is available to you on as many computers as you wish (even if your computer is stolen);
  4. prevents phishing attacks by recognizing valid sites and not entering passwords on fake ones (catching URL subtleties that you might miss);
  5. is your safe deposit box in the sky for other critical but sensitive bits of information (account numbers, PINs, combinations, etc);
  6. is itself extremely secure (reviewed/audited by independent security experts, passwords are only decrypted on your local machine, supports multi-factor authentication, uses PBKDF2);
  7. works seamlessly on Mac OS, Windows, Linux, and many smart phones; and
  8. is free!! (well there is a charge for use on smart phones)
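To make points 2, 4 and 6 above concrete, here is an added illustration (my own example code, not LastPass's implementation or parameters) of the two mechanisms a password manager relies on: deriving the vault key locally with PBKDF2 so the server only ever stores a further one-way hash, and refusing to autofill unless the site host matches the stored entry exactly. The iteration count, email and password values are constructed for the demo.

```python
import hashlib
import hmac
from urllib.parse import urlsplit

# Constructed work factor for the demo; real products use their own tuned value.
ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Derive the key that encrypts the vault. This runs on the user's machine
    and the result is never sent anywhere, which is what 'passwords are only
    decrypted on your local machine' means in practice."""
    salt = email.strip().lower().encode()  # the account name doubles as a per-user salt
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One extra one-way step over the vault key. This is the value a server
    could store to authenticate the user; it cannot be reversed into the vault
    key or the master password, so a leaked copy does not expose the vault."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def server_check_login(stored_hash: bytes, presented_hash: bytes) -> bool:
    """Constant-time comparison so timing does not leak how many bytes matched."""
    return hmac.compare_digest(stored_hash, presented_hash)


def _host(url: str) -> str:
    return (urlsplit(url).hostname or "").lower()


def should_autofill(stored_url: str, current_url: str) -> bool:
    """Phishing check: fill credentials only over HTTPS and only when the host
    is exactly the one the entry was saved for. 'mail.example.com.evil.test'
    and 'mai1.example.com' both fail, which a human skimming the URL may miss.
    (Exact-host matching is deliberately stricter than many products' rules.)"""
    current = urlsplit(current_url)
    return current.scheme == "https" and _host(stored_url) == _host(current_url)
```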

By the way, for maximum security, treat security questions and answers (used for retrieval of forgotten passwords) just like passwords. Security questions and answers should be hard for others to guess and different on different systems. If you use a password manager you can store these in it as well.

Don't trust me? That's good!! It's important to check references and do your homework. To verify everything I've said here, please read/listen to the following references that discuss password security as well as many different password managers. Also do your own research.

PC World's "Best Password Managers: Top 4 Reviewed" (2010)
http://www.pcworld.com/article/208113/best_password_managers_top_4_reviewed.html

Consumer Reports' "Hack-Proof Your Passwords" (2012)
http://www.consumerreports.org/cro/2012/01/hack-proof-your-passwords/index.htm

Password Manager Shootout – eWallet vs. KeePass vs. LastPass by Evan Kline (2009)
http://www.40tech.com/2009/06/30/password-manager-shootout-ewallet-vs-keepass-vs-lastpass/

LastPass vs. 1Password: Password Manager Shootout by Evan Kline (2011)
http://www.40tech.com/2011/05/16/lastpass-vs-1password-whose-syncing-method-is-more-secure/

Passwords for Dummies by Green Bay Net
http://www.greenbaynet.com/news/passwords-dummies

LastPass explained by Steve Gibson - Part 0, 1, 2, 3, 4, 5, 6, 7 (2010)
http://www.youtube.com/watch?v=z4-h5gWpvAc
http://en.wikipedia.org/wiki/Steve_Gibson_%28computer_programmer%29

IT Security: LastPass: Is it the password manager for you?
http://www.techrepublic.com/blog/security/lastpass-is-it-the-password-manager-for-you/3291

How to Build a (Nearly) Hack-Proof Password System with LastPass
http://www.atozfree.info/how-to-build-a-nearly-hack-proof-password-system-with-lastpass-and-a-thumb-drive/

Zappos Passwords Hacked: What You Need To Do Right Now (2012)
http://lifehacker.com/5876462/zappos-passwords-hacked-what-you-need-to-do-right-now

LastPass Security Notification (2011)
http://blog.lastpass.com/2011/05/lastpass-security-notification.html
http://download.cnet.com/8301-2007_4-20060191-12.html

To get LastPass, visit:
https://lastpass.com/
Please note that I do not work for LastPass nor do I receive any financial benefit from it. I do use LastPass myself.

P.S. I invite everyone reading this to prove me wrong and/or help me improve this article. I want to make sure what I recommend here is the absolute best balance between excellent security and practicality (ease of use/features). The runner-up option is 1Password (but not quite as secure). Keeping more than 2-3 complex passwords in your head is just too hard. Advanced tip: put your LastPass password in a secure location that your heirs can eventually get to, and then your LastPass account can also serve as a secure mechanism to make sure all your online assets get taken care of should you, well, pass away.

1 comment:

devesh said...

I highly recommend SplashID, because I have used it myself. Browser integration is fabulous. Also it is very easy to use. As soon as you create your account, you can actually set a pattern for SplashID login, therefore you technically have to remember zero passwords. Extremely secure for USB usage as well. Highly recommended.