Monday, June 20, 2011

Strong Passwords and LastPass.com

This post is about crafting a strong password and using LastPass, a security oriented password manager that I have been using for a few weeks now with great success.


For years I used the same password for Gmail, for Facebook and for other things. It was a remarkably simple one, just the name of an obscure and insignificant character played by a girl I vaguely liked in a high school production; the character's name doesn't even appear in the more commonly known movie version. No reason anyone would ever guess it, and no one did. Then to beef it up I added a random string of numbers to the end. In the last decade, having a password that no one would guess was good enough. 


Now it's not, because in most cases hackers won't be trying to use personal information to break into your specific account (although of course you still want to be on guard for that: don't use your birthday or the unencrypted name of the girl everyone knows you like). It's more likely to be phishing (tricking you into giving up your password) or a computer program churning through all possible combinations looking for yours. So aside from avoiding obvious passwords (for throwaway signups that I don't care about protecting, sometimes I use "passwords" as my password), the key to a strong password turns out to be length.


From the New York Times (thanks Megan M):

Here’s a little quiz: Which is the stronger password? “PrXyc.N54” or “D0g!!!!!!!”?
The first one, with nine characters, is a beaut. Mr. Gibson’s page says that it would take a hacker 2.43 months to go through every nine-character combination offline, at the rate of a hundred billion guesses a second. The second one, however, is 10 characters. That one extra character makes it much, much stronger: it would take 19.24 years at the hundred-billion-guesses-a-second rate. (Security researchers have established the feasibility of achieving these speeds with fairly inexpensive hardware.)
Don’t worry about the apparent resemblance of “D0g,” with a zero in the middle, to the word in the dictionary. That doesn’t matter, “because the attacker is totally blind to the way your passwords look,” Mr. Gibson writes on his Web site.
“The old expression ‘Close only counts in horseshoes and hand grenades’ applies here,” he says. “The only thing that an attacker can know is whether a password guess was an exact match or not.”
Mr. Gibson says that as long as the password is not on a list of commonly used passwords and is not found in a dictionary, the most important password factor is length.
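To make the quoted arithmetic concrete, here is an added Python example (my own, not code from the Times article or from Mr. Gibson's page) that counts the candidates a blind exhaustive search must try for every password up to a given length and converts that count to time at a hundred billion guesses a second. It assumes the 95 printable ASCII characters split into lowercase, uppercase, digits and 33 symbols, and that the attacker only learns which character classes are in use, not how the password "looks".

```python
import string

# Assumed character classes: the 95 printable ASCII characters split four ways.
# (Constructed for this example; the quoted article does not list them.)
CLASSES = {
    "lower": set(string.ascii_lowercase),          # 26
    "upper": set(string.ascii_uppercase),          # 26
    "digit": set(string.digits),                   # 10
    "symbol": set(string.punctuation) | {" "},     # 32 punctuation + space = 33
}

SECONDS_PER_MONTH = 30.4375 * 86400   # average Gregorian month
SECONDS_PER_YEAR = 365.25 * 86400


def alphabet_size(password: str) -> int:
    """Alphabet a blind attacker must assume: the sum of every character
    class that appears at least once in the password."""
    present = set(password)
    return sum(len(cls) for cls in CLASSES.values() if present & cls)


def search_space(alphabet: int, length: int) -> int:
    """Exact number of candidates in an exhaustive search of all passwords
    of length 1..length drawn from `alphabet` characters."""
    return sum(alphabet ** n for n in range(1, length + 1))


def seconds_to_exhaust(password: str, guesses_per_second: float = 1e11) -> float:
    """Worst-case time to try the whole space that contains `password`.
    The default rate is the hundred billion guesses/second the article cites."""
    return search_space(alphabet_size(password), len(password)) / guesses_per_second


def report(password: str) -> str:
    """Human-readable worst-case search time for one password."""
    secs = seconds_to_exhaust(password)
    if secs >= SECONDS_PER_YEAR:
        return f"{password!r}: {len(password)} chars, ~{secs / SECONDS_PER_YEAR:.2f} years"
    return f"{password!r}: {len(password)} chars, ~{secs / SECONDS_PER_MONTH:.2f} months"


if __name__ == "__main__":
    # The two passwords from the quiz above: both use all four classes,
    # so the only difference the attacker "sees" is one extra character.
    for pw in ("PrXyc.N54", "D0g!!!!!!!"):
        print(report(pw))
```

The one extra character multiplies the search space by the alphabet size (95 here), which is why the 10-character password comes out roughly ninety-five times harder to exhaust than the 9-character one regardless of how dictionary-like it looks.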
The Times article goes on to endorse LastPass.com, which is a password manager. It is free, but for $12/year you can also add it to your smartphone. It takes a little fiddling to get used to, but basically LastPass lets you randomly generate passwords ("i9H120VgQrRhzmL") and stores them for you. This lets you have long, random, complicated and unique passwords for each log-in without having to worry about remembering them yourself. This is a huge improvement over using the same password for multiple accounts or using passwords simple enough that you can remember many of them. Once I've logged into LastPass, whenever I open a website that has a log-in page, LastPass fills in the information and enters it. Of course your LastPass password (the "last password you'll need", which I assume is what the name means, although you'll want to change it from time to time) is now the master key and must be absolutely memorizable to you and unguessable to spying people and robots. LastPass is so committed to security that their own employees can't access your password and your data is never on their site in unencrypted form, so if you lose your password you've got problems. I'd honestly recommend writing this password down somewhere sneaky.


Using LastPass has simplified my computing experience by only requiring me to remember one password (hint: using a long phrase makes it easy to remember but difficult to hack) while allowing me to use a very long and complicated, randomly generated and unique password for each site. Because LastPass saves my passwords I am free to change them often, which is what you should do but don't, because you don't want to memorize new passwords. I also believe this should help prevent phishing, because LastPass won't mistake a mockup of Facebook's or Bank of America's website, designed to fool a human into submitting his or her password, for the real site.


I learned about LastPass from James Fallows, naturally enough. 
