As previously discussed in Part 1, a password manager can assist in maintaining secure and unique passwords for every site you access while only having to remember one master password. However, which is the right one to use? LifeHacker reviewed six in their article, which I used as a starting point in my decision. If you’re really paranoid you may also want to look at Clipperz, which was not reviewed by LifeHacker. It appears very secure; however, it only accepts Bitcoin as payment, so for the time being that made me look at more easily available solutions.
Before picking a password manager a few things need to be looked at:
- Is it for local computer only or will it need to sync to other computers?
- What about use on mobile devices?
- The level of security offered and required to meet your needs?
- Costs of software?
For the past 10 years I had been using RoboForm as a local-only password manager. If I were to continue with or start using a new local-only password manager I’d look at KeePass instead, for being free and open source. However, with more things online and more time spent away from my computer and on mobile devices, it was time to find a new product with better multi-device and mobile support and cloud synchronization.
While looking at cloud options I found that RoboForm does offer cloud sync for about $20/year ($10 for the first year), but after having already spent close to $100 over 10 years to maintain desktop and portable licenses I was hesitant to throw more money at it without doing more research of the other options and verification of security.
In that regard I chose to switch to LastPass for being cross platform with cloud synchronization, but I also looked at a number of other factors.
In today’s cyber world security is a must have; however, many are oblivious to their lack thereof or believe in principles that are ineffective. With more reliance on the digital world now than ever before, one needs to be proactive with security to prevent being a victim of the next cyber attack or, at a minimum, to mitigate the damages.
While some think that passwords must be complex and include uppercase, lowercase, numbers, and symbols to be effective, this kind of substitution adds little if any security to the password. Today’s computers can easily try the substitution of ‘@’ for ‘a’ or ‘$’ for ‘s’, adding little time to the cracking attempts. It’s length that makes a password more secure. XKCD does a good job of graphically explaining this concept for creating long, memorable passwords.
Another problem is the use of the same password for more than one site. With the difficulty in remembering passwords it’s not uncommon to use the same or slightly varied versions of a password across all sites, but this introduces the security risk that if one account is compromised then all your accounts are vulnerable to attack. Even though you may have picked one secure password you do not know how other companies and sites store that data. If the password was stored in a database as plain text or un-salted hash then an attacker could compromise accounts quickly should that database ever be hacked.
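To make the storage point concrete, here is an added example (not code from the original post) contrasting the two schemes described above. With an unsalted hash, every user who chose the same password gets the same digest, and one precomputed table of common passwords matches all of them at once; with a per-user random salt and a slow key-derivation function (PBKDF2-HMAC-SHA256 here) the same password produces different records and each guess costs real work. The user table, the common-password list and the iteration count are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
import secrets

# Constructed sample of a breached credential table: three users, two of whom
# reused the same password. Not real data.
LEAKED_USERS = {
    "alice": "correcthorsebatterystaple",
    "bob": "P@$$w0rd",
    "carol": "P@$$w0rd",
}

# Constructed list standing in for the common-password lists that cracking
# dictionaries are built from. The point is that it is precomputable once.
COMMON_PASSWORDS = ["123456", "password", "P@$$w0rd", "letmein"]

# Iteration count for PBKDF2-HMAC-SHA256; an assumption, tune for your hardware.
PBKDF2_ROUNDS = 600_000


def unsalted_hash(password: str) -> str:
    """The weak storage scheme the post warns about: same input, same digest."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def lookup_unsalted(stored: dict[str, str], wordlist: list[str]) -> dict[str, str]:
    """Why unsalted storage fails: one table of digests built from a word list
    recovers every user who chose a listed password, with no per-user work."""
    table = {unsalted_hash(w): w for w in wordlist}
    return {user: table[digest] for user, digest in stored.items() if digest in table}


def store_salted(password: str) -> tuple[bytes, bytes]:
    """Correct storage: a fresh random salt per record plus a slow KDF, so two
    users with the same password get unrelated digests and no table is reusable."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_salted(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    unsalted = {user: unsalted_hash(pw) for user, pw in LEAKED_USERS.items()}
    print("identical unsalted digests for bob and carol:", unsalted["bob"] == unsalted["carol"])
    print("recovered from one precomputed table:", lookup_unsalted(unsalted, COMMON_PASSWORDS))
    salted = {user: store_salted(pw) for user, pw in LEAKED_USERS.items()}
    print("salted digests for bob and carol differ:", salted["bob"][1] != salted["carol"][1])
    print("bob still verifies:", verify_salted("P@$$w0rd", *salted["bob"]))
```

The takeaway for the reuse problem is the first two lines of output: you cannot tell how a given site stores your password, so a unique password per site limits the damage when one of them turns out to use the unsalted scheme.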
For the best security all sites should have their own password that is unique, randomly generated, greater than 14 characters, and includes your traditional upper, lower, number and symbol requirements. Websites should have passwords like ‘&AuGwW7ML&sBJ6Ga;Jr2hBdah’ or ‘rx97QMYE+Jgf6o9%~jtsL7o;t’ for maximum security. But who could remember that?
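The two points above, that length beats character substitution and that each site should get a long, randomly generated password, can be checked in code. This added example (mine, not from the original post or from any product mentioned) generates passwords of the kind shown above from the OS random source, checks them against the upper/lower/digit/symbol policy, and puts a rough number of bits on three strategies: a dictionary word with ‘@’/‘$’-style substitutions, a four-word passphrase in the XKCD style, and a fully random 25-character password. The dictionary size of 2^16 words and the per-letter substitution model are simplifying assumptions; the 2048-word list matches the XKCD comic.

```python
import math
import secrets
import string

# Character classes the post's "traditional" policy asks for.
UPPER, LOWER, DIGITS, SYMBOLS = (string.ascii_uppercase, string.ascii_lowercase,
                                 string.digits, string.punctuation)
ALPHABET = UPPER + LOWER + DIGITS + SYMBOLS  # 94 printable ASCII characters
MIN_LENGTH = 15  # the post asks for more than 14 characters


def meets_policy(password: str) -> bool:
    """Long enough and containing at least one character from each class."""
    return (len(password) >= MIN_LENGTH
            and any(c in UPPER for c in password)
            and any(c in LOWER for c in password)
            and any(c in DIGITS for c in password)
            and any(c in SYMBOLS for c in password))


def generate_password(length: int = 25) -> str:
    """Uniformly random password over ALPHABET using the OS CSPRNG.
    Rejection sampling (retry until every class is present) keeps every
    accepted password equally likely, unlike "pick one of each class then
    shuffle", which biases the distribution."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(candidate):
            return candidate


def random_password_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Search-space size in bits for a uniformly random password."""
    return length * math.log2(alphabet_size)


def passphrase_bits(n_words: int, wordlist_size: int = 2048) -> float:
    """Bits for n words drawn at random from a list (2048 words as in the XKCD comic)."""
    return n_words * math.log2(wordlist_size)


# Simplified model of a dictionary word with the common substitutions: each
# letter with popular look-alikes gives the attacker log2(1 + alternatives)
# extra bits, because substituting is just one more choice to enumerate.
# Assumed mapping, letter -> number of common alternatives.
LEET_ALTERNATIVES = {"a": 2, "e": 1, "i": 2, "o": 1, "s": 2, "t": 1}  # @/4, 3, 1/!, 0, $/5, 7


def substituted_word_bits(word: str, dictionary_bits: float = 16.0) -> float:
    """Bits for a word from a 2**dictionary_bits-word list with optional substitutions."""
    extra = sum(math.log2(1 + LEET_ALTERNATIVES[c]) for c in word.lower() if c in LEET_ALTERNATIVES)
    return dictionary_bits + extra


if __name__ == "__main__":
    print("generated:", generate_password())
    print(f"'password' with substitutions: {substituted_word_bits('password'):.1f} bits")
    print(f"4-word passphrase:             {passphrase_bits(4):.1f} bits")
    print(f"25 random characters:          {random_password_bits(25):.1f} bits")
```

Even with every substitutable letter swapped, the word-based password stays in the low twenties of bits, while the 25-character random string is above 160: the substitutions add a handful of bits, each extra random character adds more than six.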
A simple solution to managing secure passwords is the use of a password manager. This allows for only having to remember one strong password, like the one described in the XKCD picture, and increases security by using randomly generated passwords for every site. There are many password managers to choose from on the market. This LifeHacker article explains the features of a number of them, and Part 2 of this topic will cover which one I chose to use and why.