July 11, 2012

You probably know that when a web site asks for personal information or a login, you want to be on a secure server: the address starts with https:// and the lock symbol shows. Your information is encrypted in transit, so anyone "listening" on the network can't read it.

But if you then use an easy-to-guess password like "password" or "0123456" (duh!), you've just tossed away that security. Nobody needs to break the encryption; they just guess. Passwords built from common words and short runs of digits fall to a dictionary or brute-force search in seconds, and the fewer the characters, the faster. This is why so many Hotmail accounts are getting hacked, for example*. (Hotmail doesn't prevent many repeated access attempts. Duh 2.)

If you use a harder password but the same one everywhere, and one of those sites is hacked, you're exposed everywhere: whoever ends up with that site's stolen password list will try each password on every other popular site. This matters more and more as services become cross-linked, like Google's integration, Facebook log-ins to other suppliers, and so forth. You may not think it important that someone can look at your Amazon book orders, but don't forget you gave them your credit card details too. It's surprising what tidbits of information we spread around the Internet about ourselves. Do you remember what you entered 5 years ago?

I've written on this subject before: Good passwords, Password Managers.

[UPDATE: if you'd like a good password suggester, this PCTools page has a good one. Select a quantity of 10 and it will give you a range to choose from. Choose one you like or run it again.]

I've used different techniques over the years. I tried KeePass, but storage-only tools are fussy to keep current, and if not current they lose usefulness fast. For a while I used a spreadsheet in a secure Truecrypt "container" to store passwords, but this was a little fiddly to access and one day it came up corrupted. Fortunately I was able to rescue the data. This also exposes another issue: backing it up. If it's all stored in one place and that's lost, you lose it all.

Storing your passwords on-line in a secure way can be the most convenient, since they're then accessible from anywhere (with a secure master password). When integrated with the browser, they fill in forms and remembered passwords automatically, and save new ones with a click. That makes them markedly more convenient, and you're far more likely to use a long, random, unique password for each site when you don't have to remember it.

You just have to remember one master password, the one for the password tool, and to log out when you step away from your computer. (NOTE: on a shared computer, closing the browser does NOT log you out of many services. Sites that offer "stay signed in" set a login cookie that survives closing the browser, so the server still treats the next person at that keyboard as you. I've often sent people an email to themselves when I launched something like Gmail and was taken straight into their account. Yoohoo! And GMail, why have you made Logout harder to find??)

RoboForm is very well recommended, but the free version is almost useless: it stores only a few passwords.

Another I've recommended is LastPass. Gizmo now rates it as highly as RoboForm (see also Best Free Password Manager). It combines local software with secure on-line storage. The free version stores unlimited passwords in the cloud, decrypts them locally, fills in web forms, allows secure notes, and is accessible from any browser: computer, smartphone, tablet, iPxx, whatever (with the plug-in and your master password). Plus you can access your data when off-line, unlike pure on-line services.

Now, you may object to storing your passwords on-line, but done this way it is no less secure than keeping them on your computer. The stored vault is encrypted with a key derived from your master password and is decrypted only on your own machine, so LastPass staff, a court ordering them to hand it over, or someone who hacks their servers gets only ciphertext. The caveat is that the master password is then the only thing protecting that ciphertext: anyone who steals the encrypted vault can try master passwords offline, as fast as their hardware allows, with no server to slow them down, so the master password must be long and unguessable. Meanwhile, if your local computer dies or is stolen, passwords kept only there are gone with it, whereas with LastPass they're still stored on-line, just like your bank records.
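To make the vault model above concrete, here is an added example (mine, not LastPass's code, and not a description of their actual file format) that uses only the Python standard library. The master password is stretched with PBKDF2 into a key, the vault is encrypted and authenticated on the client, and only the resulting blob is what a server would ever hold. The stream cipher is a toy built from HMAC in counter mode, a stand-in for the AES a real manager would use, chosen so the file runs anywhere; the iteration count, sample entries and candidate master passwords are all constructed for the example. The last function shows what an attacker holding nothing but the blob can do: guess master passwords offline, at a cost of one key derivation per guess.

```python
# Added example (not LastPass's code): client-side vault encryption under a master
# password, and the offline-guessing attack the master password has to withstand.
import hashlib
import hmac
import json
import os

KDF_ITERATIONS = 100_000   # assumption for the example; real managers use this or more


def derive_key(master_password: str, salt: bytes) -> bytes:
    """Stretch the master password into a 32-byte key; every guess costs this many hashes."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, KDF_ITERATIONS, dklen=32)


def _subkeys(key: bytes):
    """Separate encryption and authentication keys derived from the stretched key."""
    enc_key = hmac.new(key, b"encrypt", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"authenticate", hashlib.sha256).digest()
    return enc_key, mac_key


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a toy stream cipher (stand-in for AES-CTR)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(master_password: str, entries: dict) -> bytes:
    """Return the blob a server would store: salt || nonce || ciphertext || tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _subkeys(derive_key(master_password, salt))
    plaintext = json.dumps(entries).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()  # encrypt-then-MAC
    return salt + nonce + ciphertext + tag


def decrypt_vault(master_password: str, blob: bytes):
    """Decrypt locally; returns None for a wrong master password or a tampered blob."""
    if len(blob) < 64:
        return None
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _subkeys(derive_key(master_password, salt))
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def crack_master(blob: bytes, guesses):
    """What someone holding only the stored blob can do: try master passwords offline.
    Returns (password, attempts) on success, (None, attempts) if the list is exhausted."""
    attempts = 0
    for guess in guesses:
        attempts += 1
        if decrypt_vault(guess, blob) is not None:
            return guess, attempts
    return None, attempts


if __name__ == "__main__":
    vault = {"amazon.com": "g7#Qz!p2Wv9L", "bank.example": "Tq4%mR8z@Lw1"}   # constructed sample
    weak_blob = encrypt_vault("password", vault)
    strong_blob = encrypt_vault("correct-horse-battery-staple-2012", vault)
    print(decrypt_vault("correct-horse-battery-staple-2012", strong_blob) == vault)
    print(crack_master(weak_blob, ["123456", "letmein", "password"]))
    print(crack_master(strong_blob, ["123456", "letmein", "password"]))
```

The design choice worth noticing is that nothing in the blob lets the server, or a thief of the blob, tell a right master password from a wrong one except by doing the full key derivation and checking the tag. That is exactly why the iteration count matters and why a master password that appears in any word list gives the whole scheme away.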

My only quibble was that it didn't offer the 'generate password' option (with its strength test) until it sensed you were logging in to something, which sometimes doesn't happen on a new site when you want to pick a password. However, the Alt-G shortcut brings up that option. Browse the Tools sub-menu for more.

The last setting during install is "Close LastPass with your browser", which logs you out of the vault whenever the browser closes. Unless you hop from one browser to another a lot, I'd recommend changing it from the default, especially if you're on a shared computer. If you miss it, it can be set later in Preferences.

They also have a Premium version that adds export, on-line backup, a USB-key version, separated work passwords, and more for professional use.

This site tells you how to run a Security Check in LastPass. How secure are your passwords? You may find you need to work through them to improve your security. LastPass will suggest more secure passwords that you no longer have to worry about remembering. That’s its job.
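Here is an added example (mine, not LastPass's Security Check) of what such a check does with a vault once it has the plaintext: it estimates how many guesses a dictionary-plus-rules attack would need for each password, which puts numbers on the "seconds to break" point above, and it flags the same password reused on several sites, the "one site hacked, exposed everywhere" point. The word list, the mangling rules (case changes, a leet substitution, and a numeric suffix of up to four digits), the guess budget and the vault contents are all constructed for the example; a real checker uses far larger lists and many more rules, so treat the numbers as lower bounds on how easy a password is.

```python
# Added example (not LastPass code): a minimal "security check" over vault entries.
from collections import defaultdict

COMMON_WORDS = ["password", "letmein", "welcome", "qwerty", "monkey", "dragon",
                "football", "iloveyou", "summer", "hotmail", "admin", "login"]  # constructed
SUFFIX_LIMIT = 10_000          # the attacker appends 0..9999 to every variant
LEET = str.maketrans("aeios", "@3105")


def word_variants(word: str) -> list:
    """Case and 'leet' mangling rules, in the order the attacker would try them."""
    lower = word.lower()
    return [lower, lower.capitalize(), lower.upper(), lower.translate(LEET)]


def guesses_for_digits(pw: str) -> int:
    """All-digit password: attacker tries every 1-digit string, then 2-digit, ... in order."""
    shorter = sum(10 ** k for k in range(1, len(pw)))
    return shorter + int(pw) + 1


def guesses_for(pw: str):
    """Position of pw in the attacker's search order, or None if it lies outside that space."""
    if pw.isdigit():
        return guesses_for_digits(pw)
    position = 0
    for word in COMMON_WORDS:
        for variant in word_variants(word):
            if pw == variant:
                return position + 1
            suffix = pw[len(variant):]
            if (pw.startswith(variant) and suffix.isdigit()
                    and str(int(suffix)) == suffix and int(suffix) < SUFFIX_LIMIT):
                return position + 2 + int(suffix)   # bare variant first, then 0, 1, 2, ...
            position += 1 + SUFFIX_LIMIT
    return None


def audit(vault, guess_budget: int = 10_000_000) -> list:
    """Return (site, [problems]) for every entry that is reused, guessable, or short."""
    sites_by_password = defaultdict(list)
    for site, pw in vault:
        sites_by_password[pw].append(site)
    findings = []
    for site, pw in vault:
        problems = []
        others = [s for s in sites_by_password[pw] if s != site]
        if others:
            problems.append("reused on " + ", ".join(others))
        guesses = guesses_for(pw)
        if guesses is not None and guesses <= guess_budget:
            problems.append(f"guessable in about {guesses:,} tries")
        if len(pw) < 12:
            problems.append("shorter than 12 characters")
        if problems:
            findings.append((site, problems))
    return findings


if __name__ == "__main__":
    vault = [  # constructed sample, not a real export
        ("hotmail.com", "password1"),
        ("amazon.com", "Summer2012"),
        ("bank.example", "Summer2012"),
        ("forum.example", "0123456"),
        ("work-vpn.example", "g7#Qz!p2Wv9L"),
    ]
    for site, problems in audit(vault):
        print(site, "->", "; ".join(problems))
```

Run as-is, the report flags the Hotmail entry as guessable in three tries, the two sites sharing "Summer2012" as reused and guessable, and the all-digit "0123456" as guessable in about 1.2 million tries; only the random 12-character password passes. Note that the check never hashes anything: because the manager holds the plaintext it can compute a password's position in a guessing order directly, which is also why such a check must run locally and not on the server.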

If there are some sites you expect to need away from your own computers (say, your email), you can log into LastPass from anywhere, but it's simpler to keep those few passwords memorable. A nonsense name blended with symbols and numbers can still meet the "strong" requirement: think of a fictional nickname for someone at a prior address, or of having done something an amazing number of times, etc. See the prior article and its comments for more tips.


*Email servers have become much more secure, so spammers now look for easily cracked web-mail accounts to send spam from. If you don't nip such a problem in the bud (for example, when you start getting bounce messages for mail you didn't send), you may get locked out of your account and/or have it shut down. Change the password to something secure NOW!


