Trust Your Passwords to the Cloud? Not Without an Umbrella.
Password overload – we hear you loud and clear! I recently checked out LastPass. This free browser extension promises that once you give them all your passwords, one master password is the last one you ever have to remember.
“The Cloud” is hot, so why not store all your passwords in the blue Internet skies? Here’s my advice.
Anyone Who Puts All Of Their Passwords Online Is Insane
Major companies are in the news all the time – millions of credit cards, home and email addresses, Social Security numbers and other types of identity data are stolen and sold.
In recent weeks, hackers known as Lulz Security attacked the websites of Sony, the United States Senate, the C.I.A, and more. Then they published the stolen names, email addresses and passwords online!
Threats from the Outside
While LastPass throws out some techno-jargon like “SHA-2” and “salted hash” to make their service sound secure, note that this only applies to the master password.
The very nature of password managers implies that the rest of the data is encrypted in a reversible way. In other words, the master unlocks everything else in readable, clear text – otherwise it’s unusable.
And if you can see it, so can a hacker.
On May 5, LastPass announced that they were subjected to an external attack, and urged their users to change their master passwords immediately.
Threats from the Inside
In addition to outside attacks, note that most crimes are insider crimes. Which means LastPass, like any website, is vulnerable to:
- Employees who can be bribed or blackmailed
- Infrastructure that may be in a data center with poor physical security
- The site may be hosted in overseas, often replicated across multiple countries
- Its developers may be paid minimum wage in a third world country
Better Safe Than Sorry
Safer methods for data security include awareness, better password management, and moving towards “multi-factor” authentication.
Awareness means understanding the risks, and that any website can be hacked. Big ones, small ones. Your online bank. LastPass.
The easier it is for YOU to find your passwords, the easier it is for an attacker.
Better Password Management
Follow good composition principles even if the website you are using doesn’t require it. That means a minimum of eight characters, a combination of letters, numbers and symbols, and avoiding real words, especially anything personal like a birthdate or a name.
This is easier to do than you think. Come up with a phrase or rhyme, take the first letter of each word, replace some letters with symbols (like “$” for S and “3” for E) and voila – “Yankee Doodle came to town, ridin’ on a pony” becomes “Ydc2tr0ap”.
In addition, follow these guidelines:
- Don’t share passwords
- Don’t e-mail or text any combination of personal information, like your SSN and your driver’s license number
- If you must a share a login or other personal combination, use different channels – for example, send a username by e-mail, followed with the password by text message.
But I still have to manage hundreds of passwords! There are ways to make them safer while still using a password manager. I use 1Password. It’s not online, it’s on only one device (laptop), and I keep my laptop and our home network secure.
Finally, see my post about multi-factor authentication. This sounds techie, but even popular sites like Google are moving in this direction, and it’s not as scary as it sounds.
Stolen identity data can, and has, drained bank accounts and embroiled victims in years-long efforts to clear their name. With so much of our lives online and more all the time (your medical records, coming soon to a computer near you), it pays to get serious about identity protection now. Whatever you do, keep your passwords out of this Thunder Cloud.