Password overload – we hear you loud and clear! I recently checked out LastPass. This free browser extension promises that once you give them all your passwords, one master password is the last one you ever have to remember.

Anyone Who Puts All Of Their Passwords Online Is Insane

Major companies are in the news all the time – millions of credit cards, home and email addresses, Social Security numbers and other types of identity data are stolen and sold.

In recent weeks, hackers known as Lulz Security attacked the websites of Sony, the United States Senate, the C.I.A, and more. Then they published the stolen names, email addresses and passwords online!

Threats from the Outside

While LastPass throws out some techno-jargon like “SHA-2” and “salted hash” to make their service sound secure, note that this only applies to the master password.

The very nature of password managers implies that the rest of the data is encrypted in a reversible way. In other words, the master unlocks everything else in readable, clear text – otherwise it’s unusable.

And if you can see it, so can a hacker.

On May 5, LastPass announced that they were subjected to an external attack, and urged their users to change their master passwords immediately.

Threats from the Inside

In addition to outside attacks, note that most crimes are insider crimes. Which means LastPass, like any website, is vulnerable to:

Better Safe Than Sorry

Safer methods for data security include awareness, better password management, and moving towards “multi-factor” authentication.

Awareness

Awareness means understanding the risks, and that any website can be hacked. Big ones, small ones. Your online bank. LastPass.

The easier it is for YOU to find your passwords, the easier it is for an attacker.

Better Password Management

Follow good composition principles even if the website you are using doesn’t require it. That means a minimum of eight characters, a combination of letters, numbers and symbols, and avoiding real words, especially anything personal like a birthdate or a name.

This is easier to do than you think. Come up with a phrase or rhyme, take the first letter of each word, replace some letters with symbols (like “$” for S and “3” for E) and voila – “Yankee Doodle came to town, ridin’ on a pony” becomes “Ydc2tr0ap”.

In addition, follow these guidelines:

But I still have to manage hundreds of passwords! There are ways to make them safer while still using a password manager. I use 1Password. It’s not online, it’s on only one device (laptop), and I keep my laptop and our home network secure.

Finally, see my post about multi-factor authentication. This sounds techie, but even popular sites like Google are moving in this direction, and it’s not as scary as it sounds.

Stolen identity data can, and has, drained bank accounts and embroiled victims in years-long efforts to clear their name. With so much of our lives online and more all the time (your medical records, coming soon to a computer near you), it pays to get serious about identity protection now. Whatever you do, keep your passwords out of this Thunder Cloud.