You may have read several news about companies whose customer’s passwords are being stolen and exposed to public – be it hashed or worst, plain text. Although it is impossible to totally protect your account from being compromised by having strong passwords and using unique passwords for every website/services you are using.
Who cares if your forum password is leaked to public, it is not that important anyway. However, the real problem is when the attacker tries to access your accounts on other websites/services using the same stolen/cracked password. It could be your paypal account, odesk or email account.
So what do we need?
We need the following to minimize the risk of accounts being compromised.
- Strong passwords
- Unique passwords on all accounts you have
The problem with above is that it will be hard for us to remember all these passwords we got. Therefore we need something to manager our passwords.
Some geeks created software to easily manage our passwords so that we don’t have to remember them, and even not type them at all. There are two popular password managers that I know and have very good feedbacks.
I personally used LastPass as my password manager. It allows creating strong passwords. It will save your password on their servers (encrypted as they say, well I trust them anyway) so you can access your password everywhere. It is basically a browser integration. It allows auto-fill for username and password fields.
The basic workflow goes like this.
- You download LastPass and install its browser integration (either plugin or an installer).
- Setup a strong master password (one password to rule them all).
- Go to your favorite website and login using existing password.
- LastPass will offer to save your password. Of course that is what we wanted to.
- You change password, but this time you tell LastPass to create a strong password.
- Then you save the new strong password.
- Then forget about it.
The next time you visit your favorite website and tries to login, last pass will offer to auto-fill your password. It is convenient since you don’t have to remember all those passwords.
With this password manager stuff however, especially with LastPass, you sync your password to LastPass server. I’ve reviewed several feedbacks and it seems that LastPass staff will never see our passwords since they are encrypted before they reached the servers and stored. If for some reason they will steal our passwords, for some very weird reason, then we’re doom (including me). However, trust is there, anyway, just don’t put everything on any password managers, example, bank information, paypal, etc.
Another problem is the master password. Once somebody knows your master password, the attacker will be able to reveal all your passwords. Therefore, you need to secure the master password. There is an option for LastPass to use two step authentication, a master password and a USB key but haven’t tried that. That is too hassle IMO.
We are not totally safe on the internet but we have the control to minimize the risk. Its our option to use password managers. There is 1Password – another alternative (it’s paid by the way) and many more, some are even open source. Most of them store passwords locally though.
Therefore, to protect our accounts, identify the most important ones, choose your own way of securing it, then use password managers to the rest (set and forget). You should never trust anyone anyway.
By the way, I’m a proud LastPass premium user (it is free but you can pay to have more features like mobile integration).