The Island of Misfit Passwords

We interrupt your regularly scheduled vocational journey blog entry to bring you something a little different…

Password Managers for the Uninitiated

Ok, show of hands out there…  How many of you regularly blank out on an online username/password combination and have to click for the password reset? In an effort to retrieve your errant password, how much time do you waste trying to remember the answers to online security questions?  Like, “Did I put my grandmother’s first name, or her last?  Was my first pet the cat my family owned when I was born, or the puppy I was given for my 6th birthday?”  How many of you, in hopes of avoiding these very problems, use the same one or two username/password combinations for everything (more about why that’s a problem later)?  How many of you shiver a little at the words:  “Case sensitive”?  Did you once try to remember and write down ALL of your usernames and passwords on a pad of paper the realtor down the street gave out?  OK, and where is that paper now?

I find myself in these predicaments, particularly when I’m trying to access something like my insurance company’s website.  I don’t go onto it often, but when I do I always end up goofing up the combination and getting locked out.  It takes time for them to send me the email with the link to re-set.  On top of that, once I finally get logged on it asks me for a 4-digit PIN.  I also have to admit to the same-password-for-everything scenario, which is not only a huge security problem, but also doesn’t work for all sites.  Some want letters and numbers, some want you to add a symbol, some want upper and lower case… etc., etc.

Enter the password manager program.  These are neat creations that help a user secure and organize usernames, passwords and PIN codes.  Sounds great, but which one to use??  I recently (at the urging of my dear husband) started looking into some options.  My wish list of requirements:

1.    Easy to understand and implement.  Don’t give me all this “internal code optimization” and “state-of-the-art encryption algorithms” stuff, because I’m an organizer not an IT professional.  Clients who need organizing help need something intuitive, and so do I.
2.   Includes a strong password generator.  This feature gives the user the opportunity to let the manager create a random password for each login, without having to memorize each one.  Some version of a one-click login retrieves the password automatically and fills it in for you.
3.   Works for PC or Mac, and across all my devices.  If my house is destroyed by a tornado (and I live in Tennessee, so this is totally possible) and the only option I have for getting into bank account information is my iPhone, I need this service to work on it.
4.   Secure.  For obvious reasons.
5.    Reasonably priced.

Naturally there are numerous programs out there, and the options get overwhelming.  I downloaded and played with three in particular that were all highly recommended and thoroughly discussed by various techie sites – 1Password, Passpack, and LastPass.  Although I had wanted to write about all three, I ultimately decided that LastPass (www.lastpass.com) was the best example worth sharing with readers.  Here’s why…

From the get-go, it’s easy to understand what it does, and how to use it.  The site has quick “how-to” videos that aren’t overly technical, but don’t insult your intelligence.  Nothing snarky or cutesy.  The interface is all pretty intuitive, and installs instantly on your browser.  A red snowflake-like icon shows up on your browser toolbar, which allows you to login to any of your stored sites by clicking on it.  It works on pretty much anything and everything.  It did an initial “sweep” of the information on my computer and automatically created a listing of most of my current sites and passwords. I did notice that this list was incomplete, but also noticed that it found things I had completely forgotten I signed up for (like that all-important Labrador Retriever owners chat forum).  Of course, you can delete, add, and edit any of your stored sites and logins.  If you choose, it will pull off all of those automatically filled logins on your sites – it’s just as easy and more secure to use the little LastPass icon to login anyway.

What else?  It can help you create new, stronger passwords for all of your sites.  It will run a “LastPass Security Challenge” that shows you the strength and security of your logins (my score was 11.4% - pretty shameful).  You can create secure “identities” that will automatically fill in forms for when you do online ordering.  You can share passwords securely with someone who may need to access information from one of your sites.  Sharing passwords this way could be important not only from a work-related standpoint, but also if you, heaven forbid, become ill or injured and need someone to handle your affairs.  LastPass will even do credit monitoring.

LastPass is FREE, or you can upgrade to Premium for $12 a year (the upgrade gets you lots of things, but most important to me is the ability to use it on my iPhone and iPad).  I have no idea how this company makes any money, but I’m good with it.

Are the passwords secure, or can someone “on the other side” of cyberspace hack into the information?  Direct from their website:

LastPass is an evolved Host Proof hosted solution, which avoids the stated weakness of vulnerability to XSS as long as you're using the add-on. LastPass strongly believes in using local encryption, and locally created one way salted hashes to provide you with the best of both worlds for your sensitive information: Complete security, while still providing online accessibility and syncing capabilities. We've accomplished this by using 256-bit AES implemented in C++ and JavaScript (for the website) and exclusively encrypting and decrypting on your local PC. No one at LastPass can ever access your sensitive data. We've taken every step we can think of to ensure your security and privacy.

Um… yeah.  If you understood all of that you have no need to read my post anyway.  The bottom line is, keeping those passwords strong and organized is a great step towards protecting yourself from someone stealing your pictures on Facebook and creating a new profile of...YOU.  A new you that now routinely begs people for money.   Or someone sending out emails explaining how your wallet was stolen in Venice and now you need your good friends to help you out with a little cash to get home.  Or something worse.

If you want to check out the other programs I mentioned, here are the sites: https://agilebits.com/onepassword (30-day free trial) and www.passpack.com (free for basic service).  Here’s the catch with whatever password manager you use:  The real you has to get busy and make sure all of your passwords are strong and properly stored in your vault. So this Saturday morning, grab a good cup of coffee and some tunes, and spend an hour or so working on getting your passwords organized and secure.  It’s a whole lot better than having to convince your credit card company that you’ve never even been to El Segundo, much less spent $2000 at a Walgreens there.

p.s.  I wonder what one way salted hashes taste like?