One of the easier ways to get long, strong, complex, and totally unique passwords for all your online accounts is to use a password manager. Some of the more popular ones include RoboForm, KeePass, and LastPass. The manager generates a different string of random gibberish for each site and fills it into the login form for you, so you never have to type it or remember it. Because it only fills a password into the site that password was saved for, it also protects you from typing your password into a look-alike page reached from some phishy scam email link: the clone lives on a different host, so the manager has nothing to fill there. All you need to work this magic is the one master password that opens the password vault.
And this is the one weakness. If cyber-criminals or anyone else get your master password, they have access to every account in the vault.
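As an added illustration of the two mechanisms described above (a fresh random password per site, and a fill that only happens on the site the password was saved for), here is a toy password manager in Python. It is example code written for this post, not the code of RoboForm, KeePass, or LastPass, and the site names, the user name and the look-alike URLs in it are made up.

```python
import secrets
import string
from urllib.parse import urlsplit

# Characters a generated password is drawn from: letters, digits and some symbols (76 total).
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_~"


def generate_password(length=20):
    """Return a random password of `length` characters from ALPHABET.

    secrets.choice uses the OS random source and picks uniformly, so each
    character is worth about log2(76) = 6.2 bits; 20 characters is roughly
    125 bits, far beyond anything a person would memorise for every site.
    """
    if length < 12:
        raise ValueError("refusing to generate a short password")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def origin_of(url):
    """Reduce a page URL to its origin: scheme and host (plus a non-default port).

    The vault is keyed on the origin, not on how the page looks, so a clone of
    the login page served from any other host gets nothing.  Using .hostname
    rather than .netloc also defeats the "realsite@attacker" trick, where the
    genuine site's name is placed before an @ and the attacker's host after it.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        raise ValueError("not a web URL: %r" % url)
    host = parts.hostname  # urlsplit already lower-cases scheme and hostname
    default_port = 443 if parts.scheme == "https" else 80
    if parts.port is not None and parts.port != default_port:
        host = "%s:%d" % (host, parts.port)
    return "%s://%s" % (parts.scheme, host)


class Vault:
    """Toy in-memory vault mapping origin -> (username, password)."""

    def __init__(self):
        self._entries = {}

    def enroll(self, url, username, length=20):
        """Create a fresh random password for this site and remember it."""
        password = generate_password(length)
        self._entries[origin_of(url)] = (username, password)
        return password

    def credentials_for(self, url):
        """Autofill lookup: (username, password) only for an exact origin match, else None."""
        return self._entries.get(origin_of(url))


def demo():
    """Enroll one site, then try the real login page and several constructed look-alikes."""
    vault = Vault()
    password = vault.enroll("https://accounts.example.com/login", "alice")
    # Same origin, different path and query: the manager fills.
    filled = vault.credentials_for("https://accounts.example.com/signin?next=/") == ("alice", password)
    lookalikes = [
        "https://accounts.example.com.evil.example/login",  # real name as a subdomain of the attacker's host
        "https://accounts-example.com/login",                # typo-squat
        "https://accounts.example.com@evil.example/login",   # userinfo trick: the host is evil.example
        "http://accounts.example.com/login",                 # same host, downgraded scheme
    ]
    blocked = all(vault.credentials_for(u) is None for u in lookalikes)
    return filled, blocked


if __name__ == "__main__":
    print(demo())  # (True, True)
```

The anti-phishing property falls out of the lookup key: the vault never asks "does this page look like my bank?", only "is this exactly the origin I saved the password for?". A human comparing the page visually is the weak link the manager removes.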
Which brings us to the recent news (June 15th) from LastPass that its online database of customer information had been compromised. The good news is that LastPass protects master passwords with strong, salted, deliberately slow hashing, which makes recovering users' master passwords from the stolen data very difficult, provided the master password itself is strong. Nonetheless, LastPass is advising its users to change their master password, and, if that master password is also used on any other site, to change the passwords there as well.
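To make concrete why the way a service stores master passwords matters once its database is stolen, here is an added Python sketch written for this post; it is not LastPass's code, and the user names, passwords, wordlist and iteration count in it are constructed. It contrasts a fast unsalted hash with the salted, deliberately slow hashing a service should use, and goes one step beyond the paragraph above: it also shows that slow hashing does not rescue a weak master password, which is why the advice to change it still stands.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # PBKDF2 rounds; an assumed figure, chosen so one guess costs real CPU time


def make_record(master_password, iterations=ITERATIONS):
    """What a server should store to verify a login: a per-user random salt and a slow hash.

    The master password itself is never stored, and the random salt means two
    users with the same password end up with unrelated hashes.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record, candidate):
    """Recompute the slow hash for a candidate and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", candidate.encode(), record["salt"], record["iterations"])
    return hmac.compare_digest(digest, record["hash"])


def fast_unsalted(password):
    """The weak alternative: a single unsalted SHA-256, identical for every user."""
    return hashlib.sha256(password.encode()).digest()


def crack_unsalted(stolen, wordlist):
    """Hash the wordlist once; every stolen hash then becomes a dictionary lookup.

    Cost is len(wordlist) + len(users) fast hashes, no matter how many users there are.
    """
    table = {fast_unsalted(w): w for w in wordlist}
    return {user: table[h] for user, h in stolen.items() if h in table}


def crack_salted(stolen, wordlist):
    """No shared table is possible: each (user, word) pair is its own slow PBKDF2 run.

    Cost is up to len(users) * len(wordlist) slow hashes, and a user whose
    password is not in the list costs the attacker the whole wordlist for nothing.
    Returns (passwords found, number of slow hashes computed).
    """
    found, work = {}, 0
    for user, record in stolen.items():
        for word in wordlist:
            work += 1
            if verify(record, word):
                found[user] = word
                break
    return found, work


# Constructed breach scenario: three users, two of them with weak master passwords.
WORDLIST = ["123456", "password", "qwerty", "password123", "correcthorse", "letmein"]
MASTER_PASSWORDS = {
    "alice": "correcthorse",
    "bob": "7Vq!kLr2#pZx9wDm",   # strong: not in any short wordlist
    "carol": "password123",
}


def demo():
    """Build both kinds of stolen database and run the dictionary attack against each."""
    unsalted_db = {u: fast_unsalted(p) for u, p in MASTER_PASSWORDS.items()}
    salted_db = {u: make_record(p) for u, p in MASTER_PASSWORDS.items()}
    found_fast = crack_unsalted(unsalted_db, WORDLIST)
    found_slow, work = crack_salted(salted_db, WORDLIST)
    return found_fast, found_slow, work


if __name__ == "__main__":
    print(demo())  # ({'alice': 'correcthorse', 'carol': 'password123'}, same dict, 15)
```

Both attacks recover alice's and carol's weak passwords; the difference is the bill. Against the unsalted database the attacker hashed six words once and reused them for everyone. Against the salted one, fifteen slow PBKDF2 runs were needed for three users and six words, and that product grows with every user and every guess, which is what turns a bulk database breach into a per-account slog. Bob's strong password survives either way, which is the other half of the advice: the service's hashing buys time, but only a good master password buys safety.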
When I am teaching my cybersecurity course or giving a public speech on the topic, I am often asked whether I use one of these services, and which one I would recommend. My answer is that I do not use a password service; I have a rather complicated but memorable way of dealing with this issue myself. I am reluctant to put this information into the cloud. Frankly, I am reluctant to put any information of value in the cloud, but we are really too late to do anything about that, “ALL YOUR BASE BELONG TO US”; all my personal information is already in big hackable databases kept by retailers, medical systems, and the government.
So, in my totally trivial way, I am keeping the responsibility for the security of my password trove as the last vestige of online privacy. The database I am using is my brain. I did find the explanation that LastPass provided on its website comforting, and if you use the service, there is a high probability you are just fine.
Here is my problem with the cloud in general. The security is only as good as the company whose server you are on has made it. Most companies are run by technical morons and troglodytes who can’t read their own email and may be great at reading a spreadsheet but probably can’t create one. (I got people for that!) Decisions are made based on cost and ROI, not customer security. So I don’t trust them to do a good job. Just look at what happened to the Office of Personnel Management!