Experience with password managers

Edit: a ‘feature’ in WordPress publishes anything written from a draft (i.e. anything that takes more than one sitting to write) as though it was published on the date the draft was started. Thus, this was published earlier this week, but disappeared back through time into my archives as soon as I hit ‘publish’. Apologies to anyone who was bereft at the lack of blogging on my part.

A couple of months ago, I mentioned that I was looking into using a password manager instead of relying on my memory to store all 184 of my passwords (or thereabouts).

It was a good choice.

I ended up choosing LastPass for my trial. Web research and the experience of a work mate suggested it was easy to use and offered all the functionality I wanted.

What it does

LastPass (and similar products like 1Password) stores your passwords in a secure location and pastes them into forms when you ask for them. Practically, this means you need to remember just one password (the one to open LastPass) instead of scores of them. It also generates new passwords when asked and offers to autofill forms with details ranging from my address (which it has) to my credit card number (which it doesn’t).

The screenshot below shows how it looks when I log in to Facebook now. The asterisks at the end of the username and password fields show that I have saved information for those fields; the number shows how many different identities are saved (handy if you’re sharing an account).

The Facebook log in screen showing an asterisk with the number '1' in front of it, both on the far right of the username and password fields.

I chose LastPass for my system because it works well on my phone, is web based so I can use it at work, and is well priced – $12 a year. You can get it for free if you only want to use it on computers, but I encourage users to pay even then. $12 is a tiny amount to pay for something like this.

What I have to do

Adding a site to LastPass is really easy – when you log in for the first time, it should already be running in the browser. It will ask if you want to save that password, and you can just answer ‘yes’. Total time: 3 seconds.

My process is a bit more complicated. I’m moving from an insecure generic password for all my second- and third-tier sites (i.e. stuff that isn’t completely disastrous if it’s hacked) to unique, unmemorable passwords for all of them.

Each time I log in to a site for the first time since starting to use LastPass (or the second or third time if I’m busy), I’ll stop and change the password to a newly generated random set of characters. It takes about 30 seconds to change the password all up. That would be a burden if I tried to do them all at once, but doing it gradually has worked well and barely affected my timetable at all.

So far, I’ve literally had no trouble with LastPass. 90% of the time I’ll be logging in to sites from my home or work computers and the passwords will come up automatically.

The rest of the time, I’m either using my mobile, or someone else’s computer. If I’m using my mobile, I can use the LastPass browser to access the site that needs a password. The browser on my phone can’t have plug-ins, otherwise I expect I would be able to do it in there.

If I’m on someone else’s computer and can’t install programs, there’s still a fix – I can go to the LastPass website and log in to their web service, then copy and paste the relevant password without it showing on the screen.

Risks

The obvious worry in doing something like this is that LastPass could a) be hacked or b) steal my password and then use it to steal my stuff. There are a few reasons I’m not worried about that:

  • My old system had a single password or similar passwords being used all over the place, so there was a single point of weakness either way. So far, there’s no loss.
  • There’s also a gain in security: the single point of weakness in my system is now protected by a company that stakes its entire ability to exist on being able to protect my passwords. Their whole company literally relies on beating anyone who tries to crack their security. That means their system is going to be much safer than if I went around giving my password to all the sites I want to use, from Facebook to http://www.cutekittenpix.com. If you’re interested in thinking more about this, Lifehacker have already applied their braincells to the same problem.
  • At that point, the weakest point in the chain is the staff at LastPass – they could decide that the contents of my accounts are worth more than the $12 a year I give them to protect my information. But that’s going to be hard to pull off – aside from the fact that stealing my passwords would probably result in their staff being arrested for theft, the entire system is set up so that only I can see the plain text versions of my passwords – everything at their end is encrypted and salted.
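To make the last point concrete, here is a toy version of the client-side model it describes, written as an added example for this post rather than LastPass’s (or any vendor’s) real code: the master password and a per-user salt are stretched into keys on the client, the vault is encrypted and authenticated before it leaves, and the server only ever holds the resulting blob. The cipher is a keystream built from HMAC-SHA256 so the example runs on the Python standard library alone; the round count and the use of PBKDF2 are assumptions for illustration, not LastPass’s settings.

```python
import hashlib
import hmac
import json
import os
import secrets
import string

# Hypothetical parameter for this toy vault (not LastPass's real setting).
PBKDF2_ROUNDS = 100_000


def derive_keys(master_password: str, salt: bytes) -> tuple:
    """Stretch the master password with a per-user salt into separate encryption
    and MAC keys; the salt defeats precomputed guesses, the rounds slow each guess."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, PBKDF2_ROUNDS, 64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a PRF keystream (toy stream cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt_vault(master_password: str, entries: dict) -> dict:
    """Encrypt on the client. The returned blob is all the server ever stores."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    pt = json.dumps(entries).encode()
    ct = bytes(p ^ k for p, k in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()  # encrypt-then-MAC
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def decrypt_vault(master_password: str, blob: dict):
    """Return the entries, or None if the password is wrong or the blob was tampered with."""
    salt, nonce, ct = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ct"))
    enc_key, mac_key = derive_keys(master_password, salt)
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(tag, bytes.fromhex(blob["tag"])):
        return None
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


def generate_password(length: int = 20) -> str:
    """A random, unmemorable site password drawn from the OS CSPRNG."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))
```

A wrong master password or a modified blob fails the MAC check before anything is decrypted, which is the property that lets the stored copy sit on someone else’s server.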

And if all that fails, it’s still not a world-ending problem for me. I’ve kept the passwords for my key email account, my bank account and my work system completely separate from my LastPass use, so that my core services will be safe even if LastPass fails. Plus, those passwords are easier to remember now that I only have four to keep in mind.

Which is why I’m not too concerned about the biggest risk of all: forgetting the master password. Articles like Lifehacker’s Choose (and remember) great passwords have helped me craft a password for LastPass that I haven’t forgotten yet, despite not using it often.

How it’s changed things

Using LastPass has done one simple thing: remembered my passwords so I don’t have to. While it’s pretty simple, it’s made a big difference for me. I can now:

  • Log into sites automatically, or with a single click rather than having to go through a password reset on every third visit to Amazon.
  • Stop stressing about which variation of my mnemonic I’d used.
  • Remember my four key passwords more easily, since there are no other passwords for them to get tangled up with.
  • Save time logging in! Now I’ve got the system up and running, I know I won’t have to stop and fuss with a password reset to use a site that’s outside of my daily routine.

If you’re interested in taking a look for yourself, check out the LastPass website, take a look at one of its competitors like 1Password or KeePass, or see what other clever people have to say about getting a strong password system.
