Sorry for the poor photo quality, I was just so amazed this was a thing I think I was shaking.
I want you to look at that photo. This is an actual thing sold in stores.
But, friends, I’m here to tell you, that’s not how you keep your passwords secure. As someone who has too many passwords to remember, too, I understand the desire to write them down. However, that is bad. Very bad. As bad as having ‘password’ as your password.
Maybe you’re saying, “I’m not that stupid, Casz.” Perhaps you’re like I was and reuse a small rotating set of passwords across your accounts, because anything else isn’t easy for your memory to retrieve. That’s bad, too. Not as bad as having a gold-plated book on your desk for anyone to find, but it still leaves you vulnerable to compromise. If your passwords are always variations on your pet’s name or your favorite sports team, it won’t take much work to guess that your password is “fluffy2017” or “GoWings34.”
Or maybe you were also like me and thought you upped your game by keeping an encrypted spreadsheet. Ha! If an attacker has access to the location where the passwords are stored (whether physically or through malware), they can copy the file and try passwords against it offline at their leisure, so your spreadsheet’s password will not offer any meaningful resistance. Additionally, you have no protection in this scenario should your machine be stolen or suffer a hard-drive failure. “But, Casz,” you say, “backup is paramount to breathing…” Sure it is. But storing extra copies increases the risk that one of them is exposed to nefarious characters (doodle your favorite hacker drawing here). Not to mention managing multiple backup versions, which all might have different passwords for the same account. Because you do rotate your passwords regularly, right? (That’s a topic for another blog post.)
Regardless of how you look at it, lack of secure password management is bad. It leaves you vulnerable in multiple ways. Maybe you’re not compromised today, but security is all about managing risk. Wherever you can reasonably reduce being exposed to risk, you should do so.
The inside of the no-no password management system.
Why? Easy answer = hackers. That includes phishers, scammers, phreakers, breakers, and all manner of people who try to exploit vulnerabilities for profit or pleasure.
Passwords are a pain, and until recently there haven’t been a lot of good solutions available, leaving people to develop some really risky habits. So how do you ease the pain of passwords, while keeping them secure and still have access to them?
Enter password management applications. These are much better than the pictured journal above, encrypted spreadsheets, or sticky notes under your mouse pad, because they offer things like two-factor authentication (another blog post) and security challenge questions, and they let you sync your passwords between computers and even to your phone.
You can pay for such software, and PC Mag did a recent review of those available for purchase: http://www.pcmag.com/article2/0,2817,2407168,00.asp
But I have chosen LastPass, which has a free version that works easily and intuitively. I am able to share my list with my spouse in case something happens to me and he has to handle my internet presence.
I recently adopted it and am thrilled with how easy it was. Go to a website and a popup message prompts you to add it to LastPass. Or you can manually enter everything into the application. I like the popup window because there are sites I go to infrequently and don’t always think about whether I need to include them in my password management. The quick answer to that is: yes you do. Add it all in.
You have your own separate “vault” and you can share one password or all of them. Syncing to your phone costs a small fee. I’m using the free version of LastPass.
But, wait, Casz, you say: What happens if LastPass fails somehow? Good question! As long as you have logged into the plug-ins, you would be able to export all your passwords even with LastPass completely gone. This is possible because a locally cached copy of your data is stored by default when you use the LastPass plugin or LastPass mobile apps. To use any of the export options, go to your LastPass extension Icon > More Options > Advanced > Export.
LastPass Pocket is also offered for backup access on your USB/portable drive.
You can also re-import your passwords back into the Internet Explorer and Firefox password managers.
That being said, LastPass is spread across two data centers in two countries, and has a team of people who can each run the service individually. Plus LastPass tells me (us) that they don’t plan on going anywhere. Besides, in the world of security there are no absolutes. You can only limit your vulnerability. LastPass, and programs like it, do that.
It certainly beats the above leather-bound journal or a spreadsheet on your machine or phone, or the unbelievable ‘password’ as your password.
Stay secure out there.
Editor’s Note: As stated in former IN THE WEEDS posts, I’m brand new to this world of #infosec and #digitalsecurity. I’m allowing you to learn as I learn. I am no expert. Your mileage may vary.