Keeping track of passwords is hard enough (though a good password vault helps a lot). But now, it seems, we need to start keeping track of all the various and sundry breaches that have occurred, possibly without knowing whether we’re directly impacted.
A service like Have I Been Pwned? is a great start, particularly its Pwned Passwords feature, which lets you know if your account, or a password you use, has turned up in a breach. You can get notifications when your email address is discovered in a breach, but when it comes to passwords, it’s still a manual process.
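To make that manual password check concrete, here is an added example (my own, not code from Ask Leo! or from Have I Been Pwned) of the range-query pattern Pwned Passwords uses: the password is hashed with SHA-1 locally, only the first five hex characters of the hash are sent to the service, and the matching is done on your own machine against the list of suffixes that comes back. The breach corpus and the occurrence counts below are constructed stand-ins so the block runs offline; the real endpoint URL and the `Add-Padding` header are the service’s own, and the live-lookup function is included for reference but not called by default.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

# Constructed stand-in for breach data: plaintexts and invented
# occurrence counts. The real service stores only hashes and counts.
CONSTRUCTED_BREACHED = {
    "password": 3730471,
    "letmein": 236000,
    "Tr0ub4dor&3": 1,
}


def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1 of the password, the form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(full_hash: str) -> tuple:
    """First 5 hex chars go to the server; the 35-char remainder never leaves the machine."""
    return full_hash[:5], full_hash[5:]


def build_range_response(prefix: str, breached: Dict[str, int] = CONSTRUCTED_BREACHED) -> str:
    """Simulated server: every stored hash starting with `prefix`, as 'SUFFIX:COUNT' lines."""
    lines = []
    for plaintext, count in breached.items():
        p, suffix = split_hash(sha1_upper(plaintext))
        if p == prefix.upper():
            lines.append(f"{suffix}:{count}")
    return "\r\n".join(lines)


def fetch_range_from_hibp(prefix: str) -> str:
    """Live lookup against the real range endpoint (reference only; not called below)."""
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"Add-Padding": "true", "User-Agent": "pwned-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def parse_range_response(body: str) -> Dict[str, int]:
    """Turn 'SUFFIX:COUNT' lines into a dict; tolerates blank lines and CRLF endings."""
    suffixes = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        suffixes[suffix.upper()] = int(count)
    return suffixes


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How often the password appears in the corpus; 0 means it was not found."""
    prefix, suffix = split_hash(sha1_upper(password))
    matches = parse_range_response(fetch_range(prefix))
    # Padding rows (when Add-Padding is used) carry a count of 0, so they read as "not found".
    return matches.get(suffix, 0)


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate, build_range_response)
        verdict = f"seen {n} times, change it" if n else "not in the sample corpus"
        print(f"{candidate!r}: {verdict}")
```

The point worth noticing is the privacy property: the service learns a five-character prefix shared by hundreds of hashes, never the password or its full hash, so the check can be automated without handing the secret to a third party. Swapping `build_range_response` for `fetch_range_from_hibp` turns the offline demonstration into a live query.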
How do password managers handle random security questions? I’ve never seen this mentioned in any of the articles that I have read. Am I still going to have to maintain a readily available list of security question answers?
Not surprisingly, password managers are all about passwords. More specifically, they’re about automatically saving and entering your username and password when you need to log in. When it comes to security questions, often also referred to as “secret questions” — well, that’s just not their job.
I’ve long recommended password managers like Roboform and LastPass to keep track of passwords for all online accounts. Besides offering an incredible level of convenience, these tools give you a greater level of security by making it practical to use truly long and complex passwords and generate different ones for every site.
But, as with all things relating to security, there are risks.
For example, what happens if you forget your LastPass master password? Master passwords cannot be recovered. While there are a couple of options that might regain access to your password vault, the worst-case scenario is that you lose the vault — and everything in it — forever.
Not to keep beating the same old drum, but the best solution is very simple.
Two-factor (or multi-factor) authentication is one of the most reliable ways to secure an account from being hacked. With two-factor authentication enabled, hackers can’t log in to your account, even if they know the password.
LastPass is a utility used to store and remember your login credentials. Using a tool like LastPass makes you more secure by creating long, complex passwords you don’t need to remember, because LastPass remembers them for you.
The most common concern about password vaults is this: what if someone, somehow, gets the master password to your LastPass vault? While extremely unlikely, the cost of failure is pretty high: that person would have access to every account stored in your LastPass vault.
That’s why I recommend adding two-factor authentication to your LastPass account.
Recently I tried to use RoboForm for an account at a large financial institution, but I couldn’t get it to work. In response to my inquiry, this institution said they do not permit log in using credentials that are stored on software because the security of the password could become jeopardized if my computer were hacked, invaded, etc. Is this true? Am I safer not to use tools like RoboForm?
Some believe using password managers represents a single point of failure. Very technically, they are correct: if someone gains access to your password manager, they have access to everything in it.
Not-so-technically, I strongly believe they are seriously misguided.
Using a password manager is significantly safer than the alternatives.
I keep hearing that I’m supposed to use a different password on every internet site where I have an account. What a pain! I can’t remember all of those passwords. Yeah, I know. You want me to use a password manager thing, but that seems like putting a bunch of really important things into a single basket. What if that basket gets hacked? I use a strong password, why isn’t that enough?
The hacks of several online services have brought this issue to light once again.
I’m sorry, but a single strong password just isn’t enough anymore. You must use different strong passwords on every site where you have an account – at least, every important site.
And yes, you must devise a way to manage them all.
Let me run down an example scenario that’s causing all of this emphasis on multiple different passwords.
News broke over the weekend about an approach to a phishing attack that could fool you into giving a hacker your LastPass credentials, even bypassing two-factor authentication. It’s not yet been seen in the wild, but code has been made available, so I’d expect it to start appearing.
Quick bottom line
If you get a message from LastPass that your session has timed out and you need to log in again, don’t. Instead, I recommend you close your browser, re-open your browser, and log in using the LastPass icon on the browser’s menu bar.
As I write this, the folks at LastPass recently announced that they saw unexplained traffic on their network and could potentially have seen some of their internal data compromised. It’s important to note that no user accounts have been hacked, and no unencrypted user account information has been compromised.
However, to err on the side of caution, they are recommending that we all change our master passwords.
While I am not particularly concerned about my privacy (all that stuff on the internet was out there before the internet, it was just a little harder to find), I am not particularly trusting. I realize that TrueCrypt was open source and LastPass, etc., are all paid services, but what happens if they go belly up? What happens if they hire some idiot and all of their saving software goes up in smoke? I have a hard time trusting these services or any others for that matter, and these are things that I want under my control.
Actually, what you describe happens more often than one might think.
Typically, it’s nothing as attention-grabbing as the TrueCrypt shutdown, but I do regularly hear from people who have been using an application of some sort for some time and suddenly find that the company’s no longer in business and there’s no way to get an update. In some cases, that means they can’t migrate to current versions of their operating system if they want to keep running that now-unsupported software.
It’s something I consider when using important software. Depending on exactly what software it is we’re talking about, there are often approaches that you can use to protect yourself from potential obsolescence or disappearance.
I’ll give you one hint: it’s one of the reasons I moved from Roboform to LastPass.
LastPass recently announced a couple of vulnerabilities. Although they’ve supposedly been fixed, does this mean I should stop using LastPass? Is it still secure?
LastPass is still secure.
Should you stop using it? No. In fact, let me be a little more clear: Hell No! Keep using LastPass.
I remain a strong believer in LastPass. The recently disclosed vulnerabilities – which indeed have been fixed – only affected a small percentage of users. Furthermore, there’s absolutely no evidence that the vulnerabilities were ever actually used to compromise anything.
Rather than say nothing at all, LastPass chose to be open about the discovery. I don’t want panicked over-reaction to punish them for doing the right thing.
I’ve got a quick question concerning saved usernames/passwords in browsers. Whenever you visit a website and need to log in, you’ll be asked (depending on your browser settings) if you’d like to “save” the username/password information to make future logins easier. If you choose to do so, is this username/password information made visible to anyone who has compromised your computer when you access the website in the future? Since the fields are already filled in for you, you don’t actually need to type in anything.
The short answer is yes – if you’re not careful, anyone who walks up to your computer can access those websites as you, or perhaps even walk away with a copy of all your usernames and passwords.
There are actually several important issues around letting your browser – or any utility for that matter – save your passwords. Particularly when we advocate using multiple complex and different passwords for different sites, it’s not only important to use these types of features to keep it all straight, but to use them properly so as not to expose yourself to security issues should your machine ever be compromised.
I’ll review how these features work, and how to use them safely.
I have and use KeePass with Windows 7. I open KeePass in the morning and I leave it open all day. Does this make it unnecessary for malware to determine my KeePass password in order to see my password file? Is keeping KeePass open a security risk?
This is an interesting scenario and the answer really boils down to “it depends”.
I use LastPass, a KeePass equivalent. I keep it logged in all day … and again, I don’t.
Hi, Leo. I searched your site and several other websites but could not find the exact explanation that I’m looking for. I’ve been keeping all of my personal financial information and website passwords in an Open Office spreadsheet that is saved with a long, complex password. From what I’ve been reading on your site and others, that spreadsheet is maybe not as secure as I think it is.
My question is – can anyone using sophisticated hacking software see the data in my file without breaking the password? In other words, if I have a relatively complicated password, shouldn’t I trust that as being secure? I find it very convenient to copy and paste login information from my spreadsheet. However, if I someday lose my portable backup drive or it’s stolen or if someone breaks into my home when I’m away, then could someone easily see the data in my password protected spreadsheet file? I assume, of course, part of this equation is how sophisticated the potential thief is and how much of a target I am perceived to be?
There’s a part of me that really wants to say that you’re safe.
In general, I’m not a big fan of using spreadsheets for passwords, but I know a lot of people do for saving that kind of information. And with a complex and lengthy password like you’ve said you’re using, in general, it should be safe to use a password-protected spreadsheet in a utility like Open Office, Microsoft Office, or any of a number of other applications that provide password protection for their documents.
I want to say that is safe.
Unfortunately, history does not really bear that out too well.
Does Cloud information disappear after deleting the software? My example would be LastPass or Norton Identity Safe. I’m now using Norton Identity Safe. If I delete LastPass from my computer, do my passwords get deleted from the Cloud or are they on the computer? It’s one area that I’m not an expert in because I tend to shy away from it for security reasons for anything online.
That’s an interesting problem. With cloud information, it depends entirely on the specific service and the software involved. Let’s start by talking about LastPass.
Whenever I talk about using different passwords to log in to different sites, and how important it is to make sure all those passwords are difficult to guess (and thereby, conversely, hard to remember), many people throw up their hands in frustration.
It’s too much to remember; too much to keep track of.
Computers, on the other hand, are great at remembering things for you. As a result, there are many popular programs that will track your online passwords for you.