3DSC Day 7: Install a Password Manager

Welcome to the second week of the Thirty-Day Security Challenge!  We are officially one-quarter of the way through the process!  Today's task is to install a password manager on your computer and/or phone. This is an absolutely critical step.  Future posts in this series will ask that you change current passwords and create new accounts with good, strong passwords.  Being limited to feeble human memory forces most of us to choose poor passwords: we reuse the same ones on multiple accounts, and some of the new ones we create this month would otherwise be lost or forgotten.  Storing passwords in a Word document or spreadsheet isn't a great idea either, since that file is unencrypted and is easily lost, copied, or read by anyone who gets hold of the machine.  A password manager solves these problems by generating good passwords, recalling them for us, and storing them in an encrypted database.

Below I have listed some reputable password management options.  Review these, choose one, and install it.  After you have chosen a password manager, secure it with a good, strong master password.  Pin it to your taskbar (Windows) or keep it in your dock (Mac). This will place it within easy access for the remainder of the month.  Take a few minutes to get familiar with creating and accessing entries; you should be using this a lot in the future.

There are a number of good password managers out there and your choice will be somewhat driven by your operating system(s).  The list I give here is by no means exhaustive and there are loads of options.  I am only willing to list the ones that I have used and have familiarity with, however.

FREE OPTIONS

Password Safe (Windows):  If you primarily use a single Windows computer, Password Safe is the way to go.  It is widely known for its user-friendliness.  Password Safe is what is known as a host-based password manager, meaning your password database is stored only on one, single device.  It isn't transmitted to the cloud or stored on a remote server.  There are variants of Password Safe for other operating systems, too, but none of them are supported by the original developer.

KeePass/KeePassX/MacPass (Cross-platform):  KeePass and its variants are open-source password managers and perhaps the most universal of the ones listed here.  There are forks that work on nearly any operating system you can imagine, and a database created by one can be opened by any other that supports the same database format.  These are not the most user-friendly password managers, however, and they lack some of the functionality and polish of most of the alternatives.  They do enjoy the benefits of being strongly encrypted, cross-platform, and totally free.  Like Password Safe, KeePass (and its sister applications) only stores your AES-256-encrypted password database locally, on a single device; you can copy or sync the database file yourself, but the application does not upload it anywhere.

LastPass (Cross-platform): LastPass is the only cloud-based password manager I would even begin to recommend.  LastPass stores all of your passwords in an encrypted database in the cloud; the vault is encrypted and decrypted on your device with a key derived from your master password, so the server holds only ciphertext.  This means that you can access your passwords from any device, as long as you can access the internet.  One other major benefit of a cloud-based password manager is that you will have an offsite backup of your passwords should your computer crash or be stolen. Unfortunately this is exactly the reason I don't prefer LastPass: a vault that is reachable from the internet is reachable by attackers too, and if it is ever stolen your master password is all that stands between them and its contents.  It also means that you might be tempted to enter your master password on a computer that you don't own or control.  LastPass is free on a single device; to install it on multiple devices will require a premium account, which is only $1/month (which is still really close to free).  Premium accounts can be installed on all your devices and shared among up to five users.

PAID OPTIONS

Codebook Password Manager:  I have a fondness for Zetetic's Codebook and have written about it before.  I have used it for years on my iOS devices, and if you only have one or two devices this may be a great option for you.  However, it is a paid program and you must purchase a subscription for each device.  Codebook is a host-based password manager that allows you to sync with other devices locally through Wi-Fi.

1Password:  I include 1Password because it consistently ranks among the most popular password managers.  I personally don't love it, but I also don't have anything against it, and it does have some good things going for it.  1Password is a host-based password manager that allows you to sync with other devices locally through Wi-Fi.  It is also incredibly user-friendly and good-looking, but it is expensive.

Thoughts on the LastPass Breach

I have a couple of thoughts regarding the breach on the popular password manager LastPass earlier this week.  Initially I was disheartened to hear about the breach but was very glad that LastPass dealt with it swiftly and responsibly.  I actually learned of the breach from LastPass, with an email alerting me to change my master password.  Additionally, LastPass is verifying all initial post-breach logins via email unless two-factor authentication is enabled on the account. I was also glad to hear that the attackers were unable to make off with anything more substantial than very strongly hashed master passwords (one-way hashes, not the passwords themselves), cryptographic salts, and email addresses.  Though certainly less than ideal, the attackers were still unable to capture the password vaults themselves.


Though I don’t use LastPass anymore I did for several years and because of this and my comfort with it, I recommended it in Your Ultimate Security Guide: Windows 7 Edition and plan to in the upcoming iOS 8.3 Edition.  The two big take-aways from this breach (at least in my mind) are:

Cloud-based password managers are inherently risky.  This may be a provocative statement because many people use web-based password managers without incident.  But for how long?  Because of the treasure trove of information a password manager contains, they are naturally a target.  Secondly, because they are a more complex system than a host-based password manager like Password Safe, there are more potential points of failure.  The data must transit the internet, back and forth between your computer and the provider's servers, be decrypted locally to be used, be re-encrypted before being uploaded again, and so on.  Every one of those steps has to be done correctly for the whole process to be secure.
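To make concrete what the hashes and salts taken in the breach are and are not good for, here is an added example (my own, not LastPass's code or its actual scheme; the iteration counts, the use of the e-mail address as the client-side salt and the record layout are illustrative assumptions) of the key hierarchy used by a password manager that encrypts the vault on the client before it ever touches the network. The key that would encrypt the vault is derived on your device and never sent; the server stores only a further salted hash of it, so a breach of the server yields an offline guessing target, not the vault. The vault encryption step itself is left out.

```python
"""Toy model of a client-side-encrypting password manager's key hierarchy.

Added example, not any vendor's actual scheme: iteration counts, salt
handling and record layout are illustrative assumptions.  It shows why a
server breach that leaks authentication hashes, salts and e-mail addresses
does not hand over the vault, and what it does hand over: an offline
guessing target whose cost per guess is set by the iteration counts.
The vault encryption step itself (an AEAD keyed by vault_key) is omitted.
"""
import hashlib
import hmac
import secrets
from typing import List, Optional

# Real products use 100,000+ iterations; kept small so the demo runs quickly.
CLIENT_ITERS = 5_000
SERVER_ITERS = 5_000


def vault_key(email: str, master_password: str) -> bytes:
    """Client side: the key that encrypts the vault.  Derived on the device, never sent."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), CLIENT_ITERS
    )


def login_hash(key: bytes, server_salt: bytes) -> bytes:
    """One more salted, iterated hash of the vault key.  This is what the server
    stores and what the client presents at login instead of the master password."""
    return hashlib.pbkdf2_hmac("sha256", key, server_salt, SERVER_ITERS)


def enroll(email: str, master_password: str) -> dict:
    """Simulated server record: exactly the three things a breach of the server exposes."""
    salt = secrets.token_bytes(16)
    return {
        "email": email,
        "salt": salt,
        "login_hash": login_hash(vault_key(email, master_password), salt),
    }


def check_login(record: dict, master_password: str) -> bool:
    """Server-side verification: recompute the chain and compare in constant time."""
    candidate = login_hash(vault_key(record["email"], master_password), record["salt"])
    return hmac.compare_digest(candidate, record["login_hash"])


def offline_guess(record: dict, wordlist: List[str]) -> Optional[str]:
    """What an attacker holding a leaked record can do: run the same chain per guess.
    Each guess costs CLIENT_ITERS + SERVER_ITERS hash iterations; a strong master
    password is one that appears in no list the attacker can afford to run."""
    for guess in wordlist:
        if check_login(record, guess):
            return guess
    return None


def demo() -> dict:
    # Constructed wordlist and accounts for the demonstration.
    wordlist = ["123456", "password", "letmein", "qwerty", "password1"]
    weak = enroll("alice@example.com", "password1")
    strong = enroll("bob@example.com", "gravel-tulip-4-windmill-otter")
    return {
        "weak_cracked": offline_guess(weak, wordlist),
        "strong_cracked": offline_guess(strong, wordlist),
        # The leaked hash is derived from the vault key but is not the key itself.
        "hash_is_not_vault_key": weak["login_hash"]
        != vault_key("alice@example.com", "password1"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The two things to notice are that the server never holds anything from which the vault key can be recovered without guessing the master password from scratch, and that the only lever the user controls in that guessing game is the master password's strength; the iteration counts are the provider's lever, and the breach makes both matter.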

Two-factor authentication is important.  When I first saw the email from LastPass about the breach my heart sank.  I no longer use LastPass but I know a lot of people who do.  Fortunately I know that most of them also use two-factor authentication, and as I learned more about the breach I realized that accounts protected with two-factor were still safe.  I gave high praise to LastPass in Your Ultimate Security Guide: Windows 7 Edition for the multitudinous two-factor options it offers: "The Grid" (my favorite), Google Authenticator, fingerprints, Yubikey, etc.  With two-factor enabled my friends were able to rest easy that their passwords had not been breached.  This is the kind of confidence I want in an internet system, especially one with which so much critical data is entrusted.

As I said earlier, I would still recommend LastPass to anyone who is determined to have a web-based password manager.  The convenience of the system is hard to deny, but personally, I’d rather have the security of knowing exactly where all of my passwords are stored.