Using a password manager has been one of security experts’ top tips for keeping yourself safe from hackers.
We’re always being told to use a different - and complex - password for every online service we access.
No one can remember 70 different passwords, of course.
That’s where a password manager comes in: a piece of software, protected by a master password, that stores your usernames and passwords in a virtual vault. It can automatically generate passwords for different websites, then auto-fills them. Problem solved.
But it all seemed to go to heck last month when the maker of one of the most popular password managers, LastPass, said hackers had gained access to its cloud-based system and stolen copies of the usernames and passwords used by all 33 million of its customers - and that included the usernames and passwords both for its own vault, and log-ins for every online bank, healthcare provider and other service stored in that vault.
LastPass played down the attack, noting that passwords, usernames and form-fill data were encrypted. The online intruders had that data, but they couldn’t read it.
But some LastPass users will still be vulnerable to having their data stolen, says Jordan Heersping, an incident response manager for the Government’s Computer Emergency Response Team (Cert NZ).
Heersping notes the hackers did get a lot of unencrypted LastPass data, including people’s LastPass username, their email address (which is used as a username by many sites), billing address, telephone numbers and, crucially, a list of website addresses from each person’s vault and whether someone used weak or vulnerable passwords.
That means the hackers would take the list of websites a person visited, use their email as the username, then try common weak passwords - or run the person’s password through dark web databases compiled after other hacks, to see if they could match it up with previously-stolen passwords.
Heersping says LastPass could have been more on the front foot with some of its communication about its data breach. The firm’s chief executive, Karim Toubba, told the New York Times it was users’ responsibility to “practice good password hygiene”. He stopped short of telling people to change all their passwords.
“Many security experts disagreed with Mr Toubba’s optimistic spin and said every LastPass user should change all of his or her passwords,” the Times said.
The paper quoted Sinan Eren, an executive with security firm Barracuda, who said: “I would consider all those managed passwords compromised.”
Heersping agrees. “It’s better to spend a few hours changing all your passwords than putting your bank account and other data at risk,” he said.
Yes, you can still trust password managers, Heersping says. He uses one himself. But the proviso is that it should be coupled with good password hygiene.
That means two things:
A couple of years back, security expert Colin James - then with Vodafone - told the Herald that a “pass phrase” was a good alternative to a password.
If a site supports it, then the longer the password or pass phrase the better.
James’ top tip was to use different lines from a favourite song as your password - or pass phrase - for different websites (many sites support spaces, for natural language - though remember to throw in some numbers too, such as “3” for “E”).
This lyrical approach is a great way to remember long, complex passwords for different websites without shelling out for a password manager.
Cert NZ’s Heersping gives this tip his stamp of approval, saying it’s a great way to generate passwords of 30 characters or more.
Cert NZ does have an online guide to choosing a password manager, which tells you the features to look for, but it doesn’t recommend any specific brand.
You’re probably already using a password manager, because Google, Microsoft and Apple’s browsers all have them built in, as does security software from the likes of Norton.
If you’re after a dedicated password manager - which can have advantages in terms of exporting a list of passwords, attaching secure notes or sharing passwords with family or a set of work colleagues - a Wall Street Journal round-up said the best free password manager is the open-source Bitwarden, which it called full-featured in its basic form (there’s also a US$1 ($1.54) per month version, which offers frills including a security report identifying weak passwords and emergency access - that is, an approved second person who can access your passwords if you’re incapacitated).
The easiest to use is 1Password, the Journal said, which is priced from US$2.99 ($4.60) per month, with no free tier. 1Password was also the WSJ’s overall pick.
Honourable mention went to Dashlane, which is priced from US$2 ($3.08) per month.
The New York Times-owned Wirecutter also named 1Password as “the best password manager”, saying it bettered 40 other apps. So did Wired and the Times itself. Wirecutter said 1Password was the easiest to use and had the best family-sharing options.
Wirecutter also gave Bitwarden the nod as the best free password manager: “It does everything you’ll need and doesn’t cost anything”.