My wife and I got a security alert that our personal information was found on the dark web. I decided to do a computer security update on both of us, including checking her password wallet. We use LastPass to store our passwords.

The idea is that all you have to do is know the master password for LastPass, and then let LastPass generate and store all of the other passwords you need. They can be as long and complicated as you need them to be. I began using it after I struggled with passwords a decade ago.

With a tool like that, there is no need for short, easy-to-remember passwords that are easy to guess or on the list of weakest passwords. There is no need to reuse a password. You can use a random password like Defw;n%348mEoi and know that no one is going to guess it, you will never need to remember it, and as long as you keep the master password secure, things are great. Your passwords are stored in an encrypted format that uses your master password as the decryption key. No one, not even the company that makes LastPass, can access your wallet without knowing the master password.

The app will even generate secure passwords for you at the touch of a button. You can then specify the length of the password, as well as the characters used. I have mine generate 15-character passwords that contain uppercase letters, lowercase letters, numerical digits, and symbols.

That is why I was so disappointed when I opened our LastPass wallets to run the built-in password security analyzer. It checks all of your stored passwords to ensure that they are strong, and that they are not duplicated. My score was fine, a 94 out of 100. My wife’s security score was a 50.2. I opened the detailed report to see why. That was when I discovered that she had more than 200 passwords stored, and:

  • 140 of them were classified as “weak” passwords.
  • 112 of them were duplicates of another password.
  • 40 of the “weak” passwords had a score of less than 10 out of 100.
  • 10 of the duplicates were the word “password” or a variation of it.
  • 5 of the duplicates were simply her name.

Even worse, her master password was one of the passwords stored in her wallet. Now to the positive side: the passwords to financial accounts and other high-risk passwords were valid, high-security ones with scores of 75 to 100. She just didn’t see the risk of using low-security passwords for shopping accounts like those used for customer loyalty cards or online retailers.
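As an added example (not LastPass’s own code or scoring), here is a small Python audit that reproduces the kinds of checks described above: generating passwords that cover all four character classes, flagging short, common or name-based passwords, counting duplicates, and detecting a master password that is stored inside its own vault. The sample vault, the owner name and the weakness heuristic are all constructed assumptions.

```python
import secrets
import string
from collections import Counter

# Constructed sample vault (not real accounts): (site, password) pairs.
SAMPLE_VAULT = [
    ("bank.example", "Defw;n%348mEoi"),
    ("petstore.example", "password"),
    ("loyalty.example", "Password1"),
    ("shop.example", "jane"),
    ("forum.example", "jane"),
    ("mail.example", "kP7$qz!L2wN9@xT"),
]
# Assumed list of common password bases ("password" and its variations).
COMMON_BASES = {"password", "passw0rd", "123456", "qwerty"}


def generate_password(length=15, symbols="!@#$%^&*;:,.?"):
    """Random password guaranteed to contain upper, lower, digit and symbol."""
    if length < 4:
        raise ValueError("length must be at least 4 to cover all four classes")
    classes = [string.ascii_uppercase, string.ascii_lowercase, string.digits, symbols]
    alphabet = "".join(classes)
    while True:  # rejection sampling keeps the distribution uniform over valid strings
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in pw) for cls in classes):
            return pw


def is_weak(password, owner_name, min_length=12):
    """Weakness heuristic used by this example (assumed, not LastPass's scoring)."""
    lowered = password.lower()
    if len(password) < min_length:
        return True
    # "Password1" -> "password": strip trailing/leading digits and symbols
    if lowered.strip("0123456789!@#$%") in COMMON_BASES:
        return True
    if owner_name and owner_name.lower() in lowered:
        return True
    return False


def audit_vault(vault, owner_name, master_password):
    """Report weak passwords, duplicates, and a master password stored in the vault."""
    counts = Counter(pw for _, pw in vault)
    weak = [site for site, pw in vault if is_weak(pw, owner_name)]
    duplicates = [site for site, pw in vault if counts[pw] > 1]
    master_stored = any(pw == master_password for _, pw in vault)
    return {"total": len(vault), "weak": weak, "duplicates": duplicates,
            "master_in_vault": master_stored}
```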

So we had to have a conversation about computer security, why I pay for us to have a secure password wallet, and why it’s a bad idea not to use it correctly. I had to point out to her that computer criminals are more active than ever before, and barely a week goes by that we don’t get a notice that one company or another that we do business with has had a data security breach.

Imagine that you do business with an online retailer. Say, an online pet supply store. Their data is compromised. The hackers now have your name, address, password, your pet’s name, and your email address. They then cross-reference that email address to other retailers where you reused the same password. Now they are gaining small, seemingly insignificant details of your life until they hit the big one: they gain your SSN, credit card number, and date of birth from a breach of your hospital’s computers.

So I am spending time today to correct and update all of her passwords. My goal is to get her security score above a 75 by the time this post goes live.

ANOTHER TIP FOR SECURITY: LastPass allows you to store secure notes for each retailer. For your security questions, have the password generator create another random password and store that in the notes as the answer to your question. Then if you ever need it, you have a secure answer to that question about your mom’s maiden name that some hacker can’t get from another source.

DISCLAIMER: As usual, I will inform everyone that the products and services I mention on this site are not paid advertisements. I have no connection to them whatsoever, other than being a paying customer. I receive no discounts or special pricing beyond that which is available to anyone else in the general public.

Categories: Crime

3 Comments

it's just Boris · February 7, 2022 at 1:40 pm

Yep, had this conversation with Mrs B a few years back. We use 1Password (using the versions that don’t sync to their servers) but sounds like a similar feature set.

Re the security questions, that’s excellent advice. In fact, given the number of social media “contests” that ask exactly those same questions, and the easy search of public records, not doing so is asking for problems.

tfourier · February 8, 2022 at 6:25 am

I know a little about this subject as I have been making and breaking software security for decades. As part of my day job. One rule that has not changed is passwords are weak security, pass-phrases are strong security. A three or four word / number pass-phrase sequence is both easy to remember and basically impossible to crack. Unless you have access to a TLA’s custom hardware farms.

Decide on the word sequence, say person / place, date/zipcode/telephone number, action / event, and use that to generate all pass phrases and you have something that is both secure and easy to remember. Mixed words and numbers work best.

Not a huge fan of password storage applications. Never happy with single points of failure. That’s always the first point of attack. But for people who cannot do what I do, a custom passphrase recovery app designed with cracker psychology in mind, they can be a useful tool. But never forget that anything written down and filed away from prying eyes cannot be accessed by some script kiddie in Transdniester or China. Old school hard copy is often the best security.

    Jonathan · February 8, 2022 at 2:04 pm

    Agreed. I don’t like storing passwords anywhere electronic; any true security relies on out of band methods.

    The best passwords don’t make sense to anyone besides you.

    Don’t use true answers to security questions – add or remove information, or use the second instead of first answers. For example, use half of your school name instead of all, or give your middle school instead of elementary – easy for you to remember, hard for others to figure out.
