Tuesday, September 20, 2011

Lastpass (Technical Tuesday)

As a computer programmer I feel that I should apologize to the world for a big problem my profession created. There's no way to measure the number of lost hours or the amount of frustration.

In our defense, we didn't mean for things to get this bad. Every step of the way, we were just trying to make things better--safer. And now, even programmers are caught in the quagmire.

I'm talking about passwords. They're a necessary problem, but a problem nonetheless.

As I see it, there are two things that cause us the most grief:
  1. Passwords are too complex (and getting worse all the time).
  2. There are too many of them.

History in a Nutshell

It all started out simple enough. Huge machines were easy to secure--lock the door. Then computers got smaller.

Smaller computers were more public and had more users. Those users wanted security, so in came the password. Back then passwords could actually be real words. Then computers got faster.

See, there are only about 250,000 words in the English language (a typical dictionary; inflections and proper nouns add some, but not enough to matter). That may seem like a lot, but my computer can count to 250,000 in about a hundredth of a second, and even hashing every guess the way a login system does only slows it to seconds. So guessing a word is trivial.

We started requiring rules for passwords: they couldn't be dictionary words, they had to be at least eight characters long, they had to have uppercase and lowercase letters, they had to contain numbers and symbols. I'm sure you're all familiar with these.

Today people have to choose a mishmash of letters and numbers, and we're not built to remember things like that. Sure we can remember one or two. More than that and it's a lost cause, so we take shortcuts.

We use a name: our own, our children's, our spouse's, our parents', or a nickname. Then we tack a number on the end, for example "Thomas11". If we don't use the number 1, we use a number that is important to us (a birthday, anniversary, graduation year or phone number), like "MyName1990" or "MySpouse1996".

We use a simple word we can remember like "password" or "letmein". Sometimes we get sneaky and replace letters with numbers: "P4ssw0rd" and "L3tM3In". Again, we tack a single digit on the end to reach the required length, usually a 1.

We also like series of numbers or patterns on the keyboard: "12345678", "Qwertyui", "Asdfghkj".

Have I come close to guessing your password yet? Most likely. Password-cracking tools have exactly these habits built in as rewrite rules (append a digit, append a year, swap letters for look-alike numbers, walk the keyboard), so every password above falls in seconds no matter how "complex" it looks.
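To make the point concrete, here is a small rule-based checker written for this post (it is an added example, not code from the original post and not any cracking tool's source). It mirrors the guesser a cracker would run: strip the number people tack on the end, undo the letter-to-number swaps, then look the remainder up in a word list or name list, and separately flag keyboard walks. The word and name lists are constructed stand-ins for the real quarter-million-word dictionaries, and the year range is an assumption tied to the post's date.

```python
import re

# Constructed sample data: a tiny stand-in for the ~250,000-word dictionary and
# the name lists a cracker feeds to a rule-based guesser. A real run uses full
# word lists; the rules below are the same.
COMMON_WORDS = {"password", "letmein", "welcome", "monkey", "dragon", "sunshine"}
NAMES = {"thomas", "sarah", "michael", "jennifer"}

# The "sneaky" substitutions from the post (P4ssw0rd, L3tM3In), mapped back to
# letters so the dictionary check still catches them.
LEET = str.maketrans({"4": "a", "@": "a", "3": "e", "0": "o", "1": "i",
                      "!": "i", "$": "s", "5": "s", "7": "t"})

KEYBOARD_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Year range for "important number" suffixes (birthday, graduation, etc.);
# the upper bound is an assumption tied to the post's 2011 date.
YEAR_MIN, YEAR_MAX = 1900, 2011


def keyboard_walk(pw):
    """True when nearly every adjacent pair of characters sits side by side on one keyboard row.

    Tolerates a single skipped key so runs like "Asdfghkj" still count."""
    s = pw.lower()
    pairs = list(zip(s, s[1:]))
    if len(pairs) < 3:
        return False
    neighbours = 0
    for a, b in pairs:
        for row in KEYBOARD_ROWS:
            if a in row and b in row and abs(row.index(a) - row.index(b)) == 1:
                neighbours += 1
                break
    return neighbours >= len(pairs) - 1


def weak_password_reasons(pw):
    """Return the guessable patterns that pw matches; an empty list means none of these rules fired."""
    reasons = []
    low = pw.lower()
    # Split "Thomas11" / "MyName1990" into the word people remember and the number they tack on.
    word, digits = re.fullmatch(r"(.*?)(\d*)", low).groups()
    base = word.translate(LEET)
    if base in COMMON_WORDS:
        reasons.append("dictionary word" + (" (leetspeak)" if base != word else ""))
    if base in NAMES:
        reasons.append("a name")
    if digits:
        if len(digits) == 4 and YEAR_MIN <= int(digits) <= YEAR_MAX:
            reasons.append("year suffix")
        elif len(digits) <= 2:
            reasons.append("short number suffix")
    if keyboard_walk(pw):
        reasons.append("keyboard pattern")
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    return reasons


if __name__ == "__main__":
    # The post's own examples, plus one password drawn at random for contrast.
    for candidate in ["Thomas11", "MyName1990", "P4ssw0rd", "L3tM3In1",
                      "12345678", "Qwertyui", "Asdfghkj", "xK9#vQ2m!pLw"]:
        print(f"{candidate:14} -> {weak_password_reasons(candidate) or 'no rule matched'}")
```

Every example from the post trips at least one rule; only the random string passes. That is the whole lesson of the next sections: a password that a human chose to be memorable is, almost by construction, one that a short list of rules can regenerate.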

The worst part is this. Even if you do have a very secure, hard-to-guess password, odds are that you use the same one or two of them on almost every site you sign up for, because you can't remember dozens of different ones. That means the least careful site you have ever registered with is guarding the password to your most important ones.

A Horror Story

I don't want to dwell on this sad story, but there's a lot to learn in it. By the way, I've changed the names and details of the story, but the heart of it is the same.

I have a friend who ran an online business. He reviewed items on Amazon, and people used his affiliate link to buy things. He wasn't making a fortune, but the couple hundred dollars each month helped a lot.

One day, he was surfing the net and found a cool site where he could track his exercise. He signed up with them so he could get access to training schedules and a weekly reminder email.

A few months later, the exercise site was hacked. The hackers got away with everyone's username, password, and email address, but they were sneaky and the site owner didn't know. The first thing the hackers did was write a program that tried to log in to everyone's email account with the password stolen from the exercise site (replaying stolen logins against other sites like this is called credential stuffing). They were able to get into my friend's online email account.

Once they had access to his email, they changed his password. Then they did a few searches through his mail and found out the name of his bank, his paypal username, and his Amazon ID. They went out to those sites and tried the same password, but it didn't work. A friend had told him to use a different password for his business affairs, and he took their advice.

That didn't bother the hackers. They clicked on the "Forgot Password" link, and changed the passwords using the hacked email account. They then proceeded to buy stuff with his credit card on Amazon, they wrote offensive reviews for products, they sent rude emails to clients and customers, they sent money through PayPal to random people, and turned off his automatic bill pay.

It took many, many months to recover. He never did start up his business again. His reputation was tarnished and his motivation was in shambles.

Don't let this happen to you.


Here is one thing you can do to keep yourself safer. Use a program called LastPass for all your sites (except your primary email and financial sites).

This program installs in your browser (on your computer and on your phone) and fills in password prompts for you. It will even generate passwords for you when you're signing up for sites. By using this program, you can use a unique, random password for every site. That way, even if one site is hacked, the password the hackers took opens nothing else.

As LastPass's own introductory video explains, your passwords are encrypted with a key derived from a single master password, your "last password". The encrypting and decrypting happen on your own device, so the company never sees the master password and could not read your vault without spending years guessing it. The flip side is that nobody can reset it for you either. Lesson: don't lose your master password, and since it unlocks everything else, make it strong and use it nowhere else.
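Here is the key-derivation step of such a design in working code, added for this post as an illustration (it is not LastPass's implementation, and the iteration count, character set and "million times faster cluster" are assumptions). It shows the two things the paragraph above relies on: site passwords are drawn from the operating system's random generator rather than from anything a human would choose, and the master password is turned into the vault key by a deliberately slow, salted function, so each guess costs the attacker as much as it costs you. The cipher that would actually encrypt the vault with the derived key (AES, in any serious product) is not in the Python standard library and is left out; the point here is where the key comes from and how long guessing it takes.

```python
import hashlib
import math
import secrets
import string
import time

# Character set for generated passwords (an assumption; LastPass lets you pick your own).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.?"
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length=16, alphabet=ALPHABET):
    """Draw each character uniformly with the OS CSPRNG (secrets), never the random module."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHABET):
    """Guessing work for a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(len(alphabet))


def derive_vault_key(master_password, salt, iterations=200_000):
    """Turn the master password into a 256-bit key with a slow, salted KDF (PBKDF2-HMAC-SHA256).

    Only this key ever encrypts the vault; the master password itself is never stored or sent.
    The iteration count is an assumed value, chosen so one derivation takes a noticeable fraction
    of a second on a laptop."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                               iterations, dklen=32)


def years_to_crack(bits, seconds_per_guess, parallel_guesses=1):
    """Expected years to find the password: half the keyspace at the measured per-guess cost."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses * seconds_per_guess / parallel_guesses / SECONDS_PER_YEAR


if __name__ == "__main__":
    salt = secrets.token_bytes(16)          # random per user, stored beside the vault
    t0 = time.perf_counter()
    key = derive_vault_key("correct horse battery staple", salt)
    per_guess = time.perf_counter() - t0    # what one guess costs an attacker holding the vault
    print(f"vault key: {key.hex()}  ({per_guess * 1000:.0f} ms per guess)")

    # Assume an attacker guessing a million times faster than this machine, against:
    cluster = 1_000_000
    cases = {
        "one dictionary word (~250,000 choices)": math.log2(250_000),
        "12 random characters from the alphabet above": entropy_bits(12),
        "16 random characters": entropy_bits(16),
    }
    for label, bits in cases.items():
        years = years_to_crack(bits, per_guess, cluster)
        print(f"{label}: {bits:.0f} bits, about {years:.3g} years")

    print("generated site password:", generate_password())
```

Running it shows the asymmetry the post is getting at: the slow derivation buys you a constant factor, but a master password that is one dictionary word is still gone in minutes, while a random 16-character site password is out of reach for any budget. Strength has to come from the master password itself; the KDF only makes each guess expensive.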

Personally, I don't put my email or financial passwords into LastPass, so that means I have to remember four passwords: my bank, my PayPal, my email, and my master password. That's not so bad. LastPass remembers everything else for me. Besides, if LastPass completely tanks, I can still use the "Forgot Password" link on any of the sites to access my accounts.

What to Do

This is Technical Tuesday, so here are some steps for you to follow to get set up with LastPass.

  1. Visit https://lastpass.com/ and learn more about the program. They have several good videos and FAQs.
  2. Download and install LastPass on your computer. Follow the steps to set up a new account. Use their recommendations to choose a secure-but-memorable master password.
  3. Change your password on your email and financial accounts. Pick a password you haven't used anywhere else. You can let LastPass remember these for you, or not. It's up to you.
  4. That's it. Now, as you surf the internet and log in to your sites, change each password using LastPass. Also, when you sign up for new sites, use LastPass to generate the passwords.
  5. If you like the product, buy something from them. This is what keeps the free version free, and what pays their paychecks to create more great products.

Soon, you'll only need to remember a few secure passwords and LastPass can remember the rest.

Note: Today's post wasn't an answer to anyone's question, but I felt this was an important topic to cover.

* I'm always impressed when someone can use a simple, common object and take a great photo. tehusagent did just that with the key photo. You can see the full-sized image on Flickr. I especially like the little strand of pocket lint clinging to the side.


Stacy Henrie said...

Whoa - that's crazy about your friend. Good information. Definitely makes me want to be more careful.

John Waverly said...

Stacy - That story was a big wake up call for me too. While I'm not a foil-hat person, I do make sure to take time to really think about what I'm doing.

Creative Commons License: Unless otherwise noted, all posts on the John Waverly blog by John Waverly are licensed under a Creative Commons Attribution 3.0 Unported License.