My hatred of using advertisements to fund “free” services is pretty well known at this point. However, it seems that a lot of people prefer the business model where they’re the product instead of the customer. Knowing that, and knowing that password reuse is still a significant security problem for most people, I feel the need to inform you that LastPass, which remains a solid password manager despite being bought by LogMeIn, now has an ad-supported “free” version:
I’m thrilled to announce that, starting today, you can use LastPass on any device, anywhere, for free. No matter where you need your passwords – on your desktop, laptop, tablet, or phone – you can rely on LastPass to sync them for you, for free. Anything you save to LastPass on one device is instantly available to you on any other device you use.
Anything that may convince more people to start using password managers is a win in my book. People who don’t use password managers tend to reuse the same credentials on multiple sites, which significantly increases the damage a password database leak can cause. Furthermore, a password manager lowers the hurdle to using strong passwords. Instead of being limited to passwords they can memorize, users can use long strings of pseudorandom characters, which means that if a password database is breached, the time it takes to recover their password from its stored hash increases significantly (because the attacker has to rely on brute force instead of a time-saving method such as rainbow tables).
If money has been the only thing holding you back from using a password manager, you should take a look at LastPass’s “free” version. While ads are a potential vector for malware, they can be blocked with an ad blocker, and the risk of being infected through ads is significantly less than the risks involved in not using a password manager.
But … if you use a password manager, aren’t all those passwords accessible to anyone who can guess or otherwise divine your password to the password manager? I guess it would usually be harder to capture THAT password than one that’s actually sent out to remote places, but still, it looks to me like asking for trouble. My strategy has been to use the same or similar passwords for less vital places (an identity on a news site so I can post comments, for example), and to use unique passwords for more vital places (bank, etc.). By holding unique passwords to a reasonable number, they all become memorizable.
They’re only accessible if they are also able to obtain the encrypted database storing your passwords. LastPass allows for two-factor authentication so, if enabled, even if an attacker were to obtain your vault password they still couldn’t get a copy of the encrypted database without your second factor token. And as you noted, obtaining that password is more difficult since it’s only used locally.
Remembering a single complex password is feasible, remembering multiple complex passwords isn’t. As you noted, you use similar passwords for a lot of things, which means if an attacker obtains one of those passwords they can likely derive access to more of your accounts. Furthermore, I guarantee you that your complex passwords aren’t nearly as complex as 63 characters of pseudorandom characters. That’s something a human cannot memorize but a password manager can.
The risks you run when using a password manager are significantly less than the risks you run when not using a password manager.
63 characters, eh? Taking ASCII 32 thru 126, there are 95 possible characters for each slot, so 63 of those make for about 3.95×10^124 possible passwords. There are approximately 10^80 atoms in the universe, according to Wikipedia, so you’ve got at least 10^44 possible passwords for each atom in the universe. I’d call that a serious case of overkill. Any competent password-to-hash function is deliberately made computation-intensive to fend off brute force attacks, but even in the absence of such sophistication, I think a 15+ length password should be pretty secure.
As you noted, you use similar passwords for a lot of things, which means if an attacker obtains one of those passwords they can likely derive access to more of your accounts.
Yeah, they can take that password and use it to make a comment to more than one web page using my name. Somehow that doesn’t bother me very much.
But I have to confess to a deep, dark secret: in effect I have my own “password manager”, a PGP-encrypted document in which among other things are my sensitive passwords. So I guess through my own behavior I must concede the point. 🙂
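A worked version of the keyspace arithmetic in the comment above (an added example, not part of the post or any comment): it draws a password from the same 95-character printable-ASCII alphabet the way a password manager would and estimates exhaustive-search time for the 63- and 15-character cases. The two guess rates are constructed assumptions for illustration, not measurements.

```python
import math
import secrets

# Printable ASCII 32..126: the 95-symbol alphabet used in the comment's arithmetic.
PRINTABLE = "".join(chr(c) for c in range(32, 127))

# Constructed guess rates (assumptions, not measurements): a fast unsalted hash on
# dedicated hardware versus a deliberately slow, iterated key-derivation function.
FAST_HASH_GUESSES_PER_SEC = 1e11
SLOW_KDF_GUESSES_PER_SEC = 1e4

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def generate_password(length, alphabet=PRINTABLE):
    """Draw each character independently from a CSPRNG, as a password manager does."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def keyspace(length, alphabet_size=len(PRINTABLE)):
    """Number of distinct passwords of this length over the alphabet (exact integer)."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size=len(PRINTABLE)):
    """Bits of entropy for a uniformly random password of this length."""
    return length * math.log2(alphabet_size)


def years_to_crack(length, guesses_per_second, alphabet_size=len(PRINTABLE)):
    """Expected years for an exhaustive search (on average half the keyspace is tried).
    A large random keyspace cannot be covered by a precomputed table, so guessing is
    the attacker's only option; the guess rate is what the hash function controls."""
    expected_guesses = keyspace(length, alphabet_size) / 2
    return expected_guesses / guesses_per_second / SECONDS_PER_YEAR


def compare(length):
    """Summarise the strength of a random password of this length under both rates."""
    return {
        "length": length,
        "entropy_bits": round(entropy_bits(length), 1),
        "years_fast_hash": years_to_crack(length, FAST_HASH_GUESSES_PER_SEC),
        "years_slow_kdf": years_to_crack(length, SLOW_KDF_GUESSES_PER_SEC),
    }


if __name__ == "__main__":
    for n in (8, 15, 63):
        print(compare(n))
    print(generate_password(63))
```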
I let the NSA manage my passwords.
That’s the worst way to manage your passwords. Have you seen how much data government agencies “lose”?