We all know we should be doing it, but password management just never seems to make it to the top of our lists – unless or until we get “hit.” Once someone has hacked our personal information, the problem can no longer be solved by a simple password update. The recent Heartbleed vulnerability made many of us pay attention to passwords. Even though most of us had no idea what Heartbleed was or is, we knew the experts were taking it seriously – an 11 on a scale of 1 to 10. We were left with that nagging feeling that we should be doing something to protect ourselves.
Personally, I have not been good about my password discipline. I use at most 5 or 6 passwords for the probably 100 websites where I have accounts. And I’m not good about changing them often enough.
Heartbleed made me finally buckle down and explore password management software. This class of software stores all of your passwords for you in a central vault and logs into sites for you.
Password management software even generates complex passwords unique for each site. A generated password might look like “Gy876AOZMj2l.” Most attempts by hackers to discern passwords try common words and names first. To break this password, a hacker would have to iterate through all possible combinations of letters, case and numbers. It would take an extraordinary amount of time and computer resources to accomplish. It’s not worth it to get into your personal checking account.
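As an added illustration (not part of the original column and not any password manager's own code), this Python sketch generates a password like the one above and sizes the search the paragraph describes. The guess rate and the word-list size are assumed round figures, not measurements.

```python
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # 62 symbols: both cases plus digits
SECONDS_PER_YEAR = 365.25 * 24 * 3600
ASSUMED_GUESSES_PER_SECOND = 1e10   # assumption: a well-resourced offline guesser
ASSUMED_WORDLIST_SIZE = 100_000     # assumption: common words and names tried first

def generate_password(length=12):
    """Pick every character with the OS CSPRNG (secrets), never random.random()."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Retry until lower, upper and digit all appear, as many sites demand.
        # This discards about 12% of candidates, costing well under one bit.
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw

def keyspace(length, alphabet_size=len(ALPHABET)):
    """Number of candidates an exhaustive search has to cover."""
    return alphabet_size ** length

def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Same quantity as keyspace(), expressed in bits."""
    return length * math.log2(alphabet_size)

def years_to_exhaust(candidates, rate=ASSUMED_GUESSES_PER_SECOND):
    """Worst-case time to try every candidate; the average case is half of this."""
    return candidates / rate / SECONDS_PER_YEAR

def site_passwords(sites, length=12):
    """One independent password per site, so a breach at one exposes only that one."""
    return {site: generate_password(length) for site in sites}

def compare(length=12):
    """Word-list guessing versus exhaustive search at the same assumed rate."""
    return {
        "wordlist_seconds": ASSUMED_WORDLIST_SIZE / ASSUMED_GUESSES_PER_SECOND,
        "random_bits": entropy_bits(length),
        "random_years": years_to_exhaust(keyspace(length)),
    }

if __name__ == "__main__":
    print(site_passwords(["bank.example", "mail.example"]))  # constructed site names
    print(compare())
```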
There are many different password managers like Last Pass, 1Pass, Keeper, KeePass, Password Box, and others. I decided to go with Last Pass simply because at the time, they updated their Android app, and I’d heard good things about it.
Most of these managers cost a few dollars a year for Premium service. Last Pass is $12 a year. KeePass is free but not as user friendly as the others.
I downloaded Last Pass, and it walked me through creating an account. You do have to specify a password for Last Pass, and it is the only password you will have to remember. If you forget it, Last Pass will not resend it to you but will send the hint you specified. You want to be sure to memorize that password, or at least write it down somewhere safe and secure.
Now each time I log into a website, Last Pass asks if I want to remember the site, username and password.
Once logged into the site, I can go to the page on that site for changing my password. Last Pass will generate a hard-to-crack password and paste it into both the password field and the “re-enter password” field and then update the password in the Last Pass vault.
Last Pass can tell you if a site has been fixed after the Heartbleed vulnerability. There is no sense changing your password on a vulnerable site until after the site has fixed the Heartbleed problem.
Since I have the Last Pass app on my phone, whenever my web browser encounters a login page, it checks Last Pass to see if there is an account name and password ready to go, and if so uses it.
Until recently, Last Pass couldn’t interact with the Chrome Browser on Android, so Last Pass had its own browser for Android. On iPhones, Last Pass has its own browser that automatically fills in usernames and passwords.
Once I have all my sites in and have updated all the passwords to unique, hard-to-hack passwords, I will be much more secure. And if a site is hacked, I only have to change that one password, since I will not be reusing passwords across multiple sites anymore.
Maybe someday, biometrics, like fingerprints, will control our access to sites. The iPhone 6 and the Samsung Galaxy S5 already have fingerprint readers. But until all phones do, and sites are set up to use them for login, we need to manage our passwords better.
Mark Stout lives in Lake Ridge. He started in the personal computer business in 1980, and is a blogger and author. For links mentioned in the column, go to www.familytechonline.com. For more of Mark’s online activities, see http://about.me/markstout.