
Review Your Password System

Preview:
How to improve your password system, or create a new one. Basic rules for password and other vital information storage. Mistakes you should avoid.

The continuous problems LastPass has had with breaches of its database, and its lack of transparency about them, have caused many to review their password strategy. LastPass was once an excellent and highly regarded service, and now we learn it had poor security measures. It exposed its users to both privacy loss and, potentially, exposure of their entire password vault. That should act as a wake-up call for all of us to review our password strategy.



The Absolutely Insane Actions

Here are the things no sane person should do.
  • Re-use passwords
  • Use simple, easy-to-remember passwords
  • Send your password list to all your contacts, so you can call them for help if you forget a password
  • Use an Excel spreadsheet or word-processing program to list them

The Mistakes Sane People Could Make

  • Let your browser handle your passwords
  • Remain with LastPass despite its lack of transparency and continual security breaches

Encryption Made Very Easy

You should encrypt your passwords, log-ins, licenses and other important information that you store on your computer. This process requires some responsibility on your part and some on the part of your software or password system.

Your Job
  1. Decide where to store your passwords. If possible, you want a local program running on your computer. Keepass is the best option for Windows computers; I've written many articles about it, including startup guides. If you need your passwords available on many devices and want to add passwords from any of them, then you'll need to store them both online and locally, saving to the online service and to your local program. For use on multiple devices I recommend Bitwarden. You'll have a safe and secure place for all your passwords and other critical information.
  2. Make up a long passphrase that no one has ever said or written before. It cannot be a combination of two or three words, or a word plus some numbers at the end. Break-ins have put millions of real passwords in the hands of hackers on the dark web, and your passphrase must not be on any of those lists. The objective is to bypass every existing database of potential passwords or phrases, and every combination of them, so that the attacker is forced to guess every possible combination of letters, numerals and symbols. This will be the super password to your strongbox containing all your other passwords.
  3. Stick all your important information inside this secure storage. I store everything in my password manager: all my credit cards, bank accounts and investment accounts, plus information like my driver's license, car VIN number, type of phone and tablet, licenses for all my software and much more. When I receive a license for software, I copy the important information from the email into my password safe. I create the username and password in my safe before making a new online account, and let the manager fill in the account form. There is no chance of me mistyping anything.

Their Job: what your password manager needs to do
  1. They need to do the basics right: encrypt your information properly and protect it, and if they hold a copy online, protect that copy too. LastPass failed to do this multiple times.
  2. They need to create new random passwords for you and make it easy to insert your username and that password into log-in forms.
  3. They never store your master password; they run it through a one-way hash and store only the result. If you lose it, they can't help you get it back, because they don't have it.
  4. They mix it with something unique to you, such as your email address, so that hackers cannot build one specialized dictionary that works against every user. This is called salting.
  5. They run that salted key through the one-way function many thousands of times and use the final result to encrypt the file. Every guess an attacker makes has to repeat the same work, which slows down anyone trying to brute-force the password.
  6. They have outside experts audit them and try to find flaws. Both Keepass and Bitwarden were audited. Since Keepass is entirely local and supported entirely by volunteers, it has only a couple of audits; Bitwarden, however, has annual audits. Both programs are open source, so thousands of people, and governments, have analyzed their code and found it excellent.

Reviewing Your Passwords

It is a good idea to review your passwords occasionally. The two things you are looking for are poor-quality passwords and duplicate passwords. These should be fixed if they matter at all. In Keepass choose Find from the menu, then select Duplicate Passwords or Password Quality to get your report. Other password programs should have similar options.

Throw away the idea that you should know your passwords. I normally have no idea what password Keepass generated and don't care. The exception to long, random, essentially untypable passwords is a site where I might need to type the password in: for example, my Google password, which I need to type when I get a new phone or tablet. Also, my Paramount+ streaming service, which I imagine I might need to type using my remote control on my TV screen!

Consider changing any duplicate passwords that are still functional.
Consider changing any password with fewer than 100 bits of entropy. Most security experts recommend at least 128 bits of entropy. I make all my passwords over 200 bits if the website allows it. Crackers are getting better and better, and I'd like my passwords to remain secure in a few years so I don't have to go change them again!
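The entropy figures above (100, 128 and 200 bits) and the Keepass reports for duplicate and poor-quality passwords can be reproduced with a few lines of arithmetic. The following is an added example for this article, not code from Keepass or Bitwarden; the sample vault is constructed, and the character-class estimate for existing passwords is a hypothetical simplification of what a password-quality report does.

```python
import math
import secrets
import string
from collections import defaultdict

# Symbols a generator can draw from: 26 + 26 + 10 + 32 = 94 printable ASCII characters.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def bits_of_entropy(length: int, alphabet_size: int) -> float:
    """Entropy of a password chosen uniformly at random: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def chars_needed(target_bits: float, alphabet_size: int) -> int:
    """Smallest length that reaches target_bits for a uniformly random password."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def generate_password(target_bits: float = 200, alphabet: str = PRINTABLE) -> str:
    """Generate a random password with at least target_bits of entropy.

    secrets.choice draws from the OS CSPRNG, which is what a password manager's
    generator must use; random.choice would be predictable.
    """
    length = chars_needed(target_bits, len(alphabet))
    return "".join(secrets.choice(alphabet) for _ in range(length))


def estimate_entropy(password: str) -> float:
    """Upper-bound entropy estimate for an existing password, from the character classes it uses.

    This is a ceiling: it assumes every character was chosen at random. A password built
    from dictionary words, or a word plus digits, is far weaker than this number suggests,
    which is why the master passphrase must not be on any breach list.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c in string.punctuation for c in password):
        size += len(string.punctuation)  # 32
    return bits_of_entropy(len(password), size) if size else 0.0


def find_duplicates(vault: dict) -> list:
    """Groups of entries sharing one password (the 'Duplicate Passwords' report, in miniature)."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


def find_weak(vault: dict, min_bits: float = 100) -> list:
    """Entries whose estimated entropy is below min_bits (the 'Password Quality' report)."""
    return sorted(site for site, password in vault.items() if estimate_entropy(password) < min_bits)


# Constructed sample vault (not real credentials) used to exercise the two reports.
SAMPLE_VAULT = {
    "bank": "Summer2023!",
    "email": "Summer2023!",  # re-used: shows up in find_duplicates
    "forum": "password",  # lowercase only, 8 chars: about 38 bits
    "shop": "Kx7#mQ2$vL9!pR4@wT6%zN1&cB8*yG3^",  # 32 chars from all four classes: about 210 bits
}

if __name__ == "__main__":
    print(f"100 bits needs {chars_needed(100, 94)} chars, 128 bits {chars_needed(128, 94)}, "
          f"200 bits {chars_needed(200, 94)}")
    print("duplicates:", find_duplicates(SAMPLE_VAULT))
    print("weak (< 100 bits):", find_weak(SAMPLE_VAULT))
    print("freshly generated:", generate_password(200))
```

With the 94-symbol alphabet, 128 bits takes 20 random characters and 200 bits takes 31, which is why a generated password is not something you would ever want to remember or type.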

Check Your Database Security

You should check the basic security settings of your password database. The normal procedure is to transform the key many times, then use the result to encrypt and decrypt the database. The idea is to slow down any attempt to crack your password file: every guess has to repeat the same transformations. If your password could be cracked in 1 hour with a single transformation, then 100,000 transformation iterations would stretch that to 100,000 hours, about 11.4 years. I recommend 500,000 to 1 million iterations for most systems.

Keepass does this from the File menu, then Database Settings, then Security. Check the iterations and increase them if prudent. Be sure you don't set them too high, because that will slow you down too. Keepass has a "1 second delay" button that determines how many iterations your computer can do in one second. Remember, if you use the database on other computers or your phone, then they'll have to perform the same number of iterations. Don't overdo it.

Bitwarden defaults to 100,001 iterations on your device, then they do another 100,000 on their server and use that. You can probably increase your 100,000 to 500,000 without being inconvenienced.
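The three pieces of the manager's job described above (a one-way hash of the master password, a salt unique to you, and many thousands of iterations before the result is used), together with the 1-hour-to-11.4-years arithmetic and the "1 second delay" calibration from this section, fit in one short program. This is an added example written for this article with Python's standard-library PBKDF2-HMAC-SHA256; it is not the code or the exact scheme used by Keepass, Bitwarden or LastPass. The use of the email address as the salt follows the article's own example, the verifier layout is a hypothetical simplification, and the passphrase and email are constructed.

```python
import hashlib
import hmac
import time


def derive_key(master_password: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master password into a 32-byte key with PBKDF2-HMAC-SHA256.

    The salt is mixed in on every round, so a precomputed dictionary for one user is
    useless against another; the iteration count multiplies the work of every guess.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, iterations, dklen=32)


def make_record(email: str, master_password: str, iterations: int) -> dict:
    """What the manager keeps on disk or on its server: salt, iteration count and a verifier.

    The verifier is a hash of the derived key, never the password itself, so a lost
    master password really is unrecoverable: nothing stored can be turned back into it.
    """
    salt = email.strip().lower().encode("utf-8")  # the article's example of "something unique to you"
    key = derive_key(master_password, salt, iterations)
    return {"salt": salt, "iterations": iterations, "verifier": hashlib.sha256(key).hexdigest()}


def verify(master_password: str, record: dict) -> bool:
    """Re-derive from the stored salt and iteration count and compare in constant time."""
    key = derive_key(master_password, record["salt"], record["iterations"])
    return hmac.compare_digest(hashlib.sha256(key).hexdigest(), record["verifier"])


def crack_time_years(hours_for_one_iteration: float, iterations: int) -> float:
    """The article's arithmetic: crack time grows linearly with the iteration count."""
    return hours_for_one_iteration * iterations / (24 * 365)


def calibrate_iterations(target_seconds: float = 1.0, probe: int = 10_000) -> int:
    """Mimic the '1 second delay' button: time a probe run and scale to the target delay.

    Run this on the slowest device that opens the database; that device sets the ceiling.
    """
    start = time.perf_counter()
    derive_key("calibration-probe", b"calibration-salt", probe)
    elapsed = max(time.perf_counter() - start, 1e-9)
    return max(probe, int(probe * target_seconds / elapsed))


if __name__ == "__main__":
    passphrase = "a passphrase nobody has written before"  # constructed, not a recommendation
    record = make_record("alice@example.com", passphrase, 100_000)
    print("stored verifier:", record["verifier"])
    print("correct passphrase accepted:", verify(passphrase, record))
    print("wrong passphrase rejected:", not verify("guess", record))
    print(f"1 hour at 1 iteration -> {crack_time_years(1.0, 100_000):.1f} years at 100,000 iterations")
    print("iterations this machine does in one second:", calibrate_iterations(1.0))
```

Note that `verify` needs nothing but the stored record and the passphrase, and the record contains no way back to the passphrase: that is the property behind "if you lose it, they can't help you get it back". The calibration number is specific to the machine it runs on, which is why the article warns against setting iterations with only your fastest computer in mind.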

Note

Though I've never used it, I have heard excellent things about 1Password and if you are using that, I do not recommend a change. They seem to be fine.

Further Reading

  • I wrote an article on choosing password managers.
  • Keepass article about protecting against dictionary and brute-force attacks.
  • Bitwarden article on how they do encryption.
  • Bitwarden getting-started videos.




Date: February 2023


Creative Commons License
This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
