Many tech experts, including some writers who’ve contributed to the R-TT Articles and Reviews website, have lauded LastPass as one of the best password managers available. And there are a number of compelling features that support that judgment. But as we enter a brave new world of Internet insecurity, it may be time to rethink the way we store our most crucial data, including our passwords.
First, I’m not going to deny that LastPass is an excellent piece of software for what it is. For those of you who’ve never used it, LastPass is a password manager that generates strong passwords for you as random, non-dictionary strings. It then remembers them for you: your vault, encrypted on your own machine with a key derived from your master password, is kept on LastPass’s servers, and the credentials are autofilled into web forms. You only have to remember one password, the master password that unlocks your LastPass “keychain.” The beauty of this cross-platform, cross-browser password manager is that it finally makes it easy to use passwords that can’t practically be recovered by brute force or a dictionary attack (you’d be appalled if you knew how many people use their pet’s name, their own first name, their birthday or ridiculous words like “password” as their password).
But even if LastPass were 100% rock solid, with absolutely no security loopholes, it would still have one troubling flaw. When you use LastPass, your encrypted passwords and login credentials are stored on servers owned by LastPass. While this isn’t any less secure than keeping your secret diary or business documents on a thumb drive locked in your desk drawer (where it could be picked up by a rogue employee or a rebellious janitor), the problem is that it’s beyond your control. Protecting those servers is someone else’s responsibility, and for many people that causes some unease.
Especially when you consider the recent episode in which LastPass noticed a “possible security issue.” While they did not say that their servers were hacked or that any unauthorized access to a database had occurred, LastPass still recommended that users change their master passwords. No damage has been reported so far, but the episode raises an important question about how safe your data really is when it’s in someone else’s hands.
Granted, even if there were a massive compromise of LastPass on the scale of the PlayStation Network breach, much of the fallout could be limited by having users change their master passwords. Note the limit of that remedy, though: a new master password only protects the vault from that point on. If an attacker has already copied the encrypted vault, that copy stays encrypted under the old master password, and its safety then rests on how strong the old password was and on how expensive the key-derivation function makes each offline guess. Changing the master password promptly after any suspected compromise is good practice regardless.
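To make the point about a stolen copy concrete, here is a simplified model of a client-side-encrypted vault. It is an example added to this article, not LastPass’s code, and its specifics (PBKDF2-SHA256, a key-check value as the stored artifact, an iteration count of 5,000 chosen so the demo runs quickly, the fixed salt and the sample master passwords) are assumptions for the demonstration, not a description of LastPass’s design. What it shows: the server-side record can only be opened by deriving the key from the master password, an attacker holding a copy can try guesses offline at one key derivation per guess, and rotating the master password changes the live record without doing anything to the copy that already left.

```python
"""Simplified model of a client-side-encrypted password vault.

Added example for this article; it is not LastPass's code and does not
reproduce LastPass's actual scheme.  The server holds only a salt, an
iteration count and a key-check value derived from the master password
with PBKDF2; a copy stolen today stays tied to the OLD master password
no matter how quickly the password is changed afterwards.
"""
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumption: a modest iteration count so the example runs in well under a
# second.  Real vaults use far higher counts; each extra iteration makes
# every offline guess proportionally more expensive.
ITERATIONS = 5_000


def derive_vault_key(master_password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """The key the vault is encrypted with; computed on the client, never sent."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations, dklen=32)


def make_stored_record(master_password: str, salt: Optional[bytes] = None,
                       iterations: int = ITERATIONS) -> Dict[str, object]:
    """What the server keeps: salt, iteration count and a key-check value.

    The key-check value lets the client confirm it derived the right key
    before decrypting; the master password itself is never stored.
    """
    salt = salt or os.urandom(16)
    key = derive_vault_key(master_password, salt, iterations)
    check = hmac.new(key, b"vault-key-check", "sha256").digest()
    return {"salt": salt, "iterations": iterations, "key_check": check}


def unlocks(record: Dict[str, object], master_password: str) -> bool:
    """True if this master password derives the key the record was made with."""
    key = derive_vault_key(master_password, record["salt"], record["iterations"])
    check = hmac.new(key, b"vault-key-check", "sha256").digest()
    return hmac.compare_digest(check, record["key_check"])


def offline_guess(record: Dict[str, object], candidates: List[str]) -> Optional[str]:
    """What an attacker with a stolen record does: try guesses, no server involved.

    Each attempt costs one PBKDF2 run, so the iteration count and the
    quality of the master password are the only things slowing this down.
    """
    for guess in candidates:
        if unlocks(record, guess):
            return guess
    return None


# Constructed sample data for the demonstration.
WEAK_MASTER = "fluffy1984"          # pet name + birth year
STRONG_MASTER = "rV9!qLd3#sZ0wKf8"  # random, not in any word list
COMMON_GUESSES = ["password", "123456", "fluffy", "fluffy1984", "qwerty"]


def demo(salt: bytes = b"\x00" * 16) -> Dict[str, object]:
    """Run both scenarios; the fixed salt keeps the outcome deterministic."""
    weak = make_stored_record(WEAK_MASTER, salt)
    strong = make_stored_record(STRONG_MASTER, salt)

    # The attacker copies the record; afterwards the user changes the master
    # password (a real rotation would also pick a fresh salt).
    stolen_copy = dict(weak)
    rotated = make_stored_record("brandNewMaster!", salt)

    return {
        "weak_cracked_as": offline_guess(weak, COMMON_GUESSES),
        "strong_cracked_as": offline_guess(strong, COMMON_GUESSES),
        # Rotation fixes the live record...
        "new_password_unlocks_live": unlocks(rotated, "brandNewMaster!"),
        "old_password_unlocks_live": unlocks(rotated, WEAK_MASTER),
        # ...but the stolen copy still answers to the old password.
        "old_password_unlocks_stolen_copy": unlocks(stolen_copy, WEAK_MASTER),
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome!r}")
```

The weak master password falls to a five-entry guess list; the random one does not. The last two results are the ones that matter for this article: the rotated live record no longer opens with the old password, while the copy taken before the rotation still does.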
But if you are considering alternatives to LastPass, you might want to look for a program that doesn’t keep your passwords on a server. Storing your passwords locally, or better yet in your head, is the only way to guarantee that a third party can’t slip up on your behalf.
For local password storage, try KeePass, 1Password or Keeper (KeePass, for one, keeps everything in a single encrypted file on your own disk). For memorable yet unguessable passwords, consider inventing an absolute nonsense word and using it as a component of your password. Come up with some password conventions that are memorable to you, such as placing certain special characters at certain points, perhaps based on the type of website, and adding meaningful numbers. For example, you could make your nonsense word “luddleCoox” and then add a number based on the number of letters in the name of the site you are logging into. A memorable yet hard-to-guess password for Gmail.com would then be luddleCoox?5G, and your password for Facebook could be luddleCoox?8F. This way your password is different on every website, but similar enough that only you can remember it.

One caveat worth stating plainly: passwords built this way are related to one another, not independent. If any one site stores them carelessly and leaks luddleCoox?5G, anyone who sees it can pick out the fixed part and the site-dependent suffix, and the Facebook password follows directly. So treat the convention as a defense against guessing, not against a leak, and if one of your sites is breached, change the nonsense word everywhere rather than just on that site.
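The following is an added example, not code from this article’s author or from any password manager, and it serves two passages: the “random, non-dictionary strings” a manager such as LastPass generates, and the luddleCoox convention just described. It implements the convention as written (the site name is assumed to be the label before the top-level domain, with any scheme and leading “www.” stripped), shows how an attacker who sees one leaked password recovers the shared secret and writes the password for any other site, and contrasts that with a CSPRNG-generated per-site password and the size of the search space it gives you. The 94-character alphabet and 16-character length are assumptions for the comparison.

```python
"""The article's memorable-password convention beside a manager-style random one.

Added example for this article, not code from its author or from any
password manager.  It shows (a) how the luddleCoox convention derives a
site password, (b) why one leaked password exposes all the others built
with it, and (c) the search space a truly random per-site password gives
you instead.
"""
import math
import secrets
import string
from typing import Dict, Optional

NONSENSE_WORD = "luddleCoox"  # the article's example word


def site_label(url: str) -> str:
    """'Gmail.com' -> 'gmail': drop scheme and 'www.', keep the name before the TLD.

    Assumption for this example; the article only says 'the URL you are
    logging into'.
    """
    host = url.lower().split("//")[-1].split("/")[0]
    if host.startswith("www."):
        host = host[4:]
    return host.split(".")[0]


def scheme_password(nonsense: str, url: str) -> str:
    """The convention: nonsense word, '?', letter count of the site name, its initial."""
    label = site_label(url)
    return f"{nonsense}?{len(label)}{label[0].upper()}"


def recover_convention(leaked_password: str, leaked_url: str) -> Optional[str]:
    """Attacker's view: given one leaked password, pull out the fixed nonsense word.

    The suffix is fully determined by the site, so stripping it leaves the
    secret part that every other password shares.  Returns None if the
    leaked password does not follow the convention.
    """
    label = site_label(leaked_url)
    suffix = f"?{len(label)}{label[0].upper()}"
    if leaked_password.endswith(suffix):
        return leaked_password[: -len(suffix)]
    return None


def predict_other_site(leaked_password: str, leaked_url: str, target_url: str) -> Optional[str]:
    """Chain the two steps: one leak in, the target site's password out."""
    nonsense = recover_convention(leaked_password, leaked_url)
    return scheme_password(nonsense, target_url) if nonsense else None


# What a password manager does instead: independent random strings.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def random_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """CSPRNG-driven; two sites' passwords share nothing an attacker can reuse."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """log2 of the number of equally likely passwords of that length."""
    return length * math.log2(alphabet_size)


def guesses_to_exhaust(length: int, alphabet_size: int) -> int:
    """Size of the space a brute-force attacker must cover in the worst case."""
    return alphabet_size ** length


def demo() -> Dict[str, object]:
    gmail = scheme_password(NONSENSE_WORD, "Gmail.com")
    facebook = scheme_password(NONSENSE_WORD, "Facebook.com")
    # One breach at Gmail is enough to write the Facebook password.
    predicted = predict_other_site(gmail, "Gmail.com", "Facebook.com")
    return {
        "gmail": gmail,
        "facebook": facebook,
        "facebook_predicted_from_gmail_leak": predicted,
        "prediction_correct": predicted == facebook,
        "random_example": random_password(16),
        "random_16_char_entropy_bits": round(entropy_bits(16, len(ALPHABET)), 1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

The convention’s only secret is the nonsense word; everything after it is public information about the site, which is why a single leak collapses the whole set. The random alternative buys roughly 105 bits per 16-character password, with no relationship between sites, at the cost of needing a manager to remember them.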