CNET recently wrote this article explaining how the majority of Windows passwords can now be cracked in less than 14 seconds! Identity theft seems to be a daily news topic and even Apple Mac users who have thought themselves immune to malware and virus threats have recently been reminded that they too are targets. You need to take prudent steps to protect yourself and employing a password manager is one important aspect of your online security health.
Online security experts often offer a number of authentication recommendations. Most of the advice is sage and will go a very long way towards ensuring you aren't a victim of identity theft. Following these steps also minimizes any potential damage (and liability) which may occur should one of your accounts happen to be compromised. Among the most important rules:
- Use strong passwords. So-called dictionary attacks make it increasingly trivial to hack into an account secured by a password that can be found in a modern dictionary, or by a minor variant of such a word. So if your idea of a "good password" is the word "simple" or "simple123," even a rookie hacker is likely to be reading your email or checking your bank balance in a matter of minutes if they are so inclined.
- A close corollary to the first point, use pass phrases if at all possible! It is orders of magnitude more difficult to divine a pass phrase such as "simple solutions to 123 cake recipes" than "simple123."
- Far better than a dictionary-prone phrase is a truly strong password of twenty (or more) characters, such as "Uq7ZT2D8YeNIS9lO2tbz." This character string contains UPPER case, lower case and numeric characters. The odds of such a password being discovered using even today's sophisticated hacking tools and powerful hardware are extremely slim.
- Again, the value of such a strong password is greatly enhanced if you generate UNIQUE passwords for each of your various online accounts. If someone discovers the password for your old Hotmail account you haven't even reviewed for a month, the damage is very containable IF this same password isn't also the key to unlocking your online bank account or ROTH IRA!
- This is almost a given, but using easily discovered personal data in your authentication scheme is an extremely bad idea. In today's electronic universe of social networks and search engines, it doesn't require a rocket scientist in most cases to unearth your mother's maiden name or your cute, lovable pet's moniker.
- Which brings me to one more security point worth mentioning. Even if you follow my advice and practice good password policy, if you answer those security questions with easy (or in fact true) responses, you still leave a rather big security hole in your online fortress. Especially for highly sensitive sites such as your bank and/or investment accounts, consider answering, or resetting, the security questions with information that is not available anywhere. In this case, telling a white lie or two is the better part of valor. There is nothing that requires you to answer these questions with the truth! It is really only necessary that you know the answers! So if one question is "What street did you grow up on?", avoid telling the truth. If you lived on "Eastside Avenue," respond instead with "Westside Street." (Just remember what subterfuge you employed so if the worst happens and you truly do need to reset one of these sensitive accounts, you don't outsmart yourself! See Safe Notes, below.)
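The first bullets above can be checked mechanically. The following is an added example, not part of the original post: it rejects passwords that are a dictionary word or a minor variant of one (such as "simple123"), generates a 20-character password with upper case, lower case and digits, and computes its entropy. The tiny `WORDLIST` is a constructed sample and the function names are hypothetical.

```python
import math
import secrets
import string

# Constructed sample wordlist; a real check would load a full dictionary
# and a list of previously breached passwords.
WORDLIST = {"simple", "password", "dragon", "monkey", "welcome"}

# Common character substitutions that are undone before the lookup.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

ALPHABET = string.ascii_uppercase + string.ascii_lowercase + string.digits


def is_dictionary_variant(password: str) -> bool:
    """True if the password is a wordlist entry or a minor variant of one."""
    # Ignore case and any digits/punctuation tacked on before or after.
    core = password.lower().strip(string.digits + string.punctuation)
    # Also test the core with common substitutions reversed (p@ssw0rd).
    return core in WORDLIST or core.translate(LEET) in WORDLIST


def generate_password(length: int = 20) -> str:
    """Random password containing at least one upper, lower and digit."""
    if length < 3:
        raise ValueError("length must allow all three character classes")
    while True:
        # secrets uses the operating system's cryptographic random source.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.isupper() for c in candidate)
                and any(c.islower() for c in candidate)
                and any(c.isdigit() for c in candidate)):
            return candidate


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random string: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    for pw in ("simple", "simple123", "P@ssw0rd1", "Uq7ZT2D8YeNIS9lO2tbz"):
        print(f"{pw!r}: dictionary variant = {is_dictionary_variant(pw)}")
    print("generated:", generate_password())
    print(f"entropy of 20 random characters: {entropy_bits(20):.1f} bits")
```

The entropy figure only applies to passwords chosen at random like this; a password a person invents has far less, whatever its length.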
I am going to focus on Roboform and LastPass. These two tools have more in common than not in terms of what they offer. Importantly, these companies have extremely good security themselves! After all, creating highly secure authentication and then entrusting this data to a less than trustworthy third party really defeats the purpose of the exercise! These two companies offer truly secure password protection with high levels of encryption while still allowing you access to your password accounts across all of your connected devices (if you need and want this functionality). Others may have similar services and security, but I can vouch for these two alternatives.
First let me highlight some important functionality both services provide:
- Strong password generation. Effortlessly, create truly strong passwords, unique to each site you visit.
- Automatic log in. When you visit a site, these programs will offer to automatically authenticate you with the proper user name and password information you have created.
- Form filling. You can rely on these programs to fill out a multitude of online forms, saving you a great deal of repetitious data entry (and possibly data entry errors). You can also easily set up Identities, allowing you to fill out forms as appropriate (perhaps with individual information in some cases, company information in others, and so on). Optionally, you can securely add credit card data and other personal information, further speeding the form filling process on most sites.
- Ubiquitous access. If you find yourself using multiple devices as I do, you know how challenging it can be to access various accounts on multiple devices. Roboform and LastPass both offer premium "Anywhere" Access. (More on this later.)
- (Safe) Notes: If you have very sensitive information you want to keep handy and secure (perhaps those fake answers to security questions we discussed earlier), it is easy to create a secure note with this information which will always be available with a mouse click.
- Single password access! Yes, you will still have to commit a single master password to memory! No getting around this, but it is just one password and it is used to provide you "master access" and encrypt all the rest of your information from the rest of the world. One password is all you have left to remember. (You SHOULD provide this master password, and instructions, to a loved one, executor, or caregiver. Should something happen to you, this password truly is the key to the castle and having it in proper hands can be among the most important estate planning actions you take!)
- Integration with all modern web browsers. I have found a challenge or two using some obscure tools in various browsers, but key functionality (managing and accessing web sites) works well in modern versions of Internet Explorer, Firefox, Chrome, and Safari. Both companies offer plug-ins for all these modern browsers.
Hopefully, I have convinced you of the value of these tools and the need to add one of these to your daily computational toolbox if you haven't already. I have been a long term user of Roboform. It is the granddaddy of password management. However, I no longer see any reason to pay this company's fees. LastPass offers virtually all the functionality and security of Roboform without the expense.
As of this writing, Roboform Desktop costs $29.95 (free trial available). LastPass is free to download and use. Confusingly, Roboform has another, separate program, Roboform To Go, designed to allow access to account information on a USB key ($39.95), AND Roboform Everywhere, which is an annual fee based service that synchronizes your passwords, allowing access on Android, iPhone, iPad and other platforms using "free" Apps. Roboform Everywhere is available for $9.95 the first year, but renewals are pricier, costing $19.95 a year at the time of this writing.
Situations vary and you may not need, or want, all the functionality of Roboform's three products. If you do, it will cost you $80 the first year and $20/year thereafter. If you would like to review a comparison chart of the company's various offerings, click here.
On value, LastPass is the clear winner. LastPass can be downloaded at no cost. There are no gotchas. No limited functionality, no trialware, nada. If you want synchronized, everywhere, access, plus premium technical support, LastPass Premium costs $12/year. This fee is billed at one time and is refundable if you aren't satisfied with the service. Installation of LastPass on mobile platforms is also free (as are Roboform's mobile Apps).
The nearby video will provide a quick primer in using LastPass. If you would like to see some of this program's additional features in action, click on this link for a complete set of tutorial videos. With my annual Roboform renewal days away, I decided to download and evaluate LastPass again. My conclusion: this program is every bit as powerful and functional as Roboform at a fraction of the cost. LastPass also transparently keeps you in full control of your data. You can easily export all of your information and use it as you see fit.
Siber (spelling changed from original post), the maker of Roboform, makes saving and exporting your data more difficult. In fact, exporting my logins, identities and Safe Notes from Roboform for use in LastPass was more challenging than I ever would have expected. It seems Siber has consciously made it difficult (impossible without some trickery) to get your data in a format which can be used by its competitor. (Shame on you!!!) For the record, moving from Roboform to LastPass can be accomplished. The trick is downgrading from the current release of Roboform to an older version (which is no longer available on the company's official web site)! Once you have completed this step, the process isn't too painful, but there are still a couple of hurdles. If you are interested in learning the easiest way to make the move from Roboform to LastPass, share your thoughts in the comment field, or contact me directly. I will be happy to share the specific steps necessary and if there's enough interest, I will write a formal follow-up article.
If you don't have a Password Manager, stop what you are doing and download LastPass today. There is no cost and much to gain. Anyone who has suffered identity theft can vouch for how costly and painful this can be in life. Even if you haven't fallen victim to this dreadful modern day disaster, I bet you have scratched your head more than once trying to remember a forgotten user name and password!
I currently participate in Associate Programs, and certain item links included within this post may tie to these affiliate programs. By using these links, you help support Music Row Tech, and I appreciate your support.
This commentary is not meant as an endorsement of any company or to provide financial advice. If the author has any financial interest in any company mentioned at the time of this article’s posting, it will be explicitly noted. I welcome feedback and comments.