Password management
Password management: a reader asks…
Hi Chris, I’ve read what you say and recommend about password managers, but I’m not convinced. We don’t do online shopping, banking or social networking. We visit websites but almost never create a user account. So we really only have three passwords to remember: our email account password, our Apple ID and our MacBook’s login password. Do you think we qualify for an exemption?
You might, but only if you are really good about what passwords you use for those three items. That means using completely unique passwords for each one of them, and making sure that each password is both long (13+ characters) and strong. So what makes a password strong?
To be a strong password, you must use a random assortment of type-able characters on your keyboard:
1. at least one upper-case letter, and
2. at least one lower-case letter, and
3. at least one number (0-9), and
4. at least one other character (a symbol, such as those you get by holding down the Shift key while typing a number key, or any other key on the keyboard that isn’t a letter or a number).
If your password is made up of strung-together words (in any language), it’s not strong. So basically, if it’s easy for you to remember, then it’s probably not a strong password. Adding a number to the mix improves the strength somewhat, but adding a symbol (#4 in the list above) adds a lot more strength.
The truth is, length is just as important. Hackers have custom computers with off-the-shelf components that can crack any password, given time. It used to be that a 10-character password using all the above strength factors would take centuries to crack, but now it can be done in days. And the tools hackers use are continuing to improve – fast. My guess is that we have no more than 5 years before any password you use would be useless – at that point we’ll need secure biometrics (think NCIS eyeball readers, fingerprint readers and deep-radar facial recognition). But until that time, our two biggest protectors are strong passwords and 2-factor authentication. The former is easy to implement with a password manager, the latter is just starting to catch on (but if you can, use it wherever it’s available).
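As an added illustration (not code from the original post), the following Python checks a candidate password against the four character-class rules and the 13-character minimum given above, and estimates the size of the search space an exhaustive guessing attack would have to cover, so you can see how length and character classes each contribute. The sample passwords are constructed for the example and are not real credentials.

```python
import math
import string

# The four character classes from the checklist above, plus the 13+ length rule.
MIN_LENGTH = 13
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    # Shifted number keys and the other non-letter, non-number keys.
    "symbol": set(string.punctuation),
}


def check_password(pw: str) -> dict:
    """Return which of the page's rules the password passes; 'strong' means all of them."""
    result = {name: any(c in chars for c in pw) for name, chars in CLASSES.items()}
    result["length"] = len(pw) >= MIN_LENGTH
    result["strong"] = all(result.values())
    return result


def keyspace_bits(pw: str) -> float:
    """Bits of search space if an attacker knows the length and which classes
    were used: log2(charset_size ** length). Assumes the characters are random;
    it overstates a passphrase made of dictionary words."""
    charset = sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in pw))
    if charset == 0:
        return 0.0
    return len(pw) * math.log2(charset)


def compare(candidates):
    """Summarise strength and search space for a list of candidate passwords."""
    return [(pw, check_password(pw)["strong"], round(keyspace_bits(pw), 1)) for pw in candidates]


if __name__ == "__main__":
    # Constructed samples: lower+digit only, all classes but too short, all classes and 13 chars.
    for pw, strong, bits in compare(["password123", "Tr0ub4d#r!", "Tr0ub4d#r!Xq2"]):
        print(f"{pw!r:18} strong={strong!s:5} keyspace={bits} bits")
```

Adding a fourth character class grows the per-character alphabet, while each extra character multiplies the whole search space again, which is why the 13-character sample lands roughly 20 bits above the 10-character one with the same classes.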
The other factor in play here is length of time – the longer you’ve gone without changing your password, the likelier it will have been hacked. Fortune 500 companies like to put their employees through hell by forcing password changes every 90 days or so, which is flat-out ludicrous without having a password manager helping you. Even so, these companies are getting hacked right and left because the hackers are relentless, motivated, and well-funded. And frankly, we as a society aren’t any good about security – that includes many of the people in the business of security as well as rank-and-file employees and particularly executives. I call this a target-rich environment for hackers, and it’s only getting better (for them) and worse for us.
So if you truly only have three passwords to remember and take care to make them unique, strong and long, and change them from time to time, then you might get an exemption on using a password manager. But for the vast majority of consumers (the rest of us), we need help to manage this process. What’s left is deciding which password manager to use.
My recommendation for several years now has been LastPass. What I like about them is a combination of factors and features that isn’t shared by most of the competition:
- basic capability is free, and only $12/year for unlimited use (any device, as many as you want) per user
- LastPass works pretty much the same across all platforms (Mac, MS Windows PC, Android or Apple tablet, Android, Windows, Apple or Blackberry smartphone) and browsers (Internet Explorer, Apple Safari, Google Chrome, Mozilla Firefox, Opera).
- LastPass plays nicely with 2-factor authentication as well as biometric authentication (such as the iPhone/iPad fingerprint ID).
My #2 recommendation is 1Password from AgileBits.com. There are two primary reasons why I rated LastPass higher:
- Cost: 1Password charges by the user/platform, while LastPass charges by the user. So if you’re a typical family, you’ll probably have to buy separate licenses for Mac, for PC, for iPhone, and for Android. And that price is a lot more than $12. I should note that 1Password has a Mac & PC bundle to help reduce the cost a bit, but it’s still significantly more expensive. And don’t think that because 1Password advertises it as a one-time cost (while LastPass is a yearly cost) that you’re better off. Security software is on a constant upgrade cycle because hackers buy it and reverse-engineer the software to figure out how to defeat it. So every year or so you’ll have to pay an upgrade price – for each license you buy.
- Features: 1Password has different versions for each of the platforms they support, and doesn’t work the same way across all the platforms, browsers and devices. Their support forum has plenty of entries about how this or that feature doesn’t work yet on this or that platform, browser, or device. These are always followed by “coming soon”, but some of the postings are pretty old.
There are other decent options, such as Dashlane Premium ($40/year), KeePass (free), and RoboForm ($20/year), but in my opinion it’s not worth using a ‘decent’ password manager; you want the best you can get. However, there is one factor that might push you to using something other than LastPass or 1Password – keeping out of the cloud. Both my recommended password managers sync your password vault across multiple devices and computers by keeping the master vault in a heavily encrypted server in the cloud (on the internet). To me, that’s a decent trade-off between security and usability, but if you only use one device, then by all means go with a password manager that doesn’t put a trace in the cloud, such as Dashlane, KeePass or RoboForm. Please note that only KeePass is a local-only option, but you can configure both Dashlane and RoboForm to only use a local vault. I will tell you the downside to the local-only option: if your computer crashes or is stolen and you haven’t got it backed up, you’re toast.
One Last Note: just recently the venerable LastPass was bought out by the venerable LogMeIn remote access software-as-a-service (SaaS) company. Change can bring both good and bad with it, and I’m going to be watching closely to see exactly what happens with LastPass in the coming months. What I’m most worried about are three things:
- feature bloat: adding more features that we don’t need or want, and perhaps that don’t work as well.
- cost creep: reducing what you get for the free version of LastPass (or eliminating any free option), as well as increasing the cost to use LastPass. Because they’re already talking about adding more features, I’m half-expecting some change in cost to consumers.
- support slide: LogMeIn has been accused of having poor support (but then, same for lots of companies we all deal with, Verizon and Comcast – I’m looking at you), and I’m worried that as LastPass folds into the LogMeIn organization, its excellent support services will be degraded.
I’m hopeful that none of these worries will materialize, and you can bet that I’ll be reporting the facts as they surface. Until something changes, I still recommend LastPass for most consumers as the best value in a password manager.
This website runs on a patronage model. If you find my answers of value, please consider supporting me by sending any dollar amount, or by mailing a check or cash to PosiTek.net LLC, 1934 Old Gallows Road, Suite 350, Tysons Corner VA 22182. I am not a non-profit, but your support helps me to continue delivering advice and consumer technology support to the public. Thanks!