I am a terrible person – but not for the reasons you may think. It turns out part of my terribleness is related to the fact that I only had three passwords or so that I used for the entirety of my presence on the internet. I had known this for years and years. I would occasionally update my passwords – only to change it to one of the previously used ones, or a new password that I would use for everything. It was a shameful state of affairs, and I’m sort of shocked that I didn’t have my identity stolen more than the basic level I experienced that I think everyone gets.
The good news is I am a changed woman. And the scare news about every big leak finally got to me when it was about a data breach called Cloudbleed. Yes, it was a bad breach, but probably not the worst one, but it was sort of the final straw. I’d been hearing for years about how I needed a password manager, but dutifully ignoring that information. Perhaps it was the idea of having my website hijacked – not that there’s a lot of use for that beyond wanting to convince my dozen or so friends who read that that I’ve gone round the bend, but still. So I finally got on that, and made the leap into password management.
I will say that I didn’t do a lot of research before diving in. Mostly because I’d heard of LastPass, and the few articles that I did read about “best password managers” came back saying it was a really good choice. Perhaps PC Magazine isn’t the gold standard in digital/electronics rating and journalism anymore, but I still think being their editors choice for best password manager has to mean something. And this may be an example of confirmation bias, but whatever. I don’t care that much, which is a lie, because I do care about the quality of my password manager, but maybe don’t care so much that I answered my own question before asking it?
In any case, I got LastPass. It’s a free service, and here’s how it works. You sign up at their website, and then download a browser extension which will make it easier to actually get into websites without a lot of going back and forth to copy passwords. You create a master password that becomes the one you use to get into your LastPass “vault” – the place where all your account information is stored. There’s a lot more information on the level of encryption and exactly how/why LastPass doesn’t actually have access to your passwords here, but you can read that for yourself, because I can only trust that it’s good. Theoretically you can upgrade to a premium account for $12/year, but the only benefit I see from that is the ability to store and share information, documents and passwords securely with trusted persons/family members. Which means you’d have to get your people to sign up too. And the Boy isn’t really interested – he’s just too paranoid about “but what happens if LastPass gets hacked, and then you’re totally fucked!” and I’m thinking, “well, at least they’d let me know if someone was trying to get into my account, and also I have crazier strong passwords because of LastPass, which is good. So who knows if I’ll ever convince him.
Theoretically I should have been able to convince him when we listened to the ReplyAll podcast that was about having your password hacked and had a discussion about password security called “The Russian Passenger“. As we drove along together, listening and guffawing at what happened, I found myself for the first time in my life feeling smug – I’d done the things that they’d suggested just a few weeks before. I was on top of things! But something I didn’t know about was the very interesting site ‘;–have i been pwned? It was created by an Australian data security specialist and goes through the information about publicly posted breaches and lets you know if your account was one of them. If you know that you were breached, you can change your password, because chances are – like I used to do – you’re using the same password on multiple sites. So knowing is half the battle. (Also, if you’re interested, there was a creepy as hell follow-up to that podcast episode called “Beware All“, and it will just scare the pants off you regarding internet security)
So yes – I like LastPass a lot. I can use it across multiple computers (having to log into the website to gain access to the passwords in my vault each day), and even on my phone, which requires me to use my fingerprint or master password to verify that it is indeed me. I’m able to set stronger passwords for my accounts with little to no effort, and am able to retrieve those passwords just as easily as if I had them stored in a text file, which I definitely do not have (anymore). Am I scared of having my LastPass account hacked? Sure – but I think the chances of that happening are less than having, say, my ebay account hacked. Using LastPass has also opened my eyes to how many accounts I have online. I’m currently at 67, and I’m sure there are more that I just haven’t logged into in years. Which is sort of shocking. But the entire process of going in and changing your passwords is just eye opening. So…yeah. Highly recommended. Because you know you should have done this long ago too.
Ok – who out there has been putting off using a password manager? Or uses a different one? Who can explain to me in simple terms about how good LastPass’s encryption and security is based off of what they say on their “How it Works” site? And is there anyone out there who thinks I’m dumb for using a password manager because you too are paranoid about someone hacking the password managers?
UPDATE (4/20/17):
After doing a little digging, because of Nicole’s comment below, and because I’ve been getting a message on the app on my phone about, “Your LastPass Premium trial will expire in 6 days”, I did a little digging. It turns out that LastPass was giving people 60 free days of Premium, which allows syncing on multiple devices, but that your free account only continues on the first type of device you signed up on (Desktop, mobile, tablet). They weren’t really clear about the fact that (for me) the mobile service was only free for this trial period. Information here in this blog post. Premium service is $12/year, and allows for syncing across all devices, multifactor authentication, and removing ads. That seems like a pretty good deal for me, and considering I spend more money on other frivolous things, I think it would be a dollar a month well spent.
Details: LastPass (free on one platform, $12/year for Premium)
That’s really funny. I’ve been using LastPass for a few years now, but I was STILL using just a handful of variations on the same password I’d had for everything since we got the Internet when I was 11 years old. Basically, I was using LastPass so I didn’t have to remember which variation when to which site, and for its AutoFill and Auto Login features, which is such a tiny, simple thing but I love it so much. But then I listened to that exact same Reply All podcast and basically freaked out. I also used the Have I Been Pwnd? website (spoiler alert: I had).
LastPass has a great security challenge function where it analyzes all of your passwords and gives you a % rating for how secure you are and then gives you specific tasts to improve. It will even auto-change passwords on certain sites for you, which is kind of cool.
Long story short, I changed about 3 years worth of websites logins to randomly generated long strings of gobbledegook. Because I’d been using it for so long, it also had a ton of web sites saved in there that I no longer used, from random shopping websites I had to create an account for one time, to dead logins from past jobs. I deleted all those, had my random accounts shut down entirely, and I’m up to like 67% secure, even after all of that.
However, I did see an article about how LastPass was made aware of a “huge vulnerability” in their own software and were working to fix it. But they were confident it hadn’t been used by any maleficent sources, so I guess it’s fine??
Also, I DO pay for the upgraded version of the app because it allows you to put the software on your phone, which makes accessing websites way quicker and easier since I don’t have to open the website to look up my super-secure passwords anymore. The mobile app just auto-fill it for me (as well as generating new secure passwords and autosaving those on mobile, too) which a swipe of my fingerprint.
Yeah, I’m at like..90% on that scoring. Which is pretty good. 🙂 But it’s possible that I don’t have all my accounts on there, so…who knows.
Also – I don’t think you need to pay for premium anymore to be able to have the app on your phone. At least I don’t think so, but a button on the app has popped up recently saying, “Your LastPass Premium trial will expire in 9 days – Go Premium!”, and based on the information on the website, it looks like it should be free? Another thing to look into…
Maybe it’s free now but it certainly didn’t used to be. But $12 a year is negligible and when I can, I like to pay for the things I like, so I don’t mind continuing to be a Premium subscriber.