I did a count the other night and found that I have more than 80 passwords for various sites including email accounts, shopping sites and online forums. That's a lot of passwords, but no two are the same. And I know none of them by memory.
That's because I use an online password manager called LastPass, which both randomly generates passwords and stores them under digital lock and key on servers the company behind LastPass controls. To gain access to my list of passwords, I have one master password and that's it.
It's a simple, relatively convenient and supposedly secure method of creating and accessing passwords, and in an era in which, according to a recent article by the online tech site Ars Technica, hackers have entered a golden age of password cracking, it or a similar service is worth considering.
The Ars Technica article by Dan Goodin is a fascinating, and disturbing, account of how hackers have more powerful and cheaper hardware and software tools at their disposal than ever before. At the same time, online users, that's you and me, have become lazy and are reusing the same password for multiple sites. We're also using predictable patterns of creating our passwords, and as hackers have broken into major online services and retrieved millions of passwords, they are discovering common patterns to reduce the variables needed in cracking passwords through brute force calculations.
Some of us make it easy for hackers by using passwords like "password" or "1234567," or the names of pets and hockey teams. But according to Goodin, even relatively sophisticated users are getting tripped up. In creating our own passwords, according to actual databases uncovered by hackers, we almost always put capital letters at the beginning, and nearly all punctuation and numbers at the end. We also have a strong tendency to use first names followed by years, "such as Julia1984 or Christopher1965," Goodin writes.
What's worse is that we use the same password for multiple sites. If that's your strategy, that means if someone guesses or discovers your password for your Facebook account, they will also have access to your Yahoo emails, Twitter and Flickr. You're giving it away.
Goodin's article goes into much more detail, but the obvious takeaway is that we're lousy at creating our own passwords. The more memorable we make them, the easier they are to guess. When we try to make them stronger with fancy capital letters and numbers, we fall into predictable patterns.
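As an added illustration (not code from this column or from Goodin's article), the habits described above can be checked for mechanically before a password is accepted. The name list, function names and sample accounts below are constructed for the example.

```python
import re

# Constructed sample lists; a real check would load much larger ones.
COMMON_NAMES = {"julia", "christopher", "michael", "sarah"}
TRIVIAL = {"password", "1234567"}


def predictable_patterns(password):
    """Return which of the column's predictable habits a password shows."""
    findings = []
    if password.lower() in TRIVIAL:
        findings.append("trivial")
    # The only capital letter is the very first character.
    if [i for i, c in enumerate(password) if c.isupper()] == [0]:
        findings.append("capital-first")
    # Letters first, then every digit and punctuation mark bunched at the end.
    if re.fullmatch(r"[A-Za-z]+[^A-Za-z\s]+", password):
        findings.append("digits-or-punctuation-at-end")
    # A first name followed by a four-digit year, e.g. Julia1984.
    m = re.fullmatch(r"([A-Za-z]+)((?:19|20)\d{2})", password)
    if m and m.group(1).lower() in COMMON_NAMES:
        findings.append("name-plus-year")
    return findings


def reused_passwords(accounts):
    """Map each password used on more than one site to the sites sharing it."""
    by_password = {}
    for site, pw in accounts.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sorted(s) for pw, s in by_password.items() if len(s) > 1}


if __name__ == "__main__":
    # Constructed accounts: two sites share one pattern-following password.
    accounts = {
        "facebook": "Julia1984",
        "yahoo": "Julia1984",
        "forum": "x7#Qm2!vK9pL",
    }
    for site, pw in accounts.items():
        print(site, predictable_patterns(pw))
    print(reused_passwords(accounts))
```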
That's where services like LastPass, and similar services such as 1Password and RoboForm, come in. They will randomly generate passwords for you as strings of numbers and letters and store those passwords in an online account only you have access to. The advantage of online access is that you can access your LastPass account from just about any compatible computer or mobile device using your browser.
Using such a system requires a change in approach. You won't know your passwords by heart and won't need to. You will have to remember your master password and find a way to keep it secure. Hugh Thompson, the former founder of the excellent Digitalhome.ca, noted in his recent monthly column for the Globe that he has his master password for LastPass memorized, with a copy written down and kept in a safety deposit box in a bank.
You also have to trust that the online service knows how to keep your passwords secure. But LastPass says not even it can gain access to the stored passwords of its users, and the service comes recommended by security gurus like Steve Gibson and experienced tech writers like Thompson and Goodin.
The basic service from LastPass is free, which is all I use. LastPass is not perfect. It sometimes gets confused by multiple accounts for the same website or email service. But it's relatively easy and convenient, and ease and convenience are half the battle in online security.
email@example.com Twitter: @trueblinkit