All in the Password

By Charles Miller

In the tech world, the fallout from the hacking of the popular password manager LastPass continues to be in the news. Unfortunately, much of the reporting that has made its way into the mainstream media is misleading. As a result, a number of people have asked me if using a password manager is a bad idea. I firmly believe that the advantages of using a password manager far outweigh the possible disadvantages. There are many password manager programs from which to choose, and in spite of the recent hacking incidents I still use LastPass and continue to recommend it.

There is a popular axiom that says “perfect is the enemy of good.” Perfect security is a pipe dream, but that does not mean taking sensible precautions to protect yourself is pointless. Like it or not, passwords are the most common method of providing security on the internet, so it makes sense to be smart about your passwords.

Another axiom in the internet technology world is “convenient is the opposite of secure.” In the case of LastPass, this is something that the company seems to have forgotten. The fact is that a simple, easy-to-guess password adds risk while a longer, more complicated password provides better protection. This is true not just for LastPass, but everywhere passwords are used. A big mistake LastPass made was not requiring users to create longer and more secure passwords.

The conundrum faced by LastPass was this: if it had required customers to use a cryptographically secure password of at least 12 characters, with upper case and lower case letters, numbers, punctuation, and no dictionary words, that would have prompted some customers to say “To heck with LastPass!” So the company chose to allow customers to use less secure passwords.

Now, the concern is that some LastPass servers were hacked and some backups of customers’ data are in the hands of the hackers who stole them. This terrible breach of security should never have happened because it could result in data falling into the wrong hands, just like losing a personal laptop or smartphone. The safety measure that likely stops the hackers from retrieving the data is a strong master password, if the LastPass user chose one. A tech-savvy user understands that a strong master password provides very good protection for their stolen data. Anyone who used a simple password, like “Fido123”, should be very concerned.

Since the problems at LastPass came to light, I have spent a lot of time helping friends and clients evaluate whether or not they are at risk. Fortunately, most of my clients have learned that the password they chose would take years or decades for the hackers to crack. Knowing their password is that good means it is not likely the hackers will ever be able to gain access to sensitive data. Knowing how to determine whether or not a password is a good one is important too, so be sure to pick up next week’s Atención for important tips.

Charles Miller is a freelance computer consultant, a frequent visitor to San Miguel since 1981 and now, practically a full-time resident. He may be contacted at 415-101-8528 or email FAQ8@SMAguru.com.