Personal Password Audit

login dialog

In my quest for better online security, I have been working on a personal password audit. I have been going through all of my accounts and changing the passwords. In the process, I am insuring that each account has a unique password. How will I remember all those passwords? How will I make sure I do not repeat myself? I have used a password manager for years. It makes it a lot simpler to use strong passwords and not have to remember them all.

My password manager of choice is LastPass. I chose it initially because of the free version, support for two-factor authentication, and the approach used to secure their customer data. Now that LastPass has actually been hacked and had their customer data stolen, I am even more confident. Even though the encrypted data got into the wild, the good practices LastPass uses to protect customer data has prevented anyone from actually compromising that data.

LastPass lets you access your passwords on virtually any device, as well as store secure notes. The convenience of having my passwords available to me on any computer, phone, or tablet is amazing. I am a huge fan of the sharing ability that is built into LastPass. I can securely share account credentials with my wife without having to worry about letting her know every time update the password. LastPass syncs the shared account information to her LastPass account whenever I make a change. She cannot actually view the password, unless I authorize it when I share the password with her.

Another great feature of LastPass is the ability to evaluate your passwords for security. It will let you know if you are using a duplicate or weak password. It is always good to have something keeping you on your toes when it comes to security.

Although I have a history of using strong passwords, I am starting to use the LastPass password generation feature more frequently. Since I no longer need to remember the password, it makes a lot of sense to use a string of 30 or more randomly generated characters and numbers.

Yes, I said 30 or more. Length is the best defense against password cracking attacks. The longer the password, the harder it is to figure out, even if the password is using plain text words. It strictly has to do with the number of possible combinations that are created. I try to vary the length I use to make it even more challenging for someone to crack my other passwords based on a single compromised password.

If you do not want randomly generated passwords, and really want something that you can remember, you can use a technique called haystacking. Essentially you pick some words to use for your password and add some padding characters and numbers. Make it a pattern you can remember. This will help you create a long meaningful password that you can remember, which is important for your master password for a service like LastPass. If you really want to geek on the math of it all or learn more about haystacking, you can get started with this Gibson Research Corporation article on haystacking and complexity.

Do not use information in a password that you share with anyone or is public record. Just like Google can make some good guesses about what you like based on your browsing habits, it is not terribly difficult to scrape together data from your social media and public records to generate a list of probable passwords. If you make up a password that is just a combination of things like your child’s birthdate, favorite sports team, and your favorite color, you have made it fairly easy for a password cracker to narrow the possibilities.

In my opinion, the best thing to do is take some time to install and use a password manager so you have no reason not use long, complex passwords. For your master password, take a few minutes to learn about haystacking and create something unique to keep all your passwords secure. Please do not use the same password for every site. Take some time to do a personal password audit to make it harder for someone to compromise your online security.