Aug 17, 2012

If You Do One Thing Today To Improve Your Online Security, Do This



The week is winding down and we're sure you're getting excited for the weekend, so here's just one, simple step you can take today to increase your online security:

Update the password for your email address, and make it a secure one.

It may be old advice for some of you, but if you've been putting off the process of strengthening your passwords, don't delay any longer in making your email account's password as strong as it can be. Do. It. Now.

Why? Attackers are known to target sites with weaker security, harvest the email addresses and passwords stored there, and then test those credentials against other, more popular (and important) sites. Because password reuse is so common, this gives them easy access to critical accounts where you've used the same login details. There has been an unending stream of database breaches in the last several months, and the login information of tens of millions of people has been posted on the web.

For most people, their email account is a window into their personal, financial, and even work life, so it's critical to (1) use a unique password and (2) use as long and strong a password as you can manage: one that can't be guessed and isn't based on dictionary words.

LastPass can obviously help there, by generating a long, secure password for you and then remembering it so you don't have to - it's as easy as a few clicks. Now you really don't have an excuse!

There are many more elements that go into being proactive about protecting your data, but it's a good starting step. If you're looking for even more ways to increase your online security, check out our round-up of security tips & tricks from the past week:

11 Ways to Make Your LastPass Account Even More Secure via How-To Geek
10 Online Security Tips for Gen Y via Mashable
Turn on Two-Factor Authentication via Lifehacker

And now you can relax just a little bit more this weekend!

Best,
The LastPass Team

Graphic courtesy of Lifehacker.com

26 comments:

  1. I want to make my password a complex, nonsensical, random, crazy super secure password. Really, I do. Every other password I have is unique, long, and complex. But there's a catch with my email:

    When you're trying to log in to a Chromebook using your GMail password, LastPass can't help you there.

    Granted, my GMail password is sufficiently long, uses upper- and lower-case letters, numbers, and symbols, and is unique.

    Any suggestions, oh password gurus?

    1. Jeb below has a good point - use a "passphrase" that you can still add to LastPass (via LastPass.com or the browser addon, or the mobile apps, etc) but that's easier for you to type out without LastPass' help with autofilling. Something memorable but not guessable, and super long. LastPass also has a "pronounceable" option in the password generator, which would make remembering that generated password a little easier.

    2. There are many ways that you can create a password that is sufficiently complex as to be an effective digital lock. A good place to go to learn how to make very good, complex passwords is the Password Haystacks page on Gibson Research's website (https://www.grc.com/haystack.htm). It is a great resource for learning about and constructing good, secure passwords.

  2. I would also suggest using something like Google Authenticator. I have it on my gmail and LastPass account and now my Google Account generates a random password for each device or service that wants to use it. I can see a list of them, when each was last used and revoke access whenever. I highly recommend it.

    1. Agreed - thanks for the input, Tom!

  3. Well, one of the problems with lastpass is that even with double authentication through a physical device, the email password is the weak link.

    If I have double authentication enabled, I can always disable it through the lastpass login window, e.g. if I have lost the physical authentication device. But in the end that leads to one-stop authentication only - if my email password is compromised, all my passwords with lastpass are compromised, right?

    1. The security email address does help in that situation - it can be enabled in the LastPass settings dialog and ensures that multifactor authentication emails (and other notifications for critical account changes) are directed to a secondary, more obscure email account.

    2. if my email password is compromised, all my passwords with lastpass are compromised, right? - No, not at all.

  4. @Erik : One and only good solution for you --> http://xkcd.com/936/
    Combine 4 or 5 words which do not make any "sense" together, but do for you.

    1. Best password comic ever :). Thanks for the input.

    2. Is that a comic or a training manual? Nice job by xkcd on that one.

    3. I refer everyone to that xkcd when talking about password strength. You can also play with the following site to see how long it would take to crack your password.

      http://howsecureismypassword.net/

      If your password is <100 years, it's probably not secure.
      CorrectHorseBatteryStaple would take a quintillion years to crack.

    4. That's actually the system I've used for my LastPass password, with a couple non-alphanumerics thrown in for good measure. I guess I could do the same thing with my email.

    5. Great comic. I use this for my LastPass, Google and Apple iTunes accounts. Everything else is now LP Generated. And no they are never reused. Worked through the Security Challenge at the beginning of the year and did a major clean up.

    6. Oh, and I use OAuth to Google wherever possible. Easy to review and deauthorize if needed.

  5. I remember only two passwords: LastPass and Google. Obviously they are not the same... and super strong.
    The rest of my sites, accounts, etc are all fully randomized. THANKS LP for making my life so much easier - and safer!

    1. Glad LastPass can help you achieve that!

  6. I really wish that financial institutions would step it up a bit more. I once had a retirement account that required a 4-digit numeric PIN to access.

    Really made me feel safe.

  7. Now they have no new information in their new posts, they just repeat the old news, like robo... Sucks. I will unsubscribe from this blog.

    1. We'd love to hear feedback on the types of articles you'd be interested in - security reports? News of breaches? More technical explanations? You can also send feedback directly to pressatlastpassdotcom.

  8. If you've chosen a truly strong password then changing it periodically is stupid and unnecessary.

  9. I believe there are certain passwords that should not be stored in lastpass. Your email, your bank, and your tax passwords. These should only be in your head and never written down.

    Storing your email password in lastpass is kinda stupid. What if you forget your lastpass password and can't reset it via email because you don't know your email password?

  10. Re: the site that says your password can be cracked by a desktop PC in x days: Does that really count? Is that how fast it could take if the answer were local to the PC or hitting a web site? In other words, are we talking about making repeated brute force attempts over the web to crack my email password? Wouldn't that take much longer? Do the major sites lock you out for some amount of time if you get it wrong some number of times in a row? Wouldn't that significantly lengthen the time it would take to crack a password?

    1. Likely yes, it depends on the site, but services like LastPass do lock people out after a series of failed login attempts which would lengthen the time required to crack a single password via brute-force.

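
The trade-off this comment and its reply are discussing, as an added worked example that is not part of the original post or of LastPass's own code: it compares the search space of a dictionary word plus digits, a generator-style random password, and an xkcd-style passphrase, under an offline attacker working through a leaked hash list and an online attacker slowed by account lockouts. The guess rates and lockout parameters are constructed assumptions for illustration, not measured figures.

```python
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Attacker models: constructed assumptions for illustration, not measured rates.
OFFLINE_GUESSES_PER_SEC = 1e9        # guessing against a leaked, fast (unsalted) hash list
ONLINE_ATTEMPTS_PER_LOCKOUT = 5      # attempts a site allows before locking the account
ONLINE_LOCKOUT_SECONDS = 15 * 60     # length of that lockout


def keyspace_dictionary_word(wordlist_size, digits_appended):
    """Guesses to cover a dictionary word followed by N digits (e.g. a word plus
    a year). Cracker rule sets handle case flips and letter/symbol swaps cheaply,
    so those variations add little and are not counted here."""
    return wordlist_size * 10 ** digits_appended


def keyspace_random(length, charset_size):
    """Guesses to cover a uniformly random password, as a generator produces."""
    return charset_size ** length


def keyspace_passphrase(word_count, wordlist_size):
    """Guesses to cover a passphrase of words picked at random from a wordlist
    (the xkcd 936 approach); the attacker is assumed to know the wordlist."""
    return wordlist_size ** word_count


def bits(keyspace):
    """Entropy in bits: log2 of the number of equally likely candidates."""
    return math.log2(keyspace)


def online_guess_rate(attempts=ONLINE_ATTEMPTS_PER_LOCKOUT, lockout=ONLINE_LOCKOUT_SECONDS):
    """Effective guesses per second when each burst of attempts triggers a lockout."""
    return attempts / lockout


def expected_years(keyspace, guesses_per_second):
    """Average time to the right guess: half the keyspace at the given rate."""
    return keyspace / 2 / guesses_per_second / SECONDS_PER_YEAR


def report(label, keyspace):
    return {"label": label, "bits": round(bits(keyspace), 1),
            "offline_years": expected_years(keyspace, OFFLINE_GUESSES_PER_SEC),
            "online_years": expected_years(keyspace, online_guess_rate())}


if __name__ == "__main__":
    for r in (report("dictionary word + 4 digits", keyspace_dictionary_word(100_000, 4)),
              report("12 random printable chars", keyspace_random(12, 94)),
              report("4 words from a 7776-word list", keyspace_passphrase(4, 7776))):
        print(f"{r['label']:32} {r['bits']:5} bits  offline ~{r['offline_years']:.1e} y"
              f"  online ~{r['online_years']:.1e} y")
```

The online figure only holds while the lockout is in place; once a breached site's hash database is in the attacker's hands, the offline column is the one that matters, which is why a unique password per site limits the damage.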
  11. I just read this article from the Ars Technica website,

    "Why passwords have never been weaker—and crackers have never been stronger"
    http://arstechnica.com/security/2012/08/passwords-under-assault/

    How do LastPass procedures stack up against these kinds of threats?

    1. Thanks for reaching out. We employ salted hashes and have implemented PBKDF2 (http://helpdesk.lastpass.com/security-options/password-iterations-pbkdf2/); the article does mention the benefits of both. We continue to evaluate our security standards based on the current threat landscape and known best practices.

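
The salted PBKDF2 scheme the reply names, as an added example that is not LastPass's own code: it stores a per-user random salt and the iteration count alongside the hash, verifies with a constant-time comparison, and shows how the iteration count divides an offline attacker's guess rate. The hash function, salt length, iteration count and record format are assumptions for this example, not LastPass's actual parameters.

```python
import hashlib
import hmac
import os
from typing import Optional

# Parameters are assumptions for this example, not LastPass's actual settings.
HASH_NAME = "sha256"
SALT_BYTES = 16
ITERATIONS = 100_000
KEY_BYTES = 32


def hash_password(password: str, iterations: int = ITERATIONS,
                  salt: Optional[bytes] = None) -> str:
    """Return a record 'pbkdf2_sha256$iterations$salt_hex$hash_hex'.
    A fresh random salt per user means identical passwords produce different
    records, so one precomputed table or one guess cannot be reused across a
    whole breached database; storing the iteration count lets it be raised later."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt,
                             iterations, KEY_BYTES)
    return f"pbkdf2_{HASH_NAME}${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant
    time so a mismatch does not leak where the two hashes diverge."""
    try:
        scheme, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != f"pbkdf2_{HASH_NAME}":
        return False
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations), KEY_BYTES)
    return hmac.compare_digest(dk.hex(), hash_hex)


def offline_guess_rate(iterations: int, raw_hmac_per_second: float) -> float:
    """Each PBKDF2 guess costs `iterations` HMAC evaluations, so an attacker who
    manages raw_hmac_per_second against a plain hash is slowed by that factor."""
    return raw_hmac_per_second / iterations
```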