It seems like every month, a handful of companies disclose that their user database has been hacked, informing you that you should change your password and monitor your credit card statements for strange activity.
In late 2010, popular blogs Gawker and Gizmodo were hacked and their databases were posted online. In 2011 there was another security breach that affected millions of users.
When news broke of the Gawker attack, I searched the actual database that was posted online, and sure enough, there was my email and my favorite password at the time, listed in plain text for the entire Internet to see.
I did some common password searches, just out of curiosity. You’d be surprised at the number of people who use “password”, or even “ABCDE” or “1234” as their password. It was staggering, to say the least. Now, I know, these were probably mostly throwaway passwords, right? I really hope so.
Next, I set about changing my own passwords at every site I could think of. Before long I had set a new password for my accounts after a lot of crossed fingers that I still had access to my email account, but I was still using the same basic passwords almost everywhere because I wanted to remember them. I knew I wasn’t supposed to, but I did it anyway, because I was lazy--there, I said it!
Experts say you’re supposed to have a different password for every site. You shouldn’t use the same username everywhere, especially usernames on banking websites, or any place that has access to billing you. You should use “strong” passwords that are at least eight characters (so they are immune to brute force “guessing” attacks) and those should be random characters with special characters mixed in like punctuation marks. You shouldn’t fill out any required “security questions” with correct answers because most of that information (like your mother’s maiden name) is available somewhere on the Internet. I didn’t want to have to worry about any of that. I can only remember so many passwords.
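To make the advice above concrete, here is an added example (not code from the original post, and not from AgileBits or 1Password) that generates passwords from the OS random source, reports how large the search space is for a given length and alphabet, and audits a small site-to-password mapping for the two problems the post describes: reusing one password across sites and picking a common throwaway like "password" or "1234". The alphabet, the common-password list, the sample vault, and the guess rate used in `brute_force_years` are all constructed for illustration.

```python
import math
import secrets
import string
from collections import defaultdict

# Alphabet for generated passwords: letters, digits and punctuation, i.e. the
# "random characters with special characters mixed in" that the post recommends.
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols

# Constructed sample of throwaway passwords of the kind found in the breach dump.
COMMON_PASSWORDS = {"password", "abcde", "1234", "123456", "qwerty", "letmein"}


def generate_password(length: int = 16, alphabet: str = ALPHABET) -> str:
    """Draw each character from the OS CSPRNG via `secrets` (never `random`)."""
    if length < 1:
        raise ValueError("length must be at least 1")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def brute_force_years(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to guess a password of the given entropy, assuming the
    attacker has to search half the keyspace. The guess rate is an assumption
    chosen for illustration, not a measurement."""
    seconds = (2.0 ** bits / 2.0) / guesses_per_second
    return seconds / (365 * 24 * 3600)


def audit(vault: dict[str, str]) -> dict[str, list[str]]:
    """Flag sites whose password is reused elsewhere or appears in the common list.

    `vault` maps a site name to its password (constructed sample data only)."""
    sites_by_password: dict[str, list[str]] = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)
    reused = sorted(
        site for sites in sites_by_password.values() if len(sites) > 1 for site in sites
    )
    common = sorted(
        site for site, password in vault.items() if password.lower() in COMMON_PASSWORDS
    )
    return {"reused": reused, "common": common}


# Constructed sample vault: two sites share a password, one uses a common one.
SAMPLE_VAULT = {
    "blog.example": "Autumn2010!",
    "shop.example": "Autumn2010!",
    "mail.example": "password",
    "bank.example": "q7#Vx2!mLp9&Rz4W",
}


if __name__ == "__main__":
    for length in (8, 12, 16):
        bits = entropy_bits(length, len(ALPHABET))
        print(f"{length} chars from {len(ALPHABET)} symbols: {bits:.1f} bits, "
              f"~{brute_force_years(bits):.2g} years at 1e10 guesses/s")
    print("fresh password:", generate_password(16))
    print("audit:", audit(SAMPLE_VAULT))
```

Running it shows why both length and alphabet size matter: eight characters drawn from all 94 printable symbols give about 52 bits, and each extra character adds roughly 6.5 bits, so the estimated guessing time grows by a factor of 94 per character. The audit function is the check a password manager performs for you when it flags reused or weak entries.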
At the recommendation of a few friends, I was directed to 1Password from AgileBits.
1Password is a password manager, but it’s so much more, too. It creates strong, unique passwords and stores them in an encrypted database on your local machine and stores just about anything else you need to keep safe. 1Password breaks down your information into Logins (website accounts), Accounts (things like your Amazon, iTunes, email, Instant Messenger, and even your wireless router accounts), Identities (you know you have more than one), Notes (anything you want to jot down), Passwords (your general purpose list of passwords), and Wallet (bank account numbers, driver’s license, passport, reward programs, social security number, and credit cards).
1Password allows you to sync your database through Dropbox, a cloud-based storage and sync service (which you can easily create an Account profile for in 1Password). How is this useful? Dropbox runs on any desktop system, so wherever you have Dropbox you also have your passwords. The encrypted database that 1Password creates can only be read if you enter the master password, and you can choose to individually protect each account/login with an additional layer of security by requiring the master password to be entered for each one.
Aside from the Dropbox sync, what really sold me on 1Password was the app availability for iOS (there is also an Android version). The app syncs over Dropbox and gives you mobile access to all your sensitive data. The app itself is protected by a 4-digit PIN, so you can’t get in without knowing that, and there is still master password protection.
Reducing all of my passwords down to one big, long complicated character sequence that only I know is something I could easily do. I purchased 1Password for Windows and iPhone and I can say without any understatement that it has changed my life. Back when I had just changed all my passwords in late 2010, I was really only one hack away from having to panic all over again. Using 1Password, I generated strong, unique passwords for every account I have. My biggest gripe was creating passwords every month for my user accounts at work--now I just generate new ones and memorize them over the span of a day. When it asks me to create a new password, it’s a treat! If any other database is compromised, the hackers only have that one password (that I don’t even really know). Since the password is stored in the database, I’m copying and pasting it when it’s needed, which avoids being snooped on by any key loggers of which you may or may not be aware. The 1Password app on my iPhone is probably my most-used app, the next being my twitter app (Tweetbot, if you’re wondering).
There are a ton of neat tips and tricks that 1Password supports on both Windows and Mac that I can’t even begin to cover.
The one shortcoming that I found with 1Password was that it wasn’t working with Chrome, my browser of choice. It was working fine with Internet Explorer, but I wasn’t going to subject myself to IE to fully use 1Password’s browser integration. Enter LastPass, the cross-platform password manager that works with Chrome! Now, I’d already shelled out cash for the Windows and iPhone versions of 1Password, so I wasn’t ready to pay for premium LastPass, and I really only needed it for one job: browser passwords.
I created an account for LastPass (with a different master password than I did with 1Password, of course!) and their browser add-on for Chrome has done everything I need to complement 1Password. The additional benefit of using two different managers (and keeping them somewhat separate) was that if one was compromised (the odds are extremely long, but you still worry), hackers would only have about half of my sensitive information. LastPass’s web interface is extremely easy to manage and I use it regularly to create accounts all over the web for whatever I need (or don’t need). Using LastPass, I’ve even exported my passwords to files that 1Password can read, so bulk transfer of your data doesn’t take a lot of tedious typing.
I can’t stress this enough! Go make sure all of your passwords are unique and strong. Make sure you’re not sweating the next time another database hack is announced!