Update 1/18/2016: There is a security flaw in LastPass’ Google Chrome extension. Don’t be fooled! You can mitigate this attack by:
- using Firefox with the NoScript add-on (which eliminates the cross-site scripting vulnerability), and
- using a two-factor authentication solution that’s routed through your phone instead of your computer, like Duo or Transakt. This eliminates the possibility of a man-in-the-middle picking off the two-factor code entered into the same compromised browser session.
Update 10/16/2016: LastPass has been acquired by LogMeIn! Congrats guys! Don’t get cocky.
Update 5/13/2015: Edited for clarity, and for the change introduced in iOS 8 that allows browser extensions in Safari.
Update 5/8/2014: The Wall Street Journal ran another review of password managers.
Update 1/16/2014: Apple now incorporates a password manager, iCloud Keychain, in iOS 7 and OS X Mavericks that has many of the same features as LastPass. I’ll stick with LastPass (since it’s a platform-independent solution), but Apple’s solution is probably easier to use for most folks. Here’s ArsTechnica’s coverage of its pros and cons.
The Wall Street Journal recently ran a review of PasswordBox, an online password manager. Many people don’t understand why using a password manager is vitally important to maintaining online account security. Consider for example Charleen Larson, who made the following comment:
“OK, so how again is this superior to me keeping a small notebook at home with my passwords? My husband knows where it is and doesn’t have to sign up for yet another account at PasswordBox. We both have too many accounts (free and otherwise) already.”
It was clear from this tidbit, as well as her replies to the responses she received, that she still doesn’t get it.
Charleen, this one’s for you…
First, a password manager randomly generates passwords for you when you create a new account, and it makes them as long as you want (I use 30 characters.) It can also, of course, generate random passwords on your old accounts if you bother to change them. If you don’t understand why this is important, see this article. Random passwords for each account are especially valuable because they discourage the use of a single password across multiple sites, even for accounts you don’t care about keeping secure. Using the same password across sites is like using the same key for your office, house, car, gym locker, etc. If you don’t understand why this is important, see this article.
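As an added illustration of this first point (example code written for this post, not LastPass’ or any other manager’s own implementation), here is what “randomly generates a password of the length you ask for” amounts to, with the entropy that a 30-character random password buys you compared to a short one; the site names are constructed stand-ins:

```python
import math
import secrets
import string

# Character set a typical manager draws from: letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 30, alphabet: str = ALPHABET) -> str:
    """Return `length` characters drawn uniformly at random from `alphabet`.

    secrets uses the OS cryptographic RNG; random.random() is NOT suitable here
    because its output is predictable from a small sample.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random password: length * log2(|alphabet|) bits."""
    return length * math.log2(len(alphabet))


def unique_per_site(sites, length: int = 30) -> dict:
    """One independent password per account, as a manager's vault stores them.

    Because each entry is generated separately, a breach at one site reveals
    nothing about the password used at any other (the 'one key per lock' point).
    """
    return {site: generate_password(length) for site in sites}


if __name__ == "__main__":
    # Constructed example accounts, not real sites.
    vault = unique_per_site(["example-bank", "example-mail", "example-forum"])
    for site, pw in vault.items():
        print(f"{site:14s} {pw}")
    print(f"30 chars: {entropy_bits(30):.1f} bits; 8 chars: {entropy_bits(8):.1f} bits")
```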
Second, you can use password managers from more than one machine at more than one place; you don’t have to be at home. I use LastPass, and have its browser extensions on my computer in Safari and Firefox, and in Safari on my iPhone and iPad (the same company also makes an iOS app.) This is like having a copy of my virtual key ring on each device, and makes it easy for me to access my accounts securely from all of those platforms. And if I’m really desperate, I can reach my LastPass vault directly online (though I won’t do so from an untrusted machine except in dire circumstances, such as being forced out-of-town by a natural disaster.)
Third, using a password manager means you don’t have to type the password in every time you access an online account, which helps defend against keylogger attacks. If you don’t understand why this is important, see this article. (If you’re really paranoid, you can copy-and-paste your master password to avoid it getting keylogged, but then you’d better really know what you’re doing as far as security by obfuscation goes, as your password will have to be accessible somewhere in plain text format.)
Fourth, best-in-class password managers offer an optional two-factor authentication mechanism that’s linked to a physical device that’s distinct from the computer itself. If you don’t understand why this is important, see this rather eye-opening article. Use it if it’s available.
And finally Charleen, now that everyone who reads the WSJ article comments knows you keep your passwords in a handy-dandy notebook at home (hint: it’s near the computer, probably in a desk drawer), you’ve got a security issue you can’t easily fix. If you don’t understand why this is important, see this site.