Last year, following a number of online services that had password breaches, I decided to get my act together & make sure I did as much as possible to secure my passwords for all the 740+ logins I've got.
State of play beforehand
The situation I was in certainly wasn't as bad as it could be...
- I was using the Firefox password manager to remember + secure all my passwords
- My Firefox profile is kept in an encrypted volume & Firefox required a Master Password to access password filling
- I used a website to help me generate 9 character randomised passwords
- In general I wasn't re-using passwords across sites, well certainly not with more recent ones, but I wasn't sure about some of the old sites
Tipping Point
- I noticed that LastPass was doing a good job at alerting its users as to whether their passwords were in breached password lists
- The Firefox password manager didn't seem like the best place to store everything
- Logging into the same sites in Chrome (on the same PC) was a pain
- I wanted to share my logins with my home PC
What I changed
Before I did anything, I did a lot of research into what I should do. There are plenty of articles on sites like LifeHacker, but one of the more compelling arguments to use LastPass is its positive evaluation on TWiT's show Security Now. So this is what I did next..
- Exported all my passwords to LastPass
- Removed all logins from the Firefox password manager
- Enabled 2-factor authentication in LastPass
- Ran LastPass's "Security Challenge" to see how bad the situation was.. wasn't as bad as it could have been!
- Installed the LastPass plugin into browsers where I wanted all my passwords accessible
- Use the LastPass secure password generator to create 12 character random passwords for all new sites
- Started using Secure Notes (in LastPass) to store some extra info I'd got written down in text files
Now that I've had LastPass running for a while, I'm really happy with it & feel like I've done everything I can to protect myself.. all my new passwords are at least 12 characters long with a complexity that will take an estimated 25 thousand years to brute force -- https://howsecureismypassword.net/ The 2-factor authentication doesn't get in the way & works well. The login filling works nicely across all my browsers. And I can even share certain logins with my wife.. if I change them, they'll sync to her account.
The standard (free) version is absolutely great, but at Christmas I subscribed to LastPass Premium which (amongst other things) lets me use it on my iPad & is integrated with TouchID that makes it super simple (yet secure) to log into sites on the tablet.
UPDATE 2017 - in November 2016, LastPass altered the features in the free plan. That free tier now has everything I need/want. If the limitations of the free plan and the cost of the premium tier were putting you off, now is a good time to take a look & get your passwords under control across all your devices.