LastPass and the Little Black Book

Something I’ve recommended often on my science and technology podcast, Sovryn Tech, to use for password security is the service LastPass. It’s cross-platform, and can actually be used for many purposes other than simple password management, but it is very handy for storing multiple passwords (because you never want to use the same password twice across various websites and accounts). In effect, this is how it works:

1.) Install the app or browser extension.

2.) Create an account and set up a “Master Password”.

3.) Allow the app or extension to store your account info as you visit each site.

4.) Just log in to any device or browser with LastPass installed, enter your Master Password and you can then access any website or service that you have the information for stored in LastPass.

The beauty of that whole setup, even though it is Cloud-based, is that it gets encrypted client-side and you never actually enter your account information into LastPass’ servers. While I’ve never claimed that LastPass is a silver bullet for your security, it was definitely one of the better steps you could take–particularly better than storing your passwords in Google Chrome itself (since your passwords are not stored encrypted there).
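To make that client-side model concrete, here is an added example (not LastPass’ own code): the master password is stretched on the device into a vault key, a separate login token is derived from that key, the server stores only a salted hash of the token plus the encrypted vault blob, and a wrong master password fails before anything is decrypted. The key-splitting scheme, the iteration count and the HMAC-based stand-in for a real cipher such as AES-GCM are assumptions made to keep the example stdlib-only.

```python
import hashlib, hmac, json, secrets

ITERATIONS = 100_000  # assumed work factor; real products tune this upward over time

def derive_keys(master_password: str, email: str) -> tuple[bytes, bytes]:
    """Runs on the client only: the master password itself never leaves the device."""
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), ITERATIONS)
    # Login token: one more one-way step from the vault key, so the server never learns the vault key.
    auth_key = hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)
    return vault_key, auth_key

def server_store(auth_key: bytes) -> dict:
    """Server side keeps only a salted hash of the login token (constructed toy schema)."""
    salt = secrets.token_bytes(16)
    return {"salt": salt, "hash": hashlib.pbkdf2_hmac("sha256", auth_key, salt, ITERATIONS)}

def server_verify(record: dict, auth_key: bytes) -> bool:
    # A stolen record still allows offline guessing of weak master passwords, hence "change it now".
    candidate = hashlib.pbkdf2_hmac("sha256", auth_key, record["salt"], ITERATIONS)
    return hmac.compare_digest(record["hash"], candidate)

def _subkeys(vault_key: bytes) -> tuple[bytes, bytes]:
    # Separate encryption and MAC keys, both derived from the vault key.
    return (hmac.new(vault_key, b"enc", "sha256").digest(), hmac.new(vault_key, b"mac", "sha256").digest())

def _xor_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # HMAC-SHA256 in counter mode as the keystream: a stdlib-only stand-in for AES-GCM.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest() for i in range(len(data) // 32 + 1))
    return bytes(b ^ k for b, k in zip(data, b"".join(blocks)))

def seal_vault(vault_key: bytes, entries: dict) -> bytes:
    """Encrypt-then-MAC the vault on the client; only this opaque blob is uploaded to the cloud."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = secrets.token_bytes(16)
    ciphertext = _xor_keystream(enc_key, nonce, json.dumps(entries).encode())
    return nonce + ciphertext + hmac.new(mac_key, nonce + ciphertext, "sha256").digest()

def open_vault(vault_key: bytes, blob: bytes) -> dict:
    """Rejects a wrong master password or a tampered blob before decrypting anything."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ciphertext, "sha256").digest()):
        raise ValueError("wrong master password or tampered vault")
    return json.loads(_xor_keystream(enc_key, nonce, ciphertext))
```

Everything the server holds here is the salted login hash and the opaque blob; a stolen record still permits offline guessing of weak master passwords, which is why the advice after a server-side breach is to change the master password.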

Today however, LastPass has announced on their blog that they have been the victims of a crack (a “crack” is a malicious compromise of security, a “hack” is a heroic or neutral compromise of security, among other definitions). Regardless of the details (of which there are unfortunately very, very few, which is all the more concerning), the fact is that some LastPass users’ Master Passwords on LastPass’ servers have been compromised, and LastPass is recommending that all users change their Master Passwords immediately.

I’m not going to condemn LastPass in particular, but there is something very serious to consider here: Cloud storage of anything, not just documents or passwords but any other data. I think all Cloud storage is in question (and not just because of this recent crack). It’s been said before that anything stored online is merely on a timeline of not if it’s going to get cracked, but WHEN it is going to get cracked and accessed. The fact is, we don’t have the systems and encryption in place with the modern Web to properly secure anyone’s data with a hands-off approach (READ: users don’t have to think about it, their data is just automatically secured). Will a truly secure Cloud exist in the future? Maybe. Some technologies are being developed that may allow for it. But it’s rare.

For right now, the best thing to do is to store your passwords in some offline fashion. One possibility is to use KeePass, which operates similarly to LastPass, but instead all of your passwords and account information is stored and encrypted locally on your computer (or on an external drive if you want it portable). The disadvantage with this is that you can’t just access it from any computer; you have to have the KeePass file with you (which is another reason you may want to run it off of a portable drive, as you can then use it from any PC you use, though admittedly not from your mobile device the way LastPass can). Again, I’m not claiming that KeePass is any kind of security silver bullet, but with LastPass’ model now in serious question, this is a hard and fast alternative.

But I have been asked in the past, what is the “full-paranoid” way to store one’s passwords and account information? Well, “full-paranoid” options always take some work from the user, and they likely always will (if it doesn’t take some work, how do you know what you’re doing is actually working?). So, my answer for the “full-paranoid” storage of passwords and usernames? SURPRISE: A Moleskine or similar paper notebook.

Yes. A real-life paper notebook.

Why? Think of it as the modern-day “little black book”. You can carry it with you wherever you go (especially if you get some of those really small Moleskine-style notepads), or lock it away somewhere, and it can only be cracked by it being out of your hands and in the sight of others (or of a device’s camera, remember that). Frankly, I don’t think anyone is interested in getting their hands on notebooks people have lying around anymore. I doubt even government agents take the time to search anything on paper; they think everyone just stores everything online, so they go that route. Plus you can do better than delete it, you can light it on fire! Fire makes things literally impossible to ever be digitally or physically re-assembled for viewing. It’s a crazy option, I know, but then people had asked me about crazy, so I gave them an answer (one that I actually use). And again, this idea takes some vigilance on your part, and it has some serious inconveniences and drawbacks, so it’s not a silver bullet (haven’t you figured it out yet that there are no silver bullets?).

Again, it’s up to you what you do with your passwords. Another saying in the digital space is, “Go through life acting like everything is already compromised”. Many hackers (the good gals and guys) do so. But what you do with that particular notion, if you even decide to accept it, is up to you.

Just be sure to relax, life is still a beautiful thing. Really.

Carpe lucem!