Note: Since the recently released statement from LastPass regarding the theft of passwords, I have a new article about that here.
Every online account we have requires a password. And it can get overwhelming creating and remembering them. That’s why you need a password manager like LastPass.
Let’s face it, passwords are a pain. That’s why many people tend to create easy ones and reuse them. Both of those habits are a recipe for disaster: stolen credentials or, worse, stolen money.
A while ago I wrote an article about the top 10 most hacked passwords. In that article I mentioned using a password manager.
The problem with an easy-to-remember password is that it is also easy to crack. Let’s run a test on an easy password using Steve Gibson’s Password Haystacks: we’ll use “dogandcat”.
According to Haystacks, it would take 56.47 seconds to crack that password using a fast attack. Now let’s make some changes and see what happens.
Dogandcat – 7.87 hours simply by using one uppercase letter.
Dog-and-cat – adding hyphens increases this time to 5.38 centuries.
Dog-and-cat12345 – adding 5 numbers at the end makes it 1.41 hundred billion centuries.
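To show where those numbers come from, here is a small Python model of the Haystacks calculation. This is an added example, not the post’s or Steve Gibson’s code: a password’s alphabet is the union of the character classes it actually uses (26 lowercase, 26 uppercase, 10 digits, 33 symbols), an exhaustive search has to try every candidate of every length up to the password’s length, and the time is that search space divided by a guess rate. The guess rates and the length of a “century” are this example’s assumptions; the century constant below was chosen because it reproduces the figures quoted in this post.

```python
import string

# Character classes and their sizes as the Haystacks model counts them:
# a password's alphabet is every class it uses at least once.
CLASSES = (
    (set(string.ascii_lowercase), 26),
    (set(string.ascii_uppercase), 26),
    (set(string.digits), 10),
    (set(string.punctuation + " "), 33),  # 32 punctuation marks plus space
)

# Assumed guess rates (guesses per second) for three attack scenarios.
RATES = {
    "online": 1_000,
    "offline_fast": 100_000_000_000,
    "massive_array": 100_000_000_000_000,
}

# Assumption: this century length reproduces the figures quoted in the post.
SECONDS_PER_CENTURY = 3_145_728_000


def alphabet_size(password: str) -> int:
    """Size of the alphabet an exhaustive search has to cover."""
    size = sum(n for chars, n in CLASSES if any(c in chars for c in password))
    if size == 0:
        raise ValueError("password uses no characters from the modelled classes")
    return size


def search_space(password: str) -> int:
    """Number of candidates of length 1..len(password) over the alphabet.

    Closed form of a + a**2 + ... + a**L, kept as an exact integer so the
    huge values for long passwords do not lose precision.
    """
    a, length = alphabet_size(password), len(password)
    return (a ** (length + 1) - a) // (a - 1)


def seconds_to_crack(password: str, scenario: str = "offline_fast") -> float:
    """Worst-case time to exhaust the search space at the scenario's rate."""
    return search_space(password) / RATES[scenario]


def centuries_to_crack(password: str, scenario: str = "offline_fast") -> float:
    return seconds_to_crack(password, scenario) / SECONDS_PER_CENTURY


def describe(password: str, scenario: str = "offline_fast") -> str:
    """Pick a readable unit, the way the post quotes the results."""
    s = seconds_to_crack(password, scenario)
    if s < 60:
        return f"{s:.2f} seconds"
    if s < 86_400:
        return f"{s / 3600:.2f} hours"
    return f"{s / SECONDS_PER_CENTURY:.3g} centuries"


if __name__ == "__main__":
    for pw in ("dogandcat", "Dogandcat", "Dog-and-cat", "Dog-and-cat12345"):
        print(f"{pw:20s} alphabet={alphabet_size(pw):3d}  {describe(pw)}")
```

Notice that the jump from “dogandcat” to “Dog-and-cat” comes almost entirely from the alphabet growing from 26 to 85 and the length from 9 to 11: the model rewards length and variety, not cleverness, which is exactly why a generated password does so well below.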
Passwords are easy to make, but hard to remember
Yeah, I know my password is “dog and cat” something, but what? That’s where a good password manager comes in.
A password manager not only stores your passwords, but can help generate them as well. I just generated this password using LastPass and ran it through Haystacks:
weaYRFqRSg%*6MY^8ZV! – 11.52 million trillion centuries
That’s a pretty good password.
How Safe Is LastPass?
Yes, LastPass has had some breaches, but no passwords have ever been compromised. That’s not to say they never will be; anything is possible. So let’s look at how LastPass handles your passwords.
First of all, your passwords are not stored “in the open”. They are encrypted with AES-256, a military-grade standard that is near impossible to crack. If a hacker were able to get into LastPass and steal passwords, this is what they would see:
dogandcat becomes “QkQscbhVYKsa6e+KI6nN0A==”
Without the encryption key, the bad guy has nothing to work with.
How LastPass Encrypts and Decrypts
With LastPass, you create a master password (the “last password” you will ever need). This should be as strong as possible and one you can remember. One good approach is to take an easy-to-remember phrase and use the first letter of each word. “Now Is The Time For All Good Men To Come To The Aid Of Their Country” becomes “nittfagmtcttaotc” (1.44 hundred centuries to crack). Add some uppercase letters, numbers, and special characters and you could get “niTtf@gm2ctta0tC” (1.41 hundred billion centuries).
What If Hackers Get My Master Password?
And here’s the kicker: LastPass does not have, and never sees, your master password. It is encrypted at the device level, and LastPass puts it this way: “Your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers, and are never accessible by LastPass.” What they don’t have can’t be stolen.
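Here is a small Python model of both points made above: an encrypted entry is useless without the key, and the server never holds the master password or the key. This is an added example, not LastPass’s code. The shape of it (a slow PBKDF2-SHA256 derivation on the device with the account email as salt, plus a separate one-way login hash that is all the server stores) follows what LastPass describes in its own documentation; the iteration count, the sample account values, and the use of HMAC-SHA256 in counter mode as a stand-in for AES (which Python’s standard library does not include) are this example’s assumptions.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Assumption: iteration count for the slow hash; a real client tunes this.
ITERATIONS = 100_000


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Runs only on the user's device. The lower-cased email is the salt, so
    two users who pick the same master password still get different keys."""
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), email.lower().encode(), ITERATIONS, dklen=32
    )


def login_hash(vault_key: bytes, master_password: str) -> bytes:
    """A further one-way round over the key. This, and only this, is sent to
    the server to log in; the server cannot work backwards to the key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def _subkeys(vault_key: bytes) -> Tuple[bytes, bytes]:
    # Separate keys for confidentiality and integrity, both derived from the vault key.
    enc = hmac.new(vault_key, b"vault-encryption", hashlib.sha256).digest()
    mac = hmac.new(vault_key, b"vault-integrity", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    # Assumption: HMAC-SHA256 in counter mode stands in for AES here. The
    # principle is the same: without the key there is no way to the plaintext.
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt_entry(vault_key: bytes, plaintext: str) -> str:
    """Encrypt one stored password; returns base64, like the blob quoted in the post."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce = os.urandom(16)  # fresh per entry, so equal passwords give different blobs
    data = plaintext.encode()
    ciphertext = bytes(p ^ k for p, k in zip(data, _keystream(enc_key, nonce, len(data))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    return base64.b64encode(nonce + ciphertext + tag).decode()


def decrypt_entry(vault_key: bytes, blob: str) -> Optional[str]:
    """Return the password, or None when the key is wrong or the blob was altered."""
    enc_key, mac_key = _subkeys(vault_key)
    raw = base64.b64decode(blob)
    nonce, ciphertext, tag = raw[:16], raw[16:-16], raw[-16:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None  # never hand back garbage for a wrong key
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream)).decode()


def server_record(master_password: str, email: str, site_password: str) -> dict:
    """Everything the server ends up holding: a login hash and an opaque blob.
    Neither the master password nor the vault key appears in it."""
    key = derive_vault_key(master_password, email)
    return {
        "email": email,
        "login_hash": login_hash(key, master_password).hex(),
        "vault": encrypt_entry(key, site_password),
    }


if __name__ == "__main__":
    # Constructed sample values, not a real account.
    record = server_record("niTtf@gm2ctta0tC", "user@example.com", "dogandcat")
    print("server holds:", record)
    key = derive_vault_key("niTtf@gm2ctta0tC", "user@example.com")
    print("with the master password:", decrypt_entry(key, record["vault"]))
    wrong = derive_vault_key("dogandcat", "user@example.com")
    print("with a wrong guess:", decrypt_entry(wrong, record["vault"]))
```

The design choice worth noticing is that the wrong key yields None rather than scrambled bytes: an integrity tag lets the client tell “wrong master password” from “corrupted vault”. The caveat a defender should keep in mind is that a stolen blob can still be attacked offline by guessing master passwords one at a time; the slow derivation makes each guess expensive, but only a strong master password, as the post says, makes the number of guesses impractical.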
There are other password managers out there, and I’m not saying that they’re good or bad. I’ve been using LastPass for many, many years now, and I trust them. But they are only as good as you make them. Keep your master password safe, and don’t ever reuse passwords.