Next week in Part 2 we will be looking at the benefits of Password Managers but for now we are going to focus on why we should trust the good ones.
This article responds to some of the questions I have had from people; the topic bears some investigation, as there seem to be common misconceptions around the use of password managers.
I use a password manager, specifically LastPass, although there are others out there. I tend to use only paid-for products. If you can’t identify the product that you are being sold, then it’s fair to suggest YOU may well be the product. This goes double for any security product.
Password Management Misconceptions
That aside though, this is what I hear from friends, customers and acquaintances.
- I don’t trust the cloud. You are telling me that you put all your passwords in the cloud?
- So… if someone guesses my one and only password, they get all my passwords.
- All this stuff gets hacked eventually.
- What happens when they hack LastPass and they get all my passwords?
I’m going to take each of these and dissect it a little to come to a more reasonable understanding.
Protection with Encryption
It is really helpful if we first have a working knowledge of encryption.
Encryption is a super interesting topic, or at least it is to me. Every government, ever since the Egyptians were a big deal, has used encryption. We tend to think that access to encryption to protect our privacy is a basic human right; in times past it would probably have been the exception rather than the rule. It has often appeared to be something like magic.
In fact, from the 16th century there is a wonderful story of King Philip II of Spain encrypting his communications with his envoys using substitution cyphers, not realising that everyone else in Europe had worked out how to crack these using frequency analysis (counting the number of times each letter was used) and had rendered them utterly useless. Philip was so convinced that his messages could not be breached without supernatural help that he petitioned the Pope of the day to have the French cryptanalyst Viète tried as a demon. Really! In an embarrassing incident, the Pope turned down the request on the basis that they had been reading Philip’s messages too and knew no supernatural powers were required. Just an abacus. #awks!
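To show what Philip’s envoys were up against, here is an added example (not from the original article): a toy monoalphabetic substitution cypher of the kind described above, and the letter-counting attack that breaks it. The plaintext, the key and the seed are constructed for this example; the only assumption is that the message is ordinary English, where “e” is the most frequent letter.

```python
"""Substitution cypher versus frequency analysis (added example, constructed data)."""
import random
import string
from collections import Counter

ALPHABET = string.ascii_lowercase


def make_key(seed: int) -> dict:
    """Build a deterministic random substitution key (plain letter -> cypher letter)."""
    letters = list(ALPHABET)
    random.Random(seed).shuffle(letters)
    return dict(zip(ALPHABET, letters))


def encrypt(plaintext: str, key: dict) -> str:
    """Replace each letter through the key; spaces and punctuation pass through unchanged."""
    return "".join(key.get(ch, ch) for ch in plaintext.lower())


def decrypt(ciphertext: str, key: dict) -> str:
    """Invert the key and map every letter back; this is what the envoy does."""
    inverse = {c: p for p, c in key.items()}
    return "".join(inverse.get(ch, ch) for ch in ciphertext)


def letter_frequencies(text: str) -> Counter:
    """Count only alphabetic characters: the 'abacus' part of the attack."""
    return Counter(ch for ch in text if ch in ALPHABET)


def most_common_letter(text: str) -> str:
    return letter_frequencies(text).most_common(1)[0][0]


def guess_e_substitute(ciphertext: str) -> str:
    """An analyst who knows only that the language is English assumes the most
    frequent cypher letter stands for 'e', and works outward from there."""
    return most_common_letter(ciphertext)


# Constructed sample dispatch: ordinary English, so 'e' dominates the counts.
PLAINTEXT = (
    "the secret meeting between the three envoys will be held here at the "
    "eleventh hour; see that every letter is sealed before the messenger "
    "leaves the embassy"
)
KEY = make_key(seed=42)
CIPHERTEXT = encrypt(PLAINTEXT, KEY)

if __name__ == "__main__":
    print(CIPHERTEXT)
    guess = guess_e_substitute(CIPHERTEXT)
    print(f"most frequent cypher letter {guess!r}; the key really maps 'e' to {KEY['e']!r}")
```

The key never leaves the sender and receiver, yet the ciphertext alone gives away the mapping for “e” after a single count, and the remaining letters fall the same way. That is the difference between a secret method and a secure one: modern cryptography is designed on the assumption that the attacker knows everything except the key.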
Cracking the Codes
I would argue that encryption hasn’t really changed much in all that time. All encryption will eventually be cracked. The encryption that we use today is the RSA type, invented in the 70s and described as Public/Private Key Cryptography. We are more mature in our use of cryptography and recognise that in time it will be broken as computing becomes more efficient at cracking codes. Security analysts are constantly analysing what type of encryption is needed to retain security. A few years ago 1024-bit keys were deprecated, as they can now be hacked by a suitably determined person. Now we use 2048-bit keys as a minimum, with 4096-bit keys as an option for the paranoid.
So, in response to the earlier statements:
- I don’t trust the cloud per se. But I do trust modern cryptography done well. So do you, or you wouldn’t have bought half your Christmas presents online. It’s the exact same crypto.
- True, but better to secure one thing well than 100 things badly. If someone hacks my password, they then need to hack my two-factor authentication too. That’s much harder; it’s the Fort Knox principle.
- As I said, security analysts are constantly changing the types of crypto used in order to stay away from the stuff that is now vulnerable to being hacked.
LastPass doesn’t know my passwords. In fact, it is much more likely that you will forget your password and end up locked out of your password vault, and LastPass won’t be able to help you. You need to remember to print your recovery key and stick it in your home safe, or, when you forget your password, it will be a bad day at the office. You have been warned.
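The last two points, that the provider cannot read your vault and that losing the master password means losing the vault, follow from one design: the vault key is derived on your own device and never uploaded. The following is an added example of that model, written for this article; it is not LastPass’s code and makes no claim about how any particular product is built. It assumes PBKDF2 for stretching the master password, and it uses an HMAC keystream plus an HMAC tag as a stand-in for a real authenticated cipher such as AES-GCM, chosen only so the example runs with the Python standard library. The account data, salt and iteration count are constructed. Two-factor authentication is not modelled here.

```python
"""Client-side-encrypted vault model (added example, not a real product's code)."""
import hashlib
import hmac
import json
import os
from typing import Tuple

ITERATIONS = 200_000  # assumed stretching cost; real products choose their own


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into a vault key (stays on the client) and a
    separate login verifier, which is the only secret the server ever receives."""
    vault_key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, ITERATIONS, dklen=32)
    verifier = hashlib.sha256(b"login" + vault_key).digest()
    return vault_key, verifier


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; stand-in for a proper cipher, not for production."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt_vault(vault_key: bytes, entries: dict) -> bytes:
    """Encrypt-then-MAC the vault: nonce || ciphertext || tag."""
    plaintext = json.dumps(entries).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(vault_key, nonce, len(plaintext))))
    tag = hmac.new(vault_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> dict:
    """Return the entries, or raise ValueError on a wrong key or a tampered blob."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(vault_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or corrupted vault")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(vault_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


def enrol(master_password: str, entries: dict) -> dict:
    """What the client uploads: salt, verifier and encrypted vault. No password, no key."""
    salt = os.urandom(16)
    vault_key, verifier = derive_keys(master_password, salt)
    return {"salt": salt, "verifier": verifier, "vault": encrypt_vault(vault_key, entries)}


def open_vault(master_password: str, server_record: dict) -> dict:
    """The client re-derives the key from the password; the server only checks the verifier."""
    vault_key, verifier = derive_keys(master_password, server_record["salt"])
    if not hmac.compare_digest(verifier, server_record["verifier"]):
        raise ValueError("login rejected")
    return decrypt_vault(vault_key, server_record["vault"])


# Constructed sample account (passwords are throwaway sample strings).
MASTER = "my-one-and-only-master-password"
ENTRIES = {"example.com": "correct horse battery staple", "bank.example": "Tr0ub4dor&3"}
RECORD = enrol(MASTER, ENTRIES)


def server_knows_password(record: dict, master_password: str) -> bool:
    """Does anything the server stores contain the master password or a plaintext entry?"""
    stored = record["salt"] + record["verifier"] + record["vault"]
    return master_password.encode() in stored or any(v.encode() in stored for v in ENTRIES.values())


def provider_can_recover(record: dict) -> bool:
    """The locked-out scenario: the provider holds the record but not the password,
    so the best it can do is try a key that is not the derived one."""
    try:
        decrypt_vault(b"\x00" * 32, record["vault"])  # constructed stand-in for 'some other key'
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    print("server record contains password or entries:", server_knows_password(RECORD, MASTER))
    print("provider can open vault without password:", provider_can_recover(RECORD))
    print("owner with correct password sees:", open_vault(MASTER, RECORD))
```

Read the record the server holds and the argument above falls out of it: a breach of the server yields a salt, a verifier and ciphertext, each useless without a key that only the master password can regenerate; the same fact is why a recovery key printed and locked away is the only way back in if that password is forgotten.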