The common refrain whenever there is a headline data breach involving the theft of personal information is that affected users should change their passwords, making sure they are a “strong” mix of unique numbers, letters and symbols.
Given the extensive number of online accounts the majority of people have, from social media to online banking to grocery shopping, it would be a herculean task to remember a different password for each one.
For this reason, security experts encourage people to use password managers, which can generate, store and automatically fill out passwords for users across all their online accounts.
But some people have been hesitant to trust such a service to protect the keys for their entire digital lives – and rightly so. LastPass, one of the leading password managers, recently discovered a security flaw with its program that could have let hackers steal passwords. The “major architectural problem” was discovered by a security researcher at Google and forced LastPass to urge users to be careful using its service.
It isn’t the first time a credential management firm has suffered a problem of this scale. 1Password, another manager, was criticised in 2015 for leaking users’ bookmarks.
The news led some experts to warn users against password managers. “LastPass isn’t alone: Keeper, Dashlane and even 1Password have had severe vulnerabilities that allowed attackers to steal all of the passwords in a user’s account without their knowledge,” said Sean Cassidy, chief technology officer of Defence Storm.
“Browser-based password manager extensions should no longer be used because they are fundamentally risky and have the potential to have all of your credentials stolen without your knowledge by a random malicious website you visit or by malicious advertising.”
Despite fears, most experts in the field agree that password managers are still the safest way to secure online accounts. “I really, really hope this doesn’t put people off using password managers,” said Professor Alan Woodward, a cyber security expert at the University of Surrey, responding to the LastPass news. “In this day and age we have so many passwords and they need to be strong so you can’t remember them.
“Ideally we’ll start to move onto other forms of authentication like biometrics. But for now password managers are still the best option.”
HOW TO PICK A PASSWORD
- Don’t re-use passwords. One ultra-secure one won’t be any good if someone finds it
- While combining upper- and lower-case letters with numbers to alter a memorable word – M4raD0na – is often advised, these are more easily cracked than you might think
- Good advice is to make a memorable, unusual sentence: “I am a 7-foot tall metal giant” is better than “My name is John”, and use the first letter of each word with punctuation: “Iaa7-ftmg”
- Alternatively, you can use a password manager such as 1Password, which can generate secure passwords and store them online
- The best way to protect yourself is to use two-factor authentication, which will send a text with a code or use an app to verify your log-in
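As an added illustration of the second and third points above (example code, not part of the original article): a small Python check that undoes the usual letter-for-symbol substitutions before looking a password up in a word list, then compares the size of the space a cracker must search for M4raD0na with the space for Iaa7-ftmg. The word list and substitution table are constructed here for the demonstration; a real check would load a large dictionary or breached-password list.

```python
# Constructed mini word list for the demonstration only.
WORDS = {"maradona", "password", "giant", "metal", "john"}

# Common letter-to-symbol substitutions that cracking rule sets try.
SUBS = {"a": "4@", "e": "3", "i": "1!", "o": "0", "s": "5$", "t": "7"}
UNSUB = {sym: letter for letter, syms in SUBS.items() for sym in syms}


def unmangle(password):
    """Reverse case changes and symbol substitutions to recover a base word."""
    return "".join(UNSUB.get(ch, ch) for ch in password.lower())


def mangled_dictionary_word(password):
    """Return the word-list entry the password is a variant of, or None."""
    base = unmangle(password)
    return base if base in WORDS else None


def variant_space(word):
    """Number of spellings of one word that the rules above can produce
    (each letter: itself, its upper case, and each substitution symbol)."""
    n = 1
    for ch in word.lower():
        n *= 1 + len(SUBS.get(ch, "")) + (1 if ch.isalpha() else 0)
    return n


def guess_space(password):
    """Rough count of candidates a cracker covers before reaching the password:
    every variant of every word if it is a mangled word, otherwise the full
    brute-force space for the character classes it uses."""
    if mangled_dictionary_word(password) is not None:
        return sum(variant_space(w) for w in WORDS)
    charset = 0
    if any(c.islower() for c in password):
        charset += 26
    if any(c.isupper() for c in password):
        charset += 26
    if any(c.isdigit() for c in password):
        charset += 10
    if any(not c.isalnum() for c in password):
        charset += 33  # printable ASCII punctuation
    return charset ** len(password)


if __name__ == "__main__":
    for pw in ("M4raD0na", "Iaa7-ftmg"):
        print(pw, mangled_dictionary_word(pw), guess_space(pw))
```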
“I tend to look at the record of how they’ve dealt with security incidents in the past. It’s almost inevitable that there will be problems, but how they respond to their users is important,” he said. “It’s a bit like a courier losing your package: it happens, but it’s how they deal with it that matters.”
When researching the best password manager, users are advised to check reviews and details about the companies behind the services.
“You really need to know that there’s a substantial organisation behind it, because there are a lot of free managers out there that are run by a man and his dog,” said Professor Woodward. “You really need to do a bit of due diligence, don’t just pick the first one you see because it’s free.”