How to Create and Protect Strong Passwords
Without using a cumbersome and vulnerable password manager.
Tech sites like PCMag have been touting password managers for years. I’ve tried some of them, and even the ones that are supposedly easy to use are cumbersome. Not only that, but the vendors’ servers are natural targets for password thieves.
Today’s PCMag newsletter brings these sad tidings:
Well, it’s bad. LastPass has lost a copy of customers’ encrypted password data to a hacker, who recently breached the company’s systems.
The hacker looted the password data by copying a “backup of customer vault data” from an encrypted storage container during the intrusion, LastPass said on Thursday.
The company supplied the update three weeks after LastPass announced it had suffered a breach that led to the hacker stealing customer information….
The stolen vault data contained “fully-encrypted sensitive fields such as website usernames and passwords, secure notes, and form-filled data,” along with unencrypted website URLs.
LastPass is emphasizing that the stolen vault data remains protected because it’s been secured with 256-bit AES encryption. To decrypt the data, the hacker would need the vault’s master password — something only the customer should know….
The problem is that the hacker could exploit various ways to obtain a customer’s master password. This could involve trying to guess it by using brute-force attacks. However, LastPass says this would be incredibly hard to pull off if the customer had used a complex password. As a security measure, LastPass also requires a master password to be at least 12 characters long.
Still, the other way a hacker could steal a master password is by phishing customers. This could involve sending fake emails or text messages pretending to be LastPass in an effort to dupe unsuspecting users into giving up the login credential.
During the breach, the hacker also obtained “basic customer account information,” including email addresses, telephone numbers, billing address and IP addresses — making it easy for the culprit to target individual users.
So to guard against such phishing, LastPass is telling users: “It is important to know that LastPass will never call, email, or text you and ask you to click on a link to verify your personal information. Other than when signing into your vault from a LastPass client, LastPass will never ask you for your master password.”
Hah! Good luck with that.
Here’s what I do: Generate random passwords myself. Store them in a password-protected file on my PC. Allow my web browsers to save passwords (for ease of access to online accounts and websites that store personal data and payment information), but password-protect my PC. Print a paper copy of all the passwords (including the passwords for the file and the PC). Keep the paper copy in a secure place in my home (which is protected by a monitored alarm system), and allow only my wife to know the location of the copy. (There’s a secure process by which our children can access the copy, but they won’t know how to do it unless both of us have died or are incapacitated.)
How does one generate random passwords? PCMag, in an article that touts password managers, explains how to do it. My method is somewhat different, but it comes down to the same thing: Use Excel to randomly generate unique and extremely strong passwords.
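The post's own method uses Excel. As an added example that is not the author's, here is the same idea in Python, drawing each character from the standard library's cryptographically secure `secrets` generator rather than a spreadsheet's general-purpose RAND(), and reporting how much guessing resistance a given length buys. The character set, length and four-class requirement are my assumptions, not something the post specifies.

```python
import math
import secrets
import string

# Assumed alphabet: every position is drawn uniformly from all 75 characters.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!#$%&*+-=?@^_"
CHARSET = LOWER + UPPER + DIGITS + SYMBOLS


def entropy_bits(length: int, alphabet_size: int = len(CHARSET)) -> float:
    """Guessing resistance of a uniformly random string: length * log2(alphabet size).

    This is the figure that makes brute force against a stolen vault impractical;
    a 20-character password over 75 symbols is about 125 bits.
    """
    return length * math.log2(alphabet_size)


def generate_password(length: int = 20) -> str:
    """One password with every character chosen by a CSPRNG.

    Candidates missing any of the four classes are rejected and redrawn, so the
    result still satisfies common site rules without biasing individual positions.
    """
    if length < 4:
        raise ValueError("need at least one character per class")
    while True:
        candidate = "".join(secrets.choice(CHARSET) for _ in range(length))
        classes = (LOWER, UPPER, DIGITS, SYMBOLS)
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def generate_unique(count: int, length: int = 20) -> list[str]:
    """A batch of distinct passwords, one per account, so no two sites share one."""
    seen: set[str] = set()
    while len(seen) < count:
        seen.add(generate_password(length))
    return list(seen)


if __name__ == "__main__":
    for pw in generate_unique(5):
        print(pw)
    print(f"{entropy_bits(20):.1f} bits per 20-character password")
```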
The rest — setting up an Excel routine, generating passwords, and securing what you’ve generated — is up to you.