Skip to main content

Online security tips: A password manager alone isn’t enough

Everyone knows that for proper security, each and every account needs a complex and unique password. The problem is that it’s just too difficult for most people to remember dozens of fifteen-character passwords. That’s why password managers are so useful: They take care of the memorisation problem, and allow easy and secure access to the user. Is that enough, though?

First off, don’t rely on a single point of failure. LastPass keeps your data safely on its servers, but what if it becomes inaccessible for just a day? You’ll be out of luck when you go to do your banking or log into Facebook. Export your data, and keep it in a safe place. Storing your password database in an encrypted disk image on a USB stick would be your best bet for security and accessibility.

If you’re using LastPass, it’s as simple as selecting Export in the drop-down menu at the top of your password vault. From there, your exported data will be saved to disk in a comma-separated values (CSV) file. As far as encryption goes, TrueCrypt should be all you need (and remember to use a suitably complicated encryption key)!

It’s not a silver bullet to simply use good passwords. Whenever possible, you should be using multi-factor authentication – where along with your password, you also need a second, different passkey to log in. This keeps your account safe even if your password has been compromised. Many sites, Google and Paypal for example, have multi-factor authentication available for users to reduce the possibility of security breaches. In fact, Google has its own authentication system that third parties can integrate with. LastPass itself is compatible with Google Authenticator, so you should be using this for optimal security.

Most importantly, you need to be changing your passwords frequently. The longer your password remains the same, the more risk there is of someone cracking it. Popular sites like those run by Gawker Media are not impervious to security breaches, so hostiles could be spending a lot of time and CPU or GPU cycles trying to crack your password. Even worse, as we’ve learnt from big hacks over the last few years, some services store your password in plain text – no cracking required. If you make a habit of changing your passwords once a month, you’ll be much safer from such attacks. Take the time to set a monthly reminder, and you’ll be glad you did.

In summary, using a password manager for all of your accounts is a very sensible idea, but don’t be lulled into a false sense of security. You’re not immune from cracking or downtime. To be truly safe and secure, you need to keep an encrypted copy of your password database locally, use multi-factor authentication where possible, and change your passwords frequently. If you take the time to do it right, you’ll never have to feel the shame of knowing you could have prevented your own identity theft.