Saturday, July 24, 2010

Security and LastPass (and Yubikey)

I am "behind" in terms of what I've wanted to write over the past two weeks, as I have been extremely busy with, well, just about everything.

But I wanted to mention something I found recently related to internet password management and password security. As I have mentioned in other posts, besides being security and backup paranoid when it comes to all things computer, internet security has become somewhat of a hobby of mine. I actually hope to take a graduate program in "Network Security and Information Assurance", a program the U of M starts this year. We'll see where that fits in...

Anyway - one of the podcasts I listen to regularly is "Security Now" with Steve Gibson and Leo Laporte. I highly recommend that anyone with even a small interest in how the internet and security work listen to this weekly 1-hour show - they go into topics that are quite advanced but break them down into fairly simple pieces. Plus, every week they cover the latest in security news, what patches you should make sure to apply, etc.

Last week, they covered a password management tool called "LastPass" (http://lastpass.com). Password management for internet sites is a very difficult thing to do in this era where we all have many, many site accounts, userids, passwords, etc. Just keeping track of what sites you have userids on is hard, much less what the userid and password for each one is. This drives many people (including myself up until now) to use the same password for many sites, sometimes all sites, which is a VERY bad thing to do: if any one of those sites leaks or gives up your password, the attacker can simply try it against every other account you have, and that takes very little effort. I admit that I was doing this to some degree (even though I know better!) and was keeping an Excel spreadsheet to keep track of everything. I kept this on a thumb drive that was physically in my possession, but that's still not a good solution (and if you don't have the thumb drive with you, you're out of luck).

LastPass solves all of these problems, and does it brilliantly and securely. On the convenience/management side, when you set up an account with LastPass, they create an online database which you can get to by signing in from any web browser anywhere. Additionally, there is a plugin for nearly every browser and platform out there - for me, Firefox on Windows and the Android mobile phone operating system were what I needed, but the list was huge. Once you install the plugin and add your sites and passwords (it actually does this automatically the first time you visit a site - more on that later), when you visit the site again you can either have LastPass auto-fill the userid/password fields from the database, or you can manually select "fill" on the site's login page if you're uncomfortable with it filling them in automatically.

So, storing passwords in an online database sounds scary... let me tell you why it's not so bad in this case. What LastPass stores on their servers is an encrypted copy of your data; your master password itself is never sent to them, only a hash derived from it that is used to log you in. Everything is encrypted and decrypted on the client (your browser) side, with a key derived from your userid and master password, so only someone who knows both can generate that key and read the vault that comes down from their server, or write an updated one back. Their documentation and forums are very clear on how they do this (I read a lot of it), and several people have done independent tests and verified that they are doing what they say they're doing: the plugin encrypts locally and only ever uploads ciphertext. What this means is that the data on their servers is useless to them, or to anyone who steals it, without your master password. Only you (or someone with your LastPass userid and master password, which is only you if you're careful with it) can do anything with the data they store. So if, for example, the FBI got a warrant and asked LastPass to hand over someone's passwords, all LastPass could produce is the encrypted blob and the login hash, and they have no technical way to turn either into anything meaningful. The one caveat, and it is the important one: because the key is derived from your master password, anyone holding that encrypted blob can sit offline and guess master passwords at their leisure, with no lockout or rate limit in the way, and a short or dictionary-word master password will fall to that kind of attack. The whole scheme is only as strong as the master password (plus the cost of the key derivation that slows down each guess), so pick a long one that you use nowhere else.
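To make the "only ciphertext on the server" property and its caveat concrete, here is an added illustrative model of a client-side-encrypted vault. It is not LastPass's code and not their exact scheme; it is my own stand-in with the same shape: a vault key derived from email plus master password, a separate login hash that is all the server ever sees for authentication, and a vault blob that is only encrypted and decrypted on the client. The iteration count, the sample vault entries and the use of HMAC-SHA256 in counter mode as a stream cipher (standing in for AES, which the Python standard library does not provide) are my assumptions, not details from the post.

```python
import hashlib
import hmac
import json
import os

# Illustrative model only: NOT LastPass's actual scheme. Same shape, though:
# key derived from email + master password, login hash for the server,
# vault blob that is only ever encrypted/decrypted on the client.

KDF_ITERATIONS = 100_000  # assumed value; each offline guess has to pay this cost


def derive_vault_key(email: str, master_password: str,
                     iterations: int = KDF_ITERATIONS) -> bytes:
    """Vault key never leaves the client. The (lowercased) email is the per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               email.lower().encode("utf-8"), iterations, dklen=32)


def login_hash(vault_key: bytes, master_password: str) -> bytes:
    """What the server stores to authenticate you: one more hashing step over the
    vault key, so the server never sees the vault key itself."""
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (a real client
    would use AES; the point here is the key flow, not the cipher)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(vault_key: bytes, entries: dict) -> dict:
    """Encrypt-then-MAC with separate keys split off the vault key. Returns
    exactly what the server gets to store: nonce, ciphertext, tag (hex-encoded)."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    nonce = os.urandom(16)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(vault_key: bytes, blob: dict) -> dict:
    """Verify the tag before touching the ciphertext: a wrong master password and
    a tampered blob both surface as ValueError rather than as garbage entries."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce = bytes.fromhex(blob["nonce"])
    ciphertext = bytes.fromhex(blob["ciphertext"])
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("vault tag mismatch: wrong master password or tampered blob")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, stream))
    return json.loads(plaintext.decode("utf-8"))


def server_side_record(email: str, master_password: str, entries: dict) -> dict:
    """Everything the server ever holds for one user: no master password,
    no vault key, no plaintext. This is all a warrant (or a breach) could yield."""
    key = derive_vault_key(email, master_password)
    return {"email": email,
            "login_hash": login_hash(key, master_password).hex(),
            "vault": encrypt_vault(key, entries)}


def offline_guess(record: dict, candidates, iterations: int = KDF_ITERATIONS):
    """The caveat: whoever holds the server record can test master-password
    guesses offline against the login hash, with no lockout in the way.
    Returns the recovered master password, or None if no candidate matched."""
    stored = bytes.fromhex(record["login_hash"])
    for guess in candidates:
        key = derive_vault_key(record["email"], guess, iterations)
        if hmac.compare_digest(login_hash(key, guess), stored):
            return guess
    return None


if __name__ == "__main__":
    # Constructed sample data for the demo (not real accounts).
    entries = {"https://example.com": {"user": "alice", "pass": "Zq9!xT4#pL"}}
    rec = server_side_record("alice@example.com", "password123", entries)
    print("server holds:", rec)
    print("weak master password recovered offline:",
          offline_guess(rec, ["letmein", "qwerty", "password123"]))
```

Two things worth noticing when you run it: the server record contains neither the master password nor any site password, so handing it over discloses nothing by itself; and `offline_guess` recovers a weak master password from that same record in a handful of key derivations, which is exactly why the iteration count and, above all, the length of the master password carry the whole scheme.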

Now here's the kicker. All of this is free. Well, almost all of it: if you want to use it from your smart phone's browser, there is a premium version which costs $12/year and gives you a few more features. Most people wouldn't need it (I got it because I wanted to do some of their advanced stuff, but that's because I'm a geek :). The premium version also gives you the option of adding one or more Yubikeys to your account. If you want to know more about what a Yubikey security key is, go to http://yubico.com/ and read about them (it's complicated and far too much to write about in a blog entry, but basically it's a second authentication factor: when you log in you also have to press the button on the key, which proves the key is physically in your hand, so someone who has merely learned your master password still can't sign in to LastPass and pull down your vault). Note that the second factor protects the login, not the encryption; the vault is still locked with the key derived from your master password, so the advice above about choosing a strong one still applies. I have pictured the 3 I bought below - they're small USB plug-ins with one button.

For anyone who's interested, I'd be glad to show them how my Lastpass account works.
