Sincere apologies for the long delay in getting this post out, and thanks to @justinlamo for the question: “Are on-line password storage sites safe?”
Per my promise to all of you to get to the point first, the quick answer: Not 100%, but you should use them anyway.
And the longer response:
How many times have you received an email saying, “Please ignore that odd post/email/request, it seems my account was hacked”? Or worse, how many times have you had to send one yourself? Hacked accounts are a reality of the modern digital age.
Absent turning into a Luddite, your best protection is a strong password for all of your accounts. A strong password is long, nonsense, and composed of a variety of different types of characters (including upper and lower case, numbers, and punctuation like #, !, @, &, etc.). There is a lot written about why you should use a strong password, and you’ve all heard the horror stories, but also check out one man’s explanation as to how easy it is for him to crack your weak passwords. Hopefully that’s convincing enough so I don’t have to dedicate time to hammering the point home. To create your own strong passwords, reference this clear, concise article by Eric Wolfram.
Still, even the strongest of passwords can be compromised. Unsophisticated companies can mess up and store your passwords in plain text, where they can be stolen from the servers; you can expose yourself by falling for a fake site asking for your password (known as a “phishing attack”); or perhaps you simply log in from a public computer and forget to log out. Having your strong password stolen or hacked for one site can cause enough damage, but if you’ve used the same password for all of your social networks, bank accounts, blogs, email and more, the results could be disastrous.
So, the best-practice recommendation for strong password protection is actually to use a DIFFERENT strong password for EVERY site (or at least every category of sites). But, you ask, how can you keep dozens or hundreds of passwords straight? The answer, of course, is that you can’t. That’s where password managers come in.
Password managers in general are pieces of software that store and organize all of your passwords and the associated sites and accounts you use them for. The most rudimentary are simply protected spreadsheets or databases stored as files on your computer; if you can remember one password (the one to open that file), known as the “Master Password,” you can look up all the rest of them as you need them. The trouble with the rudimentary form is that it is a tremendous hassle. Taking time to log into a site is already a barrier to what you are trying to do, and no one wants to make that harder.
So, a new breed of password managers emerged. These new password managers were also form fillers and often came as browser extensions or add-ons. In other words, these password managers work in coordination with your web browser, recognize the site you are on and automatically fill in the needed password. You still need to remember the one master password, but after that, your browsing is much smoother. But, there are problems with this set of managers as well, chiefly:
- If your computer crashes or you delete the files, you’ll lose ALL of your passwords; and
- If you’re away from home, you need to bring the files with you (on a thumb drive, by using Dropbox, or some other way), which is easy to forget.
SO… online password managers were invented. Like the others in the new breed, the online password managers fill your forms and work with your browsers to save you time, but instead of storing all of the information on your own computer, you keep copies online in ways that are accessible across multiple devices.
The concern with keeping this level of sensitive data online is that it too risks being compromised. On the one hand, you’re using a password manager so your sites are more secure, but on the other, you’re storing your sensitive data in the cloud so that it risks being stolen.
There was recently a threatened attack on a reputable online password manager, but the threat was largely overblown. Back in May (when Justin first asked this question), LastPass was attacked, but the CEO has since explained why there was little cause for concern in an article posted by PC World.
The reality is that the risk of your password manager data being stolen, given how securely it is encrypted and the protections the password manager companies have in place, is very small. The tension between privacy and convenience is an ancient one, and convenience always wins. If one option for convenience is a system with dozens or hundreds of attack points (i.e. ANY of your accounts) and the other is a system with one attack point that is heavily guarded (i.e. your online password manager’s server), I recommend going with the latter.
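To make concrete what “one master password unlocks the file” and “how securely it is encrypted” mean in practice, here is an added example (my own illustrative code, not LastPass’s or any product’s): the master password is stretched with a slow key-derivation function into an encryption key and an authentication key, the vault is encrypted and then MAC’d, and the stored blob is all that ever sits on disk or on a sync server. The sample vault entries are constructed, and the HMAC-based stream cipher stands in for the vetted AEAD (e.g. AES-GCM) a real manager would use.

```python
import hashlib
import hmac
import json
import os

# Constructed sample vault for this example; these are not real accounts.
SAMPLE_VAULT = {
    "bank.example": {"user": "justin", "password": "k7#Qp!2vLm9&xR"},
    "mail.example": {"user": "justin", "password": "Zz4@wT8^bN1$qE"},
}
KDF_ROUNDS = 200_000  # PBKDF2 work factor: every master-password guess pays this cost

def derive_keys(master, salt):
    """Stretch the master password into a 32-byte encryption key and a 32-byte MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, KDF_ROUNDS, dklen=64)
    return km[:32], km[32:]

def keystream_xor(key, nonce, data):
    """Counter-mode stream cipher built from HMAC-SHA256 (illustrative stand-in for a real AEAD)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hmac.new(key, nonce + counter, "sha256").digest()
        out += bytes(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)

def seal_vault(master, vault):
    """Encrypt-then-MAC the vault. Layout: salt(16) | nonce(16) | ciphertext | tag(32)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master, salt)
    ct = keystream_xor(enc_key, nonce, json.dumps(vault).encode())
    tag = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    return salt + nonce + ct + tag

def open_vault(master, blob):
    """Verify the tag before decrypting; a wrong master password or a tampered blob raises ValueError."""
    if len(blob) < 64:
        raise ValueError("blob too short to be a vault")
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):  # constant-time compare
        raise ValueError("wrong master password or corrupted vault")
    return json.loads(keystream_xor(enc_key, nonce, ct))

def vault_opens(master, blob):
    """True if the blob decrypts and authenticates under this master password."""
    try:
        open_vault(master, blob)
        return True
    except ValueError:
        return False

def blob_leaks_password(blob, vault):
    """True if any plaintext password appears verbatim in the stored blob (it never should)."""
    return any(entry["password"].encode() in blob for entry in vault.values())
```

The stored blob is useless without the master password, and any modification to it is rejected before a single byte is decrypted, which is why the one heavily guarded attack point is a better bet than dozens of unguarded ones.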
Thus… yes, you should use online password managers. I don’t have a recommendation as to which one is the best as I haven’t tried them all, but LastPass does a very good job. For some other suggestions and help choosing the one that’s right for you, check out the following links:
- PC Magazine – Six Great Password Managers
- LifeHacker – Five Best Password Managers
- TopTenReviews – Password Management Software Review