In light of the widespread internet security vulnerability disclosed this week, known as Heartbleed, Redtail yesterday published what we are doing to address the issue in regard to our solutions. Here, I want to share with you some information on password security, specifically how LastPass might help you to better manage and protect your passwords. Note: there are other password managers out there, but LastPass is an established and respected password manager and the one with which I have experience.
I’ve been using LastPass for about two years. It’s free for use on your computer, but if you want to use it on your phone and/or tablet, you can upgrade to Premium for $12 a year (for a dollar a month, it’s a no-brainer to me, but, even if you don’t go Premium, you should give the desktop version a go to experience just how much time it can save you).
If you aren’t familiar with LastPass, after download you just create one password that you can remember but that would be difficult for anyone to crack, i.e., a combination of upper and lower case letters, numbers, symbols, no dictionary words, etc. When you pull your browser up in the morning, you’ll just log into LastPass from the icon that’s placed in your browser’s toolbar. Then, whenever you go to any of your accounts that require login, you autofill the login info from your LastPass menu icon.
While at the start you’ll need to log in to each of your existing accounts, change the password (by allowing LastPass to generate a random password) and then save the Site to your LastPass vault with the new Password, you’re going to end up saving a lot of time over the years, as you won’t need to search for passwords or click Lost Password links — you’ll have them all stored securely within LastPass. Also, you don’t have to do all of your password changes at once — just start by doing the ones that are most sensitive, i.e., banking, credit card, Facebook, Google, Yahoo, etc.
I store around 180 username/password combos within LastPass (and they are all different). I imagine most of you have a large number as well. But, here was the cool thing about LastPass in regard to the Heartbleed situation: you can run a Security Challenge on all the data you have stored within LastPass at any time to see how strong your protection is currently rated. As of yesterday, a new section was introduced to the Security Challenge Results that lists Heartbleed “impacted sites you have in your vault,” along with a recommended action. Basically, this is a tool that checks all of your websites to see if they are vulnerable to Heartbleed, and whether they’ve updated their security certificates. This is much easier than trying to follow all of your website accounts via Twitter or their blog, etc. to see when they’ve performed the necessary actions. Mine looked like the below:
What this tells me is that I need to go update the password for three of these sites (Ifttt.com, tumblr.com and yahoo.com), but that I need to wait to update passwords for the others listed here until they have updated their security certificate. Note: as this is a rapidly evolving situation, this list will be updated frequently, so you should run the Security Challenge several times a day over the coming week or so in order to stay on top of the data LastPass is pulling in from the sites with which you have accounts.
I believe that this week’s events offer compelling evidence that we should all be more diligent about our own personal security efforts and LastPass is certainly a good first step. In addition to the time it has saved me over the last two years, it has also made handling this week's event much easier in terms of all of my password management.
One final note: for those of you out there who use one password for everything (and many people do), this allows you to carry on with that practice in a sense, as you only have to remember one — just make it one that's gonna be hard to crack!