This post is a continuation of previous post, please find the part I here

Ok, so my password may have leaked - what's a big deal?

What if it was a meaningless password to the minor site, bound with account that does not contain any financial information. No harm done, right? Not really ...

  1. If you were using the same password on any other service / site - you may be in trouble: some evil mind / script may be already crawling via web just to find out whether you do or don't ... And this site may contain completely different sort of information ...

  2. I don't know / haven't heard about such a service, but I'm 100% sure that even if it doesn't exist YET, it will appear one day: I'm talking about service where anonymous hackers could sell collected, personal information for selected (via name, address or some similar information) individual (hacked earlier, due to volumentric breaches - not attacks targetted on individual). I'm more than sure that there would be a lot of people who'd like to use such an opportunity (pay-per-hack) to do harm against someone they dislike (or even more ...). Each leaked quantum of information - even something theoretically meaningless - may be used for matching / aggregation purpose - to corelate data that doesn't seem to have much in common.

Armed to the teeth

Chin up! You're not without means to defend yourself ...

2FA

One of the best ideas so far is 2FA - Two Factor Authentication - authenticating yourself with something you know (like password) AND something you have (like hardware OTP token or mobile phone). This method gets more & more popular - especially in the on-line games & banking. An important factor of this popularity boost may have been the Google Authenticator - adding 2FA to your service has never been that easy.

But there's a drawback - 2FA IS cumbersome & takes more time than usual authentication: using it for authentication in every service you use would be just to painful & plainly irritating.

Outsorcing duty

If you can't solve the problem on your own - outsource it :) This old truth works perfectly in this case as well: if you have the problem with managing passwords: get a piece of software to do that for you - a Password Manager.

What can a Password Manager do for you?

  • it can keep information about your passwords in the safe (but still synchronized via the web) way
  • it can (due to browser plugins) automate the input of passwords (so you don't have to type itself, etc.)
  • it can generate random passwords - different for each service / applications: and this randomness won't be a problem, due to the points above
  • good password managers are multi-platform: they play they role regardless of what kind of hardware / OS you're using: your mobile, tablet, PC, etc.

Notable players

I will just mention the few I've checked most thoroughly:

  • 1Password - iconic password manager, initially only on Apple stuff, but not anymore. Once a reference of what password manager should be capable of, now it's lacking many features competition already has. Very expensive (when compared to its alternatives).

  • KeePass - already mentioned above, OSS community's answer to 1Password. Not very convenient to use, but still useful & you don't have to pay at all.

  • LastPass - the new king of the hill: impressive list of features, reasonable free version (but paying for premium still makes sense) & cheap premium one; there were some complaints about it's overall look & feel, but those have improved A LOT since LastPass 3.0. My favourite features: massive import options, perfect browser (all major) integration & nice security check with sensible rating.

  • DashLane - the eye candy - best looking password managers that will most likely meet all your needs (even if its functionality is more limited than LastPass'es one). Cons: more expensive than LastPass, more restricted development (not able to deliver new features improvements as frequently as LastPass), ocassional glitches. Noticeable pros: in terms of usability, integration & ease of use - not that far from perfection.

Hopefully I've convinced you already: getting a Password Manager is the best thing you can do to help your personal information security. It brings some new risks, indeed (single point of failure, relying on Password Manager which is still a piece of software) - but I prefer to rely security-related concerns on one supplier that excels in this very area, instead of trembling about my data leaking to the internet without me even noticing it.

Share this post