Friday, May 23, 2014

Through with Passwords? Almost.

...if you're like me, you hate passwords with a passion.

They're almost gone from our lives, but it won't happen for some time yet. (Even if it takes another 2 years, that's about a generation and a half in Internet Years.) In the meantime, there is hope!

LastPass Access Manager
I feel quite guilty about it myself, because I spent years telling people how to create and manage strong passwords.  (You know, have a good standard password to protect your casual assets, a unique strong password to protect your employers' resources, your money and so forth ... and change them periodically to minimize risk of exposure.)

The problem is, that even while I was willing to pass along that "wisdom," I have a strong opinion about locks, security measures, and needlessly intrusive authentication systems. When we talk about security stance, here's mine:

A security system has value in inverse proportion to the difficulty and irritation it presents to the legitimate users of the system it means to protect.

If my security system locks me out regularly, the cumulative "cost" of that exceeds the potential risk of having an intruder compromise my system.

It's clear today that using passwords to access our online assets has become a "lock with too high a price." Almost every single day I find myself wrestling with some system that validates my identity. This one has a password that's expired, that one has a byzantine rule set for how my password can be constructed, this other one has a password that I assigned when it was late at night and I was "highly creative."

While we love the idea of single-sign-on, there is really a federation of sign-on mechanisms, and they don't even work all the time.  (Don't you love the "sign on with Facebook or Twitter" buttons that seem to have proliferated? I do, but sometimes they don't do the job.)

While we wait for a better way to authenticate ourselves online, there is at least some help to be had.  That help comes from a password manager.

There are a number of good choices you can consider. I'll just mention three here.

If you use a Mac and only need to sign in from your computer, you can use the Keychain.  If you use Google Chrome or Firefox, you can allow the browser to manage your passwords for you.  (I don't know about Internet Explorer, I didn't go into the Burger King.) Actually, some of these tools can work on your mobile devices too, depending upon circumstance.

After the recent Adobe compromise (and then Heartbleed, and now eBay), I thought to read up on the matter, and decided to try LastPass.

This is a password manager that is suitable for multiple platform use (I use it on my Mac, my PC, my iPad, and my Android phone).

At the basic level, it's free, but if you want to unlock some of the more sophisticated features, you'll have to subscribe. I use the free level now, but am nearly convinced that the value proposition for the subscription is worthwhile.

It took me just about an hour to do the reading and install the software.  (It might not take you that long, but I recommend doing this work carefully. It's at the heart of your information security.)  I found the tool easy enough to use, to add to my browser, and to get installed on mobile devices. (It's the mobile devices and improved multi-factor authentication that will require the subscription license.)

In the end, I think this is superior to the system many of my colleagues confess to using. (If you also have a spreadsheet somewhere with your accounts and the passwords written down, you might consider this to be an improvement.)

Give it a look and see if it's right for you.