Our Thoughts on LastPass Breach and Password Hygiene

Today's "always online" world pretty much forces us to have multiple accounts on multiple websites. A proper security policy is not to reuse the same password across all of those sites, but then tracking and remembering all of those passwords is hard, and that is exactly what LastPass-like solutions are trying to do for us.

While using an online password storage service makes our lives easier, because we only have to remember one master password instead of 30, it also creates a single point of failure in case our master password is revealed, and that single point of failure is out there on the internet, accessible to anyone who wants to try and hack it.

Basically, the whole "password" attitude is very old fashioned - we need to shift to the "passphrase" approach. Where a password is usually a word or a combination of characters, a passphrase is something a little longer than a password, yet easier to remember. For example, a password can be something simple like "FishCake1986$" and a passphrase can be "I lOve fishcake!" The passphrase is easier to store in our memory and yet harder to crack.
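To put numbers on "easier to remember and yet harder to crack", here is an added example (not code from the post or from Cybereason) that scores the two secrets above under a plain brute-force model: the attacker is assumed to know which character classes a secret uses and to try every combination of that pool, so the work is length times log2(pool size). The 1e10 guesses per second rate is a constructed placeholder, not a measured figure.

```python
import math
import string

# Character classes for the brute-force strength model. Assumption (not from
# the post): the attacker knows which classes the secret draws from and tries
# every combination of that pool, so work = length * log2(pool size).
CLASSES = {
    "lower": set(string.ascii_lowercase),       # 26
    "upper": set(string.ascii_uppercase),       # 26
    "digit": set(string.digits),                # 10
    "symbol": set(string.punctuation + " "),    # 32 punctuation marks + space = 33
}


def classes_used(secret: str) -> set:
    """Names of the character classes that actually appear in the secret."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in secret)}


def pool_size(secret: str) -> int:
    """Distinct characters an exhaustive attacker must consider per position."""
    return sum(len(CLASSES[name]) for name in classes_used(secret))


def brute_force_bits(secret: str) -> float:
    """Bits of work for exhaustive search. Every position is treated as an
    independent uniform choice from the pool; that is the model's optimistic
    assumption, since a wordlist attack on 'fishcake' does far better than
    brute force. Length is still the dominant term, which is the post's point."""
    return len(secret) * math.log2(pool_size(secret))


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Years needed to try the whole space at a constructed guess rate
    (1e10/s is a placeholder for an offline cracking rig, not a measurement)."""
    return (2.0 ** bits / guesses_per_second) / (365.25 * 24 * 3600)


def compare(password: str, passphrase: str) -> dict:
    """Summarise both secrets under the model; 'passphrase_wins' is the
    comparison the post makes in prose."""
    pw_bits, pp_bits = brute_force_bits(password), brute_force_bits(passphrase)
    return {
        "password": {"length": len(password), "pool": pool_size(password),
                     "bits": round(pw_bits, 1), "years": years_to_exhaust(pw_bits)},
        "passphrase": {"length": len(passphrase), "pool": pool_size(passphrase),
                       "bits": round(pp_bits, 1), "years": years_to_exhaust(pp_bits)},
        "passphrase_wins": pp_bits > pw_bits,
    }


if __name__ == "__main__":
    # The two secrets the post uses as illustrations.
    result = compare("FishCake1986$", "I lOve fishcake!")
    for name in ("password", "passphrase"):
        r = result[name]
        print(f"{name:10s} len={r['length']:2d} pool={r['pool']:3d} "
              f"bits={r['bits']:6.1f} years={r['years']:.3g}")
    print("passphrase wins:", result["passphrase_wins"])
```

Under this model "FishCake1986$" draws from a 95-character pool for about 85 bits, while "I lOve fishcake!" uses a smaller pool (no digits) but its 16 characters give about 103 bits, so the extra length more than pays for the missing class. The model is only an upper bound: both secrets contain the dictionary word "fishcake", and a real cracking tool with wordlists and common substitution rules will get far below these numbers, which is why length and unpredictability matter more than sprinkling in symbols.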

While the shift to passphrases is important, another important thing is Multi-Factor Authentication (MFA), which is based on the principle of "something you know and something you have" - a password/passphrase that you know and another temporary password (usually numeric) that changes every time. Google provides a free tool for developers to implement MFA, called Google Authenticator. MFA is very popular in the banking industry in the form of a keychain token with a small LCD screen that displays a series of numbers that changes every few minutes. Those numbers are the second factor of authentication.

My advice would be to keep passwords/passphrases offline on ancient solutions such as a notebook. In case you want to take the passwords/passphrases with you everywhere and you are afraid of losing the notebook, there is always the option to store the passwords/passphrases on a flash drive and encrypt them.

Any regular notebook will do - don't be a fool and buy one of those notebooks.

If you are looking for an organizational solution, using biometric data (such as fingerprints) for authentication is a widely accepted solution in a lot of organizations today. Another solution would be to use certificates and secure them with complicated passphrases.

About the Author

Lital Asher-Dotan

Lital is a Marketing Team Leader, Storyteller and Technology Marketing Expert. She joined Cybereason as the first marketing hire and built a full marketing department. She specializes in brand building, product marketing, communication and content, and is passionate about building ROI-driven marketing teams.