Tuesday, 7 February 2012

Lastpass or Keepass?

At the office today we were discussing which is better - Lastpass or Keepass?

The answer is: it really doesn't matter. Using either is vastly better than what the majority of the population uses for staying secure online.

This point was hammered home in my mind when I got back from work to see a Facebook update which said the following:
some **** in London has hacked into my account and ordered himself a nice new expensive mobile on my account, time to change all passwords I think

Now I don't know all the details, but it's more than likely the culprit was poor password security. The victim was very likely to be using the same password for several or all of their logins, and that password was probably "easy to remember", exactly the property which makes it easy to hack.

Both of the above solutions allow you to achieve the same goal, which is to stop you having to remember a boatload of passwords, and just concentrate on remembering one strong password or phrase.  From that starting place, every site you visit can have a unique, random, long (>12 character) and therefore secure password.  You don't have to remember all these passwords because the password vault does it for you, even filling it into web pages at the right time.  If one site is hacked, all your other passwords are still secure.
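To make that vault model concrete, here is an added example in Python (not LastPass or KeePass code; the function names, the PBKDF2 parameters and the 16-character default are my own assumptions). It stretches one master passphrase into a vault key, generates a unique random password per site, and shows that a password leaked from one site opens none of the others.

```python
import hashlib
import math
import secrets
import string

# Simplified model of a password vault (added example, not any product's code).
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def derive_vault_key(master_passphrase: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Stretch the single master passphrase into a vault key with a slow, salted KDF.

    PBKDF2-HMAC-SHA256 is an assumption here; KeePass and LastPass each use their
    own KDF and parameters, but the principle (salt + deliberate slowness) is the same.
    """
    return hashlib.pbkdf2_hmac("sha256", master_passphrase.encode("utf-8"), salt, iterations)


def generate_site_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG; nobody has to remember it, the vault does."""
    if length < 12:
        # The post's rule of thumb: longer than 12 characters.
        raise ValueError("site passwords should be longer than 12 characters")
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(password: str, alphabet: str = ALPHABET) -> float:
    """Entropy of a uniformly random password of this length over this alphabet."""
    return len(password) * math.log2(len(alphabet))


def build_vault(sites, length: int = 16) -> dict:
    """One independent random password per site."""
    return {site: generate_site_password(length) for site in sites}


def blast_radius(vault: dict, leaked_site: str) -> list:
    """Other sites whose login would accept the password leaked from one breached site."""
    leaked = vault[leaked_site]
    return [site for site, pw in vault.items() if site != leaked_site and pw == leaked]


if __name__ == "__main__":
    # Constructed demo: a vault of three sites and a breach at one of them.
    key = derive_vault_key("correct horse battery staple", salt=secrets.token_bytes(16))
    vault = build_vault(["mail", "bank", "shop"])
    print("vault key bytes:", len(key))
    print("sites also exposed by a leak at 'mail':", blast_radius(vault, "mail"))
    print("entropy of one generated password: %.1f bits" % entropy_bits(vault["mail"]))
```

With password reuse the same check lists every other site; with the vault it lists none.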

The problem is nicely summed up by what's known as the Dancing pigs problem, which states:
Given a choice between dancing pigs and security, users will pick dancing pigs every time
People would rather not care about this sort of stuff, but it's important, because when it goes wrong it will be, at best, a whole lot of hassle.
