Apr 26, 2013

For the Love of Security: Happy Birthday LastPass & End-of-Week Link Round-Up

The LastPass team has reached another milestone this month - our 5 year anniversary!

What an incredible 5 years it's been. As always, we want to thank all of our loyal users who found us, supported us, recommended us, and have continued to provide valuable feedback - we're working hard to improve the service for you and make your online life easier. And of course, we want to acknowledge all of the folks on the LastPass team, for everything you do to make LastPass the wonderful company and product that it is - including the insane number of hours you work to make it all happen.

Here's to many more!

Articles that caught our eye this week:
  • CBS affiliates see Twitter accounts hijacked; password security in focus << The accounts of 60 Minutes, 48 Hours, and a Denver news affiliate were hacked and suspended last weekend. The article highlights the need for a password manager to create unique, strong passwords, and the renewed discussion on two-factor authentication for Twitter accounts. We agree that laziness and friction are two of the biggest obstacles to changing online security behaviors, but increased education and awareness in the media will help significantly.
  • UK adults taking online password security risks << Not a surprise: UK communications watchdog Ofcom published a study showing that 55% of adults admit they use the same password for most if not all of their online accounts, and 25% report they have trouble remembering passwords. However, there are positive trends of increased awareness of security features and products, which we believe will continue to improve, given the increasing number of online accounts the average internet user has, as well as the visibility of hacks and security issues in the mainstream media.
  • Twitter Two-Factor Authentication is Obvious - and Necessary << A great op-ed from Lance Ulanoff at Mashable that argues for better protection of Twitter accounts through password management and the use of two-factor authentication. With hacks of accounts like AP that have shown how damaging the repercussions can be, we agree with his points. Given the positive improvements we've already seen from Twitter, we hope they continue to set a precedent in their approach to security.
What caught your attention recently? Share in the comments below!

Enjoy the weekend,
The LastPass Team

Apr 22, 2013

How to Create a Secure Master Password

One of the greatest benefits of using LastPass is that it remembers all of your passwords for you, so you can generate strong, unique passwords without the hassle of recalling or typing them. Because you are storing all of your sensitive data in LastPass, though, creating a master password that is rock-solid while still being memorable is even more important.

We recommend a simple strategy for creating a long, non-dictionary-based, difficult-to-crack master password: use passphrases.

What is a passphrase?

A passphrase is typically a sequence of words or text strung together to create a password for logging in to an account. The difference between a passphrase and a password is that a passphrase is typically longer and uses whole words or variations of whole words to create nonsensical sentences or phrases that are easy for you to remember, but hard for someone else to guess or crack. 

How to create your strong passphrase:

The key to creating a strong passphrase is to pick a string of words that's easy for you to remember but is not just a famous movie or literary quote, song lyric, piece of personal information, or a single word straight from the dictionary. The best passphrases will also include a mix of capitalization, punctuation, and numbers.

Given those parameters, let's look at an example, choosing words at random that don't really have a relation to each other but that hold meaning for you:


That's a 27-character nonsensical phrase that will still be easy to remember. Now if we really want to increase the strength of the phrase, we can then add a better mix of character types:


So now, we have a 28-character master password, with lowercase, uppercase, a number, and some symbols.

Of course the longer and more complicated you make the passphrase the more carefully you'll need to type, and the harder you may have to work at memorizing the master password at first. Even using "volkswagensummeryellowtulip" is far better than using "password" or one of the other common passwords or single dictionary words.
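As an added example (not LastPass code), the sketch below covers the case where the words are drawn by a random generator instead of picked by hand, so the passphrase strength can be estimated from the list size and the number of words. The 16-word list and the 64-bit target are constructed for illustration; 2048 and 7776 are common word-list sizes (7776 is a five-dice Diceware list).

```python
import math
import secrets

# Constructed 16-word sample list (assumption, far too small for real use).
SAMPLE_WORDS = [
    "volkswagen", "summer", "yellow", "tulip", "anchor", "biscuit", "canyon",
    "dolphin", "ember", "falcon", "granite", "harbor", "island", "jigsaw",
    "kettle", "lantern",
]

def passphrase_entropy_bits(wordlist_size, num_words):
    """Bits of entropy when each word is drawn uniformly and independently."""
    if wordlist_size < 2 or num_words < 1:
        raise ValueError("need at least 2 candidate words and 1 pick")
    return num_words * math.log2(wordlist_size)

def words_needed(wordlist_size, target_bits):
    """Smallest number of random words that reaches target_bits."""
    return math.ceil(target_bits / math.log2(wordlist_size))

def generate_passphrase(wordlist, num_words, separator="-"):
    """Pick words with the OS CSPRNG; duplicates are removed so picks stay uniform."""
    words = sorted(set(wordlist))
    if len(words) < 2:
        raise ValueError("wordlist too small")
    # A separator keeps word boundaries unambiguous (e.g. "in"+"put" vs "input").
    return separator.join(secrets.choice(words) for _ in range(num_words))

if __name__ == "__main__":
    phrase = generate_passphrase(SAMPLE_WORDS, 4)
    print(phrase, f"{passphrase_entropy_bits(len(SAMPLE_WORDS), 4):.1f} bits")
    # Illustrative 64-bit target: the smaller the list, the more words it takes.
    for size in (16, 2048, 7776):
        print(size, "words in list ->", words_needed(size, 64), "words for 64 bits")
```

The estimate only holds for words chosen by the generator; words picked because they are personally meaningful are easier to guess than the arithmetic suggests.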

XKCD's now famous comic about password entropy drives the point home:

Ready to update your master password with your new passphrase? You can do so by opening your LastPass Vault and clicking the "settings" menu option on the left, then submitting your changes.

What are your strategies for creating a strong master password?