About a week ago I discovered that some hacker managed to get a hold of 99Bitcoins’ email addresses and started spamming our mailing list. If you’re on the email list then you probably already received my official apology for this. If you’re not, then this shouldn’t matter to you anyway. Since then I’ve taken measures to secure the email records and now things are back to normal more or less.
However, this whole fiasco got me thinking a bit more about security, and that’s what I want to devote today’s post to. So today I’m going to show you:
- Just how weak your own passwords are,
- How I lost $1500 because I used the same password over and over again (sound familiar?)
- Finally, review the best password managers around (including a Bitcoin related password manager).
How a weak password cost me $1500
Somewhere around 2010 I was running all sorts of marketing campaigns on Google Adwords, Yahoo! and Bing. I had my credit card on file with each of these accounts, and not being too preoccupied with security I used the same password on all of my accounts.
At the time I thought my password was secure. It was “x9Jevslt” – seems pretty hard to guess, right?
However, one day I received an email saying that my account had been reloaded with funds. Since I didn’t have any active campaigns running at the time, I decided to check what this email was all about. When I logged into my account I found out that $1500 had been spent from my credit card on Google ads in order to promote some scam website that claimed to sell computers.
At the same time, my Paypal account (that of course had the same password) was drained by another few hundred bucks. Luckily enough I was reimbursed for my losses by the credit company and Paypal but I’ve also learned a very important lesson.
Ever since I’ve been taking password management pretty seriously by employing the following methods:
- Use a different password for every site
- Use lengthy passwords with symbols and non-standard characters
- Change my most important passwords once a month
Even though it may sound hard to live such a lifestyle so to speak, today’s password managers can easily take care of all 3 tactics for you. But before getting into that let’s see just how easy it is to crack your password.
Is your password good enough? Let’s put it to the test…
Many people out there think that their password is super strong, and so did I. Here’s a very simple tool that will show you just how strong (or weak) your password really is. If you try entering my old password (x9Jevslt) you can see that it will take a computer about 2 hours to crack it. Put in any password with fewer characters (mine had 8) and it will take a computer around 7 minutes to crack it.
So does this mean your password is going to get cracked? Not necessarily…
There’s an old joke about two men who are walking through the woods when a large bear walked out into the clearing no more than 50 feet in front of them. The first man dropped his backpack and dug out a pair of running shoes, then began to furiously attempt to lace them up as the bear slowly approached them. The second man looked at the first, confused, and said, “What are you doing? Running shoes aren’t going to help, you can’t outrun that bear.” “I don’t need to,” said the first man, “I just need to outrun you.”
I know, the joke sucks…but it makes a good point. When dealing with password security, most of the time you don’t need to have THE most secure password, you just have to be more secure than the guy next to you.
Using a password manager will make sure you don’t have any repeating passwords, so even if one gets hacked all of the others are safe. It will also allow you to generate much more complex passwords than the ones you currently have.
Moreover, password managers have an “auto fill” feature so that you can log into most websites with just a mouse click. This prevents malicious keyloggers that spy on your keystrokes from learning your password.
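To make the two points above concrete (how quickly a short password like x9Jevslt falls to exhaustive guessing, and why a manager’s generated passwords and no-reuse policy matter), here is an added example that is not part of the original post. The guessing rate, the generated-password alphabet and the sample vault are my own assumptions; the “tool” mentioned in the post is not this code.

```python
import math
import secrets
import string

# Assumed offline guessing rate (constructed figure, not from the post):
# roughly one GPU against a fast unsalted hash.
GUESSES_PER_SECOND = 1e10

def charset_size(password: str) -> int:
    """Size of the smallest standard alphabet covering every character used."""
    classes = [(string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
               (string.digits, 10), (string.punctuation, 32)]
    size = sum(n for chars, n in classes if any(c in chars for c in password))
    if any(c not in string.printable for c in password):
        size += 100  # rough allowance for non-ASCII characters (assumption)
    return size

def entropy_bits(password: str) -> float:
    """Bits needed to index the full search space (an upper bound on strength)."""
    return len(password) * math.log2(charset_size(password))

def seconds_to_crack(password: str, rate: float = GUESSES_PER_SECOND) -> float:
    """Expected time for an exhaustive search: half the space on average."""
    return charset_size(password) ** len(password) / 2 / rate

def generate_password(length: int = 20) -> str:
    """What a password manager does: a CSPRNG draw over the full alphabet."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))

def find_reused(vault: dict) -> dict:
    """Map each password used on more than one site to the sites sharing it."""
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {p: s for p, s in by_password.items() if len(s) > 1}

# Constructed sample vault mirroring the reuse pattern described in the post.
SAMPLE_VAULT = {"adwords": "x9Jevslt", "paypal": "x9Jevslt",
                "bing": "x9Jevslt", "forum": "Tq7#vLm2pX!e"}

if __name__ == "__main__":
    old, new = "x9Jevslt", generate_password()
    for pw in (old, new):
        print(f"{pw}: {entropy_bits(pw):.0f} bits, "
              f"{seconds_to_crack(pw) / 3600:.2g} hours at {GUESSES_PER_SECOND:.0e}/s")
    print("reused:", find_reused(SAMPLE_VAULT))
```

At the assumed rate the 8-character password lasts about 3 hours, while a 20-character generated one runs to many millennia; the reuse report is the audit that the post notes some managers do and others do not.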
Now that I’ve hopefully convinced you of the advantages of a password manager, let me introduce you to some of the more recommended ones around.
Roboform – My personal password manager
I decided to start out by reviewing Roboform, since it’s my personal password manager and I’ve been using it since 2010. Like most password managers, it allows you to generate a different password for every website you sign up to, store these passwords in its database and autofill forms online.
Every time I want to log into a website I can use the Roboform Chrome extension to auto-populate the username / password fields and quickly log me in. Roboform is a cloud-based solution, so you can easily access your passwords from multiple devices.
The way your passwords are kept secure in Roboform is through the use of one “master password”. The master password shouldn’t be written down anywhere and should be memorized by heart. This is somewhat of a standard practice with all password managers, as you’ll soon see, and it’s also their major disadvantage, since if someone obtains your master password all of your passwords are basically exposed.
The main downsides to using Roboform are that it doesn’t call out weak passwords and also doesn’t use 2 factor authentication (2FA) on mobile. 2FA is an additional security measure that protects your passwords even if someone got a hold of your master password: after you log into your account you will also need to enter an access code that is sent to your mobile phone.
All in all I’ve been using it for 6 years now and I’m very satisfied (until I wrote this review).
LastPass – The most popular password manager around
LastPass is probably the most popular password manager out there. It has a very robust free version that will allow you to save all your passwords, autofill forms and also sync passwords across devices of the same type (i.e. desktop, tablets, etc).
LastPass has some extremely useful features such as password sharing. This means that if you want someone to log into an account you own, you can just send them an email that will allow them to log in but not view your actual password for that account. I think this can come in handy if you’re working a lot with freelancers who need access to your servers.
LastPass also adds 2FA protection to your account using Google Authenticator, so even if your master password is compromised, the hacker will still not be able to access your account. You can also install a 2FA application on any flash drive and enable authentication only when the flash drive is connected to the computer (similar to how a TREZOR works).
At $1/month this is probably the best value for money password manager you can find.
TREZOR – Using your Bitcoin wallet as a password manager
SatoshiLabs announced TREZOR Password Manager, a new lightweight application designed to store and manage passwords. The Chrome extension is available for public beta testing for all TREZOR hardware wallet owners.
TREZOR Password Manager aims to bring advanced cryptography into the hands of computer users regardless of their skill level. With one click, the user encrypts each password entry with his personal TREZOR device. The Password Manager then automatically uploads the encrypted data to the user’s private cloud storage, making it always available when needed.
The most refreshing thing about using TREZOR’s password manager is that it eliminates the master password that can be hacked. Similar to what LastPass does with a flash drive, the TREZOR device itself can serve as a physical 2FA, unlocking your passwords only when the device is physically connected to your computer.
Also, since TREZOR uses a PIN entry that is protected against any type of malware, it’s basically un-hackable. If you want to learn more about how TREZOR avoids the hazard of keyloggers, take a look at this video demonstrating the device.
Your passwords will be saved in your Dropbox account and encrypted with a unique encryption key derived from the TREZOR. So even if someone hacks your Dropbox account, it would be almost impossible to read the stored passwords.
At the moment TREZOR’s password manager is probably the most secure password manager around but also the most inconvenient for everyday use, since it requires you to physically connect your TREZOR and approve certain actions on it. It’s also currently lacking some key features due to the fact that it is in public Beta, but this will definitely be an application you’d want to keep your eye out for.
Price: $99 (one time payment for the TREZOR wallet)
Dashlane – The password manager I’m probably switching over to
Before writing this review I was pretty happy with my password manager, until I read about Dashlane. Even though it’s not as popular as LastPass (yet), it seems to be gaining traction fast. The things that distinguish Dashlane from the rest of the password managers are:
- It can act as a digital wallet that saves all of your different payment methods. You can then pay with one click.
- It has a password changer feature which is HUGE in my opinion. You see I tend to change my most important passwords every month or so, but at the moment I do it manually. Tech experts at Dashlane have analyzed hundreds of popular sites in order to devise scripts that automate the password change process. That lets Dashlane perform a hands-off password update for any supported site, and with Version 4 the list of supported sites jumps from 200 to 500.
- It has an “emergency contact” feature. So if something unfortunate happens to you, you are able to define who will get access to what passwords.
All of the other features I’ve mentioned in other password managers are also included here, and there’s also a free version that’s pretty robust.
I’ll probably be switching over to Dashlane soon mainly due to the “password changer” feature…
Keepass – The open-source solution for password managing
As always, there is the free open-source solution. Keepass is a pretty popular option that stores your passwords in an encrypted file on your computer. It has all the basic password manager features, including autofill and password generation.
The main downside to Keepass is that it’s pretty unintuitive, but if you’re willing to go the extra mile in order to save a few bucks, that’s totally fine. Here’s a video preview of the product (with some annoying music, so turn off the speakers):
Nothing is ever 100% secure
To sum up this post let me say this: I AM NOT A SECURITY EXPERT. I’m just a guy who has a lot of sensitive information stored online that’s trying to secure it as much as possible. Nothing will ever be 100% secure and if someone is deliberately targeting your passwords, they’ll probably find a way to get them.
Just to illustrate my point you can read the story of Shapeshift’s hack, which is one of the most interesting articles I’ve ever read about a theft from a digital currency exchange. In this case someone was deliberately targeting a specific site and person.
However in most cases no one is targeting you directly. Hackers are just trying to catch the “low hanging fruit”, the passwords that are easiest to obtain. So making it that much harder for them by using a password manager will probably be worth the investment.
If you are using any password manager I’d love to hear your own experience with them in the comment section below. Stay safe!