The idea behind password managers is to have someone else safeguard all your pa$$words and $ign0nphras3s from loser hackers with nothing better to do than make your life miserable.
So what happens when your password manager gets hacked, and your deepest, darkest secret passwords (b00b00kitty, Studmuff!n, h0tl0vinmama) — the ones to your bank accounts, your photo cache, your email, your Facebook page, even your online dating profile — are suddenly at risk?
One of the Internet's most popular cloud-based password managers, LastPass, announced on June 15, 2015, that user email addresses, password reminders and other account data had been compromised by hackers. LastPass, in a blog post to users, said the most sensitive data, the encrypted password vaults themselves, was not exposed.
Still, the episode spurred another round of eyebrow-furrowing among Internet users who are constantly bombarded with news of hackers stealing personal information.
The Sony hack. The Celebrity iPhone Nude Photos hack. The Target hack. The federal government's Office of Personnel Management hack. News broke recently that the St. Louis Cardinals baseball team was hacked — allegedly by the rival Houston Astros.
Password managing software is supposed to help. And, clearly, it's better than going with no protection at all. Or using the same, stupid, worn-out passwords. (The most popular password of 2014? 123456.)
But is it enough?
How they work
Password managers like LastPass are designed for security, with the added benefit that users must remember only one password: the master password to their account. All the other passwords in your online life, to bank accounts, photos, email, Facebook and that online "h0tl0vinmama" dating profile, are encrypted with a key derived from that master password and stored in the service's vault, so the service itself never holds them in readable form. (Master passwords and the contents of users' vaults were not compromised in the LastPass incident, the company says.)
In these systems, your master password is never stored anywhere as plain text. According to a Macworld article, when you type it in, services like LastPass don't compare it against a copy kept someplace in cyberspace. Instead, they run it through a one-way "hash" function (a standard, deliberately slow one such as PBKDF2, not a secret recipe), mixed with a random per-user value called a salt, and compare the result with the hash that was computed the first time you signed on. If the two match, you're good to go. The same master password, run through a similar derivation, also produces the key that unlocks your vault, which is why a stolen vault is useless without it. The flip side: anyone who steals the stored salts and hashes can feed guesses through the same function at their leisure, with no lockout, so a weak master password can still be cracked offline.
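Here is what that looks like in code. This is an added illustration, not LastPass's own code, and the iteration count and salt size are placeholders chosen so the demo runs in a moment (a real service uses a far higher count). It uses the PBKDF2 function in Python's standard library, shows enrollment and sign-on, and then shows what a thief does with a stolen salt and hash, using a tiny constructed "common passwords" list.

```python
import hashlib
import hmac
import os
from typing import List, Optional

# Placeholder parameters for this demo only. A real service uses a far higher
# iteration count; it is kept small here so the example runs quickly.
ITERATIONS = 20_000
SALT_BYTES = 16


def enroll(password: str, iterations: int = ITERATIONS) -> dict:
    """First sign-on: pick a random salt, hash the password, keep salt + hash.
    The password itself is never written anywhere."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "hash": digest}


def verify(record: dict, attempt: str) -> bool:
    """Every later sign-on: re-run the same function with the stored salt and
    compare. compare_digest takes the same time whether or not the bytes match,
    so an attacker learns nothing from how long the check took."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode("utf-8"), record["salt"], record["iterations"]
    )
    return hmac.compare_digest(digest, record["hash"])


def offline_guess(record: dict, wordlist: List[str]) -> Optional[str]:
    """What a thief does with a stolen salt + hash: try guesses locally, with no
    rate limit or lockout. Only the slow hash and a strong password stand in the way."""
    for guess in wordlist:
        if verify(record, guess):
            return guess
    return None


# Constructed sample data for the demo: a tiny "most common passwords" list.
COMMON_PASSWORDS = ["123456", "password", "qwerty", "b00b00kitty", "letmein"]

if __name__ == "__main__":
    weak = enroll("b00b00kitty")
    strong = enroll("kXq9!vR2#pL7mN4w")
    print("login works:", verify(weak, "b00b00kitty"))
    print("wrong password rejected:", not verify(weak, "B00b00kitty"))
    print("weak hash cracked offline as:", offline_guess(weak, COMMON_PASSWORDS))
    print("strong hash survives the wordlist:", offline_guess(strong, COMMON_PASSWORDS))
```

Because every user gets a fresh salt, two people who both chose "123456" end up with different hashes, so a thief can't crack the whole customer list with one pass; each account has to be attacked separately, and at 20,000 (or far more) hash rounds per guess that adds up.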
Most services have other layers of security — some, several layers — that make cracking passwords and getting sensitive information extremely difficult. Still, critics point out that hunting down passwords and bowling past security is what hackers do. They live for it.
And, they say, anything that is stored in the cloud — anything — is a target.
What you can do
Many critics of cloud-based password services advise, first, to get off the cloud. They favor managers that store all that critical information locally, on your computer or, say, your phone. A vault that lives only on your device isn't sitting in one big database with millions of others, so it's a far less attractive target. The trade-off: if that device is lost, wiped or infected, the vault goes with it, and backing it up is now your job.
Whether you do that or stick with the cloud, another important step to take to protect your accounts is two-factor authentication (alternately, two-step verification). Many sites now offer it, and the list is growing. It works, simply and generally, like this:
You sign on with your username and a password. The site you're trying to sign onto sends you a text message with a unique, short-lived code. You type in that code. You're in.
It can work other ways, as with a built-in code generator app on your phone, and that is the stronger option: a text message can be intercepted, or redirected to a thief who talks your carrier into moving your number, while the app's codes never leave the device. Either way, two-factor authentication (2FA) adds that critical second step. It's increasingly recommended because a password alone can be stolen; with 2FA you also need something else, like your phone (which hackers probably won't have).
Google has a simple video explaining its two-step verification process.
Other steps to take
Security experts say never use the same password at more than one account. If a hacker cracks one, every other account that shares it is in danger: stolen password lists are routinely tried against other sites. Many password managers will take care of this for you, generating a unique, random password for each site.
If you don't use a password manager, make sure you vary your passwords, and make sure they're strong: long, random strings with a mix of letters, numbers and symbols if possible. And find a safe way to remember them. There are sites that will generate random passwords for you. Google has more tips here.
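For the curious, this is what a decent generator does under the hood. It is an added example, not the code of any manager or site mentioned above; the 16-character default and the four character classes are this example's own choices. It draws from the operating system's cryptographic random source rather than an ordinary random-number function, and it puts a number on "strong" by computing how many bits of guessing a random string of a given length represents.

```python
import math
import secrets
import string

# Character classes a generated password draws from (this example's choice).
LOWER, UPPER = string.ascii_lowercase, string.ascii_uppercase
DIGITS, SYMBOLS = string.digits, string.punctuation
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # the 94 printable ASCII characters


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing work for a uniformly random string: log2(alphabet_size ** length).
    Sixteen random characters over 94 symbols is about 105 bits, which no wordlist
    or brute-force run will reach; "123456" is a single entry on every list."""
    return length * math.log2(alphabet_size)


def generate_password(length: int = 16, alphabet: str = ALPHABET,
                      require_all_classes: bool = True) -> str:
    """Draw each character with `secrets` (the OS CSPRNG), never the `random`
    module, whose output can be predicted from a handful of samples. When a site
    insists on a mix of classes, re-draw the whole string until it qualifies:
    forcing one character per fixed position would skew the distribution."""
    classes = [cls for cls in (LOWER, UPPER, DIGITS, SYMBOLS) if set(cls) & set(alphabet)]
    if require_all_classes and length < len(classes):
        raise ValueError("password too short to contain every character class")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_all_classes or all(any(c in cls for c in candidate) for cls in classes):
            return candidate


if __name__ == "__main__":
    for n in (8, 12, 16, 24):
        print(f"{n} chars: {generate_password(n)}  (~{entropy_bits(n, len(ALPHABET)):.0f} bits)")
```

The bit count is the real measure of strength: it depends on length and alphabet size, not on clever substitutions. "Studmuff!n" looks exotic but is a dictionary word with two swaps, exactly the pattern cracking tools try first.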
Nothing is 100 percent hack-proof. Crooks, being crooks, will try to steal your identity or info — or money — any way they can. But if you're careful, if you're vigilant, if you're nimble enough, you can stay safe online.
And no one will ever know your secrets, Studmuff!n.