My journey to stronger online security
John M. Haddad
Being in the Information Technology industry for over 35 years, I have always been very diligent in information security with applications and websites I’ve developed. I even felt that my personal online security was in good shape … until I really took a look at my security score and ranking for how well my passwords stacked up.
The path I’ve taken has been a journey, with lessons learned on each leg of it. Several circumstances over the years have caused “an awakening” for me and driven me to keep looking for ways to improve my online security. I hope that by sharing my journey, it can help you get your security health in tip-top shape.
My first awakening
About 10 years ago, I had an awakening with Gmail. I had a Gmail account that was “hijacked” because my Gmail password was weak. What transpired for me was 2 days of panic and embarrassment. You see, the hijacker did the typical email blast to all my contacts stating that I was stranded in England and needed people to send money. Not only did my family and friends get this email, but all my clients also received the same email. That woke me up to improve my personal online security.
I immediately began to change all my passwords to be more secure, using techniques that I wrote about in my December 2013 blog article “New Year … New Password … Make it Strong“. Even with the recent outbreak of the Heartbleed security bug, I felt pretty confident that I was much more secure, until I recently ran a security check of all my passwords and found that my score was very low.
My next awakening
I had been using LastPass for the past few years, so all my login information was stored in LastPass. I had selected LastPass as a password manager because all the reviews I read put LastPass at the top of the list for secure password managers. LastPass has a feature called a Security Check, where it will look at all the passwords you have stored in LastPass and give you a security score. Well, even though I thought I did a pretty decent job with my passwords, here is what my security check revealed:
Security Score: 32.8%
Rank: 525,900
Wow, another awakening! I thought I had done a pretty good job, but to be ranked so low for a security score really got me nervous. But why was my score so low? Here are the factors:
- Even though I used strong passwords (numbers, letters, symbols), I used the same passwords on many sites
- Because I wanted to easily remember the password and save keystrokes, I made the password only 6 characters long
- LastPass found 320 websites that I had logged on to over the past year or so! Do I really use that many websites? That has to be way too many.
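What a vault security check like the one above is actually looking for can be shown with a small audit over a constructed vault. This is an added example, not LastPass code and not its scoring formula: the vault entries, the one-year staleness threshold and the crude percentage score are all assumptions made here for illustration.

```python
from collections import defaultdict
from datetime import date

# Constructed sample vault for illustration (site, password, last login date).
# None of these are real credentials.
SAMPLE_VAULT = [
    ("bank.example",  "Tr0ub4dor&3",  date(2014, 4, 1)),
    ("mail.example",  "Tr0ub4dor&3",  date(2014, 4, 2)),   # same password as the bank
    ("shop.example",  "P@ss12",       date(2012, 1, 15)),  # 6 chars, not used in two years
    ("forum.example", "P@ss12",       date(2013, 6, 3)),   # 6 chars, reused
    ("news.example",  "xK9#vL2$qW7!", date(2014, 3, 20)),  # unique, 12 chars
]
# Assumed "today" for the sample audit.
AS_OF = date(2014, 4, 15)


def audit_vault(vault, today, min_length=10, stale_after_days=365):
    """Flag the three things the security check turned up: passwords shared
    between sites, passwords shorter than min_length, and accounts not logged
    into for more than stale_after_days (candidates for deletion)."""
    sites_by_password = defaultdict(list)
    for site, password, _ in vault:
        sites_by_password[password].append(site)
    reused = {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}
    short = [site for site, pw, _ in vault if len(pw) < min_length]
    stale = [site for site, _, last in vault if (today - last).days > stale_after_days]
    return {"reused": reused, "short": short, "stale": stale}


def audit_sample():
    """Run the audit over the constructed vault as of AS_OF."""
    return audit_vault(SAMPLE_VAULT, AS_OF)


def clean_fraction(vault, findings):
    """Crude score (an assumption, not LastPass's formula): percentage of
    entries whose password is neither reused nor short."""
    bad = set(findings["short"])
    for sites in findings["reused"].values():
        bad.update(sites)
    return 100.0 * (len(vault) - len(bad)) / len(vault)


if __name__ == "__main__":
    findings = audit_sample()
    for sites in findings["reused"].values():
        # Print the sites sharing a password, never the password itself.
        print("one password reused on %d sites: %s" % (len(sites), ", ".join(sites)))
    print("short:", findings["short"])
    print("stale (delete?):", findings["stale"])
    print("clean: %.1f%%" % clean_fraction(SAMPLE_VAULT, findings))
```

Reuse is the finding that matters most: one breached site hands the attacker a password that works everywhere it was shared, which is exactly why the low score above came from strong-looking passwords.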
Moving to stronger online security
I decided once and for all to do whatever I could to improve my security score and ranking. So over the next several days, I spent the time to do whatever I could to move towards strong online security health.
Step 1 – Reduce the number of websites I connect to
So, the first question I had to ask myself was “Why do I have 320 websites that I’ve logged into?” As I looked over the list of sites, many of them were sites where I may have created an account, used it for a short while, then never logged into it again. So one by one, I connected to these sites and if I no longer needed that site, I deleted my account. This is an important step in your security … get rid of accounts you no longer use. The great thing about using LastPass over the past years was that it was capturing this information for me, so I was able to see what sites I had logged into and when I had last logged into them.
Results: Reduced the number of sites from 320 to 141
Step 2 – Change ALL my passwords to stronger passwords
This is no easy feat and will take a great deal of commitment, but in the end it was worth it. LastPass has a secure password generator that will generate a random password for you based on criteria you specify. The criteria are things like:
- Number of characters you want in the password (from 4 to 100 characters)
- Whether or not you want capital letters, digits, special characters
- Number of digits you want, requiring all character types … and more
I decided to make all my passwords at least 10 characters in length and to require the password to include upper- and lower-case letters, numbers and special characters. In researching the strength of this type of combination, I checked a couple of sites that showed that it would take a desktop PC about 58 years to crack that password, since there are 7 quintillion (7,000,000,000,000,000,000) possible combinations. That made me feel a lot better!
So, I painstakingly set out to log into each and every website I have an account with, and one by one, changed the password to a randomly generated password that LastPass gave me. I also had LastPass securely store that password for me so I could easily get it when I needed it. It was a long and tedious process. What I found is that some sites don’t allow special characters, while some others don’t allow more than eight characters, so I had to modify my generated password. However, in the end I successfully changed each and every password to a secure password.
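As an added example (not LastPass’s generator, and not code from the original post), the Python below generates a password against the same kind of criteria: length, required character classes, a minimum digit count, and a reduced class set or shorter length for the sites in Step 2 that refuse special characters or cap the password at eight characters. It also computes the number of possible combinations for a given length and alphabet, and the time to exhaust them at an assumed guess rate. The rates are assumptions; the “years to crack” figure scales directly with them, which is why an estimate for a desktop PC says little about an attacker running a leaked password hash through GPU crackers, and why length is the lever that survives a faster attacker.

```python
import secrets
import string

# Character classes the generator can draw from (string.punctuation is the
# 32 printable ASCII symbols; a given site may allow fewer).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": string.punctuation,
}
ALL_CLASSES = ("lower", "upper", "digit", "symbol")


def generate_password(length=10, classes=ALL_CLASSES, min_digits=1):
    """Generate a random password of `length` drawn from the union of `classes`,
    guaranteed to contain at least one character of every class and at least
    `min_digits` digits (when "digit" is one of the classes). Uses the `secrets`
    module (OS CSPRNG), never the `random` module."""
    required = [secrets.choice(CLASSES[c]) for c in classes if c != "digit"]
    if "digit" in classes:
        required += [secrets.choice(CLASSES["digit"]) for _ in range(max(min_digits, 1))]
    if len(required) > length:
        raise ValueError("length %d is too short for the required classes" % length)
    alphabet = "".join(CLASSES[c] for c in classes)
    chars = required + [secrets.choice(alphabet) for _ in range(length - len(required))]
    # Fisher-Yates shuffle with a CSPRNG index so the forced characters do not
    # sit at predictable positions (random.shuffle would use a non-crypto PRNG).
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def meets_policy(pw, classes=ALL_CLASSES, min_digits=1):
    """Check a password (generated or typed) against the same criteria."""
    has_each = all(any(ch in CLASSES[c] for ch in pw) for c in classes)
    digits = sum(ch in CLASSES["digit"] for ch in pw)
    digits_ok = "digit" not in classes or digits >= min_digits
    return has_each and digits_ok


def keyspace(length, classes=ALL_CLASSES):
    """Number of possible passwords of this length over this alphabet."""
    return len("".join(CLASSES[c] for c in classes)) ** length


def years_to_exhaust(length, classes=ALL_CLASSES, guesses_per_second=1e10):
    """Years to try the whole keyspace at an assumed guess rate (an attacker
    expects to succeed after about half of it)."""
    return keyspace(length, classes) / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    print("10 chars, all classes:", generate_password(10))
    print("8 chars, no symbols (site restriction):",
          generate_password(8, ("lower", "upper", "digit")))
    for n in (6, 8, 10, 16):
        # Assumed rates: ~1e6 guesses/s for a single desktop CPU, ~1e10 guesses/s
        # for a GPU rig against a fast unsalted hash. Both are illustrative assumptions.
        print("%2d chars: %.3g combinations, %.3g years at 1e6/s, %.3g years at 1e10/s" % (
            n, keyspace(n), years_to_exhaust(n, guesses_per_second=1e6),
            years_to_exhaust(n, guesses_per_second=1e10)))
```

Two design points: the shuffle is done with `secrets.randbelow` rather than `random.shuffle`, so the positions of the forced digit and symbol are as unpredictable as the rest; and a site that forbids symbols is handled by dropping the class from the alphabet, not by editing a generated password by hand, so the result still passes `meets_policy` for the classes the site does accept.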
Results
As I went along changing passwords, I continued to run a security check and saw my security score and ranking continue to increase. This gave me the drive to continue forward. When I was done, here were my results:
Security Score: Went from 32.8% to 95.4%
Rank: Went from 525,900 to 8,672
Of course, I was happy, but I still wanted to go higher in the ranking. However, there were several factors that would not let me get a higher score.
- I only used 10 characters for my passwords. Those who scored higher more than likely used 12 or more characters. As an example, using a 16-character password like 8&*Sybb&$MYSFaq6 would take a desktop PC 12 trillion years to crack.
- I had some passwords that I could not change because some sites assign you a password that you cannot change.
- Greater use of two-factor authentication would increase my score (will be discussed in a future blog article)
No one will ever feel completely secure with online passwords, especially with all the security breaches that have occurred in the past couple of years. However, I feel much better knowing that if someone does obtain my password through a security breach on a site, they will not be able to use that password on any other site.
Summary – Using LastPass
I have written extensively about using LastPass. LastPass uses the slogan “The Last Password You Have To Remember”. Obviously, it is very important to create a very strong master password for logging into LastPass, or the entire security scheme will fail. However, there are ways to ensure you are secure with LastPass. The way I do this is by using two-factor authentication, which is offered by LastPass. If someone does enter my master password, they will also have to enter a randomly generated authentication code which I possess. I will do a future blog post on two-factor authentication.
Best thing about LastPass … it’s free! It installs as a plugin on any browser you use, both on Mac and PC. For an additional investment of $12 per year, you can upgrade to the Premium account. What the Premium account gives you is the use of LastPass on all your mobile devices, additional lockdown and security options as well as family sharing. If you have accounts and passwords that are shared with other family members, you can specify sharing of these passwords with other family members. I find both the mobile access and family share features to be well worth the $12 a year expense. I also believe in supporting continued development of great products like LastPass.
We will never be completely safe from hackers and from companies we trust with our login credentials. However, it is important that we continually do whatever is in our power to protect ourselves. Online security is not a final destination, but a continued journey that never ends. Take the time starting today to begin your new journey to a much improved security health.