Modern field guide to security and privacy

Opinion: Paper, the least terrible password management tool

With password management app LastPass possibly compromised, a stowed away pad of paper seems more secure than storing sensitive credentials in the cloud.

Ann Hermes/The Christian Science Monitor

Passwords are a bane of modern life. We need them for everything – banks, social media accounts, e-mail, online subscriptions and shopping sites, smartphones, voicemail, and apps. Ugh. And security experts like me are always reminding people to make sure passwords are long, have upper and lowercase letters, numbers, and special characters. Not only that, but make sure to use a different – and equally complex – one for each and every account and website that you visit. And don't write it down – ever. 

Yikes! That’s a lot of passwords to keep in your head. 

So for those of us who can't remember our own wife's phone number without writing it down (that's me), the password manager was a godsend. One piece of technology that remembered all of our complex passwords. Simply log in with a master password and all of your other passwords are there. Brilliant.

But now what seemed to be an ideal solution for keeping passwords straight – and secure – is suddenly suspect. Password management company LastPass admitted last week that it discovered "suspicious traffic" on its network. Though encrypted user data was left untouched, “account e-mail addresses, password reminders, server per user salts, and authentication hashes were compromised,” meaning that some accounts could be vulnerable.

What do you do, then, when one of the most prominent password managers may be compromised? If you use LastPass or other password managers that store information online in the cloud, you may want to switch to an alternative service that stores its information locally on your machine. Or you may want to just keep your data right where it is in the cloud. It comes down to what risks you are willing to accept and what inconveniences you are willing to endure. 

But there's also a low-tech solution: paper. That might be anathema to many security types, but it works. I’m not talking about putting a sticky note on your monitor or under your keyboard. I’m talking about an unassuming pad of paper filed away in a drawer or someplace only you know about.

That pad of paper is just as secure as your house. Unless you have strangers breaking into your home at night and rummaging through your papers, the pad of paper is probably pretty safe. Yes, there are risks to storing passwords on paper, such as the inconvenience of not being able to access those passwords when you are not at home.

I think the perfect solution, though, is a combination of four password storage methods: online, locally on your device, on paper, and in your mind. Use a password manager such as LastPass that stores passwords online for things that you use often but are low-risk such as online cat forums or e-mail accounts for junk mail. 

For passwords to more important accounts, store those in a password manager that saves everything locally. 

For me, the password to my 401K is on paper because I almost never check it. Passwords to my PayPal, bank account, and the e-mail those accounts are connected to are only in my head. 

And just as other security professionals preach, what's most important is using a different password for each and every website and online service. Yes, it's a pain. But with the rate that password databases are being breached, criminals have learned to quickly try passwords on multiple sites until finding one that works.

For even beefier security, if a website offers two-factor authentication, use it. Two-factor won’t make your account hack-proof, but it does add an additional security layer. And that might be enough to make an attacker move on to the next target. 

C. Thomas (aka Space Rogue) is a strategist at the cybersecurity firm Tenable Network Security. You can follow him on Twitter @SpaceRog.
