Human memory is a weak point in cyber security. Passwords are an essential part of existing on the internet, and most of them are terrible. But they are terrible for good reason: passwords need to be remembered, and long, obscure phrases built out of letters, numbers, and symbols are hard to remember, so people tend to pick something basic like abc123 and then leave it alone until they’re eventually hacked and locked out of their email.
Password managers are apps that generate and store unique passwords, matched to the sites that need them, all in encrypted metaphorical vaults. LastPass is just one in a growing field of password manager apps, and yesterday it announced that it was expanding its free service to work on multiple devices. Previously, using the same LastPass account on a phone, computer, tablet, etc., required signing up for the company’s premium service, at $12 a year.
“We can’t expect everyone to have strong and unique passwords for every site and service they use,” says Jeffrey Goldberg, who runs security research for AgileBits, the company that makes 1Password, a different password manager. Security isn’t all-or-nothing, says Goldberg; instead, it is a set of habits that can be improved over time, and using a password manager is one of those.
Would a free-to-use password manager mean more people adopt the habit? Goldberg is skeptical, and says that it’s more about the habit than the price. (Goldberg also notes that 1Password offers free trial months, and other managers do as well, which is one way to get people to learn the habit before hitting the hurdle of cost.)
If you’re already using a password manager, are there benefits to you from other users adopting better password security habits? Security expert Bruce Schneier is deeply skeptical: “If you don’t use one, it doesn’t protect you — no matter how many other people use it.”
“In a connected world your security is my security,” says Goldberg, taking a more holistic view. “Most serious attacks don’t come directly from the attacker’s systems. Instead they come from systems that the attacker has already compromised. So if you think, ‘who would want to break into my DVR?’ the answer is anyone who wants to use it as a platform for attacking a more high-valued target.”
Earlier this year, the Director of National Intelligence named the internet of things as a major threat to America, and just last month, a massive attack on a domain name server company from hacked internet of things devices shut down swathes of the internet. Other people putting better passwords, and managed passwords, on their devices won’t make anyone else’s bad passwords any stronger, but it will make it harder for attackers to take over unsecured devices, which makes the internet safer for us all.