CNN Money doesn’t know squat about computers or security, but they know how to incite fear (and boost web traffic).
For example, below is the opening section to a recent article about hackers (always a good topic for fear mongering).
“No one’s safe from hackers — not even LastPass, a company that stores people’s passwords.
LastPass lets people store passwords online so they can access them all with a single master password.
On Monday, LastPass announced that hackers broke into its computer system and got access to user email addresses, password reminders, and encrypted versions of people’s master passwords.
So keeping all your passwords in a single place on the Internet might not be such a great idea.”
This article is a case study in simplistic misinformation and fear-mongering.
First, the statement that “no one is safe from hackers” is a truism (i.e. a common statement that is obviously true.)
CNN’s writer suggests that, despite this truism, it’s somehow ironic that LastPass got hacked. Why? Because LastPass sells a password manager (i.e. a product designed to help people avoid having their passwords compromised).
A company that sells a helpful security product got hacked. Wow!
Okay, let’s delve into CNN’s infantile statement and see just exactly how “ironic” this event is.
First, EVERYONE is a potential target for hackers. Has CNN not taken stock of this fact? Apparently not.
Here’s another key fact to take stock of: most people are not specifically targeted. That is, most people who get hacked are not individually targeted.
Most people get hacked as part of automated attacks initiated by hackers who are only marginally tech-savvy. Google the term “script kiddies” and you’ll see what I’m talking about.
So if you want to be afraid of something, here’s what you should focus on: you are highly likely to be attacked by someone who is simply using an automated tool to attack lots of people’s accounts en masse.
LastPass sells a product called a “password manager” that helps prevent those kinds of attacks, or at least minimize the damage. I’ll explain how that product works in a second, but back to the problem with LastPass getting hacked.
LastPass was not the target of a mass automated attack. They were specifically targeted by bad guys with sophisticated computer skills.
Okay, time for another “non-ironic” fact: if a company or person is the specific target of sophisticated hackers who are hell-bent on getting into their system, then the odds are pretty good that data will be compromised.
For example, First Lady Michelle Obama’s email account was recently hacked.
Oh, and the NSA had its most precious data compromised by a low-level contractor named Edward Snowden. How ironic is that? It’s not ironic. It’s the norm in our modern cyberworld.
Irony is a cute word overused by news organizations to get your attention and lure you into reading an article that misinforms you of a common threat, and then supplies no helpful information. In fact, they dissuade you from using a tool that is actually your best defense against automated attacks by unsophisticated hackers.
CNN cavalierly suggests that people shouldn’t use password managers like LastPass because they centralize all of your passwords in one place that hackers can supposedly get at.
Pay attention now, because I’m going to point out something important.
The hack of LastPass didn’t compromise customers’ encrypted passwords. CNN glosses over that point, which is crucial.
So how does LastPass’s password manager protect customers like you from hackers?
Well, most people use the same password for all their online accounts. You probably do too, but why? Obviously, because it’s hard to remember more than one or two passwords. And most people who use one password for all their accounts face a greater risk from an automated hacker attack.
Here’s how password managers work, and how they eliminate (or mitigate) risk from automated attacks.
LastPass and other similar password managers (1Password and RoboForm) let you use one password to access an encrypted database that only you have access to, and only you can decrypt.
In that encrypted database you can store passwords for all your online accounts (and any other confidential personal information). This allows you to have a different password for every online account.
But wait, it gets better…
LastPass will detect when you are on a website for which it has stored a password, and will alert you that it is ready to fill in the password; you simply click the browser button that it installs in all your web browsers.
LastPass will only detect and auto-fill passwords after you have logged into your encrypted database.
If you use a strong password for your LastPass database then only you will be able to decrypt the database and use LastPass. If you use a simple password for your password manager that any hacker can guess, or use brute-force methods to decipher, then you’re probably in CNN’s target audience demographic (i.e. happily clueless).
Obviously, you have to use a strong password for your most precious trove of online passwords.
LastPass will generate strong passwords that hackers can’t easily guess, nor easily decipher using brute force methods. For example, here is a password that I quickly generated using LastPass’s password generator tool: !xtytwMLKyTfh3Km.
Can you remember that password? Can you easily type that password? No, you can’t.
But you don’t have to remember it, nor type it, if you use LastPass (or the other similar password managers).
Oh and by the way, a brute force attack to guess that password would require 25989271 centuries. I know this because I entered it into an online tool designed to test how long it would take to crack a password.
How long would a brute force attack take to guess the password for all your online accounts? Go to the online site and enter it and see. Maybe you’re afraid the site is run by hackers. Okay, you’re starting to get properly paranoid.
So I’ll help you out.
I tested this non-simple password on the online password analyzer: bohe37mian. Note that I put a 2-digit number (37) in the middle of the word bohemian.
This password is certainly more complex than most people use. But guess what? The analyzer indicated it would take about 1 day to crack that password. Hmmm, not so good.
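To make those analyzer numbers concrete, here is an added example (my own script, not the post’s or the online tool the author used) that estimates the search space for the two passwords above. It uses the usual character-class rule for the alphabet size, a constructed mini wordlist with an assumed real-world size of 100,000 words, and two assumed guess rates: a fast unsalted hash and a deliberately slow key-derivation function. Everything not on the page (`COMMON_WORDS`, `WORDLIST_SIZE`, the rates) is an assumption for the estimate, and the output will not match the author’s “25989271 centuries” because that tool’s assumptions are unknown.

```python
import math
import string
from typing import Optional

# Constructed sample wordlist for the pattern check (assumption: a real strength
# meter loads tens of thousands of words; WORDLIST_SIZE stands in for that size
# when estimating guesses).
COMMON_WORDS = {"bohemian", "password", "letmein", "welcome", "dragon", "monkey"}
WORDLIST_SIZE = 100_000

# Assumed attacker throughput against a fast, unsalted hash (assumption).
FAST_HASH_RATE = 10_000_000_000
# Assumed throughput against a slow key-derivation function like the one that
# protects a password-manager vault (assumption).
SLOW_KDF_RATE = 100_000

SECONDS_PER_CENTURY = 100 * 365.25 * 24 * 3600


def pool_size(password: str) -> int:
    """Alphabet size an attacker must search, based on the character classes the
    password actually uses (the rule most online analyzers apply)."""
    pool = 0
    if any(c in string.ascii_lowercase for c in password):
        pool += 26
    if any(c in string.ascii_uppercase for c in password):
        pool += 26
    if any(c in string.digits for c in password):
        pool += 10
    if any(c in string.punctuation for c in password):
        pool += len(string.punctuation)  # 32 printable ASCII symbols
    return pool


def keyspace(password: str) -> int:
    """Guesses needed to exhaust pure brute force: pool ** length."""
    return pool_size(password) ** len(password)


def pattern_guesses(password: str) -> Optional[int]:
    """If the password is a dictionary word with one short run of digits inserted,
    estimate the guesses a pattern-aware cracker needs instead of the full
    keyspace. Returns None when no such pattern is recognised."""
    letters = "".join(c for c in password if not c.isdigit())
    digits = "".join(c for c in password if c.isdigit())
    if letters.lower() in COMMON_WORDS and 1 <= len(digits) <= 4 and digits in password:
        # every word * every digit string of that length * every insertion point
        return WORDLIST_SIZE * 10 ** len(digits) * (len(letters) + 1)
    return None


def effective_guesses(password: str) -> int:
    """The attacker takes whichever route is cheaper."""
    brute = keyspace(password)
    pattern = pattern_guesses(password)
    return brute if pattern is None else min(brute, pattern)


def entropy_bits(password: str) -> float:
    """Effective strength in bits: log2 of the guesses actually required."""
    return math.log2(effective_guesses(password))


def crack_centuries(password: str, rate: int) -> float:
    """Centuries to exhaust the effective search space at `rate` guesses/second."""
    return effective_guesses(password) / rate / SECONDS_PER_CENTURY


def report(password: str) -> str:
    return (f"{password!r}: pool={pool_size(password)} bits={entropy_bits(password):.1f} "
            f"fast-hash={crack_centuries(password, FAST_HASH_RATE):.3g} centuries "
            f"slow-kdf={crack_centuries(password, SLOW_KDF_RATE):.3g} centuries")


if __name__ == "__main__":
    for pw in ("!xtytwMLKyTfh3Km", "bohe37mian"):
        print(report(pw))
```

The contrast is the point of the post: pure brute force on `bohe37mian` (36 characters, 10 long) is a few days at the fast rate, but a cracker that tries dictionary words with digits inserted needs on the order of 90 million guesses, which is essentially instant. The generated 16-character password has no such shortcut, so its roughly 105 bits stay out of reach at either rate.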
Did CNN’s article teach you about these more common threats from hackers? No, they did not.
So let’s review the most common hacker threats, and consider how a password manager can help you.
1. Most hackers use automated attacks designed to guess passwords, and if they guess one of your passwords they’re pretty confident that all of your online passwords are the same.
2. Most people have weak passwords. They could have stronger passwords, but then they’d have trouble remembering them, or typing them.
3. Password managers allow you to have strong passwords (and they’ll generate them for you on the fly, and then remember them for you).
So, to complete our education let’s zero in on what actually happened with the hacker attack on LastPass (which remember was a specific attack by sophisticated hackers). What did the hackers get by hacking into LastPass?
The hackers got access to LastPass’s database. But they can’t access LastPass users’ passwords, because the users are the only ones who can decrypt their passwords. Unless…
If someone is using LastPass (or any other password manager) and they use a simple password for their master password, then the hackers can brute force attack those passwords. So, LastPass users should have used strong passwords, and if they haven’t up to now then they should change their master password into something hard to brute-force. If they don’t they’re idiots.
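Here is an added example (my own sketch, not LastPass’s code, and `KDF_ITERATIONS` and the toy cipher are assumptions, not its real settings) of the storage model the post is describing: the service holds a salt, a login verifier and the encrypted vault, all derived from the master password, so the only thing a stolen record lets anyone do is pay the full key-derivation cost per master-password guess. The sample vault contents are constructed.

```python
import hashlib
import hmac
import json
import os
from typing import Optional

# Work factor for the key derivation; each guess against a stolen record must
# pay it in full (assumption: a round number for the demo, not LastPass's).
KDF_ITERATIONS = 100_000


def derive_key(master_password: str, salt: bytes, iterations: int = KDF_ITERATIONS) -> bytes:
    """Stretch the master password into a 32-byte key with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, iterations)


def auth_verifier(enc_key: bytes) -> str:
    """Login verifier the server stores: a domain-separated hash of the key,
    so holding the verifier does not hand over the encryption key itself."""
    return hashlib.sha256(b"auth|" + enc_key).hexdigest()


def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher for the demo only (HMAC-SHA256 in counter mode, XORed).
    Real password managers use AES; this keeps the example standard-library only."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        block = hmac.new(key, offset.to_bytes(8, "big"), "sha256").digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], block))
    return bytes(out)


def create_server_record(master_password: str, vault: dict) -> dict:
    """Everything the service keeps. The master password itself never leaves
    the client; only values derived from it are stored."""
    salt = os.urandom(16)
    enc_key = derive_key(master_password, salt)
    ciphertext = keystream_xor(enc_key, json.dumps(vault).encode())
    return {"salt": salt.hex(), "auth_hash": auth_verifier(enc_key),
            "ciphertext": ciphertext.hex()}


def open_vault(record: dict, master_guess: str) -> Optional[dict]:
    """Open the vault exactly as the client does. Returns the vault, or None when
    the master password is wrong. Each attempt pays the full KDF cost, which is
    what makes a strong master password safe even after a server breach."""
    enc_key = derive_key(master_guess, bytes.fromhex(record["salt"]))
    if not hmac.compare_digest(auth_verifier(enc_key), record["auth_hash"]):
        return None
    return json.loads(keystream_xor(enc_key, bytes.fromhex(record["ciphertext"])))


def record_leaks_secrets(record: dict, vault: dict) -> bool:
    """Sanity check: no site password should appear in the stored record."""
    blob = json.dumps(record)
    return any(site_pw in blob for site_pw in vault.values())


# Constructed sample vault (site -> generated password); example data only.
SAMPLE_VAULT = {"bank.example": "!xtytwMLKyTfh3Km", "mail.example": "Qp9#vLs2&dHx7ZtR"}

if __name__ == "__main__":
    record = create_server_record("correct horse battery staple", SAMPLE_VAULT)
    print("record leaks site passwords:", record_leaks_secrets(record, SAMPLE_VAULT))
    print("wrong master password opens vault:", open_vault(record, "bohe37mian") is not None)
    print("right master password opens vault:", open_vault(record, "correct horse battery staple") == SAMPLE_VAULT)
```

Run it and the stolen-record scenario plays out in three lines: the record contains none of the site passwords, a wrong master password yields nothing, and only the real one opens the vault. The cost of that `derive_key` call is the attacker’s cost per guess, which is why the master password’s search space (the previous example) is the whole game.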
And what about the person who wrote the article for CNN?
He might be an idiot, but he’s good at his job. Remember CNN (and similar news outlets) are in the business of getting attention so they can monetize serving up ads.
The easiest and most reliable way to get attention is to stir up fear. When stirring up fear you can’t afford to mistakenly supply thoughtful information.
And CNN never makes that mistake, from what I can tell.
But if you want some free, helpful information, here it is: start using strong passwords, and have different ones for every important online account.
If you want to memorize and type out those strong passwords, be my guest.
But I’ll bet you’d be better served by using a password manager. Here are the Top 3 I can safely recommend:
UPDATE: Here are some other sensible articles on password managers and online security.
- Lastpass Was Hacked: Here’s What You Have To Do by Glenn Fleishman
- Hackers Are Hacking; You Need A Password Manager by Jeff Richardson of iPhone J.D.
- Chinese Breach Data Of 4 Million Federal Workers by Ellen Nakashima
- Canadian Government Websites Under Attack from Hackers by Jason Fekete & Ian MacLeod, Postmedia News