Getting your online security in order
The LastPass data breach should be a wake-up call for all of us, but simply advising people to use a password manager isn’t enough
The readers of this newsletter are significantly more security conscious than the average consumer.
That’s not just my opinion; it’s a verifiable fact, confirmed by the results of last week’s poll.
In all, 305 people responded to that post (thanks!), and 75% answered yes to the question, “Do you use a password manager?” By comparison, only about 39% of people who responded to a 2022 survey by Consumer Reports said yes to that question.
Just under one-third of you use 1Password; another 20% use the open-source Bitwarden program. LastPass came in a distant third with 13%, and a hodgepodge of other products collectively make up the remaining 10%, with Dashlane, KeePass, and RoboForm each accounting for a small but loyal following.
Those figures seem to be more or less in line with the market at large. I was slightly surprised to see the onetime leader, LastPass, approaching a single-digit percentage share. But maybe I shouldn’t have been. The company really has damaged its reputation beyond repair, I think, judging by the number of comments I received from people saying that they had either recently switched from LastPass or were planning to do so.
Even more telling is the company’s own approach to communicating with customers and prospective customers. The LastPass blog hasn’t been updated since November 21. In the four months before that, the company published one or two new posts every week. Since then, it’s been absolutely dark. And LastPass management’s official post on its “security incident” hasn’t been updated since December 22, more than 60 days ago.
That silence is deafening. It should tell you everything you need to know about the company and its flagship product. In fact, I can boil it down to one word: Leave.
If you’re still using LastPass, stop. If you have a LastPass account and haven’t yet changed your passwords for crucial sites, now would be a good time to do so. (But don’t save the changed passwords in your LastPass vault.) Export your data in preparation for moving to an alternative, and then delete your account. (By the way, 1Password will give you credit for whatever time is remaining on your subscription if you decide to switch.)
For this week’s newsletter, I was originally planning to write about my recommendations for password managers. But that article has been done a million times already; at this point it’s almost a paint-by-the-numbers exercise. And as I slogged through those endless SEO-optimized variations on the same theme (spoiler: pretty much everyone, including me, recommends 1Password for people who are willing to pay and Bitwarden for those who want a free option), I realized that simply advising people to install a password manager and use it isn’t enough.
Online security is a process, not a product. Even the best security software is more difficult to use than it should be. Understanding why you should use a password manager is every bit as important as knowing which one to use, and learning how to use that tool is even more important.
So instead of writing Yet Another Listicle outlining the pros and cons of a half-dozen security programs, I’m working on a series of articles that will address the larger topic of online security and how normal people who don’t have a computer science degree can keep themselves safe online. In this series, I plan to address four topics:
Getting your passwords organized (in 30 minutes or less)
How to choose (and use) a password manager
Multi-factor authentication: It’s easier than you think
Do you need advanced security options?
These are cross-platform topics that apply to anyone, regardless of what kind of devices you use. Windows or Mac, iOS or Android, doesn’t matter. If you use Linux, I presume you already know all about this stuff and will use the comments section to tell me why I’m wrong about everything. (I kid, I kid.) More importantly, I want this advice to be something you can share with your friends and family who don’t read this newsletter and are overwhelmed by technical discussions.
All of these posts will be free. I’m planning to offer paid subscriptions to this newsletter, and I may turn on that option soon for those who want to support this work. (Thank you to those who have pledged support already.) But all of the posts in this series will be available for free subscribers.
I am sure you have questions that you want me to answer in this series. Please feel free to leave them in the comments below, or send an email to firstname.lastname@example.org. (If you choose the email option, please use a real return address. Those emails come only to me and I won’t use your contact information for anything except maybe asking you a follow-up question.)
Let’s do this.
I bet the security officer of a large brewing company (I was the IT director there) that I could get the president's salary within 24 hours. He said, "Impossible without physical access, all that stuff is on a spreadsheet on a PC disconnected from the network, etc." I assured him there would be no physical access and gave him the president's salary the next morning. I phoned his administrative assistant to check on the PC because I needed the exact number for a presentation I was working on.
Potential question for your upcoming writing:
Are there any bad (defined as "worse than having no 2FA") options for two-factor authentication (2FA)? (SMS text, email, dedicated app, dongle, built into a password manager?)