Technology Blog: Password Security

By Tony Novak, CPA posted 10-03-2012 10:41 AM

  

Technology Product Review: LastPass
Reviewed by Tony Novak, CPA

What It Is

LastPass is a software service that addresses the weakest link of online security. The cloud-based security service prevents us from using insecure passwords and repeating the same password over and over again for multiple accounts. The service is accessible across all our devices (PC, notebook, tablet and smartphone) at a cost of $12 per year. LastPass is reported to hold the largest market share in this class of software, which has over 500 other providers.

How It Works

When you first install LastPass, it removes all of the passwords from your browser cache on your PC and relocates them to a secure online server. When you need to create a new password or change an existing one, LastPass offers the option of creating a random secure password that mixes letters, numbers and symbols. For example, it might choose “cX4#nJ2e” instead of “tony1234”. The username and password can be automatically looked up and entered whenever you visit that Web page. Typical users (myself included) will not understand the technical details of the underlying security algorithm that makes LastPass work. That’s OK as long as the third-party reviewers who do understand it continue to validate that this security verification process really works. It is clear that this system is more secure than any manual system a user could devise.

Whenever you start your browser, LastPass starts simultaneously and runs in the background, ready to complete login information as you work and browse. I’ve used it with equal performance on Internet Explorer, Chrome and Firefox.

LastPass includes other features like automatic form completion (with the information stored securely rather than in your browser) and notification if the security of a Web site has been breached. It allows for secure backups to be made and downloaded for offline storage.

Pros

· Generates a different secure password for each Web site account.

· No need to manually type usernames and passwords every time you log in to a Web site.

· Speeds up daily Internet use through automatic sign-in.

· Automatically makes passwords available to all your devices (PC, notebook, tablet, smartphone).

· No need to change passwords on each device separately.

· Email notification if an account is known to have been compromised.

· Overwhelmingly strong third-party reviews.

Cons

· Slows down page load time by about ½ second. But it is still faster than manually typing a username and password.

· BlackBerry application has limited functionality in the current Android-based version.

· Passwords are not available if you are not online.

· User must still remember one password for occasional account management tasks.

Overall Recommendation

Password security management is a “must have” for everyone today. After about 10 months of use, I remain completely happy with LastPass with the sole exception of the BlackBerry platform. It is safe, secure, reasonably priced and easy to use.

Tony Novak CPA, MBA, MT is an independent fee-only financial planner serving wage-earners in the Philadelphia area. Contact Tony at tonynovakcpa@gmail.com.

--------------

The NJSCPA Technology Interest Group is pleased to bring its Technology blog to NJSCPA members. Our goal is to provide commentary on and reviews of tech products/gadgets and technology issues that may be useful to CPAs from both a professional and personal perspective.

Have a topic you'd like to see addressed? Send your suggestion to Victoria Kosuda, CPA, CITP at vicki@beyondfinancialsconsulting.com.

Comments

04-10-2014 05:30 AM

This topic has renewed relevance in the wake of the Heartbleed password security risk uncovered this past week. See ABC News coverage at http://abcnews.go.com/Technology/wireStory/passwords-vulnerable-security-flaw-found-23247031 . If you are not going to use a password service like LastPass to generate and manage random passwords, then see Business Insider for tips on generating secure passwords manually at http://www.businessinsider.com/how-to-create-strong-password-heartbleed-2014-4 . But more than ever before, I consider a password manager like this essential for every person.

10-24-2012 02:49 PM

Ironically, only three weeks after this blog was published, my LinkedIn account was hacked and spam went out to many contacts in two email accounts associated with the LinkedIn account. I am pretty sure that all affected accounts are secure now. But this experience pointed out one additional shortcoming of LastPass: it does not recognize when the user imports an older insecure password. It might be better to offer to replace and update all passwords at the time of installation.