Online account hacking is a growing problem — and you may be making it worse.
According to an online survey of more than 1,000 U.S. consumers, 59 percent said they used the same password across all their accounts, making them easy pickings for programs that can test more than 100 million passwords a second, looking for one that works with a stolen username.
If you use the same password for all your accounts, that’s the only one a hacker needs to get into everything.
The solution, of course, is to have a different username and password for every online account. But that’s easier said than done, because keeping track of them all is nearly impossible.
LastPass — the company that conducted the opt-in survey — believes it has the solution: a password manager that allows users to store all their password information in one place and seal it in an encrypted vault. Using a single password — the only one you have to memorize — you can access all your accounts with just a few clicks.
“LastPass uses what we call your master password, and it’s one password that you should never reuse anywhere, and it allows you to unlock and lock your digital vault,” said Steve Schult, LastPass’ senior director of product management.
“So you don’t have to worry about giving your master password and having it go through the Internet and it getting intercepted somewhere.
“We are basically handing you your digital vault. You unlock it on your side, use what you need, lock it up and hand it back to us.”
LastPass also enables you to have a long stream of random text for your passwords that you won’t have to remember. In other words, if your password is always “CluelessOnline,” LastPass can change it to a different lengthy stream of random characters for every site you visit.
“Without a password manager, it’s almost impossible to keep secure passwords and unique passwords for every single site that you visit,” Schult said. “It’s impossible to remember 20, 30, 40-character passwords that are all unique and have uppercase letters, lower case, numbers, special characters, etc.”
Another way hackers can steal information is by “phishing” — sending an email that appears to be from a bank or credit card company that tricks recipients into handing over their information.
“People still get spammed or spoofed into going to sites and giving their credentials away,” Schult said. “It still remains one of the most common ones, no matter how much education happens around the subject.”
LastPass does have its critics, though. Last year, security expert Sean Cassidy told a security convention that the password manager itself was vulnerable to phishing attacks. An attack could occur, he said, when a LastPass user visited a malicious website within the Chrome browser. The site would create a fake logout notification and ask for the user’s LastPass password. This never happened “in the wild,” though, and the company has changed its software to prevent it from happening.
LastPass also recommends two-factor identification, not just for its password manager, but for any site you use online. For example, if you sign in to your bank account, it will send a short string of numbers or letters to your smartphone that you must type to log in. That way, even if a hacker gets your password, he won’t get the numbers that were sent to your smartphone.
With hackers constantly finding new ways to steal online account data, people need all the help they can get to avoid becoming another statistic.
“It’s important to be proactive with online security, because you never know when the next attack is going to come,” Schult said. “This type of stuff happens every day, and if you’re reactive, you’re just waiting for your stuff to get hacked.”