It’s a trial for me to listen to people complain about privacy on Facebook or anonymity on the Web.
Don’t get me wrong; you aren’t going to find a bigger defender of anonymous speech than me. The same way a secret ballot preserves the integrity of the plebiscite, anonymous political speech protects republicanism.
But there’s a difference between standing up for the right of someone to publish an anonymous blog and listening to people carp about whether some stranger can see pictures of his kids.
In the case of the former, the author wants to be heard, but to protect himself from the repercussions of speaking. That’s a tradition as old as politics itself, albeit that in time, anyone who makes an impact with anonymous speech is exposed.
In the case of the average Joe bitching about his boss via a tweet, there’s a far simpler point to be made: If you put it on the Internet, it’s not private. Period.
When we waste time debating whether it’s right for some potential employer to use a five-year-old drunken tweet against you, we don’t focus on the real things people should be doing to protect their Internet identities. For example, using strong passwords.
I’ll bet a dollar to doughnuts that the average person who worries about Facebook privacy is using his dog’s name as his Facebook password. And not only that, but using that same password for every Internet site he visits, including Amazon.com, online banking, travel sites, etc., etc. And not only that, but has been using the same password for years.
I’m willing to make that bet because that described my password strategy up to about a week ago. Until I discovered, and started using, LastPass.
“LastPass is a password manager that makes web browsing easier and more secure,” say its inventors. What LastPass does is collect and store all the passwords you have for various Web sites and, through Web browser add-ons, allow you to fill in those passwords without having to remember what they are.
What that means is, you can create a hard-to-remember, and thus more secure, password for each Web site you visit. LastPass stores that information on its servers, so you can access your login information from anywhere and any device. You need only remember one “master” password in order to be able to access the service.
Better Than The Alternatives
Now, some people will likely take umbrage at my painting this as inherently secure.
After all, once you give your login information to LastPass, you theoretically lose control of it; in theory, LastPass could collect, use or sell your information. Or allow it to be compromised by a third party. Or fail to properly protect its own systems and allow hackers to get that info.
All of that is true as far as it goes. The same is true, however, of the sites with which one has created a user account. What value would there be to LastPass in destroying its business model by compromising user information?
One might also note that the built-in password managers of modern Web browsers can allow the same flexibility as LastPass. If you only use one computer and one Web browser, then by all means, use its built-in password manager.
But I don’t know of many people who only access the Web from one device and browser; most people use at least a PC, and probably a cell phone, and maybe a laptop, and probably two or more browsers. For most people, having a central password collection point makes sense.
Finally, LastPass says that every bit of information is encrypted with your master password, which they don’t store, and all traffic is conducted over SSL, meaning that even if hackers could compromise their systems and get your login information, it wouldn’t be of any use to them.
I don’t know if that is 100 percent true, but I have no reason to doubt what they say, and if what they say is true — which appears to be the case — then they’re right: so long as you have a strong master password, there’s no chance hackers will get any use out of stolen data.
Anyway, the summary is, I understand Web security pretty well, and I believe LastPass is secure. It’s certainly far more secure than using the same Web password for two different sites.
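The design LastPass describes above, a vault encrypted on your own machine with a key derived from a master password the service never stores, can be sketched as follows. This is an added example, not code from LastPass or from the original post. The PBKDF2 settings, the function names and the HMAC-based keystream (a stand-in for a real cipher such as AES) are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets

ITERATIONS = 100_000  # assumed work factor for this sketch

def derive_keys(master_password, salt):
    """Stretch the master password into separate encryption and MAC keys."""
    okm = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                              ITERATIONS, dklen=64)
    return okm[:32], okm[32:]

def _xor_keystream(key, nonce, data):
    """Toy stream cipher (HMAC-SHA256 in counter mode), standing in for AES."""
    stream = b""
    counter = 0
    while len(stream) < len(data):
        block = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256)
        stream += block.digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def _tag(mac_key, blob):
    msg = blob["salt"] + blob["nonce"] + blob["ciphertext"]
    return hmac.new(mac_key, msg, hashlib.sha256).digest()

def seal_vault(master_password, entries):
    """Client side: returns the only fields the service would ever store."""
    blob = {"salt": secrets.token_bytes(16), "nonce": secrets.token_bytes(16)}
    enc_key, mac_key = derive_keys(master_password, blob["salt"])
    plaintext = json.dumps(entries).encode()
    blob["ciphertext"] = _xor_keystream(enc_key, blob["nonce"], plaintext)
    blob["tag"] = _tag(mac_key, blob)
    return blob

def open_vault(master_password, blob):
    """Client side: re-derive the keys and verify the tag before decrypting."""
    enc_key, mac_key = derive_keys(master_password, blob["salt"])
    if not hmac.compare_digest(_tag(mac_key, blob), blob["tag"]):
        raise ValueError("wrong master password or modified vault")
    return json.loads(_xor_keystream(enc_key, blob["nonce"], blob["ciphertext"]))

# Constructed sample vault: one generated password per site.
SAMPLE = {site: secrets.token_urlsafe(16) for site in ("shop.example", "bank.example")}

if __name__ == "__main__":
    stored = seal_vault("constructed master passphrase", SAMPLE)
    print(open_vault("constructed master passphrase", stored) == SAMPLE)
```

The stored blob holds only a salt, a nonce, ciphertext and a tag, so what protects it is the cost of the key derivation multiplied by how hard the master password is to guess.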
The Good, The Bad And The Ugly
The best things about LastPass, in addition to providing a central repository of Web site passwords that you can access from any place and any device, are:
- It is remarkably good at finding login forms and properly filling them out.
- It will generate secure passwords for you.
- You can use it to fill out forms, such as order forms, with name, address and other information; you can even have multiple profiles, to fill out forms for business, personal, kids, etc. Again, all this is stored securely.
The things I don’t like about LastPass are:
- It sometimes doesn’t properly record passwords, especially if you are changing a password. I highly recommend that you copy the password for a site, and test logging in for every site you add to LastPass. Trust me, I learned this the hard way. Copy your password, test logging in with LastPass, and make sure it works before you discard the password.
- Its AutoLogin feature — which, as it suggests, will log you in automatically to a Web site, if you opt to set up a site to use it — works well some places, but wreaks havoc on others. For Facebook, Twitter and most Web forums, AutoLogin works great. For shopping sites or other places with lots of forms, it’s a major pain in the butt, and you should opt against using it.
Some hard-to-use / hard-to-understand parts of LastPass are:
- The vault, where passwords are stored, is a bit cumbersome. While I like the ability to group passwords together, there are so many settings and so many things you can do with a password that it can be overwhelming to manage them.
- Using LastPass with a mobile device requires a $12 per year premium service. Actually, I’m OK with that; others might not be, but I like and support the freemium model, especially when the free services work so well.
It took me the better part of a day to visit all the Web sites for which I have login information, and to generate, record and test new passwords.
But I know now that my online identity is far more secure than it had been; if somehow, the login information I have on a site is compromised, I know that the trouble probably can’t extend past that site, whereas before, a compromise of one site was pretty much an open invitation to compromise everything.