In 2022, LastPass disclosed a breach of the data in their password vault. Since that time, many LastPass users with weak passwords have experienced their LastPass data accessed by brute force, their password vault unlocked, and their crypto accounts stolen.
This is one of the reasons we recommend using a local password vault such as KeePass, which is stored on your local computer, and backing up your password vault on a thumb drive. If you do elect to store a back-up on the cloud, pick a spot which is not a target for hackers.
Regardless of the security assistance you use, we recommend you utilize long complex passwords.
Hive Systems has a table which calculates how long would be required to hack a password using a brute force methodology. This table is updated annually based on the expansion of computing power.
Each year, the amount of time it would take decreases. This means that the number of characters a password needs to be considered safe is always increasing. Currently, assuming that you are using numbers, upper and lower case letters, and symbols, having a password which is the typical 8 to 11 characters is not safe.
Additionally, this assumes that your password is truly random, as random as picking the eleventh card from a shuffled deck. Passwords that are meaningful or typed on the keyboard from the home position are not truly random.
When asked to pick a playing card from memory, over half of people choose one of just 4 cards : The Ace of Spades (25%), Queen of Spades (14%), Ace of Hearts (6%), or the King of Hearts (6%).
In the same way, people tend to pick memorable passwords, and these passwords are known to hackers. Rather than trying every 8 character combination of upper and lowercase numbers, letters, and special characters, hackers try just 1,000 of the most common passwords, the most common of which includes “123456” and the first letters of the Bible verse John 3:16.
Many people think that they are being clever when they create a password they can remember. But 8 characters which represent any date within the last 100 years, can be created with just 36,500 different combinations. This is like picking the Ace of Spades as a card. Meanwhile, eight random characters of upper and lowercase letter, numbers, and special characters provides over a quadrillion different combinations of characters.
Alas even for a quadrillion different combinations, a super computer can brute force hack that password in about 1 second today.
Current recommendations suggest using a password of at least 15 to 20 characters and having that password randomly generated with a combination of upper and lowercase letters, numbers, and special characters. Randomly banging on your keyboard does not produce a random password.
KeePass can make the process easier by providing a 20-character randomly generated password for each new entry automatically. With a local password vault, every login can have a random password and you still only need to remember one password: the password used to get into the KeePass password vault itself.
While you want a long somewhat random password in order to secure all the other passwords, you also must remember this password. However, you can take comfort that if you use a vault stored only on your local computer (like KeePass), a malicious hacker would need access to your local files before they can even get a chance at hacking your vault.
With one memorable password protecting a vault of random ones, you can increase your security immensely while only mildly complicating your access.
Photo by FlyD on Unsplash. Image has been cropped.