I’m OK, but Graham Cluley made me do it

This is a story that has been playing out for about a year.

Where it all came from

Do you remember the NCSC posts about passwords? The one about password length, and about how often we should (or shouldn’t) change them.

After that was the flurry of Twitter posts about encrypt everything, VPN everything, HTTPS everything.

I remember making a post on my blog about Passwords, creating a unique tough password and making unique URL adjustments for the different websites I visit. Use Chrome to remember your passwords – Google spends enough money on securing

The meeting

I then met Graham Cluley and Jenny Radcliffe in Manchester, at Manchester City’s ground, where they were both doing talks. We sat discussing all sorts, and when I mentioned the passwords thing, Graham mentioned password managers.

Personally, at that moment, I still thought he was mad. What if my password manager was compromised? What if someone gets my master password?

I mulled it over for a while, perhaps about a week, maybe longer. It niggled away at me until I thought … go for it. Why not. Take the opportunity to investigate my passwords, see if anything was weak or re-used.

I spent a while looking at the different options: 1Password, KeePass and LastPass. All seemed much the same, with not a lot between them. What I knew was that I wanted:

  • something that was free
  • secure
  • works on all my devices
  • backed by decent money
  • some kind of transparency

I selected LastPass:

  • It had a decent free option
  • It doesn’t store the database in the clear; it downloads a fresh copy each time
  • It works on Android, Kindle, PC, and the kitchen sink
  • It has LogMeIn behind it, which is decent enough money
  • Transparency … well, I struggled with all three there.

And so I created an account, uploaded all my passwords, then deleted them from Chrome and turned off Chrome storing them. I am not afraid to say it … I was very nervous and very worried that I may have just created a massive issue for myself. What if this didn’t work and I had just lost every password?

So I then used the security tool built into LastPass to find duplicate passwords … It was then the shock hit me … 549 passwords. Whuh?! How can I have so many?

I had a few duplicates and some easily guessable ones but nothing on a site that would have worried me.

I was secure, I had a good view of all my passwords, the duplicates and easily guessable ones were dealt with, and I was happy.

Smashin my dreams

But then Mr Cluley started that podcast, Smashin Security – yes, no G on Twitter, G everywhere else. Great podcast by the way, you should have a listen. It was one of the early ones where I suddenly realised … if someone knew my phrase they literally had everything but two characters of every one of my passwords. Man, I could have cried. I mean, 549 passwords were now worthless.

Time to start again. I literally went through every password. Every website, and changed everything. I also took the opportunity to remove some sites and change some data – and wow, what a hard day in the office that was!

Was it worth it?

And after a year, life is so much easier. 35-character passwords everywhere, everything is unique. Banking and sensitive sites all now have proper unique email addresses to protect them. Each account’s address is registered with Have I Been Pwned.
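The two problems the post describes – exact duplicates found by the built-in checker, and the nastier “one phrase plus two characters” pattern that a duplicate checker will not catch – can both be audited with a few lines of code. The script below is an added example written for this post; it is not the author’s code and not LastPass’s checker. The vault entries are constructed for the example (hypothetical values, no real credentials), and the thresholds (a shared core of 12 characters, a minimum length of 16, replacements of 35 characters) are assumptions chosen for illustration.

```python
"""Vault audit: exact duplicates, derived passwords, short passwords.

Added example. Flags (1) passwords reused on more than one site,
(2) different passwords that share one long common phrase and differ in
only a couple of characters, and (3) passwords that are too short, then
generates a random unique replacement. The vault below is constructed.
"""
import secrets
import string
from collections import defaultdict
from difflib import SequenceMatcher

# Constructed sample vault: (site, password). Hypothetical values only.
SAMPLE_VAULT = [
    ("bank.example",  "CorrectHorseBatteryStaple!ba"),
    ("shop.example",  "CorrectHorseBatteryStaple!sh"),
    ("mail.example",  "CorrectHorseBatteryStaple!ma"),
    ("forum.example", "summer2019"),
    ("news.example",  "summer2019"),
    ("game.example",  "abc"),
    ("work.example",  "x7!Qk2#mP9vL$eR4wT8zB3nC6yH1jF5d"),
]


def find_exact_duplicates(vault):
    """Map each password used on more than one site to the list of those sites."""
    sites_by_password = defaultdict(list)
    for site, password in vault:
        sites_by_password[password].append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


def shared_core(a, b):
    """Longest substring the two passwords have in common."""
    match = SequenceMatcher(None, a, b).find_longest_match(0, len(a), 0, len(b))
    return a[match.a:match.a + match.size]


def find_derived_passwords(vault, min_core=12):
    """Pairs of *different* passwords that share a long common core.

    Someone who learns one of them is only a few characters away from the
    other: the "phrase plus two characters" problem. Threshold is an assumption.
    """
    hits = []
    for i in range(len(vault)):
        for j in range(i + 1, len(vault)):
            site_a, pw_a = vault[i]
            site_b, pw_b = vault[j]
            if pw_a == pw_b:
                continue  # exact duplicates are reported separately
            core = shared_core(pw_a, pw_b)
            if len(core) >= min_core:
                hits.append((site_a, site_b, core))
    return hits


def find_short_passwords(vault, min_length=16):
    """Sites whose password is shorter than min_length (assumed threshold)."""
    return [(site, len(pw)) for site, pw in vault if len(pw) < min_length]


ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length=35):
    """Random password from the OS CSPRNG: no shared phrase, nothing to derive."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def audit(vault):
    """Run all three checks and return one report."""
    return {
        "duplicates": find_exact_duplicates(vault),
        "derived": find_derived_passwords(vault),
        "short": find_short_passwords(vault),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_VAULT)
    for pw, sites in report["duplicates"].items():
        print(f"same password reused on {sites}")
    for a, b, core in report["derived"]:
        print(f"{a} and {b} share the core {core!r} ({len(core)} chars)")
    for site, n in report["short"]:
        print(f"{site}: only {n} characters")
    print("replacement for game.example:", generate_password())
```

On the sample vault this reports forum.example and news.example as sharing one password, the three “CorrectHorseBatteryStaple!” sites as derived from one phrase, and three entries as too short. The generator does not build on a memorable phrase at all, which is what makes each replacement independent of the others: learning one tells an attacker nothing about the rest.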

And …

Once I started down the path, I knew I would be a user of the platform. I understood its value, I understood the additional benefits it would bring. But what about the rest of my family? What about my friends?

Well, I am proud to report that all my kids have accounts and have fully migrated to password managers. My friends use it and then … well the full acid test … the wife.

Yep, she’s a convert too.

So Mr Cluley, hats off to you … you were right. Password managers really are the right way to go. Thank you for sharing that advice and making me think about the way I secure myself.

Final Thoughts

So my thoughts for you.

  1. Think about your current passwords
  2. Check yourself on HaveIBeenPwned.com: are you in there?
  3. Are you thinking that you should be doing something different?
  4. Pick a password manager
  5. Upload your passwords into it
  6. Run the checker to see how well you fare
  7. Correct your mistakes
  8. Remove yourself from sites you don’t use
  9. Stop using your browser to store your passwords
  10. Show your families how easy this is and spread the word

Have a great day – and once again, thank you Graham.

2 responses to “I’m OK, but Graham Cluley made me do it”

  1. HRM42

    Yep, because LastPass has never been breached.

    1. HiddenText

      Correct and I mention that in the post. One of my concerns is the Password Manager being compromised. It was actually a reason I went to LastPass. With LogMeIn behind it, they are going to fight harder to make sure it doesn’t happen again.

      Thanks for the comment though – do you use a Password Manager and if so which do you recommend?
