One of the biggest challenges of living with the Internet is how to maintain the security of your online identity.

Perhaps the hardest thing to manage is passwords.  Accepted wisdom is to use a different password for each web site so that, if one of these sites is hacked, our broader online identity is not at risk.

I used to keep details of my web IDs on my Palm handheld.  This worked well, as long as I had the Palm with me.  Then I moved to using a list held in Google Docs, so I could access it from any computer.  Finally, I moved the list to my Dropbox account, with the added benefit of easy access from my Android smartphone.  Dropbox uses encryption of your data, so I figure this is pretty safe.

More recently I came across LastPass.  This is a free service with browser plugins to automate user ID and password fill-in.

What’s special about that?  After all, browsers can save your ID and password for a web site and auto-fill these in when you return.  The thing is, the browser does not encrypt the information it stores.  Sure, it is held locally on your PC, but does that make it secure?  If you were unfortunate enough to have a virus infect your PC, these stored IDs and passwords could be retrieved and sent to fraudsters.

This is where LastPass scores in a really big way.  As with any web site, your LastPass account is secured with an ID and password.  The difference is that LastPass encrypts your data locally on your PC, using a key derived from your ID and password, so only the encrypted form is sent to LastPass for storage.  Because that key can be rebuilt from your ID and password alone, you can access the data from any PC, even one without the browser plugin installed.
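To make the client-side encryption model concrete, here is an added example (my own illustration, not LastPass's code or its published algorithm). The assumptions are mine: the ID and master password go through PBKDF2-HMAC-SHA256 to produce a vault key that never leaves the PC, a separate login token is derived from that key for the server, and the encrypted blob uses HMAC-SHA256 in counter mode with an encrypt-then-MAC tag as a stand-in for a real cipher such as AES. The `VaultServer` class shows what the service actually holds: a salted hash of the login token and an opaque blob, nothing that contains a site password.

```python
from __future__ import annotations

import hashlib
import hmac
import json
import secrets

# Illustrative parameters (assumptions, not LastPass's published settings):
# PBKDF2-HMAC-SHA256, the lower-cased user ID as salt, 100,000 iterations.
PBKDF2_ITERATIONS = 100_000
KEY_LEN = 32


def derive_keys(user_id: str, master_password: str) -> tuple[bytes, bytes]:
    """Turn the user ID and master password into two unrelated secrets.

    vault_key stays on the PC and encrypts the vault; auth_token is what the
    server receives at login and cannot be reversed into vault_key.
    """
    salt = user_id.strip().lower().encode()
    vault_key = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode(), salt, PBKDF2_ITERATIONS, KEY_LEN)
    # One more keyed hash under a fixed label yields a login token that
    # reveals nothing about the vault key itself.
    auth_token = hmac.new(vault_key, b"example-auth-token", "sha256").digest()
    return vault_key, auth_token


def _subkey(vault_key: bytes, label: bytes) -> bytes:
    """Separate encryption and MAC keys so neither use weakens the other."""
    return hmac.new(vault_key, label, "sha256").digest()


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode, standing in for a real cipher like AES."""
    out = bytearray()
    block = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + block.to_bytes(4, "big"), "sha256").digest()
        block += 1
    return bytes(out[:length])


def encrypt_vault(vault_key: bytes, entries: dict) -> bytes:
    """Encrypt-then-MAC the vault on the client; returns nonce || ciphertext || tag."""
    plaintext = json.dumps(entries, sort_keys=True).encode()
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(vault_key, b"enc"), nonce, len(plaintext))
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(vault_key, b"mac"), nonce + ciphertext, "sha256").digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> dict:
    """Verify the tag before touching the ciphertext; wrong key -> ValueError."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(vault_key, b"mac"), nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault tag mismatch: wrong master password or tampered blob")
    stream = _keystream(_subkey(vault_key, b"enc"), nonce, len(ciphertext))
    return json.loads(bytes(c ^ s for c, s in zip(ciphertext, stream)))


class VaultServer:
    """What the service stores: a salted hash of auth_token and the opaque blob."""

    def __init__(self) -> None:
        self._accounts: dict[str, tuple[bytes, bytes, bytes]] = {}

    def register(self, user_id: str, auth_token: bytes, blob: bytes) -> None:
        server_salt = secrets.token_bytes(16)
        stored = hashlib.pbkdf2_hmac("sha256", auth_token, server_salt, 1000)
        self._accounts[user_id] = (server_salt, stored, blob)

    def fetch(self, user_id: str, auth_token: bytes) -> bytes | None:
        """Return the encrypted blob if the login token checks out, else None."""
        record = self._accounts.get(user_id)
        if record is None:
            return None
        server_salt, stored, blob = record
        candidate = hashlib.pbkdf2_hmac("sha256", auth_token, server_salt, 1000)
        return blob if hmac.compare_digest(stored, candidate) else None

    def plaintext_exposed(self, user_id: str, needle: str) -> bool:
        """Audit helper: does anything the server holds contain this secret?"""
        server_salt, stored, blob = self._accounts[user_id]
        return needle.encode() in server_salt + stored + blob


def demo(user_id: str = "alice@example.com", master_password: str = "correct horse") -> dict:
    """Round trip: encrypt at home, store on the server, fetch and decrypt on another PC."""
    # Constructed sample vault entry, not real credentials.
    entries = {"bank.example": {"user": "alice", "password": "Sup3rS3cret!"}}
    vault_key, auth_token = derive_keys(user_id, master_password)
    server = VaultServer()
    server.register(user_id, auth_token, encrypt_vault(vault_key, entries))

    # A second PC without the plugin: only ID and master password are needed.
    vault_key2, auth_token2 = derive_keys(user_id, master_password)
    recovered = decrypt_vault(vault_key2, server.fetch(user_id, auth_token2))

    _, wrong_token = derive_keys(user_id, "wrong password")
    return {
        "recovered": recovered,
        "wrong_token_rejected": server.fetch(user_id, wrong_token) is None,
        "server_sees_secret": server.plaintext_exposed(user_id, "Sup3rS3cret!"),
    }
```

The point to take from `demo()` is the separation of duties: the server can check a login and hand back the blob, but the vault key it would need to read the blob is never sent to it, so a breach of the storage side yields ciphertext and a salted token hash rather than site passwords.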

LastPass can also store other information to make online life easier and more secure.  It has a form-fill feature, for automatic completion of fields such as name, address and credit card information.  You can have multiple identities, each with its own form-fill details.  As with IDs and passwords, all of this is encrypted locally on the PC before being sent for storage in the LastPass servers.

As I said at the top of this post, LastPass is free.  There is also a premium account, currently priced at $1 per month, which adds the following benefits:

  • LastPass Android app, giving you access to all your LastPass IDs, passwords and form-fill data from your Android phone.
  • YubiKey security.  More on this below.

As I mentioned, you can use LastPass even on PCs that don’t have the plugin installed, such as at an Internet cafe or other non-secure location.  The problem is: how safe is this?  Could there be a keylogger running on the PC?  LastPass has a neat solution for this in the shape of use-once passwords.  These have to be generated in advance, on a machine you trust, e.g. when you’re at home.  Each is a long character string that grants a single login to your LastPass account, so your master password never has to be typed on the untrusted PC.  Even if someone captures a use-once password after you have used it, it will no longer open your account.
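The replay-resistance property described above is easy to show in code. This is an added example, not LastPass's implementation: it assumes a sheet of random 24-character passwords generated on a trusted PC, a verifier that stores only SHA-256 digests of the unused ones, and a rule that each digest is deleted the moment it is redeemed. The `internet_cafe_session()` function walks through a legitimate login, a later replay of the same captured string, and a random guess.

```python
import hashlib
import secrets
import string

OTP_ALPHABET = string.ascii_letters + string.digits
OTP_LENGTH = 24  # assumption: the page only says "long character strings"


def generate_otp_sheet(count: int = 5) -> list:
    """Generate use-once passwords at home, on a trusted PC, for later use."""
    return ["".join(secrets.choice(OTP_ALPHABET) for _ in range(OTP_LENGTH))
            for _ in range(count)]


def _digest(otp: str) -> str:
    """The server keeps digests only, so a storage breach does not leak the sheet."""
    return hashlib.sha256(otp.encode()).hexdigest()


class OtpVerifier:
    """Server side: holds digests of unused OTPs and burns each one on use."""

    def __init__(self, otps: list) -> None:
        self._unused = {_digest(o) for o in otps}
        self.log: list = []

    def remaining(self) -> int:
        return len(self._unused)

    def redeem(self, otp: str) -> bool:
        """Accept an OTP exactly once; a replayed copy is rejected."""
        h = _digest(otp)
        if h in self._unused:
            self._unused.discard(h)   # consumed: the same string can never work again
            self.log.append("OTP accepted")
            return True
        self.log.append("OTP rejected (unknown or already used)")
        return False


def internet_cafe_session() -> dict:
    """Constructed scenario: one real login, one replay, one guess."""
    sheet = generate_otp_sheet(3)          # printed at home, carried to the cafe
    server = OtpVerifier(sheet)
    first_use = server.redeem(sheet[0])    # legitimate login on the untrusted PC
    replay = server.redeem(sheet[0])       # the same string presented again later
    guess = server.redeem("not-on-the-sheet")
    return {"first_use": first_use, "replay": replay, "guess": guess,
            "remaining": server.remaining(), "log": server.log}
```

Two design details carry the security argument: the verifier never stores the passwords themselves, only digests, and redemption deletes the digest before returning success, so even a copy of the exact keystrokes typed at the cafe is worthless afterwards.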

Another neat solution provided by LastPass is an app that runs from a standard USB stick.  This adds an extra authentication step during login.

The solution that I have gone for, and am very happy to recommend, is to use a YubiKey.  This is a beautifully simple solution to online security.  It works in a similar way to the USB stick application, but is much more elegant and easy to use.  After entering my LastPass ID and password, I am also prompted to insert my YubiKey in a spare USB slot and to touch the activator contact on the YubiKey.  This generates a unique 32-char key and I am granted access to my LastPass account.  On computers that I trust and use regularly, I can tell LastPass to allow login without the YubiKey (after the first YubiKey login).  If I should lose the YubiKey, there is a procedure for allowing normal account access which involves access to my registered email address.

I really like the YubiKey solution to securing Internet identity.  The Yubico web site has product information and you can buy YubiKeys there too.  Currently they are $25 each, with discounts for bulk orders.  They also have an RFID version for added functionality.

The combination of LastPass and YubiKey authentication is a real winner.