Why do I love LastPass?
- I’m able to have a unique password for every website I visit
- My passwords can be long with high entropy (I cannot remember 90 percent of my passwords)
- It runs on most browsers and operating systems
- Even LastPass cannot decrypt my database of passwords, even if ordered by a court to do so
Easily the most important feature is that it makes it easy for me to have a unique complex password for every website I visit. Every week I read about website databases being compromised. If I used the same login credentials for every site, one leak of my username and password would in effect be a leak of my username and password for all websites I’ve visited.
Rumor has it that some banks will receive extra attention from hacking groups Lulzsec and Anonymous this week. This was as good of an excuse as any for me to change my financial passwords. So I paid a visit to my online banks.
Frustratingly, all of my online financial institutions limit my passwords to an abysmal 12 characters. One of them doesn’t even permit me to use special characters (punctuation).
Sure, a 12-character, mixed-case, alpha-numeric password like P2e4rubusW2C would take 408,000 years for a desktop PC to crack (according to www.howsecureismypassword.net), but I’d like to enter a 64-character password with even higher entropy, which would take 717 quattuorvigintillion years to crack.
Thanks to LastPass, password length and complexity doesn’t matter at all to me — and it shouldn’t matter to my banks either.
If my banks were salting and hashing my passwords, it wouldn’t matter to them how many characters I wanted to use for my password. By limiting me to 12 characters, I fear that my passwords are being stored in plain text in a database that is configured to accept no more than 12 characters.
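To make the two points above concrete (that a longer password over a larger character set carries more entropy, and that a salted, iterated hash occupies the same storage regardless of password length), here is a small added example. It is my own illustration, not LastPass code or anything the banks run; the PBKDF2 iteration count is an assumed work factor, and the 12- and 64-character sample passwords are constructed for the demo.

```python
import hashlib
import hmac
import math
import os
import string
from typing import Optional, Tuple

# Character-set sizes for a randomly generated password.
MIXED_ALNUM = len(string.ascii_letters + string.digits)        # 62 symbols
MIXED_ALNUM_PUNCT = MIXED_ALNUM + len(string.punctuation)      # 94 symbols

# Assumed work factor for the demo; tune to your own hardware budget.
PBKDF2_ITERATIONS = 100_000
DIGEST_BYTES = hashlib.sha256().digest_size                    # 32 bytes


def entropy_bits(length: int, charset_size: int) -> float:
    """Entropy in bits of a uniformly random password of `length` symbols
    drawn from an alphabet of `charset_size` symbols."""
    return length * math.log2(charset_size)


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest) for storage. A fresh 16-byte random salt is
    generated when none is supplied, so identical passwords at two sites
    never share a stored digest."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return salt, digest


def verify_password(password: str, salt: bytes, stored_digest: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _, digest = hash_password(password, salt)
    return hmac.compare_digest(digest, stored_digest)


def stored_length(password: str) -> int:
    """Bytes the database column must hold for this password's digest.
    This is what makes a 12-character cap unnecessary: the stored value
    is the digest length, not the password length."""
    _, digest = hash_password(password)
    return len(digest)


# Constructed sample passwords: a 12-char alphanumeric one and a 64-char one
# using punctuation as well.
SHORT_PW = "P2e4rubusW2C"
LONG_PW = "".join(
    (string.ascii_letters + string.digits + string.punctuation)[i % 94] for i in range(64)
)


def demo() -> None:
    print(f"12-char alnum entropy:  {entropy_bits(12, MIXED_ALNUM):.1f} bits")
    print(f"64-char w/punct entropy: {entropy_bits(64, MIXED_ALNUM_PUNCT):.1f} bits")
    for pw in (SHORT_PW, LONG_PW):
        salt, digest = hash_password(pw)
        print(f"len(password)={len(pw):>2}  stored digest bytes={len(digest)}  "
              f"verify={verify_password(pw, salt, digest)}")


if __name__ == "__main__":
    demo()
```

Run it as a script to see that the 12- and 64-character passwords both produce a 32-byte digest, and that `verify_password` still succeeds for the long one; the only thing the bank's schema needs to size is the salt and digest columns.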
Concerned, I emailed each of my banks asking why they limit my password to just 12 characters and if my password is being stored using encryption that is non-reversible. I’m not very optimistic that I’ll hear what I’m hoping to hear.