I started using LastPass a few weeks ago; it’s a browser plugin that remembers your passwords for you, but unlike the password managers built into the various web browsers, it syncs the password database with the cloud, so that the same set of passwords is available on all the computers I use. In order for this to be safe, the passwords are only ever decrypted locally on your machine; when stored in the cloud, they’re encrypted with a master password. The nice thing about this arrangement is that you only have to remember that one master password; all the other passwords can be long, hard-to-remember but secure random sequences of letters and digits such as “hT69xFuEADwdE9be”, because you don’t have to remember or even look at them. This is a big step up from using the same easy-to-remember password almost everywhere, like I used to, for two reasons:
- Easy to remember means easy to guess. My password wasn’t quite as bad as a dictionary word, but not far from it. Any competent password cracking program could have guessed it.
- If any one of the dozens of sites I used the same password on had been compromised to the point that the attacker got hold of my password there, they could’ve used it to log in as me almost everywhere.
And now, I’ve replaced my last web password with a secure one that I don’t remember: my Gmail login. I waited quite a while before doing this, partly because it’s the most important one, partly because this is the one password I can’t just reset by asking them to e-mail me a new one. I even tested the function where Google sends a password reset code to your phone via SMS (and was almost convinced it didn’t work, because the message took more than an hour to arrive).