For sometime now, I have been using LastPass as a tool to help me remember a lot of my passwords. I can have different passwords for each website I log into, each one long, complex and random, and I don’t have to write any of them down. Even better, the encrypted store of information is automatically synchronised across several devices so I get log into a site from my tablet or phone without having to be sitting in front of my computer. However, although LastPass works well for me at the moment, I do like to keep an eye on other options. Like anything, it may not last forever or may change into a form where I’m not willing to trust it.
Towards the tail end of last year, I came across an Open Source tool called LessPass that sounded intriguing and, yes, just a bit similar. It worked on the premise that you would remember a master password and then generate a password for a given site and user name by following an algorithm.
It sounds a neat idea but discussion in the information security revealed some problems (for example, see Security Now issue 586). The source code, short and readily available used a pattern-based algorithm. As I understand it, the system worked through the generated string and picked out a lower case character, then an upper case one, then a number then symbol before repeating. Unfortunately, even if you don’t know the password, it significantly reduces the potential patterns. Under regular rules, there would be about 95 options per character so a four character password (way too short!) would have 81,450,625 permutations. If you follow a sequence, you only get 223,080 (26 * 26 * 10 * 33) permutations – still a big number but one that rapidly falls short of a truly random pattern. Furthermore, if you decide that one of your passwords has been compromised (for example, you used it on a site that then confessed to leaking its login data in plain text), you can’t change the site address or your username so you have to change your master password and thus your login details on every site for which you used the tool.
Information security is difficult! It is probably best to leave LessPass to the developers for a bit longer and, meanwhile, remember to resist simple, repeating patterns.