Finally using a secure password system.
Gawker, a large blogging network, recently had a security break-in and over 1/2 million users' passwords were compromised. If you're like me, you re-use the same password on multiple different sites. That would give hackers access to multiple web sites by getting one password (Facebook, Twitter, your bank, Amazon, etc.).
While I used a "more secure" password for some sites, I did not have a systematic way of dealing with managing a unique password on multiple systems.
So, last night, I finally bit the bullet and installed a (free) password manager - LastPass. LastPass will do two things for you. First, it creates a cloud-based secure storage location for all of your passwords. They are available from any web browser. Second, you can install a browser plugin that will auto-fill your username and password into any site you use regularly.
So, now, I have the freedom to create a unique password on every web site I use, AND I can choose something that is much harder to guess - like a string of 12 randomly chosen letters and digits. Since my password is not in any dictionary, the only way to steal it from a web site (that stores passwords as cryptographically secure hashes) is to brute-force guess all possible 12-character strings. That's over 60 bits of random information - or over a quintillion (10^18) combinations.
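As an added illustration (not code from the original post or from LastPass), here is a short Python script that generates a 12-character letters-and-digits password the way a password manager would and works out the figures quoted above: the size of the search space, the bits of randomness, and how long an average brute-force run would take. The attacker guess rates in it are assumptions for comparison, not numbers from the post.

```python
import math
import secrets
import string

# 62-symbol alphabet: upper- and lower-case letters plus digits, as in the post
ALPHABET = string.ascii_letters + string.digits


def generate_password(length=12, alphabet=ALPHABET):
    """Return a password of `length` symbols drawn uniformly with a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def search_space(length, alphabet_size):
    """Number of distinct strings an exhaustive guesser must consider."""
    return alphabet_size ** length


def entropy_bits(length, alphabet_size):
    """Bits of randomness in a uniformly chosen string of this shape."""
    return length * math.log2(alphabet_size)


def expected_years_to_crack(length, alphabet_size, guesses_per_second):
    """Average time to hit a uniformly random password: half the space."""
    seconds = search_space(length, alphabet_size) / 2 / guesses_per_second
    return seconds / (365 * 24 * 3600)


if __name__ == "__main__":
    print("sample password:", generate_password())
    print("search space   : %.2e" % search_space(12, 62))   # about 3.2e21
    print("entropy        : %.1f bits" % entropy_bits(12, 62))  # about 71.5
    # Assumed attacker speeds (illustrative, not from the post): a fast
    # unsalted hash on GPU hardware versus a deliberately slow KDF.
    for label, rate in (("fast hash, 1e10 guesses/s", 1e10),
                        ("slow KDF,  1e4 guesses/s ", 1e4)):
        print("%s %.2e years" % (label, expected_years_to_crack(12, 62, rate)))
    # Contrast: a short lowercase-only password under the fast hash.
    print("8 lowercase, fast hash    %.2e years"
          % expected_years_to_crack(8, 26, 1e10))
```

The comparison at the end shows why a random 12-character alphanumeric password, combined with a slow hash at the server, moves brute-force cost from seconds to many years.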
It feels a little odd not even knowing my passwords anymore (I just have to remember a single secure password to log in to the LastPass site). But I feel much better knowing that my data is not vulnerable to the kind of security breach that happened at Gawker this week.
The only downside is that I now have a single point of failure in LastPass. If they lose their database, I could lose any passwords I haven't backed up locally. And if THEY have a security breach, I could lose all my account information to hackers. But I would rather put my faith in one company, dedicated to protecting security, than distribute that obligation among lots of individual sites around the web. Since my LastPass password is also a random string, it's very difficult to decode on a trial-and-error basis. I believe LastPass also goes out of their way to use an encryption algorithm that is intentionally slow, making a brute-force attack that much more difficult.
If all sites supported a distributed authentication system, like OpenID or OAuth, it would be even more convenient to use just a single authentication provider you trust to gain access to every service you use.