Does using one of these managers make you even more vulnerable, in that anyone who hacked your master account would get all your passwords at once? Well-run sites, like the ones mentioned above, should reduce rather than increase your risk. Partly that is because of a human-factors bet: that users will do better thinking up and remembering just one very secure password to guard all the others, than they will trying to juggle dozens of passwords on their own. It's also due to a technical arrangement: your passwords are stored at the master site in a gibberish form that can only be deciphered in combination with info that you enter each time, or that is on your local machine. See this explanation of LastPass's approach to this problem. So, things could go wrong, but on balance they seem safer. And the more you worry about this, the greater the incentive to switch to a "two-factor" system like the one LastPass has just introduced.
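To make the "gibberish form" arrangement concrete, here is an added example of how a client-side encrypted vault of that general design can work. It is not code from the original post or from LastPass: the iteration count, the key-separation labels and the cipher are my own choices. The vault key is derived on the user's machine from the master password (with the e-mail address as salt) and never sent anywhere; the login credential is derived one step further from that key, so a server that is fully compromised holds only a salted hash it cannot reverse and ciphertext it cannot open. Real products use AES for the vault; to keep this runnable with only the Python standard library, an HMAC-SHA256 keystream with an encrypt-then-MAC tag stands in for it.

```python
# Added example (not from the original post or from LastPass): a
# client-side encrypted password vault. Parameters below are assumptions.
import hashlib
import hmac
import json
import os

PBKDF2_ITERATIONS = 100_000  # assumption; choose per current guidance


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client-side only. This key encrypts the vault and never leaves the user's machine.
    The e-mail address serves as a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), PBKDF2_ITERATIONS, dklen=32)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """What the client sends to log in: one more PBKDF2 step over the vault key,
    so the server sees a value it cannot turn back into the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in stream cipher: HMAC-SHA256 in counter mode. A real product uses AES.
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(vault_key: bytes):
    # Separate encryption and MAC keys derived from the vault key.
    return (hmac.new(vault_key, b"enc", hashlib.sha256).digest(),
            hmac.new(vault_key, b"mac", hashlib.sha256).digest())


def encrypt_vault(vault_key: bytes, vault: dict) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag. Only this blob goes to the server."""
    enc_key, mac_key = _subkeys(vault_key)
    plaintext = json.dumps(vault).encode()
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt_vault(vault_key: bytes, blob: bytes) -> dict:
    """Verify the tag before decrypting; a wrong master password fails here."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("vault tag mismatch: wrong master password or tampered blob")
    pt = bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


class VaultServer:
    """Stores only a salted hash of the login hash plus the encrypted blob."""

    def __init__(self):
        self._accounts = {}

    def register(self, email: str, login_hash: bytes, blob: bytes) -> None:
        salt = os.urandom(16)
        stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, PBKDF2_ITERATIONS)
        self._accounts[email] = (salt, stored, blob)

    def fetch(self, email: str, login_hash: bytes) -> bytes:
        salt, stored, blob = self._accounts[email]
        check = hashlib.pbkdf2_hmac("sha256", login_hash, salt, PBKDF2_ITERATIONS)
        if not hmac.compare_digest(stored, check):
            raise PermissionError("login hash rejected")
        return blob

    def breach_snapshot(self, email: str):
        """Everything a full server compromise would expose: salt, hash, ciphertext. No key."""
        return self._accounts[email]


def demo():
    """Returns (legitimate client recovered the vault, stolen blob opened with wrong password)."""
    server = VaultServer()
    email = "user@example.com"                     # constructed sample user
    master = "correct horse battery staple"        # constructed sample master password
    vault = {"gawker.example": "throwaway-pw-1", "bank.example": "long-unique-pw-2"}

    vault_key = derive_vault_key(master, email)
    server.register(email, derive_login_hash(vault_key, master), encrypt_vault(vault_key, vault))

    # Legitimate client: re-derive the key locally, authenticate, decrypt.
    blob = server.fetch(email, derive_login_hash(vault_key, master))
    recovered = decrypt_vault(vault_key, blob)

    # Server breach: attacker holds the blob but must still guess the master password.
    _salt, _stored, stolen_blob = server.breach_snapshot(email)
    try:
        decrypt_vault(derive_vault_key("wrong password", email), stolen_blob)
        opened_with_wrong = True
    except ValueError:
        opened_with_wrong = False
    return recovered == vault, opened_with_wrong


if __name__ == "__main__":
    print(demo())
```

The design point is the split between the two derived values: the server can verify the login hash without ever holding the vault key, so a breach of the server yields a brute-force problem against the master password rather than the passwords themselves. That is exactly why the strength of the one master password, and a second factor on top of it, carries so much weight.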
One more point, particularly significant to those who travel overseas or otherwise do a lot of work from "public" computers. Very often when using internet cafes in China, I would worry about "keystroke loggers." These are devices that can track everything entered on a computer and thereby get any username/PW combo that you type in. Manager programs enter the passwords without your doing anything on the keyboard and therefore avoid this vulnerability.
3) Via reader BW in Washington state, this Computerworld story on a free service, to all appearances legit, that offers clues about whether your email address has been compromised. It is called PwnedList.com, and if you merely enter an address it tells you what it has found in databases of compromised sites.
This is not a perfect guide to whether you'll actually have trouble. My wife's Gmail account, which was the object of a devastating hack about six months ago, comes up clean on the PwnedList -- whereas my address, which to the best of my knowledge has not been compromised, gets a warning message. (That warning comes from last December, when I was out of the country. I've changed the password several times since then.) Still, worth a look.
After the jump, a couple of reader testimonials on other tips and tricks.
From a reader in Massachusetts:
I'm writing because there are several good personal security options that you (and others) should consider.
1. Throwaway email accounts. You attribute all this trouble to password reuse between important sites like Gmail and unimportant, throwaway sites, possibly Gawker (google "aaron barr anonymous"). You didn't give this advice, but someone should: whenever you're asked to register with an email (and password) for some throwaway account (like Gawker), ALWAYS use a throwaway email account supplied by a site like mailinator.com and a unique, throwaway password. Once registered, the original email account is unnecessary, and your personal identifying information is never used for Gawker-like sites.
2. Personal clouds. You quote, "Where the sensitive information is concentrated, that is where the spies will go. This is just a fact of life." So stay away from highly concentrated sensitive data stores like Gmail and Yahoo! Tools to set up and host your own personal cloud services are becoming increasingly easy and inexpensive. This is also easily done with virtual servers sold by Amazon, Rackspace, and others. Apple OS X Lion Server costs $20, once.
The security issues associated with having your computer online (which it already is and always will be) must still be addressed, but the likelihood is minuscule that intensive hacker resources will be used to catch a tiny guppy. And when you back up your computer, you also back up your cloud. Finally and perhaps most importantly, you protect your personal privacy by not using a "free" cloud service that has the ability to scrape, use, and sell personal information about you from email and other accounts.
The theme for both approaches is that looking out for your privacy on the web provides greater security, unlike the traditional false "privacy versus security" dichotomy.
Along these lines, one could add a third point about always-on encryption. Gmail does this well, but not Yahoo or others. I tell my family to avoid any site that accepts personal information without providing a secure HTTPS link. The EFF's Firefox plugin HTTPS-Everywhere makes this easier.
The larger societal issue is that it's the Wild West right now for nearly everything that involves cyber privacy and cyber security, and like the Wild West of old (or at least of film), your only protection now is to take care of these issues yourself because no one else will.
I've added emphasis to that last sentence because for me it's the main lesson of this whole hacking episode.