Protecting Your Accounts With a Secure Password Manager
If you’re the kind of person who constantly resets passwords and usernames, recycles the same password you’ve been using for the past seven years, and struggles with tracking password changes on hand-written notes or spreadsheets, then it’s time for a serious upgrade. You need a password management tool.
Why? Because password reuse is a serious problem: a large number of password leaks occur each year, affecting even big companies such as Amazon, Comcast, and Spotify. When your password leaks in a data breach, attackers have an email address, username, and password combination they can try on other websites (an attack known as credential stuffing).
If you use the same (or similar) login information everywhere, a leak at one website could give hackers access to all your accounts. If a hacker gains access to your email account in this way, they could use password-reset links to access other websites, like your online banking or PayPal account.
To stop a single leak from doing this much damage, you need a unique password on every website. These should also be strong passwords: long and randomly generated, so they cannot be guessed from a dictionary or derived from your other passwords. Length matters more than any particular mix of numbers and symbols.
But how can you remember so many different passwords? The answer: you can’t! But you can (and should) let a password manager remember them for you.
Benefits of Using a Password Manager
There are so many advantages to using a password manager, but let me point to three.
First, password managers save you from having to remember your passwords. When you try to remember your passwords, you end up using some of the worst passwords imaginable. Don’t do that.
Second, because you don’t have to remember your passwords, it’s possible to have strong, unique passwords for every single one of your online accounts. There is no reason to stop at the old eight-character minimum when a generator is doing the work: a random password of 16 or more characters drawn from upper and lower-case letters, numbers, and symbols is a sensible default. The good thing about a password manager is that you only have to create one password yourself (the master password that unlocks the password manager itself). After that, the password manager can generate all your other passwords for you, taking strength into account.
Third, password managers fill in your usernames and passwords automatically when you visit your account websites, which means you waste less time typing them. Autofill also has a security benefit: the manager only offers a saved login on the domain it was saved for, so a look-alike phishing site gets nothing filled in. With a password manager, you can easily and securely log in to your favorite sites with just a few clicks.
Which Password Manager Should I Use?
Now that you understand why you’re doing this, here are some good options, all free to try. There are many available; both browser-based and desktop-app-based tools are popular.
I personally use LastPass as my user-friendly and powerful password manager of choice, but other cloud-based tools like Dashlane work just as well.
For users who are ultra-conscious about security, the open-source tool KeePassX comes highly recommended (KeePassX itself is no longer developed; its actively maintained successor is KeePassXC). It keeps the vault in a local encrypted file that you sync yourself, so there is no vendor server to breach, but it is not as easy to use as its commercially developed cousins.
How Do I Implement a Password Manager?
With LastPass, you start by creating an account with a strong “master password” that unlocks your vault. Make this one a long passphrase you have never used anywhere else: the vault is encrypted with it, so the service does not have it on file, and it is the only thing standing between the encrypted vault and anyone who obtains a copy of it. Before long, this master password will literally be the last password you’ll have to remember!
Then, install the browser addon, and start adding a few accounts to your secure vault. Begin with a relatively unimportant “second tier” account like your old Earthlink email account, in order to get the hang of adding the account to the LastPass vault.
After adding a few accounts to LastPass, change the passwords of those accounts to something unique, long, and random. Since LastPass types these for you, there is no reason to keep them short: let the generator produce at least 16 characters of mixed upper/lowercase letters, numbers, and symbols, or the maximum length the site accepts if that is lower. Ten characters of letters and numbers, which used to be the usual advice, is too short for a password no human ever needs to type.
Once you’ve become a pro at adding accounts to your vault, the next step is to add your primary accounts – NOW.
Protecting Your Accounts
Your primary Gmail account, your Chase bank account, and your Amazon account would all fall under the category of “first tier” primary accounts, so get them into your vault ASAP.
Then, change those passwords to something unique, long, and random. The same rules apply, but for important primary accounts use the generator’s longest setting (20 or more characters) with the full character set, including symbols, so that even an offline guessing attack against a leaked password hash is hopeless.
Protecting your online accounts with a password manager involves repeating the steps listed above with ALL of your accounts. It’s a tedious process, especially if you have dozens (or hundreds) of accounts, but it is essential to limit the damage the next data breach or password leak can do to you.
If you’ve followed the steps above, congrats! You’re now using complex and unique passwords for all of your online accounts and storing them in your password manager!
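To make the length and character-set advice above concrete, here is an added Python example (not code from the original article, and not LastPass’s generator) that produces passwords the way a manager’s generator does, using the operating system’s CSPRNG, and computes how much entropy each tier carries and roughly how long an offline guessing attack would take. The same arithmetic governs the master password, where the manager cannot help you. The guess rate of 10 billion per second is an assumption for illustration (a GPU rig against a fast, unsalted hash); real rates depend on how the site hashes its passwords.

```python
import math
import secrets
import string

# Alphabets a typical generator offers: 62 symbols and 94 symbols.
ALPHANUM = string.ascii_letters + string.digits
FULL = ALPHANUM + string.punctuation

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def entropy_bits(length, alphabet_size):
    """Entropy of a password of `length` symbols, each drawn uniformly and
    independently from `alphabet_size` symbols: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def generate_password(length, alphabet=FULL):
    """Draw every character with the OS CSPRNG via `secrets`. The `random`
    module is seeded predictably and must never be used for secrets."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_with_all_classes(length):
    """Many sites insist on at least one lowercase, uppercase, digit and
    symbol. Rejection sampling (regenerate until the rule holds) keeps the
    result uniform over the accepted set, unlike forcing fixed positions."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    if length < len(classes):
        raise ValueError("length too short to hold every character class")
    while True:
        candidate = generate_password(length, FULL)
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def years_to_crack(bits, guesses_per_second):
    """Expected brute-force time for a password with `bits` of entropy:
    on average half the keyspace (2**(bits-1)) must be tried."""
    return 2 ** (bits - 1) / guesses_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    # Assumed attacker rate for illustration: 1e10 guesses per second.
    RATE = 1e10
    for label, length, alphabet in (
        ("10 alphanumeric", 10, ALPHANUM),   # the old second-tier rule
        ("16 full charset", 16, FULL),       # sensible default
        ("20 full charset", 20, FULL),       # primary accounts
    ):
        bits = entropy_bits(length, len(alphabet))
        print(f"{label:16} {generate_password(length, alphabet)!r:26} "
              f"{bits:6.1f} bits  ~{years_to_crack(bits, RATE):.2e} years")
    print("with every class:", generate_with_all_classes(16))
```

Running it shows why the tiers differ so sharply: ten alphanumeric characters carry about 60 bits and fall in roughly a year at the assumed rate, while 16 characters from the full set carry about 105 bits and push the expected time past the age of the universe. The rejection-sampling helper is what to use when a site rejects passwords that happen to contain no symbol.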
What Happens If My Password Manager Gets Hacked? (Hint: use 2FA)
In June 2015, LastPass was indeed hacked. Attackers took email addresses, password reminders, per-user salts, and master-password authentication hashes, but LastPass found no evidence that encrypted user vault data (which would include all users’ individual account logins and passwords stored by LastPass) was accessed.
Security researchers generally approved of the way LastPass handled the breach, and folks that had enabled two-factor authentication on their LastPass account (like myself) were not particularly concerned. One caveat is worth spelling out: 2FA protects the login to the service, not the vault itself. If an attacker ever walks off with a copy of the encrypted vault, as happened to LastPass in its much larger 2022 breach, the only protections left are the strength of the master password and the number of key-derivation iterations used to stretch it. (If you are wondering about the details of LastPass security, you can read more about exactly how they do it.)
You may also be wondering: what is two-factor authentication (2FA)? Essentially it’s a very effective extra “layer” of protection that keeps the bad guys out.
You’ve probably already used 2FA when making a change to one of your primary accounts: big companies like Google, Amazon, Microsoft, and Apple will often require you to enter a one-time 6-digit code, sent to your phone by text message or produced by an authenticator app, any time you make a sensitive change to your account. This is a common example where your phone acts as a second factor of authentication (your username and password are your first factor). A code from an authenticator app or a hardware security key is stronger than one sent by SMS, since text messages can be intercepted or redirected by someone who SIM-swaps your number.
The point is that if your username and password are compromised and an attacker attempts to log in, they are stopped at the second authentication step, because they don’t physically have your phone. The remaining risk is phishing that asks you for the code in real time, so never type a code into a page you did not navigate to yourself.
Start Using a Password Manager Today – It’s Easy!
After the initial set up and tedious process of adding accounts to your vault is completed, using LastPass is a breeze. You can (and should) protect your LastPass account with 2FA, and install the LastPass app on your phone. Accessing your vault (and logging into your favorite sites securely) is as easy as pressing a finger to your phone’s touch reader, or clicking a button in your desktop browser.
Once you are set up with a fully populated, 2FA-secured password vault, you’ll feel better knowing that your online accounts are protected by a password management solution that is easy to use. You can even set up emergency access to your vault just in case something happens to you and you want your loved ones to be able to get at your accounts (I call this part of my “hit by a bus” action plan).
Start using a password manager today, before the next newsworthy data breach and password leak occurs and your online accounts are compromised as a result! Of course, if you’d like some assistance with setting up a password manager or anything else related to cyber security, please feel free to contact us.