Have you been meaning to set up an online password manager but just haven’t gotten around to it? Take my five minute LastPass challenge! Not convinced that you need an online password manager? Read on!
Last week, I received a weird email from a friend. The subject was “From John Doe” (not my friend’s real name) and the content of the email was just a single link. I’m not going to print the link here, let’s just say it was x-rated.
Has this ever happened to you? Even more embarrassing, have your friends told you that you sent them such a link? How did this happen?
It sounds like your password was hacked — someone figured out your password and is using your email to send spam.
How to prevent this?
1. Use a different password for every site.
Otherwise, it’s like giving a thief a skeleton key – they potentially have access to all your social media, credit card, bank accounts, and wherever you have used that password.
When we set up our passwords, we tend to use passwords that are easy to remember – and then keep using them. My cat’s name is Sylvester. That would be an easy password to use – and to hack. Now you can all go to my bank and try to log me in with Sylvester as the password – good luck:)
2. Don’t use passwords on an open public Wi-Fi network.
“Open” means the Wi-Fi itself has no password. Even if the network is password protected, proceed with caution. Not to seem paranoid, but, well, you should be paranoid. It’s really easy for someone else on the network to intercept your password. Instead, use your phone’s 3G or LTE connection as a hotspot, or stick to surfing sites that don’t require passwords.
3. Don’t give your password to anyone you don’t know — by phone or by email.
You might get calls or emails offering you a loan or from someone claiming to be your bank or from one of your other accounts, asking for your password. This is always a scam. Your existing accounts won’t ever ask for your password.
4. Don’t send passwords by email.
If you need to share a password, do so by phone. You have other options, such as creating a separate account for the other user (so you can delete it if needed) or using a password sharing app like LastPass (read on).
5. Use strong passwords.
There are two basic schools of thought about password strength: length vs. entropy.
The length argument is that longer phrases statistically take more time to guess in a brute-force attack, once you rule out single words and common digit strings (ahem, 123456 anyone?).
The entropy argument (entropy meaning randomness and unpredictability) is that you should mix upper and lower case letters, numbers and symbols.
My rule of thumb is a combination — long passwords with entropy:
- Start with four common, unrelated words
- One upper case letter (or more)
- One lower case letter (or more)
- One number (or more)
- One symbol, such as !@#$ (or more)
- 16 characters (or more)
Of course, having more than one password with this mix of characters would be impossible if I had to remember them all.
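As an added example (my code, not from the original post), here is a small Python checker for the rule of thumb above, together with the two strength estimates the “length” and “entropy” schools are arguing about. The word-list size and the guessing rate are assumed figures, not facts from the post.

```python
import math
import string

# The post's rule of thumb: mixed case, a digit, a symbol, 16+ characters.
# (The "four unrelated words" part cannot be checked mechanically.)
RULES = {
    "length": lambda p: len(p) >= 16,
    "upper": lambda p: any(c.isupper() for c in p),
    "lower": lambda p: any(c.islower() for c in p),
    "digit": lambda p: any(c.isdigit() for c in p),
    "symbol": lambda p: any(c in string.punctuation for c in p),
}

def check_rule_of_thumb(password: str) -> dict:
    """Which of the checkable rules the password passes."""
    return {name: rule(password) for name, rule in RULES.items()}

def passes(password: str) -> bool:
    return all(check_rule_of_thumb(password).values())

def charset_entropy_bits(password: str) -> float:
    """The 'entropy' school's measure: bits IF every character were drawn
    uniformly from the character classes the password uses. It overrates a
    dictionary word like 'Sylvester', which an attacker guesses from a word
    list, not character by character."""
    checks = check_rule_of_thumb(password)
    pool = 0
    pool += 26 if checks["lower"] else 0
    pool += 26 if checks["upper"] else 0
    pool += 10 if checks["digit"] else 0
    pool += len(string.punctuation) if checks["symbol"] else 0  # 32 symbols
    return len(password) * math.log2(pool) if pool else 0.0

def passphrase_entropy_bits(n_words: int, wordlist_size: int = 7776) -> float:
    """The 'length' school's measure: n words picked at random from a list.
    7776 (6**5) is the size of a Diceware-style list; an assumed default."""
    return n_words * math.log2(wordlist_size)

def seconds_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every possibility at an assumed offline
    guessing rate (1e10/s is a constructed figure, not a measurement)."""
    return 2 ** bits / guesses_per_second
```

Four random words from a 7776-word list come to roughly 52 bits, which is why the post's rule adds case, digits and symbols on top of length rather than choosing one school over the other.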
6. Use an Online Password Manager
I have seen some low-tech ideas for remembering passwords, but they all feel less secure than an online password manager. Writing passwords on a piece of paper, even if you lock the paper in a physical safe, quickly loses its appeal when it’s impractical to retrieve – most notably when you’re traveling, but also simply because of how often you would need to refer to it, given how many passwords you are likely to have. Putting passwords in a text file on your computer is also dangerous if you lose your computer or the file, and it is inconvenient if you use multiple devices.
The best solution I have found for keeping track of passwords is LastPass.
LastPass is an online password manager that allows you to store passwords in your “vault” so that you only need to remember your Master Password. No one else can get into your vault unless they have the Master Password, not even LastPass. But, you can share your passwords with friends or colleagues easily. LastPass also:
- Logs you in when you visit a website that is in your vault, including handling multiple logins on the same site
- Fills forms on websites
- Saves passwords when you visit a site
- Saves form data when you fill out a form
- Logs off when you are inactive
- Creates new passwords for you with a length and special characters that you choose
- Has an audit feature, where you can check the strength of your password and make sure you aren’t repeating any of them
- Can automatically change your password on a site
Each of these features can be configured, so if you’re thinking “I don’t want my computer to do that,” you can set it up so that it doesn’t.
However, I think it’s worth paying for Premium (just $12/year) in order to sync across multiple devices. Premium also offers a “family folder” that lets you share passwords with up to five people, and more multi-factor authentication options (like Touch ID on iOS).
Of course, no solution is perfect. LastPass has been compromised three times, twice in 2011 and once in 2015. Each time, their response was to alert everyone about the possible implications of the problem, make upgrades and, in some cases, require all users to change their Master Password as a precaution.
LastPass is not able to share your information, even if they are “hacked” or subpoenaed. The key to your passwords, your Master Password, resides in your head. LastPass doesn’t have this key, so they can hand the database holding your passwords over, but no one can read them without the key.
And, if your device gets stolen or hacked, the thief doesn’t have the database. As long as you set up your computer to log you out of LastPass when you’re idle, the thief won’t have the key to your database.
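To make the “the key lives in your head” model concrete, here is an added Python sketch (my code, not LastPass’s, and not a description of their actual scheme) of a client-side-encrypted vault: the server keeps only a one-way login hash and an encrypted blob, so a copy of the server record cannot open the vault and a tampered blob is rejected. The iteration count is an assumed value, and the HMAC-based cipher is a standard-library stand-in for a real AEAD such as AES-GCM.

```python
import hashlib, hmac, os

ITERATIONS = 100_000  # constructed KDF cost; a real manager publishes its own

def derive_vault_key(master_password: str, email: str) -> bytes:
    # Slow, one-way, computed only on the client: the key that encrypts the vault.
    # The e-mail is the salt, so identical master passwords give different keys.
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), ITERATIONS)

def derive_auth_hash(vault_key: bytes, master_password: str) -> bytes:
    # One further one-way step: this, not the key, is what the server stores.
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode: a stdlib stand-in for a real AEAD such as AES-GCM.
    blocks = (hmac.new(key, nonce + i.to_bytes(4, "big"), "sha256").digest()
              for i in range((length + 31) // 32))
    return b"".join(blocks)[:length]

def _tag(key: bytes, nonce: bytes, ct: bytes) -> bytes:
    # Integrity tag under a separate MAC subkey, so a wrong key or edited blob is rejected.
    return hmac.new(hmac.new(key, b"mac", "sha256").digest(), nonce + ct, "sha256").digest()

def encrypt_vault(vault_key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(vault_key, nonce, len(plaintext))))
    return nonce + ct + _tag(vault_key, nonce, ct)

def decrypt_vault(key: bytes, blob: bytes):
    # Returns the plaintext, or None when the key is wrong or the blob was altered.
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _tag(key, nonce, ct)):
        return None
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))

def enroll(master_password: str, email: str, vault: bytes) -> dict:
    # The complete server-side record for a user (constructed): no key, no plaintext.
    key = derive_vault_key(master_password, email)
    return {"email": email,
            "auth_hash": derive_auth_hash(key, master_password),
            "encrypted_vault": encrypt_vault(key, vault)}

def login_and_open(master_password: str, record: dict):
    # Client flow: re-derive the key locally, prove it to the server, decrypt locally.
    key = derive_vault_key(master_password, record["email"])
    if not hmac.compare_digest(derive_auth_hash(key, master_password), record["auth_hash"]):
        return None  # the server rejects the login
    return decrypt_vault(key, record["encrypted_vault"])
```

The point of the split is that `auth_hash` lets the server check a login but is useless as a decryption key, so whoever holds the server’s copy still has to guess the Master Password, which is why its strength matters so much.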
(And it’s likely to be better than whatever you’re using right now)