Would you stay at a hotel where every room could be opened with the same key? Or would you smile at the desk agent, get back in your car and drive to an inn with at least a basic sense of security where you could feel safe staying the night?
If you’re like most people, you have one — maybe two — passwords that you use across all of your online accounts. One key to rule them all!
Oh sure, sometimes you make slight variations to add numbers or capitals as each site requires. Your password “bumblebee” becomes Bumblebee, Bumblebee123, or bumb1eb33. You’ve also got it all written down on a piece of paper taped to your monitor or under your keyboard. Rock-solid security!
The Equifax breach got everyone excited about security. But there’s another glaring problem most people overlook. What happens when one or more of your accounts, say Yahoo, LinkedIn, or Adobe, is compromised and your user name and password are sold along with millions of others on the dark web? How many doors can that key open, and what’s behind them?
It’s time to get serious about basic security
For starters, let’s find out whether you’ve already had an account compromised. Visit www.haveibeenpwned.com and put in your email address. The site will search more than 4.5 billion compromised accounts to see whether yours was among them and in which breach it showed up. Don’t forget to check all of your addresses — personal, work, old work, old personal, etc.
If your email wasn’t listed there, congratulations! You’re still not safe. Breaches sometimes aren’t detected for months or even years. Just because your information hasn’t turned up for sale doesn’t mean it hasn’t been stolen.
To truly protect your accounts, you need a unique, difficult-to-crack password for each and every account. That quickly adds up to dozens of secure passwords for our banks, credit cards, social media sites, email, etc. Let’s be honest, you aren’t going to be able to remember that many secure passwords and where you used each one.
You need a password manager.
A password manager is like a safe for all the keys in the hotel. There’s a master key or combination that unlocks the safe, and then all the individual room keys are inside.
By choosing one really secure password that you CAN remember, you can then let the password manager create dozens of ultra-secure passwords you can’t remember, one for each site you use. If one of those accounts is compromised as part of a breach, you simply change that single password and have no worries about what else the bad guys might be able to get into.
Choosing a password manager
There are many password managers to choose from, and I’m not going to go through all the features of each one. Instead, I’ll just point you to this great breakdown by PC Mag for free password managers and this one for paid password managers.
What I will say is you will want to think through how you want to use the password manager now and in the future, and think of some worst-case scenarios that you can walk through in your head. What happens if you’re incapacitated and your loved ones need to get access to your accounts? What happens if you lose a device? How many ways are there to access the passwords stored in the manager, and how comfortable do you feel using them?
I have been using the paid version of LastPass for more than a year. I had been reluctant to adopt a password manager, thinking it was going to be a pain to use. Then I started to think about how much of my financial life was being protected by my “important account” password — essentially the same password, which also happened to be my email password. In effect, if someone got my email password, they could change that, lock me out and start changing all of the contact and routing information in my various financial accounts to siphon away my money.
We’re not talking “Ocean’s Eleven” heist planning here. A kid in Romania could probably clean me out in an hour. Don’t believe it? Check out this feature from Wired on how quickly password crackers can figure out average passwords.
That’s not to say password managers are foolproof, either. LastPass had its own hack in 2015. Like I said, you have to have a strong master password protecting all those really strong passwords generated by the app. That password should be long, more than 16 characters, and you shouldn’t base it on anything that someone could guess just by following you on Twitter or Facebook. LifeHacker has some good tips for creating a strong password here.
Going the extra mile
Once you’ve got a password manager set up, then you’ve got to go replace all the passwords in your various accounts. This actually took me far less time than I thought it would. I started with an account I wasn’t too worried about losing so that I could test how the password manager worked. Once I felt confident using it, I changed my email password, then my financial accounts, then my social media, then shopping, etc.
I have more than 60 accounts stored in LastPass, all with a unique password that should be all but impossible to crack. I set the password generator to create the maximum length allowed by the site, which can be 32 random characters!
But there’s still one more step to add an extra layer of security: two-factor authentication, or 2FA.
There are three kinds of factors you can use to verify you are the account owner. The first is something you know, like a password or answers to personal questions. The second is something you have, like a trusted mobile device. The third is something you are, a biometric like a fingerprint or retina scan.
Two-factor authentication in the consumer space typically asks you for something you know and then asks you to prove something you have. So after you enter your password, you’ll get a notification on your cell phone saying someone just entered the correct password for a website and asking whether you want to approve the log-in. If you just entered the password, you approve the log-in on your cell phone. However, if someone else entered the password, you can deny the log-in on your cell phone and prevent the attack.
Many websites, financial institutions and applications support two-factor authentication. You simply have to turn it on. Like password managers, there are multiple options in this space. While 2FA may be overkill for some of your accounts, it’s a good idea for the major ones you really want to protect.
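To make the two ideas above concrete, here is a small Python model I added for illustration (it is not code from this post or from LastPass): a generator that fills a site’s maximum length with random characters, and a log-in that only succeeds when the correct password (something you know) is followed by an approval from the enrolled phone (something you have). The account, device names and hashing parameters are my own assumptions.

```python
import hashlib
import hmac
import math
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(max_length: int = 32) -> str:
    """Random password at the longest length the site accepts (the post uses 32)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(max_length))


def entropy_bits(length: int) -> float:
    """Guessing work for a uniformly random password of this length over ALPHABET."""
    return length * math.log2(len(ALPHABET))


def hash_password(password: str, salt: bytes) -> bytes:
    # Slow, salted hash so a stolen database is not the same as a stolen password.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


class Account:
    """Hypothetical account with a password and one enrolled phone for approvals."""

    def __init__(self, password: str, device_id: str):
        self.salt = secrets.token_bytes(16)
        self.digest = hash_password(password, self.salt)
        self.device_id = device_id      # the "something you have"
        self.pending = {}               # challenge id -> approved?

    def begin_login(self, password: str):
        """Factor 1: only a correct password produces a challenge for the phone."""
        if not hmac.compare_digest(hash_password(password, self.salt), self.digest):
            return None
        challenge = secrets.token_hex(8)
        self.pending[challenge] = False
        return challenge

    def device_decision(self, device_id: str, challenge: str, approve: bool) -> bool:
        """Factor 2: only the enrolled device may approve or deny a pending challenge."""
        if device_id != self.device_id or challenge not in self.pending:
            return False
        if approve:
            self.pending[challenge] = True
        else:
            del self.pending[challenge]  # owner tapped "deny": attempt is dead
        return True

    def complete_login(self, challenge: str) -> bool:
        """Succeeds once, and only if the phone approved this exact attempt."""
        return self.pending.pop(challenge, False)
```

With a leaked password alone, an attacker reaches begin_login but can never get device_decision to return True from a device that is not the enrolled phone.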
So there you have it. Once you get over the initial fear of changing all your passwords, it’s really a simple thing. An hour or less of work to save weeks of headache after a hack. As a bonus, you’ll sleep much better at night knowing your financial life is so much more secure.
Do you use a password manager and/or two-factor authentication? Tell me what’s working (or not working) for you in the comments!
I am so horrible about this. And it’s not like I don’t know better. My former employer had multi-factor authentication products. You’re right. I can’t afford for some kid in Romania to clean out my accounts. Let me go get myself a password manager.
Thank you for this post. It’s timely, informative, and very well written. Plus I appreciate your judicious use of gifs.
If only a hacker would have as much trouble as I do remembering my own bad passwords! My wife keeps telling me I need a password manager and while I believe her (and you), I have been very reluctant to do anything about it. Thanks for the kick in the pants that I needed.
Totally worth it, Gary! You’ll wonder why you didn’t do it sooner.