September has been a fun month to have a password. Two major data breaches were confirmed: First, Dropbox disclosed that nearly 68 million accounts were compromised in 2012; more recently (and even more scarily), Yahoo admitted that 200 million accounts were breached in 2012 and a half billion more in 2014, possibly by a “state-sponsored actor.”
This is not the first time this has happened. You can head over to haveibeenpwned.com, and chances are — unless you haven’t signed up for any online service ever — at some point your info has been part of a data breach. (I’ve been pwned on my primary email address six times. At first I was ashamed, but it’s time to let the healing begin.)
The danger doesn’t really lie in someone worming their way into my LinkedIn or long-forgotten Last.fm account (embarrassing as my musical tastes in 2007 may be). The real danger is that I’ve reused the same strong password for multiple accounts, and I had to keep changing up those passwords every time a breach was reported.
I got a little bit better over time — I started using unique strong passwords on accounts that really mattered, like my primary email account, my bank account, and a few others. But the truth is I can only keep about four strong passwords in my head at any given time. And there are some really sensitive accounts (my 401(k) plan or my health insurance comes to mind) that I don’t log into that often, which means I either reset my password every time I do need to log in, or I just use the same strong password on a bunch of accounts.
After the latest LinkedIn breach this year, I got a rash of attempted log-ins on my Gmail account from someone in Guadalajara, Mexico, and I started doing what I should have done years ago: using a password manager. In my case I went with LastPass, and overall it’s pretty painless! (There is the troubling fact that LastPass has been hacked before, but I have multi-factor authentication turned on.)
How to set up LastPass.
Getting LastPass up and running is the biggest hassle you’ll face, but once it’s over, it’s remarkably easy to use. To get started, head to their Downloads page, and install the LastPass plug-in. You’ll need to create a unique strong password here, and the usual rules apply: Use a mixture of uppercase and lowercase letters, numbers, and punctuation marks, and try to avoid using only words you can find in a dictionary, even with number-for-letter substitutions (yes, password-cracking tools try those swaps too, so “M00ns0verMyHammy” could eventually be figured out). Make it something memorable — if you blank on this password, you’re kinda up the creek.
Once you’ve created your account, you’ll need to start importing all the passwords you currently use. Most modern browsers already store some of your passwords for autofill purposes, so use LastPass to import them. If LastPass misses anything vital, go to that site, enter your credentials as you normally would, and when you see the three red dots for LastPass, hit them and then select “Save My Credentials.”
Once you’ve got your main sites in, go to your vault in LastPass, and hit Security Challenge. If you’re like me, LastPass is gonna say a lot of your passwords kinda suck. Some sites will let LastPass automatically update your password for you, but for some you’ll need to launch the site, log in per usual, and head to the change-password screen, and then hit the three red dots and “Generate Password” for a new password. Again, if you’re like me, there’ll be a hefty number of sites here. This is probably the most laborious part of the process — it’s mindless but takes a while, so maybe catch up on some podcasts (The Vulture TV Podcast is pretty okay, if you like that sort of thing).
Next up, go to Account Settings and hit Multifactor Authentication. You may have used some form of this in the past — it will essentially require another form of identifying yourself if anyone tries to log in to your LastPass account from a different IP. There’s a variety of options to pick from. Whichever one you choose, print out some one-time passes and keep them somewhere handy — nearly all of these require your smartphone, and you don’t want to be out in the wild with a dead phone and unable to log in to anything.
Finally, you should upgrade LastPass. The free version of LastPass will only work on your desktop; it’s worth it to upgrade to Premium ($12 a year) so you can sync across to your mobile devices and any other computers you may use on a different OS as well. (Update: LastPass has now ditched the subscription fee to sync across devices, though there are still some premium features for $12 a year. Personally, I can live without them, so I look forward to really enjoying that extra $12 a year — look out, Atlantic City.)
Once you’ve got this all set up, you may want to go into your browser and disable the autofill option — LastPass is going to be doing all your autofilling for you, and you don’t need the two programs conflicting with each other.
I’ve fiddled with a few other services as well: Dashlane, 1Password, and Sticky Password are great alternatives. All offer a free (or trial) version and a premium version, and it’s worth trying one or two to see what’s easiest for you to use before settling on one and upgrading to premium. Regardless, here’s what a good password manager will give you:
A vault for all your passwords.
This is the key (sorry) thing: You now have an easy way to have all your passwords in one place, the ability to change them when you need to, and the option to have the password manager fill in the passwords for you. This radically increases the ease of using strong unique passwords across pretty much any site you use.
The ability to set up unique and very strong passwords for every site you visit.
That means my password for Facebook might be “X4myx6YP1D9r” while my password for Twitter might be “d^&gfYRV4W8y.” The services will autogenerate these passwords for you, and you can usually fine-tune them if whatever website you’re logging into has weird requirements (plenty of sites still don’t allow anything besides numbers and letters in your password). Or you can set up your own unique strong password yourself, as long as you don’t reuse it on any other site.
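To show what “autogenerate and fine-tune for a site’s rules” looks like under the hood, here is an added Python example (not LastPass’s code, and not from the original article) that draws passwords from the operating system’s secure random source, can drop punctuation for sites that only allow letters and digits, and reports how many bits of guessing work each one represents. The symbol set and the 12-character length are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Character classes for the generator. SYMBOLS is a constructed set of
# punctuation most sites accept; trim it to match a picky site's rules.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"


def character_classes(symbols=True):
    """Classes in play for a site policy; symbols=False means letters and digits only."""
    return [LOWER, UPPER, DIGITS] + ([SYMBOLS] if symbols else [])


def entropy_bits(length, symbols=True):
    """Bits of entropy in a uniformly random password of this length and alphabet."""
    alphabet_size = sum(len(cls) for cls in character_classes(symbols))
    return length * math.log2(alphabet_size)


def meets_policy(password, symbols=True):
    """True if every character is allowed and every class appears at least once."""
    classes = character_classes(symbols)
    alphabet = "".join(classes)
    return all(c in alphabet for c in password) and all(
        any(c in cls for c in password) for cls in classes
    )


def generate_password(length=16, symbols=True):
    """Draw a password with the OS CSPRNG (secrets), never random.random().

    Rejection sampling keeps the result uniform over all strings that satisfy
    the policy, so requiring one character per class adds no predictability.
    """
    classes = character_classes(symbols)
    if length < len(classes):
        raise ValueError("length too short to include every required class")
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, symbols):
            return candidate


if __name__ == "__main__":
    for site, allow_symbols in (("Facebook", True), ("letters-and-digits-only site", False)):
        pw = generate_password(12, symbols=allow_symbols)
        print(f"{site}: {pw}  (~{entropy_bits(12, allow_symbols):.0f} bits)")
```

A 12-character letters-and-digits password already carries about 71 bits of entropy, far beyond what a dictionary-plus-substitutions password like the one above offers.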
Syncing your passwords across multiple devices.
Setting up incredibly difficult to crack (and incredibly difficult to remember) passwords doesn’t do you a ton of good if you’re trying to log in to your Instagram account on your phone and your password is 12 random characters. This varies a bit from service to service, but all premium versions will allow you to sync across multiple devices, and use an iOS or Android app for mobile log-ins.
Automatically changing your passwords.
Of the four password managers I’ve mentioned, this is currently only available on Dashlane and LastPass, but both allow you to switch up your passwords constantly. Dashlane has a button to automatically generate a new password for the sites it supports, while LastPass lets you click a button that will automatically change the password for select sites each time you enter it. Ideally this shouldn’t be a huge issue — if you’re using a password manager across all the sites you use, even if one site were to get breached, none of your other accounts are in danger. But it’s good for peace of mind, especially in cases like Yahoo’s breach, where the hack is only revealed years later.
Using a password manager can come with occasional headaches — if you need to log in to your account on a friend’s computer, you’ll have to either install a plug-in on their browser, or go to your password manager’s website, log in, and copy and paste the password manually. And keeping all your passwords in one place does carry a certain amount of risk. (If you want truly secure password management, KeePass is an offline, encrypted password manager that lives on your machine and nowhere else, which also means backing up the database and moving it between devices is on you.) But massive data breaches are unlikely to stop anytime soon, and for now, password managers are the middle ground between convenience and security when yet another service you signed up for gets hacked.