Why your passwords suck, and how to fix them (pt. 2)

Password security is a necessary evil in today’s society. Too many people online have weak (even guessable) passwords. As identity thieves and hackers become more sophisticated, we users need to improve our own security habits.

The first step you should take is to stop using the same username and password for every online service. When you use the same password for “cutekittens.com” that you do for your bank accounts, you are asking for trouble. A security breach at “cutekittens.com” means the crooks now have your bank password, and they can clean you out. The crooks don’t even need to break into the web site: there is an entire market online for usernames and passwords. Hackers do the hard work, and they sell the information to the people who want to steal your money (and more).

But wait, you say, how do the crooks know where I bank? They don’t. They don’t have to. They can simply play the odds that you bank at one of the big banks: JP Morgan Chase, Citibank, Bank of America, Wells Fargo, and so on. The crooks simply try your username and password at the various bank web sites. They find that enough of these efforts work that they keep doing it.

Admit it to yourself: you are vulnerable.

To protect yourself, you have to use different passwords for each online service you have. Yes, it can be a royal pain to keep track of them (although there are some tools for this, which we will look at momentarily). But it is the only way to protect yourself. Think of it this way: would you use the same key for your car, your home, your office, your safe deposit box, and so on? Of course not. Most of us have at least two or three keys on our key rings, sometimes more.

So how do you keep track of these various passwords? One way is old-fashioned yet effective: you write them all down on a single piece of paper, fold it up, and put it in your wallet. We are already pretty good at protecting our wallets (or purses), but there are still pickpockets and purse thieves who would no doubt be thrilled to find a bonus in the stolen item.

The better practice is to use a password manager application. I am most familiar with two of them: Lastpass and 1Password. There are undoubtedly others, but they all work in similar fashion. You use the application by creating a good, solid master password to unlock the app, and then the app can fill in your unique password on the web site. What I like about Lastpass and 1Password is that they work on multiple platforms: Windows, Mac, iOS, etc. Lastpass also works on Linux, if that’s your preferred operating system. Let’s look at this idea in a little bit more detail.

Let’s say you sign up for Lastpass (did I mention its basic, yet feature-rich, version is free?). You create a master password, like round#fa?77 (this example is actually too short, but it will do for now). Then, Lastpass can create a strong, secure password for each web site you use. You pick how long it should be, how many numbers and special characters it should contain, and the like, and Lastpass does the rest. It can even fill the password into the proper field on the web site. Save it, and you’re set. Lather, rinse and repeat for each web site, and pretty soon you have a collection of unique, completely unmemorable and unguessable passwords. The only thing you have to remember is round#fa?77.
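To show what the generator step above actually does, here is an added example (my own code, not Lastpass’s or 1Password’s) of a site-password generator with the same knobs: length, minimum digits and minimum special characters, drawn from the operating system’s cryptographic random source. The special-character set and the policy minimums are constructed values for illustration.

```python
import math
import secrets
import string

# Character classes the generator can draw from (constructed list of specials;
# real managers let you pick which ones a given site accepts)
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SPECIAL = "!#$%&*+-=?@^_~"
ALPHABET = LOWER + UPPER + DIGITS + SPECIAL


def generate_password(length=20, min_digits=2, min_special=2):
    """Return a random password of `length` characters containing at least
    `min_digits` digits and `min_special` special characters.
    Uses `secrets` (OS CSPRNG), never the predictable `random` module."""
    if min_digits + min_special > length:
        raise ValueError("minimums exceed requested length")
    # Satisfy the minimums first, then fill the rest from the full alphabet.
    chars = [secrets.choice(DIGITS) for _ in range(min_digits)]
    chars += [secrets.choice(SPECIAL) for _ in range(min_special)]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    # Shuffle with a CSPRNG-backed shuffler so the required digits and
    # specials are not clustered at the front of the password.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def meets_policy(password, min_digits=2, min_special=2):
    """Check an existing password against the same minimums."""
    digits = sum(c in DIGITS for c in password)
    special = sum(c in SPECIAL for c in password)
    return digits >= min_digits and special >= min_special


def entropy_bits(length, alphabet_size):
    """Approximate guessing entropy of a uniformly random password:
    length * log2(alphabet_size). The minimum-count rules above shave a
    little off this figure, so treat it as an upper bound."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(20, 3, 3)
    print(pw, meets_policy(pw, 3, 3))
    # The article's 11-character master-password example, if drawn uniformly
    # from the 94 printable ASCII characters, carries at most about 72 bits;
    # a 20-character generated password from ALPHABET carries far more.
    print(round(entropy_bits(11, 94), 1), round(entropy_bits(20, len(ALPHABET)), 1))
```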

Whenever you visit one of the sites, like your local bank, you unlock Lastpass, use the Lastpass browser extension to fill in your username and password, and voila! You’re in. It really could not be easier. 1Password works the same way.

The simple fact is that if you’re not using something like Lastpass or 1Password, you’re asking for trouble. Yes, modern browsers have “keychains” that will remember your passwords, but if your computer is stolen (or hacked by malware), the crooks have your passwords. You need a solid password manager to keep your password data encrypted, and all they require of you is remembering one master password.

Given that Lastpass is free for its basic service, you owe it to yourself to give it a try. It may seem like a bit of a headache at first, but it’s nothing compared to the headache of dealing with the police, banks, insurance companies, and so on if your bank account is cleaned out. Lastpass has a premium version that runs $12 (US) per year.

1Password is more expensive, but it operates as a standalone application, meaning you can store plenty of things like Social Security Numbers, credit card account information, software licenses, and so on without having to launch a web browser. 1Password also has a free trial, so it cannot hurt to give both services a look.

Your homework assignment is to start using one or both of these services and use them to create long, impossible-to-memorize passwords for your various web sites. In the next (and hopefully final) article in the series, we’ll look at how to create a good master password.
