Weekend Project: Fix Your Passwords

By now you know that the only thing keeping your online accounts safe is the thin wall known as the password. On most sites, if your password is stolen, your account is wide open. Whoever gets your password can impersonate you, steal money from you and erase your valuable digital assets, like your photos.

It matters what you choose as a password. If bad guys are attacking a site you use, or have gotten a list of encrypted passwords from a site, then the longer and more random the password, the harder it will be to discover. So you want your passwords to be as strong as possible. What’s a strong password? Not “password,” or “123456,” or anything else on the list of dumbest passwords people use; those are the ones hackers will try on your accounts first.

You also need your passwords to be different on each site. That way, if a password to one site is stolen, the damage will be contained. The last thing you want is for one site you use to get hacked, exposing your data to criminals not just there, but everywhere.

The problem, of course, is that while everyone knows what a strong password looks like — a long string of random letters, numbers and symbols — nobody wants to come up with strong passwords, and no normal person could possibly memorize dozens of strong, random passwords for the sites they use.

But doing just that is the only safe thing to do. Anything less — using weak passwords, or the same password in multiple places — is asking for trouble.

So, to summarize: Only absurd, un-memorizable passwords are safe. You can’t write them down. And you need a different password on each site. No wonder nobody practices good password hygiene. It’s just not possible.

At least, not without help. There is a solution, one that we at Yahoo Tech cannot recommend highly enough: Use a password manager. That’s a program that memorizes all your complicated passwords for you.

So let’s get your passwords into shape, shall we? Welcome to the weekend project: fixing your passwords (with a password manager).


Step 1: Get started with a password manager.
There are several competing password managers. These apps will create good passwords, remember them for you, store them safely, synchronize them across your computers and mobile devices, and even enter passwords into your login forms so you don’t have to type them. If you need good passwords — and you do — then using a password manager is the best way to fly.

Now, one warning: All the passwords you store in a password manager are protected by … a password. So you have to be sure that the password you choose to protect your vault is a good one. But at least it will be the only one you need to remember. And remembering one long password once is a lot easier than remembering a hundred of them. Or worse, storing them someplace insecure.

There are alternatives to these password managers. In particular, if you use nothing but Apple products, and only Apple’s Safari browser, then Apple’s iCloud Keychain, a part of the latest operating systems for Macs, iPhones and iPads, can do a lot of what a password manager does.

And then there’s the trick that a lot of people use to keep dozens or hundreds of passwords in their heads: They use a cipher for generating their own unique passwords for each account, by combining a strong password with a method of substituting the name of the site they’re visiting into it. For example, let’s say my core password is Fi33ykit10s!, and my cipher is to use the second letter of a site I’m visiting at the beginning of the password, and the number of characters in it as the second-to-last character. So my password for Yahoo would be aFi33ykit10s5!. No dictionary lookup will find that.

The cipher method works — until you come across a site whose password rules defeat your system, such as not allowing special characters, or imposing a minimum or maximum password length that doesn’t fit your password.
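As an added example (not code from the article), here is the site-name cipher described above implemented in Python, plus a check against the kind of site password rules the article says can break it. The rule sets for the three sites are constructed for illustration, not taken from any real site.

```python
"""Added example: the per-site password "cipher" described in the article,
and a check against site password rules that can defeat it.
The rule sets below are constructed for illustration only."""
import re

CORE = "Fi33ykit10s!"  # the article's sample core password


def site_cipher(core: str, site: str) -> str:
    """Derive a per-site password with the article's scheme: the second
    letter of the site name goes in front, and the length of the site
    name becomes the second-to-last character."""
    prefix = site[1].lower()
    length = str(len(site))
    # Insert the length just before the final character of the core password.
    return prefix + core[:-1] + length + core[-1]


def policy_violations(password: str, rules: dict) -> list:
    """Return the names of the rules the password fails (empty list = accepted).
    Rule keys (min_len, max_len, allow_symbols) are constructed for this example."""
    problems = []
    if len(password) < rules.get("min_len", 0):
        problems.append("too short")
    if len(password) > rules.get("max_len", 10**9):
        problems.append("too long")
    if not rules.get("allow_symbols", True) and re.search(r"[^A-Za-z0-9]", password):
        problems.append("symbols not allowed")
    return problems


# Constructed rule sets showing the two failure modes the article names:
# a maximum length that is too short, and a ban on special characters.
SITES = {
    "Yahoo": {"min_len": 8, "max_len": 64, "allow_symbols": True},
    "OldBank": {"min_len": 8, "max_len": 12, "allow_symbols": True},
    "NoSymbolShop": {"min_len": 8, "max_len": 64, "allow_symbols": False},
}


def check_all(core: str = CORE, sites: dict = SITES) -> dict:
    """Map each site name to the rules its derived password violates."""
    return {s: policy_violations(site_cipher(core, s), r) for s, r in sites.items()}


if __name__ == "__main__":
    for site, problems in check_all().items():
        status = "ok" if not problems else ", ".join(problems)
        print(f"{site:14} {site_cipher(CORE, site):18} {status}")
```

Only the first site accepts the derived password; the other two reject it, which is exactly the point at which the scheme stops being usable and a password manager takes over.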

So use a password manager. Here are some of the best ones out there:

1Password: My preferred system. Nice interface. Remembers credit-card numbers. Auto-enters passwords in websites. Synchronizes a highly encrypted database of your passwords over either iCloud or Dropbox (or some other homebrew system, if you want). But it’s expensive: $49.99 for the Mac or Windows version, plus $17.99 for the iPhone version. Bundles and deals are sometimes available.


Password managers like 1Password (shown) will remember all your passwords and automatically put them into Web login forms.

LastPass: Does pretty much everything 1Password does, but it’s not as pretty. Has finer-grained security controls, including two-factor authentication (so even if someone learns your password, she can’t get into your account unless she has your phone, too) and restrictions by country. A good free version, and a decent deal at $12 a year for mobile access.


LastPass (shown) and other password managers can tell when you enter passwords into Web sites and will offer to remember them for you.

Dashlane: Probably the most beautiful of the password managers. David Pogue’s choice (he also uses Apple’s Keychain in parallel). Works across computers and mobile devices. Free on one computer, $29.99 a year for syncing across devices.


A good password manager, like Dashlane (shown), will look at all your passwords and tell you where you’re reusing them — a very unsafe practice!

Other password managers include KeePass, Roboform, Norton Identity Safe, DirectPass, Kaspersky Password Manager and SplashID. If you have one of these, great. Use it.

Step 2: Set it up with a really, really strong password.
Before you start putting passwords into your new password manager, configure it with a good, strong master password. In fact, don’t think password, think passphrase. More than one word, a few symbols, all strung together in a unique order. “yuMMy(Fuzzy)9&9baconbits” — something like that. You’ll be typing it a lot, so give it a few tries with your fingers (including on your mobile device’s keyboard) before committing, to make sure it doesn’t force any uncomfortable contortions.

Alternatively, you can come up with a shorter memorable passphrase that would never appear in a dictionary by using, for example, the first letters of the words in a sentence or title you won’t forget. For example, “IP17KBIMS!” (“I put 17 kidney beans in my salad!”). However, even nonsense passwords can be hacked if they are short enough. Longer passwords are always better.

Either way, make sure you pick a passphrase you can remember. If you don’t, you’re cooked. A good password manager has no “back door” that will let you or the company who made it decrypt your data.

Step 3: Get it working on your computers and your mobile devices.
The idea of having a password manager is that it’s one system that remembers your passwords across all your devices: computer, smartphone, tablet and so on. We recommend that you install it first on one computer, and in all the browsers you use, and set up the passphrase there, and then go to your mobile devices and other computers and repeat the process.

The software should walk you through the process of connecting all your devices to the same password manager account that stores all your passwords. Some systems, like LastPass, keep the passwords in their own system. Others, like 1Password, use somebody else’s system, like iCloud or Dropbox.

Note that in every password manager worth anything at all, the password data you’re storing is highly encrypted. It gets decrypted only on your devices. But you really want to have a good passphrase so your password file is protected when it’s not on your computer.

Step 4: Start replacing your weak, repeating passwords with new ones.
Most good password managers will tell you where you are using duplicate passwords, which is your biggest vulnerability. Start with those. Look for high-value sites that are using passwords that you’ve duplicated elsewhere, and change them first. Your password manager will be able to come up with strong passwords for you that don’t even look like words. That’s fine. You’ll be using your password manager to enter your passwords into your accounts anyway.

Your most precious accounts are for banks and financial services, along with major sites that have financial data, like Amazon and Apple. Again, make sure you use different passwords for each account. That’s more important than using strong passwords. But as long as you’re using a password manager, make your passwords strong, too.

Then move on to “gateway” accounts like Facebook and Twitter, where a breach could have other ramifications, like identity theft.

You’ll get tired of this job pretty quickly and probably won’t finish at one sitting (or ever). That’s why we recommend changing your most important accounts first, and especially that you decouple them from potential breaches at other sites by using unique passwords.

Step 5: Start using your password manager.
Try it out. Go to a site with a password you just created and, if you’re logged in, log out. Then either go to the login page again or find the site through the search feature in your password manager. The manager plugin might spring into action and log you in itself, or you might have to press a button or a shortcut key to activate it. One thing you won’t have to do is type in your password.

No password manager works perfectly on all sites, however, so you might have to copy and paste your password from the manager into your site or app. In most apps, there’s a “copy” button that will do part of that job for you. If you have to type in your passwords by hand, then you’re not using the manager to its fullest.

On iPhones and iPads, there is one wrinkle: A password manager can’t enter passwords into apps or into browser fields (except Keychain when you’re using Safari). You’ll be using the copy-and-paste method on apps, and if you want your password manager to enter passwords automatically on mobile websites, then you’ll have to use the manager’s own app to find your site and then have it log you in on its own built-in browser. It’s a drag to remember to do this, unfortunately.

But you are now more secure! Congratulations.

Step 6: Every now and then, change your password manager passphrase.
Just in case.

Reach the author of this story, Rafe Needleman, at rafeneedleman@yahoo.com. You can follow him on Twitter at @rafe.