Do Something Good for You: Use a Password Manager

A year has gone by since I blogged about “How many of your Accounts have been Compromised in a Data Breach?“. At that time there were ~4 billion usernames and passwords collected on the site “Have I been pwned?” (HIBP for short). Since then, Troy Hunt has added another 1,500,000,000 accounts to the list. That is an enormous number and shows how big the problem of “lost” usernames and passwords is.

This post should help you minimise the impact of a data breach. Breaches happen all the time, and if you reuse passwords, the criminals who obtain the leaked credentials can log in not only to the breached site but to every site where you used the same password (the attack is known as credential stuffing).

This post is part of the Protecting Passwords series. You can find the other parts here:


Don’t even try to remember your passwords

A little exercise: Count all the websites you use that require you to log in. Now think about all the web stores you have visited and had to create an account with to order things. Don’t forget the booking sites of airlines that will only show you the price when you log in. Before you finish, did you think about all those little games, quizzes and apps that want you to register just for the sake of it? How big is that number? Over 50? Or even over 100? Whatever the number is, it is definitely too big to remember a unique password for each of those sites.

There is a lot of advice on how to create a good password. An often-cited method goes like this: take a sentence you can remember well, use the first letter of every word, and replace certain letters, for example a with @.

The problem with this kind of password is that it does not scale. You can’t remember 50 or 100 of those sentences. Some people keep one base password and add a few site-specific letters, but that isn’t much better. As soon as two or three of a person’s accounts turn up in different leaks, an attacker sees the common base and the per-site part side by side and can work out the “algorithm” quickly – not an unlikely scenario considering all the sites in HIBP.
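To make this concrete, here is an added example (not from the original post) of what an attacker does with two leaked passwords that follow the “sentence plus site-specific letters” scheme. The leaked pairs, the site names and the set of candidate rules are all constructed for the illustration; a real cracking setup would try far more rules, but the principle is the same: the shared prefix is the base, and the leftover letters are tested against simple rules until one explains every leak.

```python
# Constructed example: one person's passwords as they might turn up in
# two different breach dumps (no real credentials). The base
# "Ilts2cw@tb" is the first letters of a memorised sentence with an
# a -> @ substitution; the person appends two letters taken from the site.
LEAKED = [
    ("shop.test", "Ilts2cw@tbSH"),
    ("mail.test", "Ilts2cw@tbMA"),
]


def longest_common_prefix(strings):
    """The part every leaked password shares is the candidate 'base'."""
    shortest = min(strings, key=len)
    for i, ch in enumerate(shortest):
        if any(s[i] != ch for s in strings):
            return shortest[:i]
    return shortest


def site_label(domain):
    """'shop.test' -> 'shop': the label people usually derive letters from."""
    return domain.split(".")[0]


# A handful of per-site rules an attacker tries against the leftover letters.
# Hypothetical set chosen for this example; real rule lists are much longer.
RULES = {
    "first2_upper": lambda d: site_label(d)[:2].upper(),
    "first3_lower": lambda d: site_label(d)[:3].lower(),
    "last2_upper": lambda d: site_label(d)[-2:].upper(),
    "first_last_upper": lambda d: (site_label(d)[0] + site_label(d)[-1]).upper(),
}


def infer_scheme(leaks):
    """leaks: (domain, password) pairs from different breaches.
    Returns (base, rule_name) when one rule explains every suffix, else None."""
    base = longest_common_prefix([pw for _, pw in leaks])
    suffixes = {domain: pw[len(base):] for domain, pw in leaks}
    for name, rule in RULES.items():
        if all(rule(domain) == suffix for domain, suffix in suffixes.items()):
            return base, name
    return None


def predict(scheme, domain):
    """Apply the inferred rule to a site that was never breached."""
    base, name = scheme
    return base + RULES[name](domain)


if __name__ == "__main__":
    scheme = infer_scheme(LEAKED)
    print("inferred scheme:", scheme)
    print("guess for bank.test:", predict(scheme, "bank.test"))
```

With the two leaks above the inferred base is `Ilts2cw@tb` with the rule “first two letters of the site, upper case”, which immediately yields a guess for a bank that was never breached. Two randomly generated passwords share no usable prefix, so `infer_scheme` returns `None` for them, which is exactly why the rest of this post recommends random passwords from a manager.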

Passwords are like underwear: Change them often, keep them private and never share them with anyone.


Use a password manager

The only way to use a unique password in all your accounts is to generate them at random and store them in a secure place. There are paper-based solutions like the Password Journal or the Personal Internet Address & Password Log Book. You may laugh, but they are a lot better and more secure than reusing the same password all over the internet. If you can keep those books somewhere safe, they can work very well – especially for older people.

The more passwords you need to manage, the more you need something that can be used on your computer and your mobile phone. You need a password manager that can be integrated in your daily routines and doesn’t add too much complexity.

These two password managers, LastPass and 1Password, are easy to use and work on Windows, Mac, Linux, iOS and Android.

Both services cost a moderate sum per month. I prefer to pay for a product than to be the product – especially when I entrust my passwords to those companies.


Trust

Using a service like LastPass or 1Password means you need to trust a company with your most important data: your passwords. They depend on your trust and it is therefore no surprise that both services explain in detail how they protect your data (LastPass / 1Password).

If you don’t trust those companies, then you don’t have to use them. There are alternatives to keep your passwords on your device. One of those alternatives will be the topic of the next blog post.

In the end it comes down to how easily you want to work on all your devices. If you only have a computer, you have a lot more options. But most people do not want to live without their smartphone, and as soon as you need to support multiple devices, multiple browsers and different operating systems, you need a solution that covers all of them.


The benefits of a password manager

By using a password manager, you only need to remember the one password for the manager itself. Here you can use the approach with the first letter of each word in a sentence you can remember. All other accounts can have a randomly generated password that only your password manager knows. This means you have less mental work to do; you only need one good password and can still comply with the security recommendations of your company. Keep in mind that this one master password now protects everything else, so make it long, use it nowhere else and enable two-factor authentication on the manager account where it is offered.

If you integrate the password manager into your browser, you have your passwords just a click away. That alone may be worth it to use a password manager.

An unexpected benefit is that you can now improve the quality of your passwords without much effort. Your password manager knows all your passwords and can warn you when you have reused one. It can alert you when one of your accounts shows up in a data leak or when it is time to change a password you have used for a long time. There are even more features:

  • 1Password is well integrated with HIBP. Not only can it check your accounts against leaks from the past, it can check your passwords against the ones used by other people in those leaks.
  • LastPass has something similar and offers you a Security Challenge for your account. You can measure yourself against all other users of LastPass and you get actionable advice to improve the security of your accounts.
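The two checks described above, password reuse inside the vault and a lookup of each password against leaked ones, are easy to reproduce. The following is an added example, not code from the post or from either product, of how such a health check works. The breach lookup uses the k-anonymity scheme of HIBP’s Pwned Passwords API: the client hashes the password with SHA-1 and sends only the first five hex characters to `https://api.pwnedpasswords.com/range/<prefix>`; the server answers with every known hash suffix for that prefix and a count, and the client finishes the comparison locally, so the full password or hash never leaves the device. The vault, the breach corpus and the server response below are constructed stand-ins so the example runs offline; the generator at the end shows the “generate at random” step a manager performs when you replace a weak password.

```python
import hashlib
import secrets
import string
from collections import defaultdict

# Constructed vault standing in for a password manager's store (no real credentials).
VAULT = {
    "shop.test": "correct horse battery staple",
    "mail.test": "Tr0ub4dor&3",
    "forum.test": "Tr0ub4dor&3",  # same password as mail.test: reuse
    "bank.test": "x9!Qv2#mL8@pZ4wR",
}

# Constructed stand-in for a breach corpus: password -> times seen in leaks.
BREACHED_CORPUS = {"password": 3730471, "Tr0ub4dor&3": 42}


def find_reused(vault):
    """Group sites that share one password; returns sorted lists of site names."""
    by_password = defaultdict(list)
    for site, password in vault.items():
        by_password[password].append(site)
    return sorted(sorted(sites) for sites in by_password.values() if len(sites) > 1)


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password):
    """k-anonymity split: only the 5-char prefix is sent to the server."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def constructed_range_response(prefix):
    """Stand-in for GET https://api.pwnedpasswords.com/range/<prefix>.
    The real endpoint returns one 'SUFFIX:COUNT' line per known hash with that
    prefix; this builds the same shape from BREACHED_CORPUS plus one filler
    line so the parser has to skip suffixes that are not ours."""
    lines = ["0018A45C4D1DEF81644B54AB7F969B88D65:1"]  # constructed filler
    for password, count in BREACHED_CORPUS.items():
        digest = sha1_hex(password)
        if digest[:5] == prefix:
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def count_in_range_response(suffix, response_text):
    """Client-side half of the lookup: find our own suffix in the response."""
    for line in response_text.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, _, count = line.partition(":")
        if candidate.upper() == suffix:
            return int(count)
    return 0


def breach_count(password, fetch_range=constructed_range_response):
    prefix, suffix = split_for_range_query(password)
    return count_in_range_response(suffix, fetch_range(prefix))


def audit(vault, fetch_range=constructed_range_response):
    """What a manager's health check computes: reuse and breach exposure per site."""
    reused_sites = {site for group in find_reused(vault) for site in group}
    return {
        site: {
            "reused": site in reused_sites,
            "seen_in_breaches": breach_count(password, fetch_range),
        }
        for site, password in vault.items()
    }


ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def generate_password(length=20, fetch_range=constructed_range_response):
    """Random replacement from the OS CSPRNG, re-drawn in the (practically
    impossible) case it already appears in the breach corpus."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if breach_count(candidate, fetch_range) == 0:
            return candidate


if __name__ == "__main__":
    for site, status in audit(VAULT).items():
        print(f"{site:12} reused={status['reused']!s:5} "
              f"seen_in_breaches={status['seen_in_breaches']}")
    print("replacement for forum.test:", generate_password())
```

In the constructed vault, `mail.test` and `forum.test` are flagged twice: once for reuse and once because their shared password appears 42 times in the stand-in corpus. To run the lookup against the real service, replace `constructed_range_response` with a function that performs the HTTPS GET and returns the response body; the parsing and the privacy property stay the same.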


How do I start?

You can start with a free trial of both services and then choose the one you like more. Both are easy to use and offer a nice introduction:

  1. How LastPass works
  2. 1Password tour

I tried both services two years ago and stayed with LastPass. At that time, only LastPass supported Linux. That changed a few months ago and both now offer a good service on all major platforms.

Choose the password manager you like better. There is no lock-in and both managers offer a simple way to export all your passwords. Moving from one manager to another takes only a few clicks – and a new strong master password to protect them. Remember that the exported file is normally unencrypted plain text, so delete it as soon as the import into the new manager is done.


Next

An online password manager is a great help. However, there are situations in which you cannot use one. Next week I will explain how KeePass can help in situations where your passwords must stay on your computer.
