Password Managers. Your Secret Weapon

I was recently tagged in a post on Facebook by someone who was hacked. They were looking for information about password managers. It seems they’d been reusing the same password on several sites, one of which got hacked. This is probably the most common ‘hacked’ story I hear these days.

Here’s what happens: you’re careful. You use a separate password for email, banking, social media, etc., but on a bunch of sites you reuse the same password. It’s just too difficult to remember the myriad of passwords that we all need to know each day. And almost as bad, your passwords are all variations of the same thing. Again, the limitations of memory come into play.

Then, some website you used, perhaps only once, was hacked. The hackers now have your email and password combination, which they will feed into a program that will start trying them on every website they can find. Over the next 20-30 minutes, they’ll try thousands of websites, flagging everywhere your password works. Those websites will then be searched for messages and contacts you’ve made, building a profile. That will then be used to try to trick others with the goal of getting banking, email, shopping, and social media site passwords from you and others. These are then sold on the blackhat market. Then 3 months from now you find out someone has stolen your identity and you owe $60,000 in credit card bills. Not to be overly dramatic or anything, but this actually happens. Identity theft happened to over 9 million people in the USA last year.

Let’s prevent it. The best security you can have on the internet, besides basic common sense, is to use a strong, unique password on every website you visit. The way to do that is to use a password manager. There are several good ones. LastPass (https://lastpass.com), 1Password (https://1password.com/), and KeePass (https://keepass.info/) are probably the most common.

They all help you with the same three things: generating strong, unique passwords; storing those passwords associated with specific websites; and securing them in a database with very strong encryption.

Generating strong passwords is hard. Humans are terrible at random. Computers have a difficult time doing random as well, but they’re still much, much better at it than you and me. Password managers can generate ridiculously strong passwords easily and will either let you copy them or will autofill them on forms when you need them. So, you don’t care how long or complicated they are because you never actually type them.

If you’re using a modern browser it’s likely that it’ll offer you the option of remembering your password for many sites. This is okay only if the browser itself is secured.

Password managers use a database, either on your computer or in the cloud to store your passwords. In this case ‘in the cloud’ is pretty secure as your passwords are encrypted before being copied up and decrypted after being copied down, so they’re never in plain text form online. One of the reasons I like KeePass is its database is pretty free form, so I keep all sorts of private information in there that’s unrelated to the web: MSP number, Passport number, eyeglasses prescription, etc. Because I can access my database from anywhere, I always have this information with me and it’s always secure.

The encryption used by password managers is very strong. Most of them offer AES 256-bit encryption. This is considered safe enough for Top Secret information by the federal government, so it’s probably safe enough for your Amazon account.

Once in use, you only have to remember one password – the one to open your password manager. Do not lose this password as your information will become unrecoverable. I strongly suggest that you write down the password and put it in your safety deposit box or in with your will so that should something happen your family can get access to your online accounts.

Once your password manager is installed you start using it at every website that needs a password. You may need to download a browser extension to integrate your password manager. This is an extra step but it really helps, by automagically filling in passwords for you right in the browser. This is less necessary if you are letting your browser remember passwords too.

Now download your password manager’s app onto your phone, tablet, etc. With LastPass, once you log into your account you have access to your passwords. With KeePass, the simplest way is to store your file in Dropbox.

Start by changing your passwords on the most sensitive sites. Create a new strong password. Save that site and password. Now the next time you’re going to that site, open your password manager and copy the password and paste it into the browser.

How do you know if a password is strong? Check the entropy. You can do this in KeePass or on the LastPass site. Generally, anything over 60 bits of entropy is strong enough. The defaults for password generation should get you there.
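To make the entropy idea concrete, here is a small added example (mine, not code from KeePass or LastPass) that generates passwords the way a password manager does and computes the entropy figure the paragraph above refers to. The character-set names and the 60-bit threshold are assumptions for illustration; the formula itself, length times log2 of the alphabet size, is the standard one, and it only holds because every character is drawn uniformly from the operating system's random number generator, which is exactly what a human picking a "random-looking" password cannot do.

```python
import math
import secrets
import string

# Character sets a password manager typically lets you pick from
# (names are this example's own, not any product's settings).
CHARSETS = {
    "digits": string.digits,                                        # 10 symbols
    "lowercase": string.ascii_lowercase,                            # 26 symbols
    "alphanumeric": string.ascii_letters + string.digits,           # 62 symbols
    "printable": string.ascii_letters + string.digits + string.punctuation,  # 94 symbols
}

STRONG_BITS = 60.0  # the article's rule of thumb for "strong enough"


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a password of `length` symbols, each chosen uniformly at
    random from an alphabet of `alphabet_size` symbols: log2(alphabet_size ** length).
    This figure is only valid for machine-generated passwords; a human-chosen
    password of the same length and alphabet has far less entropy."""
    if length <= 0 or alphabet_size <= 1:
        return 0.0
    return length * math.log2(alphabet_size)


def min_length_for(target_bits: float, alphabet_size: int) -> int:
    """Smallest length at which a uniformly random password reaches target_bits."""
    return math.ceil(target_bits / math.log2(alphabet_size))


def is_strong(length: int, alphabet_size: int, threshold: float = STRONG_BITS) -> bool:
    """True when a uniformly random password of this shape meets the threshold."""
    return entropy_bits(length, alphabet_size) >= threshold


def generate_password(length: int, alphabet: str) -> str:
    """Draw each symbol with `secrets`, the OS cryptographic RNG.
    Never use random.choice() for passwords: it is seeded predictably."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def report() -> dict:
    """For each character set: the length needed for 60 bits and a sample password."""
    out = {}
    for name, alphabet in CHARSETS.items():
        length = min_length_for(STRONG_BITS, len(alphabet))
        out[name] = {
            "min_length": length,
            "bits": round(entropy_bits(length, len(alphabet)), 1),
            "sample": generate_password(length, alphabet),
        }
    return out


if __name__ == "__main__":
    for name, row in report().items():
        print(f"{name:13s} needs {row['min_length']:2d} chars "
              f"({row['bits']} bits): {row['sample']}")
```

Running it shows why the defaults matter: digits alone need 19 characters to clear 60 bits, lowercase letters need 13, and the full printable set needs only 10. An 8-character lowercase password, the kind people tend to invent themselves, comes in under 38 bits even when it is genuinely random.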

Save the password manager file. Back it up. If you lose it you can’t recover it. (The exception is LastPass: because it’s stored online you can recover it, but with difficulty.)

With KeePass, I use Dropbox for storage and that makes my KeePass database available on my desktop computer, my phone, my iPad, etc. LastPass uses online storage to accomplish the same thing.

If you’re a techy kind of person, I recommend KeePass. It’s extensive and extensible. If you're less comfortable with technology then give LastPass a try. They’re both solid performers.

But whatever you do: stop using the same password everywhere, please.