The security methods you use are like the design of your own personal fortress. Do you have protections like a moat and drawbridge, or are you out in the open, vulnerable to attack? If you’re in the latter camp, I’m here to help.
Do you use the same password for everything? Do you store your passwords in a document called passwords.doc? What do you do when a site you use has their user database compromised?
In the past few years, account details for millions of users have been compromised at major sites like eBay, LinkedIn, Adobe and Sony. You can’t control how companies manage their security, but you can limit the impact a breach has on you. If you use a different password for every site, then you can simply change the one password that leaked and carry on.
The ideal password management solution should satisfy the following criteria.
- Unique password for every site
- Long and complex passwords
- Only accessible to you
- Passwords are easily changed
- Can be used wherever you are
Unfortunately, security often comes at the price of convenience. In order to get better security, you usually have to give up ease of use. Using the same password for everything is convenient, but it’s not secure. Using a different password for every site isn’t convenient, but it’s far more secure.
First, let’s discuss common solutions for managing passwords and their pitfalls.
Memorizing your passwords
If you had a fantastic memory, this would be very secure, but it becomes harder and harder to keep them all straight, and when you have hundreds of logins it’s nearly impossible.
Plus, what happens if you get hurt or, heaven forbid, shuffle off this mortal coil? A spouse or loved one would need to handle your affairs and would have a hard time doing so. And memorizing pushes you toward simpler passwords, because those are easier to remember.
Methods where you combine a base password with a site-specific element like the domain aren’t much better. If you don’t know what that means, some people use a base password like password (please don’t ever use password as your password; it’s one of the most commonly used passwords) and then add on the domain, like password-google, and use that as their password at Google.
But problems arise when a site’s password requirements reject your generated password, forcing you to alter your method for certain sites. How do you remember those exceptions? And if one of those passwords is compromised, it reveals your method: an attacker who sees password-google can guess password-amazon and try it at every other site.
A text document on your computer
This is better than memorizing them, because you can use different, complicated passwords for every site. But the file is stored in plain text: anyone who uses your computer (or any malware running on it) can read every password, and it’s not accessible when you’re at a friend’s house and need to log in to a site.
Storing passwords in your web browser
If you don’t have a master password, it’s similar to storing passwords in a text document: anyone with access to your computer can see all of your saved passwords. It’s a little more convenient than a text document because the browser autofills them, but it’s not great.
Using a master password is not a bad way to go. It’s still relatively convenient, and because the master password is what encrypts the saved passwords, they’re only accessible to you. With built-in syncing this can satisfy all of the ideal criteria. Be sure to set a master password on every device you sync to, or the synced copy on that device is back to being a plain-text list.
A potential negative is when you’re using a different web browser. You can manually copy the password, but it’s not as convenient.
A password safe
This is my preferred solution. A password safe works like a real safe: you have a secure combination to get in, and all of your valuables (passwords in this case) are stored inside. I recommend LastPass or KeePass.
LastPass is a free browser extension as well as a web site. It’s user-friendly and works similarly to having your passwords stored in the web browser. LastPass has add-ons for all major browsers.
The encryption is performed in your browser, meaning LastPass doesn’t have access to your passwords; what they store is an encrypted blob that is useless without your master password. They have passed third-party security audits, but you are still placing your trust in them. It also means everything hinges on that one master password: make it long, make it unique, and never reuse it anywhere else. Their premium service costs $12/year, which lets you use mobile apps to access your passwords.
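To make the "safe" idea concrete, here is a toy password safe in Python. It is an added illustration, not code from this page, LastPass or KeePass. It shows the three mechanisms the paragraphs above rely on: a long random password generated per site, a master password stretched with PBKDF2 into keys, and a stored blob that is encrypted and authenticated so that a wrong master password (or a tampered file) is rejected instead of silently decrypting to garbage. The cipher is an HMAC-SHA256 counter-mode keystream with encrypt-then-MAC, chosen only so the example runs with the standard library; a real safe uses AES or ChaCha20. The entries and the master password used in the demo are constructed for the example.

```python
"""Toy password safe (illustration only, not a replacement for KeePass/LastPass).

Vault layout: salt(16) | nonce(16) | ciphertext | hmac_tag(32)
"""
import hashlib
import hmac
import json
import os
import secrets
import string

ALPHABET = string.ascii_letters + string.digits + string.punctuation
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ITERATIONS = 200_000  # assumption for the toy; tune upward for real use


def generate_password(length: int = 20) -> str:
    """Long, random password; call once per site so every site gets its own."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode: PRF(key, nonce||counter) blocks until `length` bytes."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def seal(master_password: str, entries: dict) -> bytes:
    """Encrypt-then-MAC the entries; only the master password can open the result."""
    salt, nonce = os.urandom(SALT_LEN), os.urandom(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def open_safe(master_password: str, blob: bytes) -> dict:
    """Verify the tag before decrypting; wrong password or tampering raises ValueError."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        raise ValueError("blob too short to be a safe")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    ciphertext = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("wrong master password or tampered safe")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    # Constructed demo data: one unique random password per site.
    vault = {site: {"user": "alice", "password": generate_password()}
             for site in ("google.com", "amazon.com", "linkedin.com")}
    blob = seal("correct horse battery staple", vault)  # constructed master password
    assert open_safe("correct horse battery staple", blob) == vault
    try:
        open_safe("password-google", blob)
    except ValueError as err:
        print("rejected:", err)
```

The point to notice is the order of operations in `open_safe`: the tag is checked before a single byte is decrypted, so an attacker who alters the file or guesses the wrong master password learns nothing from the output. The same blob can sit in Dropbox or on a USB stick; its confidentiality rests entirely on the master password and the PBKDF2 work factor.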
KeePass is a free, open source desktop application that runs on Windows, Linux and Macs. I store my KeePass safe in Dropbox so it’s available everywhere I go. I also use KeePassDroid on Android and MiniKeePass on iOS (for iPhone/iPad/iPod). Mac users can use this installer, which is easier to install than the default installer.
Using a password manager is like having a secure, battle-hardened fortress protecting your logins. In another article I’ll show you how to make your logins even more secure with two-factor authentication.