Over the holiday break, I managed to get one of my passwords stolen. Since then, I’ve decided to take matters into my own hands with a password manager.
Table of Contents
Upgrading Your Security
If you’re like me, you sign into several accounts every day: Gmail, Facebook, Battle.net, Twitter, Instagram, YouTube, etc. The list goes on and on. It becomes very tedious to remember passwords for all of these accounts. In fact, you’ve probably settled on one or two strong passwords that you use across all of your accounts.
Even worse still, that’s the same password you’ve been rocking for months or even years. At this point, what’s the issue? You haven’t been hacked yet!
As soon as one of those accounts is compromised, you put all of your accounts at risk. If you’re lucky enough to find out as soon as it happens, you still have to run through all of your accounts and change the passwords. If you’re not so lucky, you might be out of a lot of money. The best solution? Get a password manager.
Now, there are several solutions to this problem, and I’ve probably tried them all.
Maintaining a Private List of Passwords
One option is to create unique passwords and record them somewhere safe. For instance, you’ve probably seen the little password areas in the back of a planner. This strategy can really help to protect you if one of your accounts is compromised. This strategy, however, has a couple major drawbacks.
First, if you lose the hard copy, you lose your passwords. This is a major inconvenience which brings you back to making new passwords for everything again. However, this time you might have to fight through the dreaded security questions.
Second, you run the risk of someone gaining access to your entire collection of passwords. You can mitigate this risk a bit by locking up the list in a safe. Or if your list is digital, you can password protect it. However, you still run the risk of having all of your passwords stolen.
Generating Passwords Using an Algorithm
Another option is to generate your passwords using an algorithm. This is far less complicated than it sounds, and it saves you from writing down your passwords.
Start by coming up with a solid password that you can remember. It might be the master password you’re using now. Then, alter that password slightly for every website in a predictable way. For instance, you could try changing the last two letters of your password to match the first two letters of the webpage URL you’re currently visiting:
Master Password: therenegadecoder Generated Password: therenegadecoderFa (Facebook)
With this solution, you end up with mostly unique passwords for every one of your accounts. Of course, you can still run into reused passwords with your algorithm. In this example, we might end up with duplicate passwords if two sites share the same first two letters.
The other advantage is that nothing is recorded. As long as you remember your algorithm, you’re covered. However, you might have to adapt your algorithm for sites that have strict password rules like requiring symbols.
Playing it Safe with a Password Manager
The problem with both of these methods is that they require a lot of personal management on your part. That’s probably why most people have settled on a master password in the first place.
Fortunately, there are tools that can make your life more secure without all of the overhead. They’re called password managers, and they exist to help you take control of your digital security. I bring this up because I was recently a victim of debit card fraud. Luckily, my bank notified me immediately, but I still don’t know how it could have happened.
The whole event led me to start securing my accounts. The first step I took was to enable two-factor authentication on everything. This forces me to enter a code from my phone or email every time I login somewhere new. The second step was to look into password managers.
I’ll be honest: the whole concept of a password manager freaked me out initially. They aren’t really that different from our first method. You just record your password in the tool, and it saves it somewhere safe (we hope). It wasn’t until I started doing some research that I realized the true powers of a password manager: convenience and security.
Optimizing for Convenience
Most of the time improving security means introducing everyday inconvenience. A perfect example of this is the CAPTCHA box that makes you click on pictures like suspects in a lineup. Fortunately, password managers both improve security and provide additional convenience. For instance, you only ever have to remember one password which is used to login to the manager.
Once the password manager is authenticated, you can set it up to automatically fill in account information for you. In addition, some of these tools will even generate random passwords for you when you register at a new site. If you choose to use a cloud-based manager, you get the added benefit of being able to seamlessly use your passwords across multiple devices.
Optimizing for Security
If you’re like me, however, then you kind of gave up on convenience just to protect your own sanity. You want to lock down your accounts for good. Luckily, password managers provide just the level of security you need.
For starters, these managers typically encrypt password data and save it either locally or in the cloud. This means that even if your data gets stolen, it’s unintelligible. In fact, a lot of these tools offer no support if you lose your master password. This means you don’t even have to worry about prying eyes on the developer end.
For cloud-based managers, the encryption protects your sensitive data both on the server and during transmission. This means you don’t have to worry about your passwords getting intercepted on their way to and from the cloud.
In addition, you can usually protect your master password with two-factor authentication as well as a whole host of other tools. You can even protect each account during autofill by prompting for the master password.
Once you start to fill up your database of passwords, these tools will often give you an overall security rating and offer suggestions for improving your rating. If that isn’t enough, these managers can even protect you from phishing because the autofill feature only works on the correct URL.
Picking a Password Manager
With all that in mind, I’d like to recommend a password manager that I’m currently using. It’s called LastPass, and it integrates with just about every browser and operating system. Once downloaded and installed, LastPass will try to pull in all of the passwords you have stored on your system. These password records are insecure, so LastPass will offer to delete them for you. Then you’re done!
LastPass will ask to record data every time you log into a new site, so you never have to remember that password again. You can configure all sorts of settings which offer trade-offs between convenience and security.
For instance, you can bulk up on security by enabling features like logging out every time you close your browser. Likewise, you can boost the tool’s convenience by choosing to opt out of features like two-factor authentication.
In addition to passwords, LastPass offers support for form fills. You’ll never have to fill in credit card or address fields again. I actually use this features because LastPass offers free protection from identity left. You can find a list of all of the features on their website (see the link above).
Of course, there are plenty of other options. You’ll have to do some research to figure what you’re comfortable with using.
For cloud-based tools like LastPass, the main security risk is the fact that all off your data is saved on external servers. If theses servers are hacked, you run the risk of having all of your information exposed to criminals.
Personally, I’ll take the risk with LastPass. Here’s a response from the LastPass team the last time their servers were hacked in 2015. As you would expect, security of your data is their number one priority. Their business depends on it.
Disclaimer: The Renegade Coder is not partnered with LastPass in any way. You can choose to use their services or not. It’s just a suggestion.
As we roll into 2023, I wanted to take a moment to celebrate my most recent milestone in academia. I'm a PhD candidate!
Foo, bar, and baz: what do they mean and where do they come from? Let's find out together.