Advanced Internetting: Password Managers

Image via datenform.de

Did you know that your LinkedIn password is on display in a German museum? Is your password “123456”? How’d I guess? Well, it’s the most common password in use today. Scary, isn’t it? Here’s something truly terrifying: for 20 years, the US secret nuclear launch code was “00000000.” Even if you aren’t launching nukes, your passwords are important. Why are they important? Unless you want someone you don’t know to have access to your Facebook, Gmail, and Twitter accounts, you need to care about your passwords.

People typically only ever hear the phrase “password policy” at work (if their IT department is good), or when they’re trying to remember their bank password. But having a personal password policy is the best way to ensure your data isn’t stolen. The best way to manage and maintain a personal password policy is to use some kind of password manager. There are lots of options: I strongly recommend KeePass, but there’s also LastPass and 1Password, just off the top of my head. That you use a password manager matters much more than which one you use. They each have certain features which make them unique, but they will all make your personal password policy easy to implement. In terms of a personal password policy, the absolute most important rule is this:

Use a unique password for each and every site you visit.

Your LinkedIn password should never be the same as your Facebook password, which should also be different from your Gmail password, etc. This is a very important point that people often don’t think about. We assume that the service we’re creating an account on is going to be good about managing our password on their end. It is NEVER safe to make that assumption. Every single time you create an account somewhere, you should assume that the password is being stored in a plaintext notepad.exe file. Why? Because someday, you’re going to sign up for a service where that’s actually true. On top of that, most people assume that if a password is stolen from website A that they are still safe on site B. But, if you used the same email address to sign up, and you used the same password, whoever took your credentials for site A can now gain access to your account on site B and any other site where you used those credentials. Now, if site A is Twitter, and site B is Pinterest, maybe this isn’t a big deal to you. But what about your bank? Did you use the same password there, too? What about Turbo Tax? Your 401K? What’s the password on the website where you pay your mortgage? Every website must have a unique password. The purpose of a password manager is to keep all of these passwords in the same place, and keep them safe in that place.

How many times have you loaded up some site’s login page only to panic because you can’t remember the password? It’s usually one of those sites that has specific requirements for your password. For example, it has to have numbers in it, so your usual password you use everywhere else doesn’t work. If you’re using a password manager, you’ll only ever have to remember one password: the password that unlocks the password manager. Any password manager worth its salt will be encrypted, which means you can’t get at any of the passwords stored in it without a master password. BUT, if you know the master password, you have access to all your other passwords, which means you only have to commit that master password to memory. So when that site with the stringent requirements makes you log in, it doesn’t matter that you can’t remember the password. That’s what the password manager is for.

That pain in the ass site with its complicated password requirements. Do you remember when you signed up for it? How many tries did it take you before you submitted a password that it accepted? Often, password managers will include password generators. So, when you’re signing up for a new site, if it has specifications for what kind of passwords are valid, you can very easily click some checkboxes and maybe change a number or two, and the password manager will automatically generate a password that matches those requirements, and store it in the password manager’s database for any future uses. Now it doesn’t matter that your bank requires you to have an 8 to 10 character password with at least one special character (but not a ! or a $), and two non-consecutive numbers. You just use the password manager, and it figures all this crap out for you. And, next time you try to sign in, you won’t care that you remember they had weird requirements, because you know your master password, and your password manager knows the rest.

Here’s one last super-pro-tip: never use real answers to security questions. A lot of sites make you pick some pre-selected questions and then answer them. For example “what is your mother’s maiden name?” or “what street did you grow up on?” There are several problems with these. First, the odds are pretty good that the answers to those questions aren’t treated as securely as your password is, so they are likely stored in plaintext on the server. Second, those questions can usually be answered with a little research. The answers to those questions are all-around less secure than the passwords you choose. But, often they are required. We’ve already established that if you’re using a password manager, you don’t need to worry about losing a password. So you might as well use the password generator to create nonsensical answers to your security questions, too. There’s no way someone trying to break into your account is going to guess that the street you grew up on was “089u34;jsdf*^%$^%TJhgiug:.”
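An added example (not from the original post or from any password manager's own code) of what such a generator does for the bank rules and the nonsense security answers described above. The `Policy` class, `generate` function, and the 24-character answer length are hypothetical, and “two non-consecutive numbers” is read here as at least two digits with no two digits adjacent.

```python
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class Policy:
    """A site's password rules (hypothetical structure for this example)."""
    min_len: int
    max_len: int
    min_special: int = 0
    min_digits: int = 0
    banned: str = ""                 # characters the site refuses
    adjacent_digits_ok: bool = True

    def alphabet(self) -> str:
        pool = string.ascii_letters + string.digits + string.punctuation
        return "".join(c for c in pool if c not in self.banned)

    def accepts(self, pw: str) -> bool:
        digits = sum(c.isdigit() for c in pw)
        special = sum(c in string.punctuation for c in pw)
        adjacent = any(a.isdigit() and b.isdigit() for a, b in zip(pw, pw[1:]))
        return (self.min_len <= len(pw) <= self.max_len
                and not any(c in self.banned for c in pw)
                and digits >= self.min_digits
                and special >= self.min_special
                and (self.adjacent_digits_ok or not adjacent))


def generate(policy: Policy, max_tries: int = 10_000) -> str:
    """Rejection sampling: draw whole candidates from the OS CSPRNG and keep
    the first one the policy accepts. No position is forced to hold a digit
    or symbol, so every valid password of that length is equally likely."""
    alphabet = policy.alphabet()
    for _ in range(max_tries):
        # Always use the longest length the site allows.
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy.max_len))
        if policy.accepts(candidate):
            return candidate
    raise ValueError("no candidate satisfied the policy; rules may conflict")


# The bank rules quoted in the post, under the reading stated above.
BANK = Policy(8, 10, min_special=1, min_digits=2, banned="!$",
              adjacent_digits_ok=False)
# A nonsense security-question answer; the length is an assumed value.
ANSWER = Policy(24, 24)

if __name__ == "__main__":
    print("bank password:  ", generate(BANK))
    print("security answer:", generate(ANSWER))
```
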

If you are using a password manager, and using it well (a unique password for every site), you’re about as sure as you can be that your account won’t be accessed without your knowledge and approval. Unless that site supports Two-Factor Authentication. If it does, you should absolutely enable that as well. I won’t go into the details here, because I’ve already written about it.

Now that that’s all set up, you’ve done your part. But you have to trust that the service you’ve created an account with is doing everything they can to make sure no one gains access to your data. As you can see from the links above, that isn’t always a safe bet. So what do you do when a site you have an account with is compromised? You change your password. And this is the best part: because you’ve already painstakingly changed your passwords everywhere when you started using a password manager, you know that the password at the site that was compromised is not in use anywhere else. So even if those folks have your email address and password, they can’t get into anything else with it. And changing your password is easy as pie, because you just hit the “generate” button in your password manager.

If you still aren’t convinced that you should care about your passwords, and use a proper password manager, read about how Mat Honan’s digital life disappeared because of his trust in big tech companies and their security services.

Everything in this post up until this point has been about using any password manager. But as I said, I prefer KeePass. I think it’s worthwhile to explain why. First, KeePass is open-source. That means the odds are better that the code has been vetted by security professionals and is less likely than a closed-source product to be crackable. I don’t actually know if KeePass has been through any security audits, but at least it could be. That can’t be said of closed-source products. It also means that a KeePass password database can be read on Windows, Mac, Linux, iOS, and Android.

Second, when you use KeePass, you just get a file. It’s an encrypted database file, but it’s just a file, nonetheless. Now, this means that it isn’t backed up anywhere, unless you do it manually, BUT, it also means that you aren’t putting your faith in an extra provider that your data is safe. LastPass is a service where your password data is stored with them. They say that the passwords are encrypted on your computer before they’re uploaded to their servers, but there’s no way to know that for sure (because their product is not open-source). And even if that’s true (which I think it actually is safe to assume), if I were a hacker, I’d be going after LastPass more than anybody, because if I can crack LastPass, I get the keys to all kingdoms.

To reiterate an important point that I sort of glossed over earlier: KeePass is just a file, and it isn’t synced anywhere unless you sync it. You could save the file to Dropbox (I wouldn’t, though), or SpiderOak, or BT Sync or just manually do it, but one way or another, you absolutely must back it up somehow. If you lose your master password or the password database file, you’ve lost all of your passwords.

One last great thing about KeePass: it has an autotype feature. It can detect the password you need to enter based on the name of the window you are in. I don’t know if 1Password has that feature, but I know LastPass does. However, since LastPass is designed specifically for browsers, it only works for websites. KeePass, on the other hand, can enter your password in any window: a browser, an email client, a terminal window, or anything else, as long as it can figure out the name of the window and that name is the same as the title you stored the password under. Unfortunately, it’s a little complicated to set up, but you should be able to find a guide if you search “keepass auto-type.”
