If you’re like me, you’ve been accumulating online passwords for fifteen years or more. Things started out so simple – the Internet was young, and signing up for an Amazon account was so cool. And over the years, you signed up for dozens of other online services and used that same password. Over and over and over. It turns out this was unwise, and it’s a problem you need to deal with. It’s time to fix your password mess.
Don’t beat yourself up too much. We all did it. You have a cute, memorable password that made you smile every time you typed it in. It was yours and yours alone, and no one could ever guess it. You’re right about that: no one could guess it. No person, that is. But computers can guess it, and that’s where things go wrong – hackers use computer programs to guess passwords thousands of times faster than a human can do it. If your pet password contains actual words or phrases, it’s easier for machines to guess than if it’s a random pattern.
According to the website have i been pwned? my email and password had been swept up in the massive breach of Adobe’s user accounts (38 million users) in 2013. My account was inactive, but it did use my old, original happy-place password, so that’s now out on the Internet. Fortunately, I had already phased that password completely out of my online world.
Yes, you need to fix your password mess. Right now. Please stop pretending this doesn’t matter. It’s very important. It’ll take some time, but keep in mind how much time it would take to fix your online world if you get hacked.
Step 1: Get Some Help from a Password Manager
You have probably realized by now that you’re going to need a lot of new passwords. The point of having a password manager is simple: use it to generate random, difficult-to-guess passwords and then use it to remember them so you don’t have to.
To do work for clients, I have dozens of server logins, ftp accounts and VPN accounts. Plus I have my own personal online accounts. In all, I have over 500 logins to keep track of. There is just no way I could keep all this in my head and use a different, random password for each. Several years ago, I enlisted the help of a password manager. I use 1Password for Mac by Agile Bits, but there are many options for Mac, Windows, iOS and Android.
This article by PC Magazine has a good roundup of password managers for Windows. Here’s a similar roundup of password managers for OS X by Macworld UK.
I’m not endorsing one password manager over another – find one that feels right for what you need. I find these features to be essential:
- Web browser integration/autofill/autosave
- A secure, configurable strong password generator
- Companion mobile app, library sync between desktop and phone
- A wallet feature for credit cards and forms of ID
(Recently, 1Password has added features to help me identify sites where I’ve used the same password, and also sites that have had recent breaches or attacks. This is great for ongoing management of site passwords. Also, password manager LastPass was itself breached last year. Do your own due diligence when selecting a password manager.)
Step 2 – Triage: Start with your financial sites
The first and best thing you can do, is go right now and make sure each site you use that involves finance (banking, credit cards, PayPal) has a different password. Use your password manager to make sure each site’s password is different from each other and different from that one you’ve been using over and over on every site.
Why start with finance? Hackers are not going to crack your bank’s web site, right? Probably not. They’re going to crack some easier web site, like your account at Joe’s Popsicle Delivery, get your username and that cute password, and then go try it at all the bank and credit cards sites. So start with your finances.
Visit every web site you can think of where you have an account (starting with your bank) and follow these steps:
- Log into your account
- Your browser will prompt you to save the login to your new password manager
- Locate the web site’s area for account management and use the password manager to generate a new, strong password (I’m using Amazon below, because you don’t need to know where I bank)
- Save the new password online
- Your browser will prompt you to update the login in your password manager
Repeat these steps for everywhere you can think of where you’ve used that same password. But start with your finances. Build your first firewall there.
Step 3 – Two-Factor Authentication
Also known as two-step verification, two-factor authentication uses a second method to verify you after you enter your username and password, but before they let you in. The most common way this works for websites is the addition of a second login page – after you’ve entered your username and password. You’ll receive a code by email or text message. Type the code into the second login page and the site knows it’s you. (Don’t wait too long; most of these codes have a life span of five minutes or less.)
The website twofactorauth.org excellent roundup of popular sites that support this added layer of protection. Use it as your guide for setting up two-factor auth for as many as you can.
It’s worth noting that even though this seems like a huge amount of extra work, most sites let you “approve” a computer or phone so you don’t have to do two-factor auth every time you log into Facebook. If you log in from a friend’s computer, you’ll need to type in the extra passcode the site sends you.
Step 4 – Get the Hell Scared Out of You
Conclusion – Fix Your Password Mess Now!
It’s time to fix your password mess. Start with the purchase of a password manager and learn how to use it. Then start changing all your online account passwords and activating two-factor authentication. Do a little bit every day, and you’ll soon have your online world well under control.
Keyboard photo by succo
Locks photo by StephenRMelling
Scared photo by Pezibear
