I’ve been improving the way I manage my passwords recently. In light of the recent LinkedIn Password Snafu, I thought I’d share my approach.
- Using a weak password. When something like LinkedIn’s data breach occurs, your password will be the first to be cracked.
- Using the same password for each site. If I were a hacker, I’d be trying each one of the leaked LinkedIn email and password pairs against gmail, facebook and yahoo. Your entire online security is then only as strong as its weakest link.
- Using an obvious system. If you were being targeted and your LinkedIn password were “L1nk3dIn” or “linkedin%hb2”, an attacker could start to work out what your passwords on other sites might be.
What should I do?
Use a unique, strong, non-systematic password for each site or service. Duh.
Except… I forgot my postcode the other day. I can’t hold all that in my head. So, instead:
Use a password manager
I’m a big fan of Lastpass. Forget trying to remember all of these passwords. Just create and remember one absolute beaut of a password, and then use Lastpass or an equivalent to generate and manage strong, unique passwords for all of your sites. As one of my colleagues said: “I don’t even know my gmail password any more”.
Start by downloading the Lastpass extension for the web browser on your main computer. It’ll create an account for you, and import all of the saved passwords from your browser. It’ll analyse the strength of your passwords, and you can then start working your way through your most important websites, changing the passwords to strong ones generated by Lastpass. The great thing is – you only need to remember one password – your Lastpass password.
Then simply install the Lastpass extension on all of your other computers. Log in to Lastpass on each, and all of your new strong passwords are available everywhere.
The whole process will take you between half an hour and an hour, and yes, it’s a pain in the backside. But you only need to do it once. So JFDI.
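As an added example, not the page's own code or anything from Lastpass, here is what "generate strong, unique passwords" boils down to, together with the kind of audit a password manager runs over an imported vault: a generator that draws from the OS CSPRNG, an entropy estimate for comparing the result against an 8-letter or site-derived password, and a reuse check. The sample vault is constructed for the demonstration.

```python
"""Added example (not Lastpass code): random per-site passwords from the OS
CSPRNG, an entropy estimate, and a reuse audit over an imported vault."""
import math
import secrets
import string

# 94 printable ASCII symbols; trim this if a site rejects some punctuation.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Uniform random choice via `secrets` (a CSPRNG). Never use random.choice
    for this: its Mersenne Twister state is recoverable from a few outputs."""
    if length < 1 or not alphabet:
        raise ValueError("need a positive length and a non-empty alphabet")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size).
    A 20-character password over 94 symbols is about 131 bits; 8 lowercase
    letters are under 40, and a system like 'L1nk3dIn' is far weaker still,
    because it is derived from the site name rather than chosen at random."""
    return length * math.log2(alphabet_size)


def reused_sites(vault: dict) -> list:
    """Group sites that share a password, without echoing the passwords.
    Returns sorted groups; an empty list is the goal after the clean-up."""
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    groups = [sorted(sites) for sites in by_password.values() if len(sites) > 1]
    return sorted(groups)


if __name__ == "__main__":
    # Constructed sample vault, as a browser import might look before the clean-up.
    vault = {
        "linkedin.com": "spaniel1",
        "gmail.com": "spaniel1",
        "yahoo.com": "spaniel1",
        "last.fm": "spaniel2",
    }
    print("sites sharing a password:", reused_sites(vault))
    for site in vault:  # replace every entry with a fresh random password
        vault[site] = generate_password()
    print("after clean-up:", reused_sites(vault))
    print("entropy of a new password: %.1f bits" % entropy_bits(20, len(ALPHABET)))
```

The entropy figure is the point: a 20-character random password is beyond any offline cracking attempt on a leaked hash, whereas the only thing protecting a reused or systematic one is the hope that nobody tries.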
Lastpass has mobile clients for most devices, although they require a premium account to use them ($12/year).
Use two-factor authentication to secure both your Lastpass and your gmail accounts. This uses the Google Authenticator app, which generates a six-digit code that changes every 30 seconds. This means that someone needs both your Lastpass or gmail password and your phone to break into those accounts. I no longer use Facebook, but when I did, I set it up to text me a PIN whenever I logged into it from a new device.
Lastpass works well for web-based passwords, but you can’t use it to log in to computer systems, like your work or university Windows or UNIX accounts. You’ll still need to create and remember a strong password for those – Lastpass can generate and store them, but can’t automatically fill in the details when you log in.
You’ll need to choose whether to continue to save passwords in your browser, but you should never do this on a computer you share with other people. You’ll also need to decide whether to let Lastpass remember your master password on your computer. That still protects you against someone attacking remotely, but it leaves you exposed if someone steals your computer, because they then have your whole vault.
Maybe. But since I bit the bullet and moved, it’s now no slower for me to log in to web systems than it was before. Only this time, whenever LinkedIn or last.fm expose passwords, I can quickly change them, reasonably confident that nothing else is affected.