Zach Posten - 2020 Feb 04
Using a password manager
For those who don't know, my full time job is to sit in front of a computer and write code. That means I spend a lot of time in and around the internet.
I've recently had some personal experience with the dark side of the internet and the people on it. That experience made me want to share some of the things I've learned about how to keep yourself safe in the digital era that we are all living in.
I intend for this to be a multi-part series on steps that everyone can take to improve their online security. I want to help make sure that you are not the low hanging fruit for some bad actor thousands of miles away to take advantage of.
My primary audience for this post is my friends and family who don't necessarily sit down every morning and wonder about how safe they are online. I hope to both illustrate to you why it's important to think about these things, and provide some easy steps that you can take to help.
This is part 1 of the series, so you're in the right place!
I'll link to the other parts below once they're written:
How many online accounts do you think you have? You should actually try to count, I'll give you a moment
How many did you get? I bet you underestimated it. Think of every old social media account (did you have a MySpace?), every site you ever bought some trinket off of (I have three accounts I used just to get cheap books in college), every app you ever used that required an account.
Just for a ballpark number, I have about 390 online accounts.
Now, think about how many times in the last year you used the "forgot my password" feature of some site. Isn't that annoying? You swear you know what the password is but the darn site just disagrees with you.
A password manager is tool that you can use to store all of your passwords. I have all 390 of those accounts in my password manager. Having one place to store all your passwords means that will never forget and have to reset another password.
Using a password manager also means that (for the most part), you can avoid typing out any of those passwords in the future. But I can already hear you saying..."but Zach, Chrome saves all my passwords!" Chrome can save your passwords! But what about when you you want to access one of those passwords on your phone to put in some app? Or on someone elses computer?
The good password managers all have browser extensions, apps for your phone, and websites. So no matter what computer or device you're on, you will always have access to your passwords.
I've been preaching this whole "use a password manager" thing for years now, and have talked to a number of people about what their current password strategy is. By far, the most common practice is for people to use a few different passwords for every site they sign up for. Usually there are variations on those passwords by tacking a number or a few
!s on the end.
When they need to sign into a site that they haven't used in awhile, they just cycle through their passwords until their log in is successful! Occasionally they'll fail to find the right variation, and just use the "Forgot your password?" link to reset their password to the one they have been using most frequently lately.
As it turns out, that this strategy is really, really insecure. The reason for that boils down to a hacking technique called "credential stuffing". What you have to understand is that websites get hacked alllllllllll the time. According to a 2019 study, on average there is an attempted hack on a website every 39 seconds. While not all of them are successful, plenty of them are. Sometimes when a website gets hacked, the hackers are able to steal user information from that site, including usernames and passwords.
Hackers take those stolen username/password combinations and "stuff" them into all the popular websites (e.g. Google, Facebook, banks, Twitter). Because of how common it is to reuse passwords, that technique is often successful. Because some crappy little website that you signed up for one time got hacked, the hacker now has access to your banking information because you used the same login!
Password managers solve this problem by making every username/password combination that you use for every site completely unique. So if one site gets hacked and your credentials stolen, those credentials won't get the hacker into any other site.
In addition to reusing passwords, many people tend to use very weak passwords passwords. The weaker (i.e. shorter, less complex) a password the more easily it can be guessed by a computer. Computers often guess by starting with common passwords and trying variations. If that fails, they can just try every combination of letters and numbers. If your password is relatively short, it can be "brute forced" by a computer in seconds if there are no other constraints or delays.
Password managers solve this problem by generating long, complex, and random passwords that cannot be guessed or brute forced1.
When you sign into your password manager, you do so using a "master password". This becomes the only password you have to remember now. It should be long (more than 15 characters), complex, and completely unique from anything you've used online before.
Password managers work by encrypting your stored passwords using your master password. This means that even the password manager company themselves cannot access your stored passwords, because they don't have your master password! So if someone hacks the password manager, all they get is a bunch of encrypted, meaningless text that is in no way helpful to them in accomplishing their nefarious tasks.
I would personally recommend one of two password managers to you.
These password managers are both well known and very secure. You can read feature comparisons between them if you would like. Honestly no matter which one you choose, you'll be far better off than you were before using one.
I personally use LastPass though, so I'm more familiar with it. Because of that I'm going to talk about some of its features here.
LastPass has a free tier so you can get started without spending anything, but the free tier is somewhat limited. It has browser extensions for all the major browsers, as well as mobile applications for both iOS and Android.
To get started with a password manager, I would recommend starting with your most important accounts first:
To add a site to your password manager, make sure you have its browser extension installed and do the following:
Then copy the generated password (you can click the multiple squares icon to the right of the password, or select the generated password using your mouse, right click, and choose copy).
Use the change password feature of the website to change your password.
Use LastPass' autofill feature to fill your current password by clicking the little box that appears in the text field. You could also just type it in if you already know it.
Paste (right click, choose "Paste") the random password you generated into the new password field
LastPass should prompt you to update your stored password, choose Update.
That might sound like a lot of work, and it's definitely a bit laborious. But when you weigh it against getting your bank account emptied because someone hacked your MySpace account, the scales are pretty heavily tilted.
That's it! In short, please consider using a password manager. There is a real possibility of one of your accounts getting hacked at some point, if one hasn't already.
If you found this article helpful, or have additional questions, please reach out to me!
Stay safe out there.