The questions we get are usually asked with genuine curiosity, but sometimes there’s a sense of exasperation in the asking. Such is the case this week when we tackle how to keep track of your ever growing list of logins and passwords.
As with most questions there’s a quick answer, for those of you in a hurry, and a longer answer. The quick answer is to start using a piece of software called a password manager. This software will encrypt, organize, store and recall any login, password or secure information you feed it. The best ones will even sync across your devices or let you share with a team. All you need to do is remember the key. Now, let’s dive deeper.
You may think that your passwords are all tucked away nice and secure. They could be in your head, in a word document, on a Post-It attached to your computer monitor, or written in a notebook. But something you need to realize right now is that every password you use is also somewhere else... the place you use it.
It makes sense, right? In order for you to check your email, post a status update on Facebook, check your bank balance, pay a bill, book a flight or shop at Amazon, each of those places has to have your password as well. And that's the unknown variable: how are each of these places protecting your information?
If you do anything online, you are often required to create an account. You probably have dozens of usernames and passwords. Our owner, Brendan, counted 407 unique login credentials in his files! Further, if you're like most people, at a certain point you settle on a few passwords that you like and then use those for most everything. After all, who's going to guess that your password, Jam@ica1586dcbc, is some abbreviated version of your honeymoon location + home address + kids initials?
Fact is, someone who obtains your password won't have guessed it at all. They'll have found it by hacking in a poorly secured website that you bought a dog costume from 3 years ago. Darn, now that adorable dog-o-saurus costume has become something really scary. With your favorite password in hand someone can troll around behind your back to see where that password works: GoToMyPC, online banking, Amazon.com, and so on. It could unlock lots of things. If your email account is compromised, the perpetrator can also reset your other passwords and unlock your entire digital life, just like this epic hack.
What’s scary about security breaches today is that nobody guessed your password. An employee didn’t steal it, it wasn’t obtained from your office password list, and you certainly weren’t tortured. Your login credentials, or other sensitive information, are found at the other end of things — sitting on the internet, poorly protected — because the fifteen year old who created dress-your-dog.com didn't think about encryption, or because a security engineer at a bank made a poor decision about database architecture, or because a contractor for a health insurance company lost a laptop with decrypted client files.
Here’s a really interesting report summarizing data breaches in 2014. It’s a mere 192 pages, but worth a skim to drive home the point that you need to be cautious online.
Now that you know how your login credentials get into the hands of someone else, you need to adopt habits that minimize the damage for when — not if — this happens to you. The big rule to follow is this:
Only use a password in one place, never recycle or use it anywhere else.
Then, when the place you have an account is hacked, you don't have to worry about your other accounts that share that same password being compromised. The damage is limited to that one place.
In addition to unique passwords, you should do your absolute best to follow the advice you've heard many times before. Passwords should be at least 10 characters long, and combine upper case letters, lower case letters, numbers and symbols. Up until yesterday, this was Brendan’s email password: Qr?7uRgYCK8LGEbn>wf. Remembering 100+ unique passwords like that shouldn't be a problem... yeah, right!
At The Modern Firm we use a piece of software called a password manager to keep our individual and client data secure. The manager we use is called 1Password and is made by www.agilebits.com. This software allows us to create a very unique password for every place that requires a login. It then keeps those passwords stored in a highly encrypted database on our computers. That encrypted database is then unlocked by the one password that we have to remember, hence the name 1Password! Using a password manager allows us to use completely secure and nonsensical passwords like 4]Q}Wo2c)9v6q6QM[t and 7?8Q^btn%h%)@,DsB3}N.
Most password managers integrate with web browsers to make creating, storing and retrieving passwords super easy. For instance, when creating a new account, in just two clicks 1Password will create a very secure random password and fill it in on the sign-up form. When submitting the form, it will automatically detect that a new account is being created and prompt you to label and save the information.
Developers of password manager software know that people are always on the go and are collaborating with other people. The most popular managers include options for syncing your password vault with your mobile devices. You’ll also find options for collaborating and sharing passwords with your team, which is way more secure than a shared Word doc, Excel spreadsheet or emailing them back and forth.
Based on our research there are five password manager software packages that are definitely worth checking out. Give them a shot and start enjoying the peace of mind that comes with knowing you've taken a big step toward protecting your identity, clients and data.
Most of these software packages are quite easy to use, but there is some learning curve and it's a change to your usual habits. If you have a computer consultant that helps you with tech issues, it would be a great idea to get them involved with the setup.
1Password by Agilebits - $49 one-time cost after 30 day free trial
Windows, Mac and Mobile
Note: Syncs with mobile devices via iCloud, Dropbox or local WiFi.
LastPass - Free plan or $1/month plan
Windows, Mac and Mobile
Note: Has its own syncing service built in. LastPass was actually hacked in June 2015, but due to their security architecture, no secure content from user vaults was compromised.
Dashlane – Free or $39.95/year for premium
Mac, Windows and Mobile
RoboForm - $9.95/year for first year
KeePass – Free/Open Source
An additional way to secure an account that is especially important is something called two-step authentication or two-factor authentication. This means that there is a second step, beyond knowing the password, that is required to access the account. With Google and some services this may be a special code that is sent to your mobile phone to verify your login. Other places may require security questions, like the name of your 3rd grade teacher. If an account is accessing especially sensitive information, and has an option to enable two-step authentication, do it.