How To Improve Your Password Security

How to stay afloat in a sea of passwords

We’re drowning in passwords.

Slowly – slowly! – we are moving out of the Age Of Passwords. Better alternatives exist. Apple has integrated fingerprints deeply into iOS and fingerprint readers are turning up on many Android phones. Microsoft has built Windows Hello into Windows 10 to authenticate you with fingerprints, iris scans, and facial recognition – right now to log into a computer, eventually to log into websites. Google is working on a new initiative that will authenticate you by evaluating the way you use your phone – “the phone might analyze your face, your voice, how you type, how you swipe, how you move and where you are,” according to The Independent. “The idea is to make devices more secure. Someone could easily steal a password, but it would be much harder for them to mimic the unique way someone else uses their phone. Google believes a login system based on a combination of these factors could be 10 times more secure than a fingerprint scan.”

In the next few years, then, we’ll have alternatives to simple passwords.

But not now. Today we’re drowning in passwords – and they’re crucially important. Everything important on your computers and online is secured by passwords. Your passwords are your defense against identity theft, financial loss, compromised computers, and breaches of confidentiality and privilege.

Some of your passwords have probably already been hacked. Tap in your email address at https://haveibeenpwned.com to see if you have an account that was compromised in one of the big breaches from the last few years. (Don’t panic.)

You have no choice: you have to develop good password habits. The bad guys are constantly inventing better ways to crack weak passwords, and a password stolen from one site gets tried automatically on every other popular site, which is why using the same password everywhere is so dangerous. You can count on more hacks revealing more passwords from more big companies in the next few years.

Here are some practical tips to help get your passwords under control.

•  Use LastPass!

•  Create unique passwords that you can remember

•  LastPass – use the password generator

•  Use spaces in your password

•  Never type a useful password hint

•  Never answer a security question directly

If you’re like many people, then you’re hoping you can skip this article because it seems so overwhelming. See the second tip about “creating unique passwords that you can remember”? Scroll down and read that one and figure it out and put it to good use. It’s a great tip. Everything else is good advice too, but that one is just killer. In my house it earned a Spousal Seal Of Approval, which is hard to come by.

Use LastPass!

Use LastPass to memorize your passwords

All the password tips in the world won’t help if you don’t have an easy way to look up your passwords when you need them. Use LastPass!

LastPass is a free program that memorizes each password typed into a web site and automatically fills it in when you return to the same site. Once it’s up and running, the master password for LastPass is the only password you have to remember. Here’s the info to help you get started.

It can also be used as a digital encrypted notepad to record other private information – bank account numbers, credit card information, Social Security numbers, locker combinations, and anything else you need to remember.

LastPass syncs your passwords with all of your devices. There are versions of LastPass for all major browsers on Windows, Mac and Linux. For $12/year, LastPass Premium lets you run its app on all mobile platforms – Apple iOS, Android, and Windows. When a password is memorized by LastPass on one device, all of your other devices immediately know the same password.

LastPass is safe to use as long as your master password is strong and private. Your vault is encrypted on your own device with a key derived from the master password; the company never sees the master password itself and never holds a decrypted copy of your data. If the bad guys or the NSA got into the LastPass servers, they would get only the encrypted vault and would have to guess your master password to read it. That is the one catch: the whole design rests on the master password being too strong to guess, so make it long and use it nowhere else. And yet all your computers can open the vault in seconds. It’s a very clever, very safe system.

There are other password managers but LastPass is the best known and most widely used. You’ll spend some time learning it, but trust me, it will take less time to learn LastPass than it will take to recover from having your identity stolen by bad guys.

Do not forget your LastPass master password.

Create unique passwords that you can remember

If you’re not using LastPass, realistically there’s no way you’re going to create complex passwords (the ones that look like brKcV3apY9 or worse) for every web site. If you’re like most people, you use the same password all over the web.

Let me suggest a simple trick – not foolproof but it will help.

Take that password you’ve been using everywhere and add something to it. Say your standard password is Swordfish!

Add the first letter of the web site to the beginning and the last letter to the end. Example:

•  Apple: ASwordfish!e

•  Google: GSwordfish!e

•  Amazon: ASwordfish!n

See how it goes? Each one is unique but you can remember how it’s done.

Invent your own pattern. Use the first two letters of the website at the beginning and the end (ApSwordfish!Ap, GoSwordfish!Go). Add a punctuation mark in the same place in each one (A%Swordfish!e, G%Swordfish!e). It doesn’t matter what the pattern is as long as each password turns out to be different and you can remember how you did it. Be clear about what this does and doesn’t protect: it stops a password leaked from one site from working as-is on another, but anyone who reads one leaked password next to the site it came from can spot the pattern and derive the rest. Treat it as a stopgap until you move to a password manager.
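Here, as an added example that is not from the original article, is the pattern written out in Python together with the attacker’s side of it: the rule runs in reverse as soon as a breach exposes one of the resulting passwords beside the site it came from, and two leaked variants reveal the shared base even when the rule is unknown. The function names and the sample breach records are invented for this illustration.

```python
# Added example (not from the article): the "first letter in front, last letter
# behind" pattern, and how little it resists an attacker holding leaked data.
# Function names and sample data are invented for this illustration.

def site_password(base, site):
    """The article's rule: first letter of the site name (capitalised) in front
    of the shared base password, last letter of the site name behind it."""
    return site[0].upper() + base + site[-1].lower()


def recover_base(leaked_password, site):
    """Attacker's view of one breach record: knowing which site the password
    was stolen from, strip the affixes the rule adds and the shared base falls
    out. Returns None if the password does not fit the rule for that site."""
    if len(leaked_password) < 3:
        return None
    if (leaked_password[0].upper() == site[0].upper()
            and leaked_password[-1].lower() == site[-1].lower()):
        return leaked_password[1:-1]
    return None


def predict_passwords(base, sites):
    """Once the base is known, every other account using the rule is known too."""
    return {site: site_password(base, site) for site in sites}


def shared_base(password_a, password_b):
    """Even if the rule is unknown, two leaked passwords belonging to the same
    person expose the base as their longest common substring.
    (Quadratic scan; fine for password-length strings.)"""
    best = ""
    for i in range(len(password_a)):
        for j in range(len(password_b)):
            k = 0
            while (i + k < len(password_a) and j + k < len(password_b)
                   and password_a[i + k] == password_b[j + k]):
                k += 1
            if k > len(best):
                best = password_a[i:i + k]
    return best


if __name__ == "__main__":
    # Constructed sample: one password leaked from a breach at Apple.
    base = recover_base("ASwordfish!e", "Apple")          # "Swordfish!"
    print(predict_passwords(base, ["Google", "Amazon"]))  # GSwordfish!e, ASwordfish!n
    # Two leaks, rule unknown (the "first two letters" variant from the text):
    print(shared_base("ASwordfish!e", "GoSwordfish!Go"))  # "Swordfish!"
```

The point of shared_base is that the attacker does not even need to know your rule: a cracker that sees two of your passwords side by side can diff them, and the part that does not change is the part worth attacking everywhere else.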

LastPass – use the password generator

LastPass users should have complex passwords. That’s the point of using it, after all.

Whenever you need one, click on Generate Secure Password on the LastPass menu. A window will appear with a few options and a suggested alphanumeric string.

[Screenshot: LastPass – Generate Secure Password]

In the Advanced Options, choose at least 12 characters, and more if the site allows it; LastPass will be doing the typing, so extra length costs you nothing unless you expect to type the password by hand. Require at least upper and lower case and numbers. Add “Special” for punctuation marks. (I don’t use them myself – too painful when it has to be typed in.) By all means check the box to “avoid double meaning characters” so you don’t get tripped up by I and 1 and l and 0 and O and the rest.

Then follow this process very closely.

You’re on a web site changing a password. You’ve clicked on LastPass / Generate Secure Password.

•  While that window is open, copy the password somewhere – highlight it and click Ctrl-C and paste it into a note, or write it on a piece of paper.

•  Then click Accept and see if LastPass pastes it into the two places for a new password on the web site. It frequently doesn’t do that correctly. Type it in manually if you have to.

•  After you log in, LastPass should ask about updating its stored password for the site. After you do that, open your LastPass Vault and see if the new password is stored correctly. Put in the updated password manually if necessary.

It’s extra work, I know, but that’s what it takes to be sure LastPass got it right.

Use spaces in your password

You can put a space in your password at almost every web site. Put two or three words together with spaces and you’ve made it far more difficult for a hacker to crack it by brute force. The protection comes from the extra length rather than from the space itself, and cracking tools do try combinations of common words, so use several words and make at least one of them unusual. Bugblatter Beast! is a better password than Hitchhiker! *

(*According to The Hitchhiker’s Guide To The Galaxy: “The Ravenous Bugblatter Beast of Traal is a rather large creature that likes to eat things. It is so mind-bogglingly stupid that it thinks that if you can’t see it, it can’t see you. Therefore, the best defense against a Bugblatter Beast is to wrap a towel around your head.”)
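As an added example covering both the password generator section and the advice on spaces above (my own code, not LastPass’s): a generator that mirrors the options described there, a word-based passphrase generator for the “words with spaces” approach, and an entropy estimate for comparing the two. It draws from the operating system’s secure random source, rejects the look-alike characters the “avoid ambiguous characters” option is about, and guarantees every requested character class appears. The ambiguous-character set, the special-character list and the small word list are constructed for this example.

```python
import math
import secrets
import string

# Added example, not LastPass code. The sets below are constructed for the
# illustration; a real passphrase generator uses a large published list such
# as the EFF long list (7776 words), not this dozen-word toy list.
AMBIGUOUS = set("Il1|O0")

CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "special": "!@#$%^&*()-_=+[]{};:,.?",
}

WORDLIST = [
    "towel", "traal", "beast", "galaxy", "vogon", "improbable",
    "heart", "gold", "babel", "fish", "pangalactic", "gargle",
]


def alphabet_for(classes=("lower", "upper", "digit"), avoid_ambiguous=True):
    """The pool of characters a password will be drawn from."""
    chars = {c for name in classes for c in CLASSES[name]}
    if avoid_ambiguous:
        chars -= AMBIGUOUS
    return "".join(sorted(chars))


def covers_classes(password, classes=("lower", "upper", "digit")):
    """True if the password contains at least one character of every class."""
    return all(set(password) & set(CLASSES[name]) for name in classes)


def generate_password(length=16, classes=("lower", "upper", "digit"),
                      avoid_ambiguous=True):
    """Random password from the OS CSPRNG (secrets, never random.random).
    Rejection sampling keeps every character uniformly distributed while
    guaranteeing that each requested class is present."""
    if length < len(classes):
        raise ValueError("length too short to cover every character class")
    alphabet = alphabet_for(classes, avoid_ambiguous)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if covers_classes(candidate, classes):
            return candidate


def generate_passphrase(words=4, wordlist=WORDLIST, separator=" "):
    """Random words joined by spaces: long, typeable, and strong as long as the
    words are picked by the generator rather than taken from a famous line."""
    return separator.join(secrets.choice(wordlist) for _ in range(words))


def entropy_bits(symbols, alphabet_size):
    """Guessing work for a randomly generated secret: symbols drawn uniformly
    from an alphabet of the given size. Not meaningful for human-chosen
    passwords, which crackers attack with word lists rather than brute force."""
    return symbols * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(12)
    print(pw, round(entropy_bits(12, len(alphabet_for())), 1))   # about 70 bits
    print(generate_passphrase(4), round(entropy_bits(4, len(WORDLIST)), 1))  # toy list: about 14 bits
    print("EFF long list, 4 words:", round(entropy_bits(4, 7776), 1))   # about 51.7 bits
```

The entropy numbers show why length beats cleverness: a 12-character generated string from the 57-character unambiguous alphabet is worth about 70 bits, four words from a real 7776-word list about 52 bits, and four words from a tiny list only 14 bits. They also show that a passphrase needs a proper word list and several words; “Bugblatter Beast!” is long, but an attacker feeding a cracker quotations does not have to brute-force it character by character. The same generate_password call produces good answers for the security-question tip later on the page.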

Never type a useful password hint

If you are asked to type in a password hint as part of the process of setting up an account, never ever type something that would allow the password to be guessed. Don’t try to be clever. If you need that hint to remember a password, then you’ve chosen a weak password; you don’t need a hint, you need a better system to manage your passwords.

The best password hint: “Look in LastPass.”

Never answer a security question directly

Many online accounts include a security question that is used to authenticate you if your password needs to be reset. The answer does not have to match the question. Think of something that you will use as your security answer going forward – words that you will remember but that no one will guess that you chose. Use those words to answer security questions consistently, with the same capitalization and spelling every time. First pet? “Inigo Montoya”. Mother’s maiden name? “Inigo Montoya”. Street you grew up on? “Inigo Montoya”. Elementary school? “Inigo Montoya”.

No one is fact-checking those answers. When you call in to reset your password, the tech support rep types in what you say to see if it matches. The rep doesn’t care if it makes sense. The only crucial thing is that you have to remember what you chose. Make a note of it in LastPass. One caution: because a rep can compare your spoken answer to the stored one, many sites keep security answers in readable form, so a breach at one site can expose an answer you reuse everywhere. If you are already keeping notes in LastPass, a different made-up answer for each site, stored next to that site’s password, is the stronger choice; the single shared phrase is the fallback for answers you must carry in your head.

Be careful out there!