Many thanks to Leigh Honeywell and Alex Gaynor for their comments, questions, and guidance, which greatly improved this piece.
At this point, if you haven’t had a password leaked as part of a breach, you probably know someone who has. (And if you don’t think you have, check haveibeenpwned.com before trusting that assumption.) Most transactions online require a username and password, which means that most people have, at some point, fallen into the habit of reusing a few trusty passwords - the complex ones reserved for the things that matter, like your bank, email, and credit card. The danger is that, if one reused password is exposed in a breach, your go-to email/password combination lets intruders into other accounts throughout your digital life, expanding the damage well beyond the single breached site. If you’ve ever used the same password for, say, your bank and LinkedIn, you have an idea of the risk.
The best defense against these kinds of breaches - lengthy, complex, and (most critically) unique passwords - goes directly against the default human mode of using a go-to password whenever you need to open a new account, something you know you’ll remember, especially if it isn’t for anything really serious. And this can seem just fine - until you’re part of a breach, and someone has the opportunity to see if the password you used for JoesDiscountGarlicDepot.biz is the same as (or even just similar to) the one you use for more critical accounts.
So - considering human behavior and the limits of the human memory, what should you do?
What you will learn:
Don’t rely on trusty, easy-to-remember passwords - they’re easy to guess or crack, and reusing them spreads one breach to every account that shares them.
Use a password manager (we like 1Password and LastPass) so you can use complex, unique passwords for every account.
Use randomly created answers for those “mother’s maiden name”-style questions that are sometimes part of identity verification when logging into an account.
It’s worth the time to go back to old, existing accounts and change reused passwords to longer, unique, more secure ones.
Use a password manager and keep it updated
A good password manager creates lengthy, complex passwords and stores them for you, making them accessible on your computer, via browser plugins, and on your smartphone or tablet. (At Truss, we use 1Password because we believe it to have the most relevant and robust feature set. If you’re constrained by price, LastPass is a worthwhile free alternative, although we believe that good security is worth investing in. Note: all software has vulnerabilities, and no password manager will be exempt from this.) Replace “fluffykins75” with “pond-trout-buoy-negative” or “robbery-stuff-smuggle-escape-petite” (two passwords I just quickly created via the 1Password Chrome plugin), use a different long password for each account, and the next inevitable breach will be much easier to handle.
This helps you out in a few ways.
The longer and less predictable your password is, the harder it is to guess.
If a stolen password is only used for the hacked website, you only have one password to change to regain your security.
Easy-to-remember passwords, unless made deliberately difficult (more on that in a minute), are almost always weak.
If you accidentally land on a phishing site, your password manager will not auto-fill your password, because the site’s address doesn’t match the one saved with the login - keeping you safe from a whole class of attacks (as long as you don’t copy the password over by hand).
And you only have a single complex password to remember - much better than scrambling to match new, longer passwords to your old browsing habits.
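The phishing protection above comes from one simple rule: the manager only offers a saved login on a site whose address matches the one it was saved for. Here is an added example (not code from the original post or from any password manager) of that matching logic in Python. The vault entries and URLs are constructed for the demo; the exact-host-or-subdomain rule is a deliberately conservative simplification, since real managers usually match on the registrable domain using the Public Suffix List.

```python
from urllib.parse import urlsplit

# Constructed vault entries for the demo (not real credentials, not a real vault format).
VAULT = {
    "Bank": "https://online.examplebank.com/login",
    "Mail": "https://mail.example.org/",
}


def host_of(url: str) -> str:
    """Lower-cased hostname of a URL, with any user:pass@ prefix and port removed.

    urlsplit().hostname already drops the userinfo part, so a lure such as
    https://online.examplebank.com@evil.example/ resolves to 'evil.example'.
    """
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"URL has no host: {url!r}")
    return host


def host_matches(stored_url: str, visited_url: str) -> bool:
    """True if the visited host is the stored host or a subdomain of it.

    The leading dot in the suffix check stops 'notexamplebank.com' from
    matching 'examplebank.com'. (Assumption: real managers typically compare
    registrable domains via the Public Suffix List; exact-host-or-subdomain is
    the conservative simplification used here.)
    """
    stored, visited = host_of(stored_url), host_of(visited_url)
    return visited == stored or visited.endswith("." + stored)


def fillable_entries(vault: dict, visited_url: str) -> list:
    """Names of vault entries the manager may offer to autofill on visited_url."""
    names = []
    for name, stored_url in vault.items():
        # Never fill a credential saved for an https site into a plain-http page.
        if urlsplit(stored_url).scheme == "https" and urlsplit(visited_url).scheme != "https":
            continue
        if host_matches(stored_url, visited_url):
            names.append(name)
    return sorted(names)


if __name__ == "__main__":
    for url in [
        "https://online.examplebank.com/login",                     # genuine site
        "https://secure.online.examplebank.com/2fa",                # subdomain: allowed
        "https://online.examplebank.com.evil-login.example/login",  # lookalike suffix
        "https://online.examplebank.com@evil.example/login",        # userinfo trick
        "http://online.examplebank.com/login",                      # downgrade to http
        "https://onlіne.examplebank.com/login",                     # Cyrillic 'і' homograph
    ]:
        print(f"{url:58} -> {fillable_entries(VAULT, url)}")
```

Only the first two URLs get an offer to fill; the lookalike, the userinfo trick, the http downgrade and the homograph all come back empty, which is exactly the moment to stop and wonder why the manager is silent.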
If it seems onerous, think about the last time you or someone you know had to scramble after spotting a surprise fraudulent charge on their credit card or discovering that they appeared to be the author of a few hundred spam emails. Using different passwords for your many online accounts ensures that one compromise does not unlock your entire digital life.
A password manager frees you from having to remember all of these long, unique passwords - instead, you can just remember a handful of sufficiently complex ones, and use the password manager to remember the rest of them and automatically fill them in for you. Be sure to accept updates to your password manager when they come out, as accepting updated software, which often includes security updates, is a vital part of keeping your information secure.
Your list of passwords to remember just got very short:
The password for your password manager (with the emergency key stored somewhere else safe, in case you need to restore access)
Passwords for your phone and computer
If you’re afraid of forgetting one of these master passwords, you can write it down and keep it secure with your other important documents. You can also give it to someone you trust to store in their password manager, a la giving a neighbor a spare key. Just make sure they also follow the directions in this post so you won’t be affected by someone else’s weak passwords or other unsafe security practices.
There are a couple of schools of thought on what makes a password strong enough. Typically, people choose from two types of passwords: the strings of words like the examples above or long nonsense globs of characters full of symbols and numbers, like “dT42RPzcFG.krLA%x}Xqo7B;”. Both can offer sufficient complexity, but only one is borderline impossible to enter manually if you’re in a situation where you can’t paste the password from your password manager.
We like XKCD’s advice on passwords:
Master passwords constructed this way are secure, relatively easy to remember, and easy to type on your computer and your phone. 1Password can generate those kinds of passwords within the app, as can this website. “*sN^XQ;kUkpmBV2PU68P” certainly feels secure, but “indent-diarrhea-disperse-grid” is memorable, secure, and poetic. Some well-meaning form validation may still require a number and a capital letter in your password; if so, add “1A” or something similarly short and consistent in front of the generated passphrase and make sure your password manager stores the augmented version. A fixed prefix like that satisfies the rule but adds no real strength - the random words are what protect you.
You’re right, though: these are likely more difficult to type than your old standby passwords, particularly on a phone. (Though we’d argue that it’s not that painful, considering what’s at stake. After all, you probably type several words at a time in a text message pretty often.) Fortunately, many apps, including 1Password, integrate with the iPhone’s fingerprint sensor, so you don’t have to thumb-type the whole password very often once it’s initially entered. This alone is a good argument for getting a phone with a fingerprint sensor, as it enables you to use more complex passwords without the temptation to cheat with shorter ones here and there. (It’s also a good argument for apps and websites to enable pasting into password fields by default, but that’s a fight for another day.)
Unfortunately, this recommendation is confined to the iPhone at the moment, as Android’s fingerprint technology is weaker than that offered by iOS. Right now, security comes at a premium. We hope that won’t stay the case, but it’s where we are as of this writing.
Once you’ve moved all of your logins into the password manager (which is easy to do through regular use - 1Password, for example, prompts you to save any logins you use that aren’t already stored), an audit is simple, since you have a fully stocked bank of passwords ready to review. 1Password’s full version includes a Security Audit option, which will list any logins with weak passwords, duplicate passwords, or passwords that have been in use for an extended period of time. (The first two are what we recommend focusing on, though.)
This makes it easier to set aside some time to review any flagged accounts and change your trusty old passwords to something unique, random, and secure. Thank your old passwords for serving you well and then release them from your life. Do the same for browser-based password storage; you can find instructions for disabling password managers in Safari, Chrome, Firefox, and IE here.
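The audit described above is mostly bookkeeping, and it is worth seeing what the checks actually are. The following is an added example (not 1Password’s code, and not from the original post) of the three checks over a constructed sample vault: reused passwords, weak passwords, and passwords older than a year. The weakness test is a deliberately simple heuristic, and the sample entries and dates are made up for the demo.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample vault for the demo (made-up entries, not real credentials).
SAMPLE_VAULT = [
    {"name": "Bank",  "password": "pond-trout-buoy-negative", "changed": date(2017, 3, 1)},
    {"name": "Email", "password": "fluffykins75",             "changed": date(2012, 5, 9)},
    {"name": "Forum", "password": "fluffykins75",             "changed": date(2014, 1, 20)},
    {"name": "Shop",  "password": "Password1!",               "changed": date(2016, 11, 2)},
]

# A handful of breach-list favourites; a real audit checks against a large set.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "iloveyou"}

# The classic "dictionary word plus a few digits, maybe a symbol" shape.
WORD_PLUS_DIGITS = re.compile(r"^[A-Za-z]+\d{0,4}[!.?]?$")


def is_weak(password: str, min_length: int = 12) -> bool:
    """Flag short, common, and word+digits passwords.

    Deliberately simple heuristic; a proper estimator such as zxcvbn does better.
    """
    if len(password) < min_length:
        return True
    if password.lower().rstrip("0123456789!.?") in COMMON_PASSWORDS:
        return True
    return bool(WORD_PLUS_DIGITS.match(password))


def find_reused(vault):
    """Map each password used more than once to the entries that share it."""
    by_password = defaultdict(list)
    for entry in vault:
        by_password[entry["password"]].append(entry["name"])
    return {pw: sorted(names) for pw, names in by_password.items() if len(names) > 1}


def find_weak(vault):
    return sorted(e["name"] for e in vault if is_weak(e["password"]))


def find_stale(vault, today, max_age_days=365):
    return sorted(e["name"] for e in vault if (today - e["changed"]).days > max_age_days)


def audit(vault, today):
    """Report entry names only; the report should never contain the passwords themselves."""
    return {
        "reused": sorted(find_reused(vault).values()),
        "weak": find_weak(vault),
        "stale": find_stale(vault, today),
    }


if __name__ == "__main__":
    for category, names in audit(SAMPLE_VAULT, date(2017, 6, 1)).items():
        print(f"{category:7} {names}")
```

Fix the reused and weak lists first, as the post recommends; the stale list is the lowest priority once every password is long and unique.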
Once you have your password manager integrated into your habits, it’s easy to act more safely in the future. When you create new accounts, use your password manager to generate a fresh, new password for it - and immediately store it. All done.
Top tip: if you’re just getting started with a password manager, focus on the most important passwords: email, social media, and financial sites. If you use Google or Facebook credentials for other sites, change those first, as the damage from a pilfered password on sites like that can be pretty broad.
Your mother’s maiden name is fibrosis-exterior-markup-monaco
Some websites, in an attempt to mitigate exactly the kinds of threats we’re trying to avoid, have added secret questions as an additional way of verifying your identity. The “mother’s maiden name” question is the old problematic classic, but others include your birthdate or place, questions about your high school or college, or details about spouses or siblings. Many of these answers can be found through research or social engineering, so other sites have gone even deeper, asking questions about your favorite movie or sea creature or pizza topping (yes, I have had to answer those questions before).
These can raise questions about what to do if you have more than one answer to a question or if the answer is one that varies by day. (My least favorite subject - another real question I've seen in this kind of form - certainly shifts with my mood, and there are other problems with asking these “neutral” questions in forms.)
There’s an easy way to deal with this: consider these answers one more place to put randomly generated snippets of text. Your college? Fabulous highbrow-charger-babylon-shill University. Your childhood best friend? pilot-circus-utah-hardhat. 1Password has a Notes field and customizable fields as part of every record, which is a great place to put questions and answers, recovery codes, and any other information that goes beyond a username and password.
Sufficiently complex passwords also let you rest easier and rotate passwords less often. This Wired post goes into the reasoning in greater detail, but the short version is that long, random passwords don’t share the weaknesses of short, simple ones, so frequent rotation (a workaround for weak passwords) matters much less. Every six months to a year is plenty if your passwords are strong to begin with - and, of course, change a password immediately if the site it belongs to is breached.
Top tip: any “maiden” names, pet names, first addresses, sea life preferences, and touchy subjects are your business. Use a random series of words as an answer whenever possible - and keep tabs on them via a password manager too.
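Both the XKCD-style master passwords discussed earlier and the random answers to secret questions above come from the same generator: pick words uniformly at random from a list using a cryptographically secure source. Here is an added example (not 1Password’s generator and not code from the original post) in Python. The 32-word list is constructed for the demo, so it yields only 5 bits per word; the EFF long list, with 7776 words, yields about 12.9 bits per word, and a real generator would use a list of that size.

```python
import math
import secrets
import string

# Constructed demo wordlist (32 words, 5 bits each). A real generator uses a
# large curated list; the EFF long list has 7776 words, log2(7776) ~ 12.9 bits per word.
WORDLIST = (
    "anchor basil candle dune ember fjord gravel harbor indigo juniper kettle lantern "
    "marble nectar orbit pepper quartz ripple saddle tundra umber velvet walnut yonder "
    "zephyr amber bramble copper delta falcon garnet hollow"
).split()
assert len(WORDLIST) == len(set(WORDLIST)), "duplicate words would shrink the keyspace"


def passphrase(n_words: int = 4, wordlist=WORDLIST, sep: str = "-") -> str:
    """Random passphrase. `secrets` (not `random`) draws from the OS CSPRNG."""
    return sep.join(secrets.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_words: int, wordlist=WORDLIST) -> float:
    """Entropy of n_words drawn uniformly (with replacement) from wordlist."""
    return n_words * math.log2(len(wordlist))


def random_chars(length: int = 20,
                 alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """The 'nonsense glob' style, for accounts you will only ever paste into."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def with_policy_prefix(password: str, prefix: str = "1A") -> str:
    """The post's workaround for forms demanding a digit and a capital letter.

    The fixed prefix adds no strength; store the augmented version in the manager.
    """
    return prefix + password


def security_answers(questions, n_words: int = 4) -> dict:
    """One fresh random answer per question, ready to paste into the entry's notes field."""
    return {q: passphrase(n_words) for q in questions}


if __name__ == "__main__":
    print(passphrase(), f"({entropy_bits(4):.0f} bits from the demo list)")
    print(f"same length from a 7776-word list: {entropy_bits(4, ['w'] * 7776):.1f} bits")
    print(with_policy_prefix(passphrase()))
    print(random_chars())
    for question, answer in security_answers(["Mother's maiden name", "First pet"]).items():
        print(f"{question}: {answer}")
```

Keep the answers with the login they belong to rather than anywhere memorable; the whole point is that nobody, including you, could guess them.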
1Password, many devices
This wonderful stash of passwords would have pretty limited use if it was only accessible via a single device. Instead, 1Password makes it relatively simple to add access to your account to other devices, including other desktop and laptop computers and both iOS and Android devices. You can do so using your email address, master password, and secret key, which is created when you first make an account. 1Password gives you a few ways to save it and makes it clear that this is an important step to take at precisely that moment.
Another easier way, if you have access to a device you’ve successfully logged into, is to have the 1Password app create a QR code to scan with the new device you’re granting access to. You can learn more details and find the right option for you via the 1Password documentation on granting a new device access to your vault. This is both more economically and organizationally sound than creating a new vault for every device, allowing you to have access to the same, consistent set of passwords rather than trying (and likely failing) to duplicate.
Top tip: whatever your preferred password manager is, use one shared vault across devices, to ensure that all of your information is one place and that it’s all accurate, rather than having several vaults that may conflict with each other.
In case of misadventure…
It’s somewhat inevitable - phones take a walk, credit card companies get compromised, and suddenly your data (to say nothing of your bank account) is out of your control. Fortunately, password managers make these situations easier too. Here’s how to deal.
Recovering from a device theft
Sometimes, terrible things happen: your phone gets lifted. Your computer vanishes from a coffee shop table. Your tablet ends up staying in Hawaii even after your vacation is done. This is always annoying, but fortunately, a password manager can help you with this too. 1Password has great instructions on how to recover after losing a device or experiencing a theft. The short version is this:
You don’t need to reset your master password.
You should reset your other passwords, though, because other apps and programs on your device may not store your password as securely as your password manager does.
Erase your lost device, if you can.
Deauthorize your password manager on your lost device.
Install and authorize your password manager on your replacement device.
So long as your master password and key are stored somewhere separate and safe, you’ll be able to move on from the lost device more simply than you would have otherwise. Another perk of using a password manager is that you don’t have to guess at your inventory of passwords. Instead, you can methodically go through the list of stored credentials and reset them.
Recovering from an account breach
Sunrise, sunset. Swiftly fly the years; another hack, another breach, and your passwords fly beyond your reach. What do you do if one of your passwords is compromised? Or, worse still, what do you do if all of your passwords are compromised?
Let’s deal with the smaller situation first. If you learn that one of your accounts has been compromised, congratulations! If you’ve already made all of your passwords unique, you have but a single password to change. Change it, save the change, check for damage, and then celebrate. It’s that easy.
But what if your password manager of choice gets breached and all of your passwords are exposed? As of this writing, 1Password has not had a breach, but we don’t assume that will always be the case: other password managers have already had security incidents, and all software has vulnerabilities. If the worst happens and all of your passwords are exposed, your account still provides a convenient inventory of the passwords you need to change. Once you know that this has happened, set aside an hour (sooner rather than later, of course), pour yourself the soothing beverage of your choice, and start working through that list, saving the changes.
Top tip: make sure your master password and key (the latter of which is provided at the time you create your account) are available to you, even if your device is compromised. This could mean storing it in the password manager of someone you trust or keeping a hard copy somewhere safe.
This will all be worth it. We promise.
Changing your online habits to use randomly created, unique passwords and answers to secret questions will probably feel strange at first - what do you mean, you don’t have the password to your credit card’s website memorized? But the next time there’s a big hack and you know that, at most, you’ll have to change a single password to regain control of your digital life, you’ll feel how worth it the effort was. Without a password manager, it’s incredibly difficult (if not outright impossible) to maintain effective password safety across the many, many online accounts that most people have now. Questions? Ask us in the comments or come find us on Twitter.
Here’s a little more information about password complexity. Those long, unintuitive passwords are a good replacement for shorter, less-complex ones because they’re unique - but they also protect you from having your password guessed.
Imagine you had a four-digit numeric passcode (like most people have on their phone). A computer only has to try 10,000 combinations (0000, 0001, 0002, …, 9998, 9999) to find it. A six-character password drawn from all 95 printable characters (letters, digits, and symbols) is one of about 735 billion (95^6) possibilities. A single machine today can try around two billion guesses a second against a stolen database of hashed passwords, so it could exhaust every six-character password in roughly six minutes. Those 20-plus-character passwords may look thorny and difficult, but at the same rate they would take far longer than the age of the universe to exhaust, and they’re one of your best defenses for keeping intruders out of your accounts.
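The arithmetic above generalizes to any password shape, and it is worth running for a few of them side by side. This added example (not from the original post) computes keyspace, entropy and exhaustive-search time for several shapes at two guess rates: the post’s offline figure of two billion guesses a second, and an assumed online rate of ten guesses a second against a login form that throttles attempts. Both rates and the word-list size are assumptions for illustration, not measurements.

```python
import math

# Guess rates used for illustration (assumptions, not measurements): the post's
# offline figure, and an online login form that lets through ~10 attempts/second.
OFFLINE_GUESSES_PER_SEC = 2e9
ONLINE_GUESSES_PER_SEC = 10


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def bits(space: int) -> float:
    """Entropy in bits of a uniformly chosen password from `space` possibilities."""
    return math.log2(space)


def seconds_to_search(space: int, guesses_per_sec: float, fraction: float = 1.0) -> float:
    """Time to try `fraction` of the keyspace (1.0 = worst case, 0.5 = expected case)."""
    return space * fraction / guesses_per_sec


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits, one decimal place."""
    for name, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {name}"
    return f"{seconds:.3g} seconds"


# Password shapes to compare. 7776 is the size of the EFF long word list.
SCENARIOS = {
    "4-digit PIN":                      keyspace(10, 4),
    "6 chars, all 95 printable ASCII":  keyspace(95, 6),
    "4 words, 7776-word list":          keyspace(7776, 4),
    "6 words, 7776-word list":          keyspace(7776, 6),
    "20 chars, all 95 printable ASCII": keyspace(95, 20),
}


def crack_table(scenarios=SCENARIOS):
    """One row per shape: entropy plus worst-case search time offline and online."""
    return [
        {
            "password": label,
            "bits": round(bits(space), 1),
            "offline": human(seconds_to_search(space, OFFLINE_GUESSES_PER_SEC)),
            "online": human(seconds_to_search(space, ONLINE_GUESSES_PER_SEC)),
        }
        for label, space in scenarios.items()
    ]


if __name__ == "__main__":
    for row in crack_table():
        print(f"{row['password']:34} {row['bits']:6} bits  "
              f"offline: {row['offline']:>16}  online: {row['online']}")
```

Two things the table makes plain: a four-word passphrase from a 7776-word list is fine against a throttled login form but falls in about three weeks to an offline attack on a stolen hash, so a master password that protects a vault file deserves five or six words; and the 20-character random strings a manager generates are out of reach at any rate.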
Considering the numbers you just read, you might be thinking now of the four- or six-digit passcode used for many smartphones. (You do have a passcode for your phone, right? Right?) It’s possible to use a longer alphanumeric code on an iPhone, but you have to opt in (and iOS makes it difficult for people to test a lot of passcodes on a stolen phone by adding more time between each failure, up to several minutes after enough incorrect passcodes). On iOS 10 and newer, you can find it under Settings > Touch ID & Passcode > Change Passcode > Passcode Options (on the screen where it asks for your new passcode). If you’re on an older iOS version, update first via Settings > General > Software Update > Download and Install. But we’ll get into that more later in our security series.