Create a Password Management Plan!
Project #2, on our journey through the six most common projects people avoid, is rethinking the management of all your passwords and log-ins. This is the time to create a solid, reliable strategy that will keep others from taking over your email or accessing your personal, professional, financial, or customer data. A good plan will also reduce the frustration of constantly forgetting your passwords and having to reset them.
Why you need a password plan
Password protection is a critically important aspect of your overall security plan. Using the wrong password is equivalent to leaving your front door open and unlocked. Attackers can use breached personal information for highly effective and targeted phishing attacks. We all need complex, strong passwords to keep our virtual world safe. Let’s look at some options for storing your passwords, their associated protocols, and how to keep your passwords secure.
Storing passwords on paper
Keeping your login information written down on a physical sheet of paper or in a notebook can be a viable option. For those who find technology challenging, this very basic method works well. Of course, it needs to be secured properly, out of sight – not a post-it on your monitor. The paper method is not recommended in a home with frequent visitors, and never in an office setting.
The major downside to a paper password document is that you cannot have it with you at all times: a paper copy of passwords should never leave the house. There is also the chore of updating it with each password change. But if you only have a handful of accounts that you mostly access when you are home, this simple approach could work for you.
Storing your passwords in an electronic document such as Word, Excel or a Google spreadsheet can make it harder for others to see, and easy for you to locate and update. But these electronic files need to be secured with their own long and complicated password. If someone gains access to your computer or online accounts, they will have access to that electronic password file. Personally, I use an electronic document as my secondary back-up, secured with a long pass-phrase.
Using an electronic password manager
An electronic password manager is an encrypted digital vault (high-security cloud storage) that stores the login information you use to access your apps, websites and other services. They allow you to securely retrieve your data from any of your devices. A password manager can also generate and store all those long, unique passwords for you.
There are many options for password managers, including LastPass and 1Password. I’ll use LastPass as an example, because I’m a fan of the paid version ($36 annually) and have used it for years.
So, what is the downside? You’ll have to memorize a single master password; and you must never forget the master password! However, I find remembering one strong password or pass-phrase easier than remembering 100 simpler ones. (And if I do forget, it’s still in my secured spreadsheet.)
How safe is it to keep all your passwords in one electronic basket?
LastPass encrypts all the secure information on your computer, using your “master password.” Then it transmits the encrypted data to the LastPass online servers. LastPass doesn’t know your master password and can’t decrypt your data. If LastPass is hacked, the hackers would only get heavily encrypted data that they could not decrypt without your master password. LastPass publishes a description of its encryption on its website.
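To show what “LastPass doesn’t know and can’t decrypt your data” means in practice, here is an added example (not LastPass’s code, and not taken from this article) of the key-derivation layer a zero-knowledge password manager uses. It is a simplified model: the master password is stretched into a vault key on the device, and the only thing the server stores is a further hash of that key, so a login can be verified without the server ever holding the key. The iteration count and the exact derivation steps are assumptions for illustration; the AES encryption of the vault itself, which a real manager performs with this key, is left out.

```python
import hashlib
import hmac
import os

# Assumed iteration count for illustration; real products publish their own defaults.
PBKDF2_ITERATIONS = 600_000


def derive_vault_key(master_password: str, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Client side: stretch the master password into a 256-bit vault key.

    The vault key is what would encrypt the vault locally; it never leaves the device.
    The high iteration count makes every offline guess at the master password expensive.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=32)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """One more one-way round turns the vault key into a login credential.

    The server stores this value. Because it is derived *from* the vault key,
    having it does not reveal the key or the master password.
    """
    return hashlib.pbkdf2_hmac("sha256", vault_key,
                               master_password.encode("utf-8"), 1, dklen=32)


def register(master_password: str, salt: bytes = None):
    """Simulate account creation. Returns (vault_key kept on device, record kept by server)."""
    salt = salt if salt is not None else os.urandom(16)
    vault_key = derive_vault_key(master_password, salt)
    server_record = {            # everything the server ever sees
        "salt": salt,
        "login_hash": derive_login_hash(vault_key, master_password),
    }
    return vault_key, server_record


def login(master_password: str, server_record: dict) -> bool:
    """Simulate a login: the device re-derives the key and sends only the login hash."""
    vault_key = derive_vault_key(master_password, server_record["salt"])
    candidate = derive_login_hash(vault_key, master_password)
    # constant-time comparison avoids leaking how many bytes matched
    return hmac.compare_digest(candidate, server_record["login_hash"])


if __name__ == "__main__":
    key, record = register("correct horse battery staple")   # constructed sample password
    print("server stores:", record["login_hash"].hex())
    print("server never stores:", key.hex())
    print("login with right password:", login("correct horse battery staple", record))
    print("login with wrong password:", login("correct horse battery stapler", record))
```

The design point is the asymmetry: the device can always recompute the vault key from the master password, while the server record on its own is useful only for checking a login attempt. A stolen server record still has to be attacked one master-password guess at a time, at the full PBKDF2 cost per guess, which is why a long pass-phrase for the master password matters so much.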
It is NOT recommended that you allow your browser (Chrome, Safari, Internet Explorer) to store passwords, or sensitive data like credit card information. Yes, it’s very convenient; but it’s not completely secure! I highly recommend you delete anything confidential stored on your browser. Here’s an article from Boston University explaining how to delete saved info on your browser.
Don’t recycle your passwords
Reusing your favorite passwords across different accounts makes it easy for you to remember—and so much easier for the bad guys to hack you. This practice allows anyone who uncovers your password for one account to have the key to every other account that uses that password. The same goes for modifying a root password by adding a prefix or suffix. You need a strong and unique password for each of your online accounts. Here are some examples of bad passwords I’ve witnessed. (The puppy’s name has been changed to protect his owner.)
- puppylove
- !puppy!
- ilovemypuppy
- puppy123!
How to create a good strong password
Use at least eight characters – but longer is better! It’s also best to mix lowercase and uppercase letters, numbers, and symbols in your passwords. I find using a password generator helpful for this. Here are a few examples of strong passwords.
- qad1F*&51SIji&s!2o0
- 4af$Kt$5F9f!FzRSXiY8
- dECtONdBiliAlExamIna
- $g^4Z!AzC!8FB$#seuryR
I know it’s tempting, but it’s not safe to use your name, nickname, the name of your pet, your birthday or anniversary, your street name, or anything that someone could learn on social media.
Why you should create a pass-phrase
Develop a long “pass-phrase” or sentence for accessing accounts like LastPass or a password-protected spreadsheet. The more characters your passphrase has, the stronger it is. These are much easier to remember and type, but still hard for cyber attackers to hack. Here are examples of a few pass-phrases:
- reBeccAmakestheWORLDsgreatest!!!c00kies4us
- @woRk4the$$$2take!AvaCatiOn:–)
- mYpushYboSSmakesMEwork4my$$
- RUleaViNoNthemidNighttraiN2georgIA?!?
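The three points above (don’t recycle a root password with a prefix or suffix, mix character classes and use a generator, prefer a long pass-phrase) can be checked mechanically. The following is an added example, not from this article or any product it mentions: a generator that draws from the operating system’s secure random source, a character-class entropy estimate, and a “shared root” check that flags the puppy-style variants. The entropy figure is an upper bound that assumes each character was chosen at random, so it overrates pass-phrases built from dictionary words; the five-character root threshold is an assumption for illustration.

```python
import math
import secrets
import string
from typing import Optional

# Character classes used for the entropy estimate.
CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def charset_size(password: str) -> int:
    """Size of the alphabet the password appears to be drawn from."""
    size = sum(len(chars) for chars in CLASSES.values()
               if any(c in chars for c in password))
    # anything outside the four classes (space, non-ASCII) counts as one extra symbol each
    others = {c for c in password
              if not any(c in chars for chars in CLASSES.values())}
    return size + len(others)


def entropy_bits(password: str) -> float:
    """Upper-bound strength in bits: length * log2(alphabet size).

    Real pass-phrases made of dictionary words are weaker than this number suggests,
    so treat it as a ceiling, not a guarantee.
    """
    if not password:
        return 0.0
    return len(password) * math.log2(charset_size(password))


def generate_password(length: int = 20) -> str:
    """Random password containing all four classes, using secrets (never random.random)."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in chars for c in candidate) for chars in CLASSES.values()):
            return candidate


def longest_common_substring(a: str, b: str) -> str:
    """Classic dynamic-programming longest common substring (case-insensitive)."""
    a, b = a.lower(), b.lower()
    best_len, best_end = 0, 0
    prev = [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                if cur[j] > best_len:
                    best_len, best_end = cur[j], i
        prev = cur
    return a[best_end - best_len:best_end]


def shared_root(a: str, b: str, min_root: int = 5) -> Optional[str]:
    """Return the common root if two passwords look like variants of one word, else None."""
    root = longest_common_substring(a, b)
    return root if len(root) >= min_root else None


if __name__ == "__main__":
    bad = ["puppylove", "!puppy!", "ilovemypuppy", "puppy123!"]   # the article's examples
    for pw in bad:
        print(f"{pw:15s} ~{entropy_bits(pw):5.1f} bits")
    print("shared root:", shared_root(bad[0], bad[3]))
    fresh = generate_password()
    print(f"{fresh:22s} ~{entropy_bits(fresh):5.1f} bits")
```

Run on the article’s own lists, the puppy passwords all land around 40 to 50 bits and share the root “puppy”, the generated examples are above 120 bits, and the pass-phrases score higher still on length alone, which is the point of the pass-phrase section.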
Using two-factor authentication – now with a twist
It’s become common practice to use two-step verification, a safeguard requiring you to enter a one-time code before the app or service logs you in. You’ve likely been asked to verify who you are when logging in from an unrecognized device. It’s become routine and convenient to receive a two-step verification code in a text message or to a landline phone, but criminals are always evolving. Lately, hackers have been known to steal your phone number through SIM swap fraud to divert your verification code. So now what? A more secure way to receive verification codes is for you to generate and fetch them yourself using an authentication app such as Authy or Microsoft Authenticator. Once you’re set up, you can choose to register your device (or browser) so you don’t need to keep verifying it each time you sign in.
A master list for you and access for others
Using whichever method you’ve chosen, be sure you have a complete list of your online accounts and virtual assets. Remember to include the access information – website address, log-in ID, passwords and answers to secret questions. You’ll need to update it any time you add an account or make changes, so start that habit right away.
Make sure a family member or other trusted person can access your document or electronic manager if you are incapacitated or deceased. This could save your loved ones a lot of time and frustration during a stressful time. Most attorneys now include online accounts as part of estate planning.