It's Time To Simplify Your Password Game
Text passwords might be dying, but they aren't leaving anytime soon. You can now use your fingerprint to unlock your phone, your face to log in to your computer, and eventually your biorhythms to log in to virtually anything. Over time, these physical attributes will replace text passwords and log you in to digital services directly. In the immediate future, however, these biometric logins are really a facade on top of the old-school text password. For example, you can use your phone's fingerprint reader to log in to your Bank of America account, but this convenience only exists when you choose to use your fingerprint on an approved device. Using a fingerprint has made it easier for you to securely access your bank account on your phone, but it hasn't made your BofA account any more secure. I can still log in to your account on the BofA website with your password if I can guess or steal it.
For those well versed in password managers, two-factor authentication, security questions, and email recovery, the TL;DR for this series of posts is:
- Use some sort of well-reviewed password manager to generate and manage all your passwords. There are only 3 'complex' text passwords you NEED to remember in your life: the master password for your password manager, the password for your main computer, and the password for your email provider account (especially if you use iCloud with an iPhone or Gmail with an Android phone). The one 'non-text' password you have to remember is a complex pattern/PIN to log in to your phone. Everything else should be some long, ridiculous password stored in your password manager.
- Stop using security questions with easy-to-guess answers. Almost any account can be logged into if the security questions (e.g. "What was your high school mascot?") used to give you a new password are easy to guess. Most of the answers to these standard questions about you can be found on the internet with your name and LinkedIn, Facebook, or one of those annoying online people directories. While you might be careful with your own personal information online, your partner, parent, or sibling may not be as careful. If I know where your sister attended high school or what city she grew up in, I can probably guess what your high school's mascot was.
- Enable two-factor authentication everywhere possible. 2FA is a fancy phrase for achieving the following when you log in: letting companies recognize the devices you own (your phone, your laptop, but not the public computer at the airport) and/or proving you are carrying a special keepsake with you. In the past, this keepsake might have been some sort of electronic token you kept on your keychain, but now your phone substitutes for it, since companies assume everyone owns one.
- Think of your email account's password as the lock on your digital safe; ensure your email account has an especially strong password. Almost all password recovery links will end up here, so if I can gain access to your email account I can now change your password at many websites you frequent. In addition to being a password recovery tool, your email account (especially if you use a web-based email service such as Gmail, iCloud, etc.) is a treasure chest of all your online activity, accounts, trusted contacts, and even personal information (have you ever sent a rental application or received health test results by email?).
Text Passwords Still Suck But It Doesn't Matter Anymore
Usability and security are consistently pitted against each other in technology and nowhere is this more apparent than the traditional text password. Complex passwords offer theoretical security but are frustrating in practice, whereas short passwords are easier to use without offering any practical security. Unfortunately, there hasn't been any meaningful compromise between these two extremes. What has improved in the last decade are the technologies that solve all the annoying logistics for managing, storing, and accessing your passwords. Gone are the days of keeping a list of complex passwords in a Word doc or a USB key with passwords managed by a proprietary app. With services like Dropbox, LastPass, mobile phones, and apps that work on each of your devices, the logistics of passwords have become much simpler.
A good password manager application should:
- suggest complex passwords for you
- store all of your passwords
- warn you of weak passwords you have
- be available on all major platforms you use (PC, Mac, your phone) and be synced across all your devices
This blog post isn't a password manager review, so simply choose your favorite from here. Personally, I chose KeePass because it is well reviewed, available on the devices I use for free, doesn't rely on storing any information about you in the cloud, and can be used with Dropbox to sync and backup your password database. For most people, I would recommend LastPass because the initial setup to sync across devices is easier. Whichever password manager you use, make sure to use the most complex password possible for every website. If you have to update your passwords at several websites do them in this general order:
- Your online email provider
- Banks and Financial Institutions (I even store my debit card PINs here in case I forget them)
- Healthcare websites
- Government websites
- Personal and digital money management websites (Venmo, Paypal, etc.)
- Utilities (water, cable, etc.)
- Social websites (LinkedIn, Facebook, etc.)
- Your home router/modem password
- Any website or app that stores payment information (Amazon, Lyft, Netflix, etc)
- The rest as you get time...
Tip: Make sure to use the maximum number of characters and character types allowed by a website, but no more. If a website says passwords can be 5-15 characters in length with numbers, spaces, and punctuation, generate a 15-character password, not a 16-character one. Many poorly designed websites will silently chop off characters after the limit and not tell you. When you try to log in next time, your 16-character password won't work because the website stored it as a 15-character password. Annoying, right?
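To see why the tip matters from the website's side, here is an added example (not from the original post) that simulates a site with a 15-character limit: the weak version silently truncates at registration but hashes the full password at login, so a 16-character password can never log in; the hardened version enforces the advertised limit and tells the user. The limit, user names and passwords are constructed for the demonstration.

```python
import hashlib
import hmac
import os

MAX_LEN = 15  # the site's advertised maximum, as in the tip above (constructed)


def _hash(password: str, salt: bytes) -> bytes:
    # Salted PBKDF2 stands in for whatever password hash the site uses.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class TruncatingSite:
    """Weak: chops the password at MAX_LEN on registration, but not on login."""

    def __init__(self):
        self.users = {}

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        # The silent truncation happens here; the user is never told.
        self.users[user] = (salt, _hash(password[:MAX_LEN], salt))

    def login(self, user: str, password: str) -> bool:
        salt, stored = self.users[user]
        # Login hashes the full password, so anything longer than MAX_LEN fails.
        return hmac.compare_digest(stored, _hash(password, salt))


class StrictSite(TruncatingSite):
    """Hardened: the same limit, but rejected loudly instead of applied silently."""

    def register(self, user: str, password: str) -> None:
        if len(password) > MAX_LEN:
            raise ValueError(f"password must be at most {MAX_LEN} characters")
        salt = os.urandom(16)
        self.users[user] = (salt, _hash(password, salt))


def demo() -> dict:
    """Return the outcomes described in the tip, for the weak and hardened site."""
    weak, strict = TruncatingSite(), StrictSite()
    weak.register("alice", "x" * 16)
    try:
        strict.register("bob", "x" * 16)
        strict_rejected = False
    except ValueError:
        strict_rejected = True
    strict.register("bob", "x" * 15)
    return {
        "weak_16_char_login": weak.login("alice", "x" * 16),   # False: truncated
        "weak_15_char_login": weak.login("alice", "x" * 15),   # True: what was stored
        "strict_rejected_16": strict_rejected,                 # True: told up front
        "strict_15_char_login": strict.login("bob", "x" * 15), # True
    }
```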
First and foremost, however, you will need to choose strong passwords you can remember for your password manager application's master password, your main computer, and your email account (especially if it is associated with your phone, like Gmail for Android and iCloud for iPhones). If you back up your password manager file manually with Dropbox, Time Machine, or some other service, then you will need to remember the password for this service as well. The best suggestion is pronounceable gibberish, such as 'brefflix28Huana4delpton' (don't use this example, of course). This password feels like you are only remembering 3 made-up words and 2 numbers, yet it is actually 23 characters long! Most password managers have tools to create this type of password for you.
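As an added example (not the post's own code or any real manager's algorithm), here is a small generator for pronounceable gibberish in the same shape as the example above: made-up words joined by numbers, with one word capitalised. It also works out how many bits of entropy such a password has even if an attacker knows the exact structure; the consonant and vowel alphabets are constructed for the demonstration.

```python
import math
import re
import secrets

# Constructed alphabets; consonant-vowel-consonant syllables stay sayable.
CONSONANTS = "bcdfghjklmnprstvwz"
VOWELS = "aeiou"


def _word(syllables: int) -> str:
    """One made-up word, e.g. 'delpton'-style, built from CVC syllables."""
    return "".join(
        secrets.choice(CONSONANTS) + secrets.choice(VOWELS) + secrets.choice(CONSONANTS)
        for _ in range(syllables)
    )


def generate(words: int = 3, syllables: int = 2) -> str:
    """Words joined by random numbers 0-99, with one randomly chosen word capitalised."""
    parts = [_word(syllables) for _ in range(words)]
    cap = secrets.randbelow(words)          # secrets, never random, for passwords
    parts[cap] = parts[cap].capitalize()
    out = parts[0]
    for word in parts[1:]:
        out += str(secrets.randbelow(100)) + word
    return out


def entropy_bits(words: int = 3, syllables: int = 2) -> float:
    """Bits of entropy assuming the attacker knows this generator's structure exactly.

    Each syllable has |C|*|V|*|C| choices, each joining number has 100,
    and the capital letter's position adds log2(words).
    """
    per_syllable = math.log2(len(CONSONANTS) ** 2 * len(VOWELS))
    return (words * syllables * per_syllable
            + (words - 1) * math.log2(100)
            + math.log2(words))


def structure_ok(pw: str, words: int = 3, syllables: int = 2) -> bool:
    """Check that pw has the shape generate() promises: letters, numbers, one capital."""
    n = 3 * syllables
    pattern = rf"[a-z]{{{n}}}(?:\d{{1,2}}[a-z]{{{n}}}){{{words - 1}}}"
    return bool(re.fullmatch(pattern, pw.lower())) and sum(c.isupper() for c in pw) == 1
```

With the defaults, a password like 'vemtak7Rulsof41bozdin' carries about 79 bits, comparable to a fully random 13-character mixed-case alphanumeric password, while feeling like three words and two numbers.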
The 4th and final password you need to remember is the PIN/pattern used to unlock your phone. It should be random if using a PIN or complex if using a drawn pattern. If you have a newer iPhone or Android phone with a fingerprint reader, skip the PIN/pattern unlock altogether and instead use a long pronounceable password as described above. You only need to enter it when you restart your phone.
Write these 4 passwords down and keep them with you in a safe/wallet for a few weeks. After entering these passwords multiple times a day, remembering them won't be hard, and you can eventually choose to shred/burn the written backup or keep it in a safe. Enter the passwords for your main computer and phone in the password manager as a worst-case backup, but there is no point entering your master password in the password manager, for obvious reasons. Armed with strong passwords for all your devices, now is the time to make sure encryption has been enabled on them as well.
All done! Once you have set up your chosen password manager you should be able to download the password manager application or browser extension for all your favorite devices and access your passwords from anywhere. No more remembering endless numbers of passwords, just the 4 we discussed above. The next step is to fix your security question answers and enable two factor authentication.