I used to use the same password everywhere. In 1993, I crashed a Clinton inauguration party at a restaurant in DC, and for years my password was a derivative of that restaurant’s name. I’d read somewhere that it was a good idea to include numbers in your passwords, so I picked a number and my “standard” password became “restaurant#name”. Sometime a few years later, I read that symbols were good too – so the stand-by became “restaurant[number]name[symbol]”. Every time I set that as my password, the password strength meters measured off the charts: it used a number and a symbol, wasn’t in the dictionary, and I was probably the only person in the world with that particular password.
But things began to get messy. Some sites didn’t allow symbols. Others had a max character limit. As sites got more serious about security, some required mixed cases (some capitals, some lower case). Inevitably, my “standard” password became more like a template, with a half dozen derivatives. And it became increasingly hard to remember which site had which derivative.
Several years ago, I realized that one password to rule them all was probably a bad idea. After all – if someone got ahold of my nytimes.com password, they’d probably be able to log into Amazon, Gmail, PayPal and any number of other sites. I resolved to use a pattern that was site-specific. That was marginally better, but anyone who got ahold of my password at one site could probably figure out my password on other sites.
Then in December of 2010, Gawker was compromised, and the hackers didn’t just publicize that they’d breached Gawker’s servers, they published a file of all usernames and passwords. I had an account at Gawker, and as a result my password – and the simple pattern used to construct it – was available for the world to see. I’d read about password managers at the time, but thought that since I’d been able to survive for 15 years without one, I’d be OK just hardening my “standard” password. My new pattern incorporated the year, but now I had an even worse mess on my hands: I had dozens of accounts, and depending on when I’d last accessed them, a password that followed one of three possible patterns (with any number of derivatives). My method was falling apart. When 2012 arrived, it was clear I was toast. I couldn’t have a year-dependent password pattern – did I open that account in 2011? 2012? Did I update it in 2010?
This weekend, Zappos’s 24 million customer accounts were compromised (I was one of them). Though we don’t yet know how broad the breach was, or whether the attackers will publish an account list like the Gawker attackers did, I didn’t need another reminder. It was time to get serious about my passwords.
I asked people on Google+ and Twitter what they used to manage their passwords, and people overwhelmingly recommended two services – LastPass and 1Password. LastPass had a few more recommendations overall, so I started there.
First off, a quick summary of what LastPass is: you create a username and password with LastPass, and as you log into websites it asks whether you’d like to store those in your LastPass “vault”. Once stored, each username and password is available to you wherever you can access LastPass – whether on your computer, on a guest computer, on your mobile device, etc. If you’re creating a new account, LastPass can generate a very secure password – it won’t be memorable, it isn’t guessable, and it’ll be unique to that site and your username. (I just asked LastPass to generate a new password; here’s what it came up with: “kkVUI8nZ”.)
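To make concrete why the template passwords above fall apart and what a manager's generator does instead, here is an added Python example (my code, not the post's and not LastPass's): it draws a uniformly random password under a constructed per-site policy using the `secrets` module, and compares that search space with what is left of a pattern password once its base word has leaked in a breach. The policy names and the per-slot choice counts are assumptions for illustration.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{}"

# Constructed per-site policies of the kinds the post runs into: no symbols,
# a short maximum length (the 8-char one matches the shape of "kkVUI8nZ"), anything goes.
POLICIES = {
    "no-symbols-12": {"length": 12, "symbols": False, "mixed_case": True},
    "alnum-8": {"length": 8, "symbols": False, "mixed_case": True},
    "anything-goes-20": {"length": 20, "symbols": True, "mixed_case": True},
}

def alphabet_for(policy):
    """Character set the site's rules allow; digits and lowercase are always in."""
    chars = string.ascii_lowercase + string.digits
    if policy["mixed_case"]:
        chars += string.ascii_uppercase
    if policy["symbols"]:
        chars += SYMBOLS
    return chars

def is_valid(pw, policy):
    """Right length, only allowed characters, and mixed case when required."""
    allowed = set(alphabet_for(policy))
    if len(pw) != policy["length"] or any(c not in allowed for c in pw):
        return False
    if policy["mixed_case"]:
        return any(c.islower() for c in pw) and any(c.isupper() for c in pw)
    return True

def generate(policy):
    """Draw each character from the OS CSPRNG (secrets); redraw until the policy is met."""
    alphabet = alphabet_for(policy)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(policy["length"]))
        if is_valid(pw, policy):
            return pw

def entropy_bits(policy):
    """Search space of a uniformly random password under the policy, in bits."""
    return policy["length"] * math.log2(len(alphabet_for(policy)))

def residual_pattern_bits(choice_counts):
    """Bits left in a template password once its base word has leaked in a breach:
    the attacker only enumerates the remaining slots. choice_counts maps each slot
    (number, symbol, ...) to an assumed number of values it could take."""
    return sum(math.log2(n) for n in choice_counts.values())
```

An 8-character alphanumeric password like the sample has about 47.6 bits of search space, while a known "word + number + symbol" template with a two-digit number, one of 32 symbols and a case variant leaves roughly 12.6 bits once the word is public.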
With that in mind, here’s what I did to get serious about my passwords. I’ll warn you: this took a fair amount of time – easily 6+ hours in total over a couple days, and I’m not actually done (I keep thinking of more accounts to upgrade). That said, I am much happier with my overall security than I was going into the weekend, and as an added benefit I have a master list of every account I use on the Internet.
1. Set up a LastPass account. This username will be your master login for LastPass, and the password should be very secure, but one you can remember – if you lose it, you’ll regret it. (It’s not necessarily an “abandon all hope” moment, but it’s close.)
2. Download LastPass Chrome extension. I use Chrome exclusively as my browser, and often jump from my MacBook Air to my Chromebook. LastPass has a Chrome extension that makes LastPass completely integrated with the browser, which made the next several steps much easier. (LastPass has integrations with IE, Firefox, Safari and Opera, so you should be good to go regardless of which browser you use.)
3. Install the Android app. The core LastPass service is free, but the premium service – for a whopping $1/month – means I can use their Android app to access my password vault directly from the phone. That’s handy – especially with a number of mobile apps I use for banking and the like – and well worth the minimal cost.
4. Clear cookies and saved passwords, set Chrome to never remember passwords. This avoids me automatically logging into any site I visit (which is a nice forcing function to upgrade the password as I’m prompted to log in) and avoids Chrome and LastPass fighting over who gets to save the username/password when entered (I want LastPass to do so).
5. Upgrade passwords. I started a Google Spreadsheet to list all the accounts I could think of. I got to 30 pretty quickly, and after a few more minutes added another 15. But I knew there were more. I’ve used Gmail for all e-mail for the last six years, so I headed over to Gmail to find all the accounts hidden within. Here are some Gmail searches I used to find little-used and long-forgotten accounts, some of which had saved credit cards stored in them and other data that I’d like to protect:
- to:me “new account”
- to:me “new login”
- to:me password reset
- to:me receipt
- to:me account confirmation
- to:me username