You know how important strong passwords are, but you've got a huge backlog of passwords — some you can't remember, others you've been using for years. Here's how to securely update, create and manage your passwords on any computer.
Image via kobakou.
It's not necessarily a 10-minute job, especially if you've got a lengthy backlog of passwords you've abandoned or rarely use. But it's a multi-step process you can break up, and it's actually pretty simple:
- Set up a smart system for creating passwords
- Recover your old, barely protective passwords in a secure fashion
- Install a single extension/plug-in across your browsers and mobile devices
- Stick with the new system across all websites
It's hard to understate the importance of having uniformly strong passwords that aren't the same on every site. Simple passwords, or those with words in the dictionary, are easy enough to crack on their own. There are, however, seemingly legitimate web services that can betray your password, and if you're using the same or similar passwords on your email, banking or other sites, you're pretty much done for.
The same domino-falling theory applies to sites that email your password back to you when you request it. If you simply archive or let those emails fall into the depths of your inbox, anyone with access to your email can simply search something like "requested password" or "password recovery" and dig a huge tunnel under your entire online life.
So let's set up your passwords so that no person or computer can guess your passwords, no inadvertent password revelation uncovers your entire system, and your secure passwords are still easy to use — you don't even have to enter them, in most cases.
Step One: Create Your Password System
One of the most frequently linked features from Lifehacker's early days is Gina's guide to choosing and remembering great passwords — and for good reason. Gina's system is secure enough that a computer can't break it, but logical enough that a human can remember it.
In a nutshell, Gina suggests coming up with a base password that you use for every site. It can be anything but a simple word, and it should be easy for that person to memorise. If you're a huge fan of The Smiths, for example, you might end up with $ppplmgwiw$ as your root password — the first letters of "Please, Please, Please Let Me Get What I Want", of course, book-ended by or interspersed with non-alphanumeric characters for added security.
The next step suggested is to "combine this base with some extra information unique to the service". In other words:
You may use your base password with the first two consonants and the first two vowels of the service name. Say your base password is "asdf." ... Then your password for Yahoo would be ASDFYHAO, and your password for eBay would be ASDFBYEA.
Something simpler—but along the same lines—might involve the same letters to start (say, your initials and a favourite number) plus the first 3 letters of a service name. In that case, my password for Amazon would be GMLT10AMA and for Lifehacker GMLT10LIF.
It's a smart idea, but I'd add just a little more paranoid security to the mix. Rather than always tacking your site-specific variations at the end of your password, consider adding them in the middle of your base password or using them along with special characters to bracket your base password. So if your base password, as a lifelong Electric Light Orchestra fan, was **elolynne**, and you were creating a password for Amazon.com, you should try something like **amelolynneon**, with the first and last two letters of "amazon" surrounding the password, or **aaoelolynne**, using the first three vowels of Amazon in front of your password.
Why the slightly more paranoid setup? Because we are every so often forced to give up our passwords — either to close friends with our permission, or when it's given up inadvertently by site security mishaps or our own dumb moves. If someone saw that your password for Amazon.com was **elolynne**zon, they'd pretty quickly guess that you've got a common root and a pretty simple last-three-letters scheme going for all your passwords. It's much harder to guess from **aaoelolynne** what's going on, unless someone has heard your in-car rendition of "Strange Magic".
What about sites where special characters aren't allowed? Or sites that cap passwords at a sadly small number of characters? Simply adapt as best you can. Switch in a significant number in place of your special character brackets or fill out the password as usual to the character limit. You'll just rely on your password storage system, detailed below, to remind you of such exceptions to your rule.
So there we go — we know how to create secure passwords for sites, which neither hackers nor overly snoopy friends can hack open all at once. Once you've picked out your password management system, you can start tracking your new logins with ease. But you've already created a bunch of passwords for sites, so let's go fix those first.
Step Two: Recover And Change Your Old, Busted Passwords
Now it's time to do the drudge work. You're going to go back through website usernames, passwords and security questions and clean them up. There is, unfortunately, no magic tool to make this easy or save you the click-click-click work, but we do have some tips that can help.
- First off, clean out your email inbox as best you can, or at least make a note of when you started doing password cleanup. That makes it easy to find and entirely delete the emails you'll receive when recovering passwords you can't remember or authorising password changes.
- If you've got an older, hardly-ever-used email address that a lot of passwords are tied to, it's time to consolidate that email address into Gmail, or use the IMAP settings in Yahoo, Hotmail or your other preferred email client to import that old address. Otherwise, it's probably time to log in one last time, set up auto-forwarding to your newer address that you actually use, then close that account forever — it's nothing but a security liability.
- On those sites where it is possible, change over to a standard username so you can use your new password system without having to guess at the other piece of the puzzle.
- Similarly, protect your accounts from security question hackers by changing up the answers to your security questions. The standard questions — middle names, maiden names, childhood streets and schools — can be researched and discovered — sometimes very easily — so choose your own questions whenever possible, or use commenter Srwight's tip and answer different questions entirely with a translation key.
Now it's up to you to go ahead and change your password on the sites where you can remember your original password and recover your password from the others. The "Forgot password?", "Need help logging in?" and similar links are usually located under or next to the boxes for entering a username and password. Click them, grab the email or text message, log in again and delete the email immediately after changing your password. This is crucial — you don't want anyone who somehow gets into your email knowing how you changed your password to a site, or even worse, recovering an old password from sites that make the dumb move of sending your password to you.
The most important sites to fix right up front are those where bad people could get at your personal life, your work and your money. That means as a shortlist you should prioritise your email, banking, work-related and primary shopping sites. Head to every site you can think of using regularly, recover your password, change it to use your new system, then delete the emails that resulted from your change.
Step Three: Keep Your Passwords Stored And Safe
Every modern browser offers some kind of system for saving your passwords and automatically filling them in when you next visit a page. This is, as you might guess, a pretty bad thing to have enabled if your laptop ever gets stolen, or if the wrong people get access to your computer some other way. Here's a look at a few of your much better options.
Firefox: Master Password, Password Timeout and Sync
If you're a Firefox devotee, you're good to go using Firefox's built-in password saving system. When you enter your new passwords, go ahead and click "Remember" on the drop-down bar that appears. Just be sure to enable the Master Password feature from Firefox's preferences, then use a master password that has more than eight characters, includes special characters and no dictionary words - basically, like your password scheme invented above. In fact, it's not a terrible idea to use the root of your password scheme as your Master Password, as that helps reinforce the scheme in your memory.
Beyond that, you might want to install the Master Password Timeout add-on so that if you step away from your computer or leave Firefox idle for a certain period, your system won't betray your password scheme.
Finally, if you want to ensure that your passwords are backed up and hard-drive-crash-proof, install Firefox Sync. It's a built-in feature of the upcoming Firefox 4, but it works well now to keep your passwords backed up to the cloud (or your own server, if you'd prefer). Using Sync for passwords requires both a standard password and a "secret phrase", so you might want to use your standard password root for the password, then write down your secret phrase on paper and store it secure, just in case.
Every browser: LastPass
If you're on a browser other than Firefox, or use more than one browser, we see LastPass as the best way to store your passwords and easily access them to automatically log into any site. I've previously detailed the winning characteristics of LastPass in a post on the easy, any-browser, any-os password solution. The short version: LastPass offers browser plug-ins for all the majors — Internet Explorer, Firefox, Chrome, Safari and Opera — along with stand-alone apps, portable apps and bookmarklets for use on other systems. You can also just get at your passwords by logging in at the LastPass site, and if you're ever in a cafe or other spot where you're not quite sure about the security, LastPass supports one-time passwords for extra security.
After signing up for a LastPass account and installing a plug-in for your current browser, you can save yourself a good bit of time by importing your passwords from that browser's password manager — look in the Tools section of the LastPass preferences for the option. You can also import passwords from nearly any notable browser or password/encryption manager through your "vault" on the LastPass site. But you'll likely populate LastPass as you go along, filling in your new, stronger passwords and allowing LastPass to save them. Once you're set up and comfortable, you'll also want to disable your browser's own password-saving system, so it stops nagging you, and wipe out any passwords already saved internally through your browser's preferences.
Finally, you'll want to take the same precautions with LastPass as we took with Firefox — set up a kind of Master Password to enable all the handy auto-filling. It's a setting ("Automatically logoff when all browsers are closed...") in the General section of the LastPass add-on preferences, and you should set a reasonable timeout for it — 15 minutes is about fine by my standards.
Other Password Systems
Firefox's built-in password manager and the LastPass plug-ins are far from the only computer tools for managing passwords. KeePass is a reader favourite, and it's a good bit more hands-on than LastPass or Firefox, requiring the user to be in charge of the "vault". But if you like that kind of independence, or want to try something different, check out KeePass or any of the best password managers out there.
Keep the Practice Going
The hardest part of fixing your faulty passwords? Having the will and conviction to recover, change and update your passwords on sites where you still remember your old, cruddy password. Password security is one area of computing where leaving well enough alone is a terrible idea.
My wife once used a simple nine-character password with a cute name involved to protect most of her accounts, including Gmail. After she got hacked and sent every single friend, co-worker, previous co-worker and even long-ago Craigslist contacts a message about "Hot Electronics Deals!3!#", she started gradually updating her web passwords whenever she had the time. You too should keep in mind that while it's an annoying five minutes to click a link, check an email and save a new password, it's an excruciating week of apologies, fixes and account recovery if your web life falls prey to a simple brute force password attack.
How have you fixed up your passwords without too much pain? What tools or tips made it simple to create a new security scheme? We welcome your tips in the comments.