I’m guessing you don’t leave all your bank statements in the front garden. But how easy would it be for someone to access them online? And what would a villain learn about you if she gained access to your Amazon account? At the very least, she’d know where you live and work and how much you’ve spent on gadgets in the last year. That’s bad enough. What if she discovered the same password unlocked your Gmail account, too? With access to your email, dodgy types can recover your password for many other websites, including pension and investment accounts.
You might be thinking, “Ha, but you need other information to access financial accounts – my mother’s maiden name, my hamster’s favourite colour, and my auntie’s inside leg measurement.” This is true, but have you shared that information elsewhere? Consider social media profiles and those pesky Facebook quizzes that were doing the rounds a few years ago.
Although there’s been a grudging recognition over the last few years that we need to try a bit harder with passwords, most of us reuse them across multiple sites and simply don’t change them often enough. If you’re in any doubt, take a look at haveibeenpwned.com. Type one of your favourite passwords, and it’ll tell you how many hackers have a record of it. You can also use this site to discover whether your email account has ever been hacked. It probably has.
The solution, as you might’ve guessed, is to use a unique and unguessable password for every website. Of course, few of us have the mental capacity to remember a tricky phrase for longer than five seconds. And we need dozens of passwords to navigate the 21st century. The answer is to use a password manager. In this post, I’ll explain how password managers work and how you can use them to make your life easier. I’ll also share an action plan to help you get started.
What is a password manager?
A password manager is a virtual vault where you can store login details. With the help of a browser extension, the password manager automatically fills in your username and password for websites so you don’t have to remember them. Most will generate a complex unique password and then save it for you. You can often specify the number of characters and whether it can include special characters. This is useful for institutions, such as banks, that have very specific requirements. If a website requests only certain characters from your password, you can look it up in your vault. Or you might ask your password manager to create a unique phrase that you’re more likely to remember.
Password managers make it much easier to use unguessable passwords (and you don’t need to write them on a Post-It note). They’ll also prod you if you’re using the same password across multiple sites. You’re usually prompted to login into your password manager every few days to ensure it’s still you. Naturally, this master password needs to be super secure and also something that you don’t need to write down. It’s a good idea to choose a phrase that’s meaningful to you, but isn’t obvious to anyone else – ProcrastinationIsTheThiefofTime, for instance (no, that’s not mine). You want a phrase that you can type reliably. Don’t forget, it shouldn’t be visible to anyone but you.
The two most popular password managers are 1Password and LastPass. The functionality is broadly similar, but only LastPass has a free version available. I think LastPass is easier to use and it takes just a few minutes to get everything set up on both your desktop/laptop and phone. With the paid version of LastPass, you also get 1Gb of secure storage space where you can safely stash important documents such as wills, passports, and birth certificates. You can also nominate a person who gets access to your account if you’re ill.
For me, one of the best features in LastPass is the ability to share passwords with other people. They can log in as you, but can’t see or change your password. This is handy if you want to give someone temporary access to your website to fix a problem (it’s never wise to email somebody an important password).If you’re comparing password managers, here are the three key features you’ll need:
- Save and fill passwords across all of your devices
- Secure password generation
- Alerts for insecure or duplicate passwords
How can you make your login even more secure?
A password is only one half of your login – anyone who has your email address is already 50% there. You don’t want 35 different email addresses, so what can you do to make them more secure? Well, it’s surprisingly easy to generate unique email addresses that all point to the same account.If you’re a GMail user, you can create infinite variations by adding a +. For instance, if your GMail address is MsMoneybags@gmail.com, you can also use MsMoneybagsemail@example.com. It’s a different email address, but it still lands in your usual inbox. This means you can easily use a unique email address for every website and your password manager will remember it for you. Most major email providers work in the same way, so give it a try.
This approach should also work if you have your own domain name and email address such as firstname.lastname@example.org. You could use email@example.com and firstname.lastname@example.org, without the need to tinker with your email settings.
Your Action Plan
Let’s put this all together in an action plan. It might feel overwhelming (and tedious) to change all of your passwords and email addresses right away, but here’s a plan to get you started:
- Choose a password manager (take a look at this review to help you choose)
- Install it on your computer and phone
- Generate unique secure passwords for your three most important accounts – for instance, this could be your email, Amazon, and your ISA.
- Once you’re used to your password manager, set yourself a target of updating at least one password each week, till they’re all secure.
- BONUS: Use the trick above to also create unique email addresses for your most sensitive accounts.
Using a password manager will probably be a bit irksome at first, but it’s much less annoying than dealing with the repercussions of a hacked account. Cybercrime is on the rise and we all need to make the effort to protect ourselves. An hour spent on setting up a password manager is an excellent investment of your time. Stay safe.