I recently received an email from a friend asking how to get out of “password hell” – i.e., having the same, low-security password on multiple sites, having old and outdated passwords, etc. The following reflects how I manage passwords and the advice I give to all my family members on this issue. You can find other and different strategies online, but this is what I recommend.
Use a Password Manager Like LastPass
I have used LastPass for many, many years and really like it. My wife is also a big LastPass user. I like LastPass for a variety of reasons:
- LastPass will automatically generate secure, unique passwords for you and then store them in a secure, encrypted vault. You don’t have to remember or write down any of these strong passwords. Instead, you remember a single passphrase for LastPass and LastPass will fill in your passwords.
- LastPass will fill in your user id and password automatically on all your devices, including desktop computers and mobile devices. LastPass works in web browsers but also fills in passwords in mobile apps.
To get started using LastPass, visit these links:
Fix Your Most Critical Passwords First
Generating new, strong, unique passwords for all the sites you use may seem like a monumental, daunting task. To tackle it, you need to prioritize. Here is the sequence in which I recommend setting up new passwords:
- Password Reset Vectors: The very first sites you want to address are those that can be used to reset your passwords (or to verify password resets). If you don’t have a strong password in these locations, you run the risk of a bad actor using them to reset all your other passwords. These include all your email accounts (Gmail, your ISP’s email account, iCloud, that old Yahoo.com email address you no longer use, etc.) and all your mobile device accounts (i.e., your login password at Verizon, Sprint, T-Mobile, AT&T, etc.)
- Cloud Storage and Service Providers: If you use cloud services (and did not use these services for email – in which case you would have already reset these passwords in step 1), do them next: Google, iCloud, Dropbox, Box, OneDrive, etc.
- Follow The Money: Set up strong passwords at all the places you have financial accounts as well as any site that may have the ability to draft money from your accounts. This includes banks, credit card companies, investment accounts, retirement accounts, utilities, cable companies, insurance companies, accountants, PayPal, etc.
- Social Media Accounts: Social media accounts often provide login services to other, third-party sites. They are also a common vector for identity theft. This includes Facebook, Twitter, Pinterest, Twitch, Reddit, etc.
- Online Shopping Accounts: Focus first on any online store that has stored your billing information, then move on to the others. This includes Amazon, eBay, Wal-Mart, Target, Costco, REI, CVS, Walgreens, etc.
- Streaming Media Accounts: Netflix, Hulu, Spotify, HBO, etc.
Set Up Two-Factor Authentication Anywhere You Can
Two-factor authentication (abbreviated “2FA”) is a system whereby a normal login with user id and password is supplemented by a second layer of security. Usually, this second layer requires access to a physical device like your mobile phone. When 2FA is properly set up, a person who somehow acquires your user id and password will remain unable to log in unless they also have your physical phone.
There are two common approaches to two-factor authentication: sending you a one-time numeric code that you enter after your user id and password, or using a special app that generates a one-time use code.
I use an app called Authy on my device to generate 2FA codes for those sites that support it, like Facebook, Google, Twitter, PayPal, etc. Not only does this app integrate with and generate 2FA codes for tons of sites, the Authy website also includes guides explaining how to set up 2FA at those sites. For example, here is their guide for setting up 2FA for Google and Gmail. Even if you choose to use another tool, these guides on the Authy website are well worth reading.
Eliminate Accounts You No Longer Use
You never know when a site is going to have a security breach. It’s always a good idea to completely close and eliminate accounts at sites you no longer use, to prevent these sites from becoming a source of problems for you. This is especially true for any sites that may have your billing information on file.
Review & Revoke Third-Party Access to Your Apps
Many apps and websites allow other apps to access your data, with your permission (usually). Over time, you may forget how many applications have access to your data in Google, Gmail, Facebook, Twitter, Spotify, etc. You should periodically review and revoke access for third-party apps you no longer use. The method for turning off third-party access varies from site to site, of course. Here are some guides for the most-used sites and applications:
- Google: Third-party sites & apps with access to your account
- Facebook: Help – App Visibility and Privacy
- Spotify: Link Spotify to other apps and revoke access – Spotify
- Twitter: About third-party apps and log in sessions
- Dropbox: How To Manage Third-Party Apps On Dropbox
- Instagram: More Control Over the Data You Share with Third-Party Apps