As a follow-up to my Why Use A Password Manager post, here is a guide that shows you how to create strong passwords, securely store them in a vault and use them more safely. By the end you will have the following installed and working:
- A password manager installed on your device.
- Your passwords stored in a protected vault.
- Your browser configured to work with your password manager.
- Stronger passwords for all your accounts.
- Two-factor authentication enabled for your secure services.
Doing so will reduce your chances of becoming a victim of identity theft without a bunch of hassle.
Back in 2015, I wrote a short piece titled “How to Protect Your Internet Passwords” to help my circle manage their online identities and limit the blast radius of a breach using a few simple solutions.
However, I recently discovered that most of my circle did not implement any of them. When the stove was hot everyone said they understood the risk, but a majority of the same folks also felt unable to use the solutions I provided.
In retrospect, I threw out the right information but failed to help the folks that really needed it by not recognizing the type of help they needed.
Meanwhile, breaches continue.
When someone asks you for help with a security breach, remember they are trusting you to help them on what might be the worst day of their life.
First, let me make sure we’re talking the same language…
| Term | Definition |
|---|---|
| device | your desktop, laptop, mobile phone or tablet |
| app(s) | software “applications” for desktop: Apple Mail (mail client), mobile: Twitter (social) or both: Google Chrome (browser) |
| identity | the answer to the question “who are you?”; can be your real name or a pseudonym that represents you to a web site or online group. Your identity is used to authenticate yourself to web sites you register with. |
| credential | username and password; proves your identity to a web site or service |
| secret | something kept hidden or unexplained from others, shared only confidentially with a few |
| username | a unique identity used to identify yourself to someone else, typically an email address (a universally unique locator for email) or a screen name like “jmac” (a unique name for a closed system or service) |
| password | a secret word or phrase that must be used to gain admission to something (e.g. a web site) |
| password manager | an app for storing your credentials, typically associated with a vault |
| vault | an encrypted storage area that prevents unauthorized access |
| encryption | the process of encoding a message or information in such a way that only authorized parties can access it and those who are not authorized cannot |
| master password | a single password used to access (encrypt, decrypt) the credentials stored in the password manager vault |
| privacy | For a password manager: only you have the keys to access your vault data; the vendor does not. For the web: LOL cool story bro – online privacy is dead. It is impossible to expect any when you share everything, with everyone, for free. |
| web service | any WWW location, viewed in a web browser or used (behind the scenes) by an app, to exchange information |
| bug bounty | compensation and recognition offered by software vendors and web sites to researchers who report defects in a safe manner |
The two most popular password managers are 1Password and LastPass, each having 15+ million users and 30,000+ business customers. Both have good features, decent security and work on almost every device. They make generating, protecting and using passwords safer and easier.
But…LastPass got hacked in 2015!?!? More on this in the next section…
The key feature behind both solutions is in their name: you only need to remember “one” master password (1Password) to access the vault that protects all of your other credentials, making your master password the “last password” (LastPass) you will ever need to remember.
Generally speaking, both employ a design that prevents your master password from ever being shared with anyone, including them (LastPass or 1Password), which means the only person who can unlock your vault and access your information is you.*
*…provided, you do not share your master password with anyone else!
Both also use similar security models, employing layers of encryption and other features to help protect your credentials “at rest” (while stored in a vault), “in transit” (while transported over the internet) and during “critical operations” (encryption/decryption during use) to protect your identity and your privacy.
Encryption is simple in principle and complicated in practice. For more information, check out How Last Pass Works and About the 1Password security model for details about how it is used to keep you safe.
This design is sometimes referred to as “end-to-end” (or E2E) encryption. This means:
- your data is only encrypted or decrypted on the device level
- your data is never written or transported unencrypted
- your unencrypted data is only available to you.
That means you can safely and securely access your vault, decrypt your passwords and use them from any supported device, anywhere in the world.
Caveat – NOTHING is 100% secure! Do not be fooled by anyone, including me! A highly motivated, well funded and extremely determined adversary will stop at nothing to get what they want from you. However, the majority of criminals are lazy and will use the easiest and cheapest methods to prey on the weak and land a quick score. Both vendors also offer two safeguards that matter here:
- Design Transparency – both document and publish their use of encryption to allow design scrutiny from security experts around the world.
- Bug Bounty – both support rewarding and recognizing security researchers that safely disclose issues so software security patches can be rapidly deployed to address any concerns found.
Why continue recommending LastPass? Simple: using LastPass is a 100% improvement over doing nothing. Sure, a seatbelt will not protect me from a Hellfire missile, but it will improve my chances of surviving a wreck on the highway.
As for cost, LastPass has a 100% free option while 1Password is free for 30 days.
If you use or prefer another password manager, continuously review the developer's reputation and community participation.
For all password managers, check for and apply software patches, and review the security options to ensure your critical data is safe.
Personally, I used LastPass for years with much success but recently migrated most of my credentials over to 1Password due to some additional features they have which I now find valuable. I continue to use LastPass for specific scenarios that are important to me.
Starting from your favorite desktop browser (Chrome, or Firefox), visit one of the following and create an account:
Both offer paid options for families and small groups as well as options for business. Pick whatever best fits your budget and your needs.
I will attempt to show you how both work throughout this guide.
Create Your Master Password
There are many suggestions for creating strong passwords that are hard to predict (high entropy). Basic suggestions include using unfamiliar phrases or song lyrics to achieve length with phrases you can still remember. To increase complexity, sprinkle in word capitalization or punctuation, or swap expected alphanumeric characters with alternatives.
When creating your master password, make sure it is long but easy for you to remember.
Others swear by opening a big dictionary to a random/different page 4-6 times and using the words you blindly pick to generate a strong password that is unpredictable.
Both LastPass and 1Password suggest using their password generators for your master password. This is ok but only if you think you can remember a generated password like “1;ihsdf@917td+aHD*&6087219…” which I cannot. However, both do offer to generate passwords using random words which are easier to memorize.
Pro Tip: Why not mix in even more strange ideas like using an uncommon misspelling of a common word or using different languages for random words in your password phrase?
The most important goal is to pick a password that has sufficient length and complexity, that you can also remember, but that is unpredictable to friends and strangers alike.
Pro Tip: Commit your new master password to memory! Do NOT write down your new master password for someone else to find or discover by accident. If you have memorization issues, write down the password on a slip of paper and keep it under lock and key.
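The random-word approach above (the dictionary trick and the vendors' word-based generators) is easy to reason about in code. The following is an added example, not code from the post or from either vendor: it picks words with the operating system's cryptographic random source and computes how many bits of entropy a passphrase carries, so you can see why the size of the word list and the number of words matter more than clever spelling. The word list is a constructed stand-in; the entropy figures for 7,776 words correspond to a diceware-sized list.

```python
import math
import secrets

# Constructed sample word list. A real generator draws from a large list
# (diceware-style lists have 7,776 words); this short list only illustrates
# the method, so passphrases built from it carry far fewer bits per word.
WORDLIST = [
    "amber", "basket", "canyon", "dolphin", "ember", "fossil", "glacier",
    "harbor", "island", "jungle", "kettle", "lantern", "meadow", "nectar",
    "orchid", "pebble",
]


def passphrase_entropy_bits(list_size: int, word_count: int) -> float:
    """Bits of entropy for `word_count` words chosen uniformly from `list_size` words.

    Each word contributes log2(list_size) bits; the words are independent, so
    the contributions add. Capitalization or character swaps chosen by a human
    add little, because an attacker can enumerate those variations cheaply.
    """
    return word_count * math.log2(list_size)


def words_needed(list_size: int, target_bits: float) -> int:
    """Smallest number of words from a list of `list_size` that reaches `target_bits`."""
    return math.ceil(target_bits / math.log2(list_size))


def generate_passphrase(word_count: int = 6, wordlist=WORDLIST, separator: str = "-") -> str:
    """Build a passphrase from uniformly random words.

    secrets.choice uses the OS cryptographic random source; random.choice
    (the Mersenne Twister) is predictable and must not be used for secrets.
    """
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    phrase = generate_passphrase(6)
    print(phrase)
    print(f"{passphrase_entropy_bits(len(WORDLIST), 6):.1f} bits from the sample list")
    print(f"{passphrase_entropy_bits(7776, 6):.1f} bits from a 7,776-word list")
    print(f"{words_needed(7776, 80)} words needed for 80 bits with 7,776 words")
```

Six words from a 7,776-word list give about 77.5 bits, while six words from the sixteen-word sample list give only 24 bits; the list size, not the spelling tricks, carries the strength.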
Get the Apps
Both solutions offer an app that you can install on most of your devices. Once your account is created, the 1Password app is available for your computer, tablet or phone.
- Download and install 1Password (Mac, iOS, Windows, Android).
- Open the app and Scan your Setup Code
- Scan the QR code from the 1Password.com site (you must be logged in)
- Enter the Master Password and Click Sign in.
Get Your Passwords into the Manager
After you install 1Password, start using the 1Password browser extension immediately.
You can install the browser extension from within the 1Password app running on your Mac or PC.
- Click the 1Password menu
- Select Install Browser Extensions
- Follow the instructions to complete the browser setup.
Once installed, visit a web service that you know has a weak password and log in. The browser extension will recognize that you entered what looks like a credential and will ask you if you want to store it. Say yes!
Huzzah! You just saved your first credential into your new password manager by simply logging into one of your sites and confirming you want the manager to save the credential. Easy!
Great! Now what? Simple: rinse and repeat until all of the web services you use that ask you to register and login are added to your vault.
Pro Tip: open all your bookmarks (one at a time)!
Fixing the Weak Links
The most important thing you must do next is replace all of your short, easy to guess and reused passwords with strong, impossible to remember, complex passwords that are generated by your password manager.
Doing so will fix the most common problems with your passwords today:
- short passwords
- easy to guess passwords
- password reuse (e.g. same one for both Facebook and your bank).
- passwords that have been publicly exposed by a breach
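Once your credentials are in the vault, the four problems listed above can be checked mechanically. The following is an added example, not a feature of 1Password or LastPass: it audits a constructed vault export for short passwords, passwords with little character variety, passwords reused across sites, and passwords that appear on a list of known-exposed values. The vault entries and the exposed-password set are made up for the example; a real audit would use your manager's export and a real breach corpus.

```python
from collections import defaultdict

# Constructed sample vault export: (site, username, password). All values are made up.
VAULT = [
    ("facebook.example", "jmac@example.com", "Summer2015"),
    ("bank.example", "jmac@example.com", "Summer2015"),
    ("shop.example", "jmac", "hunter2"),
    ("code.example", "jmac", "x7$Lq!2vNp9#Rt4w"),
]

# Constructed stand-in for a set of passwords known to have appeared in a breach.
KNOWN_EXPOSED = {"Summer2015", "hunter2"}


def character_classes(password: str) -> int:
    """Count which of lower, upper, digit and symbol classes the password uses."""
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ]
    return sum(classes)


def audit_vault(entries, exposed=KNOWN_EXPOSED, min_length=12, min_classes=3):
    """Return {site: [issues]} for every entry with at least one weakness.

    Issues map to the post's list: "short", "guessable" (too few character
    classes), "reused" (same password on more than one site) and "exposed"
    (present in the known-exposed set). Sites with no issues are omitted.
    """
    sites_by_password = defaultdict(list)
    for site, _user, password in entries:
        sites_by_password[password].append(site)

    findings = {}
    for site, _user, password in entries:
        issues = []
        if len(password) < min_length:
            issues.append("short")
        if character_classes(password) < min_classes:
            issues.append("guessable")
        if len(sites_by_password[password]) > 1:
            issues.append("reused")
        if password in exposed:
            issues.append("exposed")
        if issues:
            findings[site] = issues
    return findings
```

Every flagged site is a candidate for the generated replacement password described above; the unflagged entry shows what a generated one looks like to the audit.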