Nobody wants to spend their weekend doing paperwork. Nobody wants to spend several evenings in a row sitting over a laptop and slowly digging through every online account they have, resetting every password and carefully documenting everything in a secure password manager. I know this better than anyone, because I forced myself to do it.
Here’s the thing though, EVERYBODY should do it. As soon as possible.
Over a month ago, I took it upon myself to fully audit and change every single personal password I have. I had been using a password manager for many, many years, but after a while, it started to get a little messy. There were plenty of duplicate entries with older passwords, generated passwords that weren’t clearly labeled, and old accounts that didn’t exist anymore.
Triggered by my desire to tidy up my password manager, I was also inspired by the recent announcement that last year’s LastPass data breach included unauthorized access to customer password vaults. I won’t bore you with the technical details. Essentially, the password vaults are encrypted, and the only way to get at the passwords inside is to know the individual user’s LastPass Master Password. But that means just one password separates your passwords from cybercriminals, and with the vaults stolen, all a criminal needs to do is run software that guesses Master Passwords against the stolen copy, continuously, until one works.
In other words, it’s a bad situation, and if you have been using LastPass, we recommend you immediately change your LastPass Master Password, audit every account stored in your vault, and change each of their passwords.
I had over 400 entries in my personal password manager, so if I were to find myself in a situation where I needed to scramble to change passwords and try to gain control over my online identity, I would have to set aside several days. So even though I wasn’t personally facing any urgency (my accounts were mostly secure and set up with two-factor and I always use strong passwords), I felt a strong need to get my personal cybersecurity in check.
It sucked, but I’m so glad I did it.
So here’s what I did. Get yourself a drink and a snack, cut up a charcuterie board, and get ready to sit still for a while.
Before we get started, let’s go over the goals of this exercise.
It’s likely that you are relying on your web browser to store your passwords for you. While this is generally better than nothing, it means the strength of your online security depends on how secure your browser and the account behind it are. Inherently, it’s probably fairly secure, but that all falls apart if you do something insecure. For example, logging into a public computer, installing an extension that isn’t secure, or getting infected with malware could expose those passwords.
TIP: Don’t depend on your browser to save passwords! Once you are done with all of this, you are going to turn that feature off.
There are plenty of password managers out there, including Keeper, 1Password, Dashlane, LastPass, Bitwarden, and more. Depending on when you are reading this guide, we might have different suggestions (this industry ebbs and flows a lot), so be sure to reach out if you want our suggestion. You can give us a call at (405) 494-0828 and ask what password manager we would recommend for you and for your business.
Whichever password manager you select, they all generally work the same way.
Create an account with your email address, and set up a strong, secure password.
This is going to be one of the few passwords you will need to memorize, but it also has to be extremely secure. Don’t EVER use the same password in multiple places; reusing passwords is how most people get hacked.
For this password, use a passphrase. Instead of randomly mashing on the keyboard, you can pick three or four random words and mix in some numbers, make some letters capitalized, and add a few symbols to make it secure. Use a site like https://randomwordgenerator.com to give you the random words. Here’s a fun comic about how this is more secure than short, random passwords.
Another method that I like to use is to take a song that gets stuck in my head and derive a password from it. For example, take The Proclaimers’ hit 500 Miles, take the first letter from each word or syllable, and mix in numbers, symbols, and capital letters in a way that makes sense to you. You can quickly generate a password that you’ll never forget how to type.
Obviously, don’t copy this example, but here’s what I mean:
The lyrics from 500 miles go something like this:
When I wake up, well I know I'm gonna be,
I'm gonna be the man who wakes up next to you
…
And I would walk 500 miles
wiwuwikigbigbtmwwuntyaIww500m
It’s a good start. Now let’s make some letters capitalized…
WIWUwikigbigbtmwWUNTYaIWW500m
And finally, we’ll swap out some letters for symbols. Hey, just so we can remember it easily, every time they use the word “up” let’s use the ^ symbol, and change the a that stands for “and” to &. “To” can become the number 2 as well, just to throw in another number, and we’ll throw in an exclamation point as a cherry on top.
WIW^wikigbigbtmwW^N2U&IWW500m!
That’s a 30-character password that is easy to memorize and type out, and the only downside is that it might get the song stuck in your head every time you go to use it. If a cybercriminal programs a computer to try to guess that password, and that computer could make a billion guesses every second, it theoretically would still be guessing long after our sun burns out.
If your password were only 8 characters, it could be guessed in this manner within an hour.
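To put some numbers behind the two estimates above, here is a small keyspace calculator. It is an added example, not part of the original post: it models the exhaustive-search case the text describes (an attacker trying every possible string at a billion guesses per second), measures the 30-character example password from above, and shows why length matters so much more than cleverness. The alphabet sizes are the standard ones (26 lowercase, 26 uppercase, 10 digits, 33 printable symbols), and the "sun burns out" comparison assumes roughly 5 billion years of remaining solar lifetime. The post's "within an hour" figure for 8 characters holds for a lowercase-plus-digits alphabet.

```python
import math

# Standard alphabet sizes used for the estimates in this example.
ALPHABETS = {
    "lowercase only": 26,
    "lowercase + digits": 36,
    "mixed case + digits": 62,
    "all printable ASCII": 95,
}

# Assumed figure: about 5 billion years left before the sun burns out.
SUN_REMAINING_SECONDS = 5e9 * 365.25 * 24 * 3600


def alphabet_size_of(password: str) -> int:
    """Size of the smallest standard alphabet containing every character in `password`.

    This is the alphabet an attacker must cover if they know which character
    classes you used but nothing else about the password.
    """
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33  # printable ASCII symbols, including space
    return size


def seconds_to_exhaust(length: int, alphabet_size: int, guesses_per_second: float = 1e9) -> float:
    """Worst-case time to try every string of `length` characters over the alphabet."""
    return alphabet_size ** length / guesses_per_second


def describe(seconds: float) -> str:
    """Human-readable duration, capped at the sun's remaining lifetime."""
    if seconds >= SUN_REMAINING_SECONDS:
        return "longer than the sun's remaining lifetime"
    for unit, size in (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


def bits_of_entropy(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password of this length and alphabet, in bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # The song-derived password from the post (constructed example input).
    example = "WIW^wikigbigbtmwW^N2U&IWW500m!"
    size = alphabet_size_of(example)
    print(f"{len(example)} chars over {size} symbols: "
          f"{describe(seconds_to_exhaust(len(example), size))}")
    for name, size in ALPHABETS.items():
        for length in (8, 12, 16, 30):
            print(f"{length:>2} chars, {name:<20}: "
                  f"{bits_of_entropy(length, size):5.1f} bits, "
                  f"{describe(seconds_to_exhaust(length, size))}")
```

The calculation is a worst case for the attacker: it assumes they have to try every combination. A password built from a song lyric is not uniformly random, so treat the "bits" figure as an upper bound and the length as the thing you control.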
You might decide there are a couple other accounts where you want to generate a password like this that you can memorize. For me, that’s my Microsoft and Gmail accounts, because I feel like I’m always logging into those. For everything else, I’m letting the password manager generate a password for me, and I’m never going to bother trying to memorize those.
The next thing you need is an authenticator app, and you likely have one already. Apps like Microsoft Authenticator, Google Authenticator, Duo, and Authy let you scan a site’s 2FA QR code and then generate the 6-digit numbers you use to log into sites that support 2FA.
I ended up using Google Authenticator because I was already using it for my personal accounts, but it’s worth exploring other options, because Google Authenticator gets a little hard to manage when you have dozens of accounts in it. Either way, you can always log in and use a different app down the road, so you aren’t stuck with one thing; you just need to commit the time it takes to log in to your accounts, generate a new QR code, and scan it into a different application.
Two-factor authentication means that even if someone guesses your password, they still need to prove they are you before they can get into your account. At a minimum, set it up for those extremely important accounts like your email, your Google account, your domain registrar, your hosting, and any other critical accounts.
Here’s where the mundane slog of digital security rears its ugly head. This is going to be a boring, arduous process, especially if you have a lot of accounts. I mentioned I had over 400 accounts—I ended up with fewer than 200 by the end. Many sites and services no longer existed, or I was able to delete my information and remove the account from the site/service entirely.
While most people probably won’t have quite as many passwords as I do, don’t expect to do this in one sitting. Take it slow, document everything you do, and take a little time to look for security settings like two-factor authentication, and to verify the email and phone numbers tied to each account. If you have an old Yahoo account that you used to use but no longer have access to, you’ll want to update your email on any accounts tied to it.
Since I was moving from one password manager to another, I would label the old entry in the older account with a Z in its name (so the item “Facebook.com” was changed to “Z-Facebook.com” after I updated everything). This forced it to the bottom of the list, and ensured I didn’t miss something.
I let the password manager generate a secure password with capital/lowercase letters, numbers, and symbols. My standard was 36 characters, although some sites forced me to use 16-31 character passwords.
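As an added example, not the post's own code or that of any password manager, here is what "let the password manager generate it" amounts to: a password drawn with a cryptographic random source from the full alphabet, with a check that every character class is present, and a length parameter for the sites that cap passwords below 36 characters. The symbol set is one chosen for this example; many sites restrict which symbols they accept, so it is a parameter.

```python
import secrets
import string

# Symbol set chosen for this example; pass a narrower one for picky sites.
SYMBOLS = "!@#$%^&*()-_=+[]{}:;,.?"


def character_classes(symbols: str = SYMBOLS):
    return (string.ascii_lowercase, string.ascii_uppercase, string.digits, symbols)


def has_all_classes(password: str, symbols: str = SYMBOLS) -> bool:
    """True if the password contains at least one character from every class."""
    return all(any(c in cls for c in password) for cls in character_classes(symbols))


def generate_password(length: int = 36, symbols: str = SYMBOLS) -> str:
    """Uniformly random password of `length` characters containing every class.

    Rejection sampling (draw, check, redraw) keeps every acceptable password
    equally likely; placing one forced character per class and shuffling would
    bias the distribution instead.
    """
    if length < len(character_classes(symbols)):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(character_classes(symbols))
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if has_all_classes(candidate, symbols):
            return candidate


if __name__ == "__main__":
    print(generate_password())          # 36 characters, the post's standard
    print(generate_password(16))        # for a site that caps the length at 16
    print(generate_password(20, "-_.")) # for a site that only allows a few symbols
```

`secrets.choice` is the important part: it reads from the operating system's cryptographic random source, unlike `random.choice`, which is seeded predictably and must never be used for passwords or keys.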
You know that feeling you get when you tackle a task that you’ve put off for a long time—cleaning the garage, or finally fixing that loose step on the back porch? The task that’s never really THAT hard to do, it just takes time and motivation, and when it’s done, you can release that big sigh of relief and move on with your life?
That’s what this felt like. I knew I wasn’t in immediate danger, and I knew I could rely on my strong password habits and my mostly-enthusiastic use of 2FA to keep me generally safe online, but now I’m organized, and everything is as secure as humanly possible. Unless my password manager gets hacked, I’ll likely never need to go through this whole process again, and if I do, it will be much faster because everything is organized neatly in my password manager, and I intend to keep it that way. I’ll likely change the passwords on a handful of accounts every few months like I normally do, but changing them is as simple as a couple of clicks, and letting the password manager remember an entirely new password. It was getting everything in there the first time that took the most time.
Here’s the thing: you’ll want to make sure nothing else is storing your passwords, so disable password saving in Google Chrome and in any other service that offers to save a password for you, so that only your password manager knows your actual passwords.
When it comes to securing your personal accounts, at least you can do it in sweatpants while binging Better Call Saul for the third time, but these practices should be applied to your business too. We can help your organization establish a centralized password manager that lets you control the security of every account your employees have access to. This helps ensure that your staff will use secure passwords, and makes it much easier for everyone to get access to the accounts and services they need.
To set this up for your business, give us a call at (405) 494-0828.