How many passwords do you have? 20? 80? 200? 300? If you have a unique password for each account, as you should, that number climbs quickly. How can a person possibly create and manage that many passwords? Even if you find a way to handle passwords at home or work, what do you do when you’re away from those places?
Fortunately, there are password managers that answer these questions. I’ve been using the LastPass password manager for years, and I highly recommend it. Let me give you a few tips for creating and managing strong passwords with LastPass.
Note: this page contains affiliate links. Please see Affiliate Disclosure.
Passwords are still extremely common, despite some progress towards replacing passwords with biometrics and other authentication methods. LastPass found that the average employee using its password manager is managing 191 passwords! That means you’re frequently asked to create and remember passwords. This results in a number of practices that reduce security.
1. Short Passwords
When people think they need to remember all their passwords, they create short passwords that are easier to remember. The shorter a password, the easier and faster it is to crack with password-cracking software, because every character you drop shrinks the number of combinations the software has to try. Against a fast, unsalted hash, a modern GPU rig tries billions of guesses per second, so an eight-character password of random characters can be exhausted in days, and a short dictionary word in seconds.
2. Simple Passwords
Another thing people do when they think they need to remember all their passwords is create passwords made up of common words you’d find in a dictionary (such as monkey), or memorable letter or number sequences (such as 123456 or qwerty). Such simple passwords are easy to crack using password-cracking software, which tries common words, keyboard sequences and previously leaked passwords first, and applies simple mangling rules (capitalising the first letter, appending a digit or a year) to each of them before it ever resorts to brute force.
3. Duplicate Passwords
Another thing people do when they think they need to remember all their passwords is reuse the same password(s) across multiple accounts. According to Marc Goodman in Future Crimes, 75% of people use the same password for multiple websites, and 30% use the same login info for all their online activities.
Think of the physical keys you use. What if you used the same key for your house, car, safe, workplace, etc.? If you lost that key, and someone found it, they would immediately be able to access not just one property but several, or all. The same principle applies to passwords, which are digital keys. If you use the same password for multiple accounts, and someone gets that password, then they immediately have the ability to access many of your accounts.
4. Insecurely Storing Passwords
When people decide that they shouldn’t use the same password for everything, they realize they’re going to need to record their multiple passwords. I’ve seen people use Post-It notes on their monitors, a text file on their computer, a Google Doc, a draft email, and other methods that aren’t secure. These containers have few barriers to prevent people from finding the passwords they contain.
5. Not Changing Passwords After Breaches
No matter how careful you are about your personal cybersecurity, it’s inevitable that organizations will suffer data breaches, and your passwords will be leaked. We hope that every organization stores passwords properly, which means not encrypting them but hashing them with a salted, deliberately slow algorithm such as bcrypt or PBKDF2, but sadly some still keep them in plaintext or use a fast, unsalted hash. And even a properly hashed password can be cracked offline once the hash is leaked, if the password itself is short, common, or reused.
If you don’t change your password for an account after a breach affects that account, it’s only a matter of time before someone uses your password to access your account. This is especially dangerous if you use that same password for multiple accounts, because attackers take the leaked username and password pairs and automatically replay them against other popular sites (a technique called credential stuffing).
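To make the two points above concrete (dictionary words fall instantly, and how a site stores passwords decides how far a leak goes), here is an added example, not code from the original article. It runs a constructed six-word wordlist against passwords stored two ways: a bare, unsalted SHA-256 hash, and a per-user salted PBKDF2-HMAC-SHA256 hash. The usernames, passwords and the 100,000 iteration count are assumptions for the demo; real deployments use higher counts and real crackers use wordlists of hundreds of millions of entries.

```python
import hashlib
import hmac
import os

# Constructed wordlist of the kind of passwords the article warns about.
WORDLIST = ["123456", "password", "qwerty", "monkey", "letmein", "dragon"]
ITERATIONS = 100_000  # assumption for the demo; production uses more

# Constructed accounts: two users share a dictionary word, one uses a random password.
SAMPLE_USERS = {"alice": "monkey", "bob": "monkey", "carol": "Vq7!rT2m#zL9pW4e"}


def fast_hash(password: str) -> str:
    """Unsalted SHA-256: what a careless site might store."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: a deliberately slow, per-user hash."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_stores(users: dict) -> tuple:
    """Return (unsalted store, salted store) for the same users."""
    fast = {u: fast_hash(p) for u, p in users.items()}
    slow = {}
    for u, p in users.items():
        salt = os.urandom(16)          # fresh random salt per user
        slow[u] = (salt, slow_hash(p, salt))
    return fast, slow


def crack_fast(stored: dict) -> dict:
    """Dictionary attack on unsalted hashes. One table of len(WORDLIST) hashes
    covers every user at once, because identical passwords give identical hashes."""
    lookup = {fast_hash(w): w for w in WORDLIST}
    return {user: lookup[h] for user, h in stored.items() if h in lookup}


def crack_slow(stored: dict, iterations: int = ITERATIONS) -> tuple:
    """Same attack on salted PBKDF2. Every candidate must be hashed again for
    every user (the salt differs), and each hash costs `iterations` rounds.
    Returns (passwords found, number of PBKDF2 evaluations spent)."""
    found, work = {}, 0
    for user, (salt, digest) in stored.items():
        for w in WORDLIST:
            work += 1
            if hmac.compare_digest(slow_hash(w, salt, iterations), digest):
                found[user] = w
                break
    return found, work


if __name__ == "__main__":
    fast_store, slow_store = build_stores(SAMPLE_USERS)
    print("unsalted SHA-256 cracked:", crack_fast(fast_store))
    found, work = crack_slow(slow_store)
    print("salted PBKDF2 cracked:", found, "after", work, "slow hashes")
```

Both stores give up "monkey" for alice and bob, because a dictionary word is a dictionary word whichever way it is hashed; carol's random password survives both. The difference is cost and scope: the unsalted store is cracked with six cheap hashes for all users at once and reveals at a glance that alice and bob share a password, while the salted, slow store makes the attacker pay the full iteration count per candidate per user and hides the duplicate.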
6. Insecurely Sharing Passwords
Although it’s always best to have your own credentials for an account, sometimes that’s not an option, and you need to share an account. For example, most of the websites for my utilities companies don’t let me create multiple users, so I need to share those accounts with my wife. If you send passwords through email or another insecure messaging system, you run the risk of those passwords falling into the wrong hands.
7. Entering Passwords into Phishing Sites
A phishing site is a website that’s designed to look like a legitimate site, so that you feel comfortable logging into it. For example, you receive an email or text with a link to your bank’s website. You click the link, recognize the bank’s website, and log in. However, you didn’t realize that it was a phishing email or text, and a phishing website. Now you’ve given up your username and password.
How to Increase Your Security
Fortunately, there’s one tool that can greatly alleviate all these problems! It’s called a password manager. There are many options. I’ve been using LastPass for years, and I highly recommend it.
I’ll show you how LastPass helps you create and manage passwords.
Here’s a brief overview of how LastPass works:
- LastPass lets you create and manage passwords from your computer, phone, and/or tablet, and securely syncs your passwords to their servers.
- There are browser extensions for several browsers, and apps for mobile operating systems.
- You need to enter your master password to unlock your password “vault.”
- Because your vault is encrypted on your device before it’s synced to LastPass’ servers, neither LastPass nor anyone else who obtained a copy of your vault could read your passwords out of it directly. The one thing such a person could do is guess master passwords offline against that copy, so this protection is only as strong as your master password.
There’s a lot more to know about LastPass, which you can learn from their website. I’m going to focus on how LastPass solves the seven specific problems I discussed above.
1. Longer Passwords
You can use LastPass to create new passwords. One of the settings is Password Length. Each additional character multiplies the number of possible passwords by the size of the character set, so strength grows exponentially with length, and the longer the password, the better. However, most websites and apps have limits on how many characters you can use in a password. I recommend using at least 15 characters. I use 20. If an account says you’ve used too many characters, you can reduce the number until you reach the maximum allowed.
LastPass’ Security Challenge analyzes your passwords and tells you which ones are weak. It can even automatically change some of them for you.
2. More Complex Passwords
LastPass’ password generator has Advanced Options that allow you to select the classes of characters used in your passwords. Those are uppercase letters, lowercase letters, numbers, and symbols (sometimes called special characters). I recommend checking the box for all 4 classes. If an account says you’ve used a disallowed character, just replace that character with one that is allowed.
Again, LastPass’ Security Challenge analyzes your passwords and tells you which ones are weak. It can even automatically change some of them for you.
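The two settings just discussed, length and character classes, are what any generator works from. The following is an added example written for this article, not LastPass’ own generator code: it draws from the OS random source, guarantees that every selected class appears, lets you restrict the symbol set for a site that rejects some characters (so you never have to hand-edit a generated password), and computes the resulting entropy. The symbol set and the 10^10 guesses-per-second rate are assumptions for illustration.

```python
import math
import secrets
import string

# The four classes the generator's Advanced Options expose.
# The symbol set is an assumption; sites differ in what they accept.
CLASSES = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "symbols": "!@#$%^&*()-_=+[]{};:,.?",
}


def generate_password(length: int = 20, classes: tuple = tuple(CLASSES),
                      allowed_symbols: str = None) -> str:
    """Return a random password of `length` characters containing at least
    one character from every class in `classes`.

    `allowed_symbols` restricts the symbol class for sites that reject some
    characters; regenerating with a restricted set keeps every position random,
    unlike replacing a rejected character by hand."""
    if length < len(classes):
        raise ValueError("length must be at least the number of required classes")
    pools = {c: CLASSES[c] for c in classes}
    if allowed_symbols is not None and "symbols" in pools:
        pools["symbols"] = allowed_symbols
    alphabet = "".join(pools.values())
    # Rejection sampling: draw uniformly from the whole alphabet with the OS
    # CSPRNG (`secrets`, never `random`) and retry until every class is present.
    # Accepted passwords stay uniformly distributed over the allowed set.
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in pool for ch in candidate) for pool in pools.values()):
            return candidate


def present_classes(password: str) -> set:
    """Which of the four classes actually occur in `password`."""
    return {name for name, pool in CLASSES.items() if any(ch in pool for ch in password)}


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(bits: float, guesses_per_second: float = 1e10) -> float:
    """Worst-case time to try every password at a given guess rate.
    10^10/s is the order of a GPU rig against a fast hash (assumption)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, present_classes(pw))
    alphabet = sum(len(p) for p in CLASSES.values())
    for n in (8, 15, 20):
        bits = entropy_bits(n, alphabet)
        print(f"{n} chars over {alphabet} symbols: {bits:.1f} bits, "
              f"{years_to_exhaust(bits):.3g} years to exhaust")
```

With all four classes the alphabet is 85 characters, so the article’s 15-character minimum gives about 96 bits and the 20-character default about 128 bits; an 8-character lowercase word gives under 38 bits and is exhausted in seconds at the assumed rate. The per-character calculation only holds for random output: a human-chosen password of the same length has far less entropy, which is the whole reason to let the generator choose.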
3. Unique Passwords
This is where LastPass really shines. Because LastPass makes it so easy to create and store passwords, there’s no reason not to create a unique password for every account.
LastPass’ Security Challenge analyzes your passwords and tells you which ones are duplicates.
4. Securely Storing Passwords
As I mentioned earlier, LastPass stores your passwords securely. LastPass says,
We’ve implemented AES-256 bit encryption with PBKDF2 SHA-256 and salted hashes to ensure complete security in the cloud.
Your data is encrypted and decrypted at the device level. Data stored in your vault is kept secret, even from LastPass. Your master password, and the keys used to encrypt and decrypt data, are never sent to LastPass’ servers, and are never accessible by LastPass.
To open your vault, you must enter your master password. Everything rests on that one password: it is the only secret that goes into the key that encrypts your vault, and anyone holding a copy of the encrypted vault can try master-password guesses offline, where nothing LastPass does can slow them down. Make it long (a passphrase of several random words works well), make it unique, and never reuse it on any other site.
You can manually log out of the LastPass browser extension or app any time you want. You can set your browser extension or app to automatically log you out of LastPass when you close all your browsers, and/or when you’ve been idle for a certain number of minutes.
You can set individual passwords (and notes) to prompt for your master password again, even if you’re already logged in. I recommend doing this for sensitive accounts (financial, medical, etc.).
LastPass supports several forms of multifactor authentication. I highly recommend enabling one or more of them! If you try to log in from a new device (one you haven’t told LastPass to remember), LastPass will require you to authenticate yourself with another factor. Keep in mind what this does and does not protect: the second factor is checked by LastPass’ servers before they hand over your vault, so it stops someone who has only your master password, but it adds nothing to the encryption of the vault itself. Against an attacker who has already obtained a copy of the encrypted vault, your master password is still the only defence.
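The quoted description (PBKDF2-SHA256, salted hashes, encryption and decryption on the device, nothing usable stored server-side) describes a design that is easier to trust once you have seen the moving parts. What follows is an added, simplified model of that design, written for this article; it is not LastPass’ code and makes no claim about the exact derivations or iteration counts LastPass uses. The Python standard library has no AES, so the vault cipher here is an HMAC-SHA256 keystream with an HMAC tag, standing in for AES-256; the 100,000 iteration count, the sample account and the vault contents are constructed for the demo. It shows why the server can check a login (and a second factor) without ever learning the vault key, and why a copy of the encrypted vault is still open to offline guessing of a weak master password.

```python
import hashlib
import hmac
import json
import os

ITERATIONS = 100_000  # assumption for the demo; production uses more


def derive_vault_key(master_password: str, email: str, iterations: int = ITERATIONS) -> bytes:
    """Client side only. The account e-mail acts as the salt, so two users with
    the same master password still get different keys."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), email.lower().encode(), iterations)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side. A separate one-way value sent to the server to authenticate;
    it cannot be reversed into the vault key."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in for AES-256 (stdlib has no AES): HMAC-SHA256 in counter mode.
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _subkeys(vault_key: bytes) -> tuple:
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    return enc_key, mac_key


def encrypt_vault(vault_key: bytes, vault: dict) -> bytes:
    """Client side: encrypt-then-MAC. Output = nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(vault_key)
    plaintext = json.dumps(vault).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(vault_key: bytes, blob: bytes):
    """Client side. Returns the vault dict, or None if the key is wrong
    (tag check fails) or the blob was tampered with."""
    enc_key, mac_key = _subkeys(vault_key)
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    plaintext = bytes(a ^ b for a, b in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class Server:
    """Holds only a salted hash of the login hash plus the encrypted blob.
    Nothing here lets the server compute the vault key."""

    def __init__(self):
        self.accounts = {}

    def register(self, email: str, login_hash: bytes, blob: bytes) -> None:
        salt = os.urandom(16)
        verifier = hashlib.pbkdf2_hmac("sha256", login_hash, salt, ITERATIONS)
        self.accounts[email] = {"salt": salt, "verifier": verifier, "blob": blob}

    def login(self, email: str, login_hash: bytes, mfa_ok: bool):
        """Return the blob only if the second factor passed and the login hash
        matches. MFA gates delivery of the blob; it does not change the encryption."""
        acct = self.accounts.get(email)
        if acct is None or not mfa_ok:
            return None
        candidate = hashlib.pbkdf2_hmac("sha256", login_hash, acct["salt"], ITERATIONS)
        return acct["blob"] if hmac.compare_digest(candidate, acct["verifier"]) else None


def offline_guess(blob: bytes, email: str, candidates: list):
    """What an attacker holding a copy of the blob can do: no server, no MFA,
    just PBKDF2 per candidate. Returns the master password if a guess decrypts."""
    for guess in candidates:
        if decrypt_vault(derive_vault_key(guess, email), blob) is not None:
            return guess
    return None
```

The login path never transmits the master password or the vault key, only the login hash, and the server hashes that again with its own salt before storing it. The second factor sits inside `Server.login`, which is why it helps against a stolen master password but not against a stolen blob: `offline_guess` never calls the server at all, and its cost per guess is one PBKDF2 run, so the master password and the iteration count are the only things that make it slow.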
5. Breach Alerts
LastPass automatically informs you when your email address has been exposed in a data breach, and which breach it was. That way, you know which password you should change.
6. Securely Sharing Passwords
LastPass provides an extremely simple yet secure way to share passwords with other LastPass users. You can even share the password without allowing the recipient to see the password. That way, they can use the password to log in, but they’re not shown what the password is. You can even unshare passwords when the time comes. Treat the hidden-password option as a convenience, not a security boundary: to fill the login form, the recipient’s browser extension must decrypt the password on their machine, so a technically inclined recipient can recover it (for example, from the filled form field with their browser’s developer tools). Only share a password with someone you would trust to see it, and change it when you unshare.
7. Doesn’t Autofill Phishing Websites
LastPass knows the website that your password goes to. For example, if you save a password for Bank of America, LastPass will save the website as bankofamerica.com. If you land on a phishing site that looks like the Bank of America site, but uses a different domain (such as bankofanerica.com), LastPass won’t show any matching passwords. When this happens, stop and carefully study the site to see if this is a phishing attempt. Never work around it by opening the entry in your vault and pasting the password in by hand; the missing match is the warning.
Note: technically, LastPass looks at the domain, not the website. I used the word website for simplicity.
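The domain comparison that makes this work is simple to state but has edge cases worth seeing. Below is an added example written for this article, not LastPass’ matching code: it reduces a URL to its registrable domain (public suffix plus one label) and checks it against saved entries. The tiny suffix set and the sample vault are constructed for the demo; a real implementation loads the full public suffix list. It shows the three cases that matter: a subdomain of the real site matches, the misspelled lookalike from the article does not, and neither does a host that merely begins with the real domain.

```python
from typing import Optional
from urllib.parse import urlsplit

# Constructed stand-in for the public suffix list (publicsuffix.org).
PUBLIC_SUFFIXES = {"com", "net", "org", "co.uk"}

# Constructed vault entries; the domain is what was saved at login time.
SAMPLE_VAULT = [
    {"name": "Bank of America", "domain": "bankofamerica.com", "username": "alice"},
    {"name": "Example Utility", "domain": "example.co.uk", "username": "alice"},
]


def registrable_domain(url: str) -> Optional[str]:
    """Return the registrable domain of a URL (public suffix plus one label),
    or None if the URL has no usable host or is a bare public suffix."""
    host = urlsplit(url).hostname  # lower-cased, port stripped
    if not host:
        return None
    labels = host.rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            # "com" alone is not a registrable domain, so require one more label.
            return ".".join(labels[i - 1:]) if i > 0 else None
    # Unknown suffix: fall back to the last two labels.
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def matching_entries(url: str, vault: list) -> list:
    """Entries the manager would offer to fill on `url`: exact registrable-domain
    match only. A lookalike domain or a host that merely starts with the real
    domain (bankofamerica.com.evil.com) gets nothing."""
    target = registrable_domain(url)
    if target is None:
        return []
    return [entry for entry in vault if entry["domain"] == target]


if __name__ == "__main__":
    for url in ("https://login.bankofamerica.com/",
                "https://bankofanerica.com/login",
                "https://bankofamerica.com.evil.com/",
                "https://www.example.co.uk/account"):
        names = [e["name"] for e in matching_entries(url, SAMPLE_VAULT)]
        print(f"{url:45} -> {names or 'no match: stop and look'}")
```

Note what the check does not cover: a site that has been compromised, or a lookalike registered under a suffix the list does not know, still needs your own judgement. The point of the automation is that the absence of an autofill offer is a reliable signal to pause, not that its presence proves a site is safe.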
What You Should Do
- Research password managers. I recommend LastPass, and it will probably work well for you, but it wouldn’t hurt for you to research the alternatives.
- Sign up for a password manager, which could be free or paid.
- Install the password manager on any devices where you’ll need it.
- Configure the password manager’s settings for the maximum level of security and privacy you can for your situation.
- Move all your passwords into your password manager, then destroy any insecure copies of those passwords.