Are you using a password manager?


Are you using a password manager? Should you? First, let’s talk about passwords in general and the problems they pose for people just like you and me.

Nearly all of our online activities require passwords. As more and more of our favorite things are online, password management becomes a huge nuisance. Or maybe it doesn’t. Perhaps you’re one of those folks who say to themselves: “to heck with it, I’m going to use the same password everywhere. I’ll make it an excellent one”. I wouldn’t blame you, but it’s a terrible idea. This phenomenon is known as “password re-use.” I’ve done it, you’ve done it, and hackers are quite happy when we do. Here’s why:

Let’s say you sign up for Facebook using your email address ([email protected]) and choose a difficult password such as “m00s3@ndSqu1rr3l”. Congratulations, that password, despite the not-so-vague Bullwinkle reference, checks all the boxes: it a) is not a dictionary word, b) includes both lower- and upper-case letters, c) has numbers, and d) even includes a non-alphanumeric character. Bravo! That password is so awesome you decide to use it again and again, all with your email address as the username.

Then one day you receive an email telling you that Microsoft is about to suspend your account. Huh? Wow, you’d better click the link and log in. The login page looks genuine, so you key in your credentials. But it doesn’t work. So you try again and again to no avail. So you give up and wait for the other shoe to drop on your soon-to-be-closed account. The only problem is this: that wasn’t Microsoft, it was a hacker. You just gave them your super-secret username/password pair.

So now the hackers have your information. They log into your “real” account and do a bunch of nasty stuff. But they don’t stop there – they have programs that begin logging into every important website on the planet using your credentials – entirely automated. This tactic is known as “credential stuffing,” and soon they are logging into sites as you, taking things that don’t belong to them and wreaking havoc on every level. They will pretend to be you and send messages to your friends to steal their credentials too.

How do you prevent this from happening? Well, you could just come up with dozens of unique, complicated passwords. But nobody can manage all of those passwords, let alone remember them on-the-fly without referring to a master password list. Besides, a list like that is a terrible idea. If it gets lost or stolen, you will be in a world of hurt.

This dilemma is where a password manager becomes very useful. This author personally uses LastPass, though there are several competitors that all work pretty well. I’d recommend sticking with one of the big guys, however, as they have more resources to fund tight security and reliable infrastructure. Let’s go over the details.

LastPass has a free version (hooray!) that will suit most people’s needs. Just go to https://lastpass.com and create an account. Here is where that one, unique, super-difficult password is necessary. You use it here, and nowhere else, period. Make it hard, like “my first car was a 1934 Ford”. Sentences work very well, spaces and all. Make a note of it somewhere and share it with a significant other if necessary. Then log in and follow the instructions to add the browser plugin to Chrome, Firefox, or whichever browser you prefer.

From that point forward, merely log into your usual sites. As you do, LastPass will offer to save your passwords. As it does, however, you may start getting warnings about having weak passwords or using the same password again and again. That’s good. Now you can have LastPass replace them with randomly generated passwords. As you would expect, LastPass updates the stored records with the new passwords.
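What a reuse warning and a switch to random passwords amount to, as an added Python example that is not LastPass code or part of the original post: it lists which other logins fall when one reused login is phished, then replaces every reused password with a unique random one. The vault entries, the `.example` site names and all function names are constructed for illustration; only the sample password comes from the text above.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample vault: (site, username, password). Not real accounts.
VAULT = [
    ("social.example", "user@mail.example", "m00s3@ndSqu1rr3l"),
    ("shop.example", "user@mail.example", "m00s3@ndSqu1rr3l"),
    ("bank.example", "user@mail.example", "m00s3@ndSqu1rr3l"),
    ("forum.example", "user@mail.example", "k7#Vq2!xLp9$wZr4Tn8b"),
]

ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"

def find_reuse(vault):
    """Map each password used on more than one site to the sites sharing it."""
    sites_by_password = defaultdict(list)
    for site, _user, password in vault:
        sites_by_password[password].append(site)
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}

def exposed_by_phish(vault, phished_site):
    """Other sites that accept the same username/password pair as phished_site."""
    leaked = {(u, p) for s, u, p in vault if s == phished_site}
    return sorted(s for s, u, p in vault if s != phished_site and (u, p) in leaked)

def generate_password(length=20):
    """Random password from the OS CSPRNG containing every character class."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(not c.isalnum() for c in pw)):
            return pw

def rotate_reused(vault):
    """Return a new vault in which every reused password is replaced by a unique one."""
    reused = find_reuse(vault)
    return [(s, u, generate_password() if p in reused else p) for s, u, p in vault]

if __name__ == "__main__":
    print("Also exposed if social.example is phished:",
          exposed_by_phish(VAULT, "social.example"))
    fixed = rotate_reused(VAULT)
    print("Reuse remaining after rotation:", find_reuse(fixed))
```

After rotation, a phished login for one site no longer matches any other entry, which is what defeats credential stuffing.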

From now on, visiting the login page of your websites using a plugin-enabled browser will result in a neat little option to auto-fill the passwords from LastPass.

Now that you know this, there is no excuse to wait. LastPass is free and straightforward, and your cybersecurity posture can get a significant boost starting now. What’s keeping you?