Feature image via Shutterstock.
I was talking to Cee about this post right here, and they mentioned people’s passwords as a weak point that can be exploited in these dark times. It was then that I had to admit that I am the worst person I know re: passwords. Up until this week, I had the same three or four and I used them for everything. They were all semantic and too easily guessable. Cee took me to task and they’re totally correct. I decided to put off writing to y’all about passwords until I followed their (and my own! See, I know better, that’s why it’s so fucked!) advice. So here’s what I did to make my password life more secure.
Now I recognize that the following things I’m going to suggest that you do are, in fact, a pain in the ass. That’s why I recommend getting a group of friends together at a dining room table and doing this all together. Don’t share your passwords or passphrases, but do share snacks and beverages and a sense of accomplishment.
Why LastPass you ask? Because we’re about to change all our passwords to long strings of numbers, letters and symbols that we will most definitely not remember. LastPass is a service that stores all these passwords and makes them accessible and autofillable with one master password that you remember. Even though it stores passwords in the cloud, Cee assures me it’s better than what I (and maybe you!) have going on right now. Plus everything is encrypted and decrypted locally, meaning only on your device. LastPass can’t even see your passwords. You can even add two-factor authentication to make it that much more secure. They have this neat feature where you can set up an emergency person who can have access to your passwords if you get hit by a bus, so you can give access to your wife or family or best friend if you want. They have extensions for just about everything — all major browsers, plus software for Windows, Mac, Linux and so many mobile solutions as well. Starting to set up your account? Well then it’s time to—
Choose a Passphrase
What’s a passphrase? It’s basically a sentence instead of a word. A passphrase contains spaces between each word and might feature punctuation. It’s more secure than a password because it’s longer and features a larger array of different kinds of characters. Make your LastPass password a passphrase instead! Some examples (please don’t use these!) include: “Autostraddle is my number 1 website; I read it every single day!” or “You better believe I will resist Voldemort—I’m a member of the Order of the Phoenix.” I know it takes a while to type, but it’s just going to be to get into your vault. You won’t actually have to type it all that often. But REMEMBER the damn thing! Once you’ve got that all sorted, it’s time to—
Generate Random Passwords
This is the real pain in the ass part, but it’s gotta be done. Now you have to run around the internet and start changing your passwords to more secure random strings of stuff. LastPass has a password generator that you can use. If it weirds you out to have LastPass generating passwords (even though LastPass can’t see them!), you can use a separate plugin to generate strings. Google Chrome also lets you generate passwords from within the browser itself (just hit up chrome://flags to turn on password generation).
But how do you remember where you’ve gone and made passwords? Well, friend, that is a conundrum. You can start by making lists by category of all the services you remember using online. Try thinking of categories like Email, Social Media, Communication, Shopping, Work, Banking—what other categories can you come up with? Another way to do it is just start using the internet as you would any other day, and when you come across an insecure password, change it. I’ve approached it using some melange of both.
But What If I Don’t Like LastPass?
Fair enough. I think LastPass is peachy because it balances security and convenience, and I feel like we wouldn’t really get this password security stuff done if it made our online lives horribly inconvenient. It’s also free. That is my last pitch for LastPass. Password Dragon is also free, and it runs on Windows, Mac and Linux as well as being totally launchable off a USB drive. But it doesn’t have a mobile solution. Dashlane only syncs when you pay premium, so if the syncing is what’s bothering you, GOOD NEWS! You can just not have that feature and Dashlane is free. KeePassX is the open source option, but it’s not easy to use.
What Do I Serve at a Password Party?
Any tips for securing your password? Please make healthy use of the comment section so we can all benefit from your knowledge!
Sorry to be so ignorant but is it important for everyone to do this or is this more for people who do more important stuff online than the average jo? Like I don’t know what would be so valuable in my email or banking or like etsy account that it would matter?
*puts infomercial voice on* Identity theft can happen to anyone! Someone could be looking to get in/out or make a quick buck off of you, or somewhat more rarely your identity can go onto the black market and then honestly who knows what will happen to it then.
Someone who gets access to your bank account (or paypal/venmo/etc) can steal your money and your identity.
If you use plastic to buy things (credit or debit), you need to do this.
I promise, it’s for your own good.
I super promise it’s valuable! Also I love your username.
Think about your email as the access to your life. If someone gets ahold of it, then they can pretend to be you. With etsy, they can get your banking information; whether it’s your card number or bank account info, they can then make purchases on your behalf. If they have your bank account and email, they can look through your email to figure out what the answers to your security questions could be, or reset your bank account email to their own personal one. Is it a lot of effort for the hacker? Yes. Nonetheless, password security is your front line of defense. Plus, this makes it easy to regularly change a password if an account does get breached.
This is terrific; thank you! Also hi Ali I’ve been enjoying your columns for many years here and finally got a smart phone last week so I’m stoked to be able to go to the archives and start to use all the awesome mobile device info you’ve posted.
My password plan is working pretty well and the fun part is it’s inspired by Carmen’s column Rebel Girls. Each time I need a new password, (my school pw expires every 100 days) I pick a feminist icon that’s new to me and use their name to craft a new password. It’s cool because that way I memorize the names of these important people (helpful for checking out books at the library), and usually learn a bit more about them in the process.
Then to generate unique passwords for different sites (email, social media, etc) I add a tag that is specific to that website that’s easy to remember. I realize this is not the most secure way to do passwords, but I like the fact that it’s systematic; for example I was able to recall the password for a Twitter account I haven’t used in over a year in just a few tries because I remember which feminists’ names I was using at around that time.
The drawback is that a systematic password system like this is way easier to hack, so if someone happens to get my facebook password, they can probs guess all my other ones pretty easily. But it’s different enough that if my password is auto-hacked by a bot as part of a large data breach, my other accounts are still p well protected (though of course i would change them all if one of them did get hacked).
LastPass is so great!
Bonus: you can set up a contact with LastPass who will inherit your passwords if you die. (They are given access to request it, and then if you don’t respond to say “no, I’m still alive,” in 12 hours/3 days/whatever you set, they are granted access to your vault.)
My wife needs to get LastPass so she can do this for me!
This is a really important thing for people to do. I revamped all my passwords (using LastPass!) a month or so ago, except I didn’t get a party. Now the trick is to get my family onboard.
When I was doing my research for all this, the best password tip I found anywhere in all the articles I read was this: Choose a song and make a string of letters from it for your password. It’s easy to remember and super secure. That’s how I made my passphrase.
Example (Don’t use this one!) Your favorite song is “Here Comes the Sun” so you make your passphrase
Hctsldhcts (Here comes the sun, little darling, here comes the sun) and then every time you want to log in, you just sing to yourself.
For my initial push, I combined both methods Ali mentioned: I started out with the obvious stuff and went down the list, and then every time I wanted to take a break, I realized I had forgotten some type of password and fixed it. Then for the next few weeks (I still find sites even now!) if I go somewhere and realize I forgot to fix it, I just take care of it, which is a breeze, since it’s just one entry. Also, I run the Security Challenge every couple of months, just to check on things.
You could totally throw a Password Party anyway to get your friends on board! Then you still get cake and punch and your friends get better passwords.
I’ve been wondering about the part where it’s device-specific. I get that that’s good in that it makes things less hackable, but… what if I need to access an account on a different device? e.g. if I want to log into my email from a school computer to print things, or if my computer dies and I replace it with a new one? How easy is it to access my passwords on a new device?
I think LastPass syncing your devices takes care of those concerns, but I am not sure.
It syncs across devices. Now if that freaks you out, you can use another option, but you give up the convenience of being able to access your passwords anywhere.
When I’m using other (public) devices, I just pull up the password I need from LastPass via my phone and type it in manually. For this reason, I recommend that people make sure they have “Avoid Ambiguous Characters” checked when they generate passwords. And make sure you log out before you walk away!
Also, bonus for those of us who don’t always have internet/service on our mobile devices: all of that still works without data, although if you change a password online, you’ll need to manually update it or sync before it shows on your mobile app.
Can some nice person explain how LastPass works once it’s set up? Let’s say I want to log in to AirBnB from my laptop. Do I just navigate to the AirBnB website and there’s a LastPass extension that does a one-click login for me whenever I’m signed in to my LastPass Vault on my laptop? Or, do I need to access the Vault and click on the AirBnB password and copy the pw and then paste to the AirBnB login page?
Basically I’m wondering how many steps/clicks there are to log in to a pw-protected site once LastPass is set up.
Hey, so you can definitely navigate to the AirBnB website and use a LastPass extension to fill in your username and password. You can also go to your LastPass “Vault” (basically your password control center) and “launch” AirBnB, which should navigate to the AirBnB website and then login for you, all in one click.
The first time you do this during a new internet session, you’ll need to supply your LastPass password/passphrase, but at that point you can tell LastPass to remember you for the next few hours so you don’t have to input it over and over.
I haven’t been using LastPass for that long but I find it very easy and convenient!
There’s this LastPass logo that pops up in pw fillable fields. If you click on it, you can autofill those usernames and passwords as long as you’ve saved the right log into your vault.
It’s like you read my mind! I just got LastPass last weekend and it was clearly the right decision.
I want to do this but I’m still cleaning up the hell that is switching out yahoo as my main email account. Password party at my place next weekend?
Spending Sunday morning in bed with cat, changing all my passwords with lastpass. Thus fulfilling my needs to be lazy but FEEL productive. Thanks Ali!
This is a super productive way to spend your time, I promise!
Can I ask what happens if your computer breaks? And can you access it from multiple devices? I’ve been really reluctant to do this but this is the best argument I’ve seen for it.
I was wondering what happens if I forget my pass phrase, because usually pw recovery is via email but then to sign into email, i would need to remember my pass phrase, right?
I was wondering about that above so I looked into it–it looks like you can add it on multiple devices, and if you’re temporarily using another device (e.g. campus computer, borrowing a friend’s) you can use your passphrase to log onto your vault online and then copy-paste your passwords from there.
As for forgetting a passphrase, make sure you pick something you aren’t likely to forget. Maybe a song lyric or an inside joke or simply a sentence about your life that’s a fact you won’t easily lose track of. Adding punctuation and spaces is what makes it secure.
I mean, hell, you can choose a book off your shelf and type the first sentence of it in.
Great! Cee has been on my case to use lastpass and now you too?! Ugh fine, I’ll do it.
This post exists because Cee got on my case lalalala
if anyone wants to use the opensource keepass instead of lastpass i am available to help u through the process (ended up needing to teach myself a lot of it and ran into a bunch of fun teachable moments through trial and error…and more error). it’s definitely less user friendly as far as ui/ux but it’s reliable and useful. proud of everyone for taking the steps to secure your online presence.
So much of my grieving post-election has been feeling like I can’t do anything…this is such a helpful, simple thing to do to feel a teensy bit safer. Brilliant.
It’s maybe worth noting that if you use Macs and iOS devices, you can set up iCloud to share your keychain between all your devices – so if you set up a new account, or change an existing password on one device, it’ll automagically be available on your other devices.
Safari, thankfully, makes unique passwords easy: anywhere it recognises as a new password field, it’ll offer the option of filling in a random auto-generated password, and updating the Keychain at the same time.
Whatever solution anyone uses, I can only reiterate the key point above: never reuse passwords, and especially, guard your email – many sites will happily send a “reset my password” link to you by email, so if a malefactor gains access to your email, they can do some serious damage.
Will it link to PCs as well? I use an iPhone and a Mac at home but a PC at work (where I am currently typing this message because I had the PC save the password I use for everything including Autostraddle and my bank account).
I have a LastPass alternative suggestion for others who, like me, are hesitant to keep password information in an online service. Write ’em down in a notebook, and keep it in a secure location, perhaps alongside social security/passport/birth certificate type information. You’ll never accidentally delete it, the service never goes down or out of business, it can’t be remotely hacked, and, if you lose your laptop/phone, you don’t lose all your password/account data. To me, those are more serious risks than having a physical document be lost, stolen or damaged. It’s worked for me for more than five years now and is so far impervious to the march of technological advance.
For background, I work in information security and break into stuff for a living. Some of my colleagues and I are working on a free class at our local university called Fourth Amendment as a Service to help teach people how to protect themselves in a surveillance state.
Guessing or cracking your password is probably the least likely thing for a nation state actor to gain access to your stuff. There are just so many other ways to get into your stuff; they’re not going to pick the hardest route. That’s not to say that the advice above isn’t super important, but it’s not going to protect you from Voldemort’s sticky little hands.
Just as important, if not more important, is keeping what you do online private. Using end to end encrypted phone calls and texts through an app like Signal, using browser extensions like HTTPS Everywhere and Privacy badger, and being mindful of the privacy settings on things you post will go a long way. A private VPN with an endpoint out of Voldemort’s jurisdiction isn’t a terrible idea, either. You can learn more at the Electronic Frontier Foundation’s site on Surveillance Self-Defense: https://ssd.eff.org/en
Had a party of one tonight to update my passwords since I am a w f u l and reuse them. Put on a wildlife doc for background noise, and when the doc ended I also ended! I’ve been using LastPass for a while, and I only got down to D in sites a-z womp womp. I did delete my accounts on a couple services/sites though!
Downloaded lastpass, and the firefox extension on their site doesn’t work. I had no idea how the dratted thing was supposed to work until i watched a video, and found out that yes, clicking those little icons in the password field was supposed to do something.
Downloaded the addon through the firefox addons, and it was an updated version that worked.
Just installed it on my android phone, and am a little confused. I think it might work with Chrome without needing an extension, but with firefox nothing happened until i downloaded a mobile app. Then it told me that i have to upgrade to premium after 60 days.
Premium isn’t expensive, but i don’t remember seeing that mentioned anywhere.
So i’ve only changed one password that i use all the time, to test, and i’m not sure how easy it is on mobile devices…
Oh! I clicked the ‘log me in’ option once, and now it’s doing it on all sites automatically? Maybe i then need to unclick that in passwords i change, in the future?
(I’m looking forward to having my autostraddle and tumblr account auto log me in, I CAN’T REMEMBER THESE PASSWORDS EVER EVER EVER)
Coming up with passphrases is GREAT. But it’s also tricky, because lyrics from songs, lines out of books, etc., can still be cracked relatively easily.
Since human brains are REALLY GOOD at making meaning out of nonsense, the Diceware system means you can generate a random sequence of words and then it’s very easy to make up a tiny fragment of story that links them together.
And with just 6 words, you have an incredibly difficult-to-hack pass phrase.
To do it safest, you’ll need 1-5 plain dice and a copy of the word list on a device that doesn’t talk to the internet, like paper. You might want to use a word list for a language you know well but isn’t your primary language, if you’re feeling it.
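An added example (not code from the post, LastPass, or the Diceware project) showing the two things the thread keeps coming back to: generating random passwords with the ambiguous look-alike characters stripped out, and building a Diceware passphrase from dice rolls, with the entropy math for each. It assumes a placeholder word list of 7776 synthetic entries standing in for the real Diceware list, which is not embedded here.

```python
import math
import secrets

# Glyphs that are easy to confuse when a password is read off a phone screen
# and typed by hand (the "Avoid Ambiguous Characters" option from the thread).
AMBIGUOUS = set("0O1lI")
ALPHABET = ("abcdefghijklmnopqrstuvwxyz"
            "ABCDEFGHIJKLMNOPQRSTUVWXYZ"
            "0123456789"
            "!#$%&*+-=?@^_")

# Constructed placeholder: a real Diceware list has 7776 memorable words.
# This synthetic list only exists so the code runs offline.
DEMO_WORDLIST = [f"w{i:04d}" for i in range(6 ** 5)]


def usable_alphabet(avoid_ambiguous=True):
    """Character pool for a random password, optionally minus look-alikes."""
    return [c for c in ALPHABET if not (avoid_ambiguous and c in AMBIGUOUS)]


def random_password(length=20, avoid_ambiguous=True):
    """Random password drawn from a CSPRNG (secrets), never from random()."""
    pool = usable_alphabet(avoid_ambiguous)
    return "".join(secrets.choice(pool) for _ in range(length))


def dice_to_index(rolls):
    """Map five d6 rolls (each 1..6) to a 0-based index into a 7776-word list."""
    if len(rolls) != 5 or any(r not in range(1, 7) for r in rolls):
        raise ValueError("need exactly five rolls of 1..6")
    index = 0
    for r in rolls:
        index = index * 6 + (r - 1)  # base-6 digits, most significant first
    return index


def diceware_passphrase(wordlist, words=6):
    """Pick `words` entries by simulated dice; physical dice work the same way."""
    if len(wordlist) != 6 ** 5:
        raise ValueError("a Diceware list has exactly 7776 entries")
    chosen = []
    for _ in range(words):
        rolls = [secrets.randbelow(6) + 1 for _ in range(5)]
        chosen.append(wordlist[dice_to_index(rolls)])
    return " ".join(chosen)


def entropy_bits(choices_per_symbol, symbols):
    """Guessing entropy when every symbol is chosen uniformly at random."""
    return symbols * math.log2(choices_per_symbol)


if __name__ == "__main__":
    print(random_password(), entropy_bits(len(usable_alphabet()), 20))
    print(diceware_passphrase(DEMO_WORDLIST), entropy_bits(6 ** 5, 6))
```

Six Diceware words give about 77.5 bits, which is why the thread calls six words "incredibly difficult to hack"; a 20-character password from the 70-character pool above is around 122 bits, but only the passphrase is something a person can reasonably remember.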
I may have just lost a twitter account in the kerfuffle of trying to add multiple to LastPass (autofill gets so damn confused), but beyond the existential anxiety of changing everything, thanks for the prompt to get this done.