Passwords are hard to make secure these days, and we need to have more than one password because if your one password gets stolen then the malicious person can access everything you own. The problem we encounter having so many passwords is we now do not remember passwords. So what do we do when we don’t remember passwords? We write them down in a note book. What is wrong with writing them in a note book? Well, say someone found it in your house or you keep it in your purse. You lose all your passwords and someone else knows them. Another issue is that when we make a password, we don’t come up with something random; we usually just go about making it something memorable which means it’s something like married1998 or spotthedog23. These are some of the worst passwords one can come up with. Why? Because hackers can guess these easily because they know people do this. So the passwords you really need should look something like B^xD2$9zXP@#9t68w4U4UJ5r%J77SV. But there is no way you would want to type that or you would remember that, so this is where Password Managers come into play.
Password Managers keeps track of all the passwords you use, makes it easy to use them, are able to make unique passwords for sites you use, and they encrypt your passwords using a Master Password to protect them from just being stolen. These are all great reasons to use a Password Manager.
Here are some password managers I recommend:
LastPass is a cloud based password manager which stores all your passwords in their data center and syncs between devices and browsers you use. One issue with going with a cloud based password manager is if they don’t do security right, malicious people can possibly break in and steal all your passwords. This is something LastPass has done right.
They had break ins in the past, however each time nothing important was stolen and they learned from their mistakes. At most what was stolen was a hash of the master password which they know how to hash the passwords so well that it’s incredibly hard to reverse into the actual password. For this reason, this has become the password manager for me.
They allow one type of device for free, Mobile/Tablet/Computer, but if you want to use more than one, it costs $12 a year which is a steal for something that protects your online life.
This is an open source password manager which is free but platform availability is limited. It was made for Windows, but has Unofficial releases for Linux, Mac, Windows Phone, Android, and iOS. I don’t personally trust “Unofficial” releases, so I’m sticking with LastPass.
This password manager is quite nice, the only thing that prevents me personally from using it is it doesn’t support Linux and is expensive in my opinion at $50.
Now my recommendation on how to do passwords is as followed.
1. Have a password you don’t care about for sites you don’t care about that don’t have important information (like forums).
2. Make your master password long and have lots of entropy (many kinds of characters). You can use something like https://www.grc.com/haystack.htm or https://passwd.gec.im/ to get an idea as to how good your password may be.
3. Pad your master password, example put %^@3 at the front of the password and *22#$ at the end or something like that.
4. It’s ok to use phrases to make the master password memorable. Like maybe “I walked to the Candy Store, and I found some Butter Finger candy bars.” That mixed with some padding is “&*2^ I walked to the Candy Store, and I found some Butter Finger candy bars. $#6(” which could take 50.42 thousand trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion trillion centuries to crack.
5. Use absolute random max length passwords for any place that has your credit card info or access to your money.
6. Protect your email address with two factor authentication and a random password because it can be a weak point for entry into your accounts.
7. Use two factor authentication on your password manager if possible so people have to both know your password and have your phone to get in.
This is what you have to do until Public Key encryption becomes popular. The one I’m waiting for is https://www.grc.com/sqrl/sqrl.htm.