In light of the Heartbleed bug mess, this seemed like a timely topic to revisit.
Ready to be scared a little bit? The odds are very, very good that — at some point in time — a website you use has been hacked, and your e-mail and password from that site have been compromised.
Ready to set your mind at ease? It’s simple and easy to set up your online life so that you’re totally safe if that ever happens again (and to protect yourself now, in case one of your passwords is out in the wild).
I know that normally I talk about money stuff, but today I’m going to be talking about you, your online life, and how you can make sure the bad guys don’t get to access your bank accounts, your e-mail, your blog, or the other important parts of your identity on the internet.
So, it turns out it’s hard to write a post about “security on the internet” without it quickly falling into a hysterical, doom-and-gloom, panicky mess of a post.
I have no desire to cause anxiety, but I also want you — when you read this — to understand how important it is, and how easy it is to protect yourself. Really, it’s as simple as downloading a free program (takes a few seconds), setting it up (takes about a minute), and then using it to log in to the sites you normally use (no more time than it takes you now).
If a website I use gets hacked, and my password gets stolen, what do the thieves get?
Without getting into the boring details, there are two ways a website can store your password: scrambled with a one-way hash (often loosely called “encrypted”, meaning a password like “puppies_are_cute” is stored as something like “c76dae966ba4fe2e427249511e3983ac16beef67”) and unencrypted (meaning it’s saved in the database as “puppies_are_cute”, in plain text). Even if a password is hashed, hackers might still be able to crack it: they hash huge numbers of likely passwords and look for a match, so a short or common password falls quickly.
Ideally, every website would hash passwords securely (with a unique random salt and a deliberately slow algorithm) before saving them. But they don’t all do it. If your password gets stolen, it’s probably safest to assume that the bad guys have your actual password. (Yikes!) And that they now have access to every site where you use that password. (Double-yikes!)
If I can’t guarantee that my password will be safe at a website, how can I protect all my other accounts if that site gets hacked?
The easiest way to keep yourself safe is to use a different password for every website. That way, if Site A gets hacked, your password from there will be useless at Site B.
Do you know how many sites I use? I can barely remember to get all the things on my grocery list. You expect me to remember that many passwords?
“Remembering passwords” is something you should probably commit zero brainspace to. But if you can remember just one (which you’re doing right now), you can use a password manager.
What is a password manager, and why should I use one?
Password managers do three things:
1. They securely store the username and password you use to log in to every site on the internet.
You only have to remember the one password you need to get into your password manager, and you’re all set. Also, when you first set it up, it’ll import all of the passwords already saved in your web browser.
2. They let you create unique passwords for each site.
Instead of using an easily guessable password, they’ll generate a long, random one that looks like this: “Af!@ADn56Zk*”. And every site you use will have a different password, so if one gets compromised, the rest of your online accounts are safe.
Even better, they remember your passwords for you, and can fill them in automatically. So you don’t have to worry about remembering them.
3. They give you a browser extension that lets you log in with a click of the mouse (or no clicks!), and manage your account across computers.
You might already have your browser set up to do this, but with LastPass and 1Password, you can set your computer up to log you in to any site automatically. Further, if you log in to your LastPass account from another computer, or from your phone or tablet, it’ll log you in there, too.
As a bonus, they also store credit card information and other important data that you need. They encrypt it all, so your info is secure.
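To make two of the points above concrete (why a bare hash of a reused password is as good as the password itself, and why a generated per-site password is so much harder to guess), here is an added Python example; it is not code from the original post or from LastPass or 1Password, and its character set, iteration count and the “puppies_are_cute” scenario are assumptions made for the demo.

```python
import hashlib
import math
import secrets
import string

# Character set a password manager might draw from (an assumption for this demo).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"


def unsalted_sha1(password: str) -> str:
    """The weak way to store a password: a bare, fast hash.
    The same password always yields the same hash, so a reused password
    leaked from one site is recognisable at every other site using it."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_password(password: str, iterations: int = 200_000) -> dict:
    """The sound way: a random per-user salt plus a slow key-derivation
    function, so each stored record is unique and expensive to guess against."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(password: str, record: dict) -> bool:
    """Recompute the derivation with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(record["salt"]), record["iterations"]
    )
    return secrets.compare_digest(digest.hex(), record["hash"])


def generate_password(length: int = 16) -> str:
    """What a password manager does for you: a fresh random password per site."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Guessing work in bits: how many yes/no facts a guesser has to get right."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed scenario: one reader uses "puppies_are_cute" at Site A and Site B.
    reused = "puppies_are_cute"
    print("Site A, unsalted:", unsalted_sha1(reused))
    print("Site B, unsalted:", unsalted_sha1(reused))  # identical: a leak at A exposes B
    record_a, record_b = store_password(reused), store_password(reused)
    print("Salted records differ:", record_a["hash"] != record_b["hash"])
    print("Login still works:", verify_password(reused, record_a))
    for site in ("bank", "email", "blog"):
        print(f"{site}: {generate_password()}  (~{entropy_bits(16):.0f} bits of guessing work)")
```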
I have to pay for this, right?
Nope. There are two leading password managers. One of them is free.
- 1Password — a one-time $50 fee, works across all your devices.
- LastPass — free, but if you upgrade for $1/month, you get an iPhone/iPad/Android app that lets you log in more easily on your phone or tablet.
Personally, I use LastPass (the free one) and when I need to log in to a site on my smartphone, I just enter the password manually.
But … what happens if LastPass/1Password gets hacked?
The short answer: nothing. All of your data is encrypted on your own device with a key derived from your master password, via methods that make decryption without that password practically impossible. Your data is safe, provided that one master password is itself strong, since it is the key to everything else. Not even the folks behind password management tools can see your passwords.
Every few months, I see news that some large site has been hacked, and millions of passwords have been leaked. I used to be afraid. Since setting up a password manager, though, I’m not at all concerned. I’d love for you to have that same sense of peace.
And with all the things you’re trying to manage in your life, don’t make managing your own passwords be something that you have to handle as well.
Do you use a password manager?
This post was originally published on April 19, 2013.