The last Resolution dealt with keeping our physical home safe. This is obviously extremely important. But in our modern world, we increasingly have an online alter-ego which has become equally important to protect.
Everything from bank & investment accounts to deeply personal information like pictures are increasingly digital and available through the internet. Aside from actual theft potential online, identity theft is also a rapidly growing problem.
Most online sites we interact with use technologies like SSL (Secure Sockets Layer) to encrypt information so that online snoopers can’t read the traffic data. However, the vast majority of these sites also use what is called single-factor authentication. That’s a fancy way of saying a username and password.
Many sites use an email address for a customer’s username, and email addresses are generally very easy to find. That means the only secret thing separating your accounts from someone looking to steal or do damage is typically your password. If you use a simple password that is easy to guess, you can be compromised pretty quickly. Likewise if you use the same password in many places, even if it is harder to guess, once you are compromised at one site, a hacker will try that same password on another site with your email. In such a situation you can be compromised across every site where you reuse that password in a very short time frame.
The Password Manager
A password manager is a program that quite simply maintains your passwords. It typically allows you to enter a username, a password, and a link or description of where the credentials are used. Something like:
Site: Facebook.com
User: JohnDoe
Password: Try2GuessIt
A good password manager will go a few steps further. It will have a feature to auto-generate passwords for you. This is crucial, as the auto-generated passwords can be made arbitrarily complex, subject to optional rules which can be set in the software, such as: at least one number, at least one punctuation mark, at least one capital letter, and so on. Auto-generated passwords are far less likely to be guessed using brute-force techniques; in practice, guessing them is virtually impossible.
A good password manager will also allow you to export your password database in an encrypted format. A master password or private key is then typically used to gain access to the password database. This keeps your database secure while at the same time allowing you to keep your password database centrally located, such as in Dropbox or on Google Drive. If someone gains access to your database, it will be useless without the master password / private key. With the database centrally located, you can access it from any device capable of running the password manager software.
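To make the "useless without the master password" point concrete, here is an added example (not code from the post or from KeePass) of a tiny encrypted-database format: the master password is stretched with PBKDF2 into separate encryption and integrity keys, the entries are encrypted, and an HMAC tag means a wrong master password or a tampered file is detected rather than yielding garbage. The cipher (an HMAC-SHA256 keystream, encrypt-then-MAC) and the 600,000-iteration work factor are assumptions chosen for illustration; real managers such as KeePass use AES or ChaCha20 with their own key-derivation settings, and a practitioner would use a vetted library rather than this construction.

```python
import hashlib
import hmac
import json
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed example of the structure the post describes: a database file that
# carries its own salt and nonce and can only be opened with the master password.
# The HMAC-based keystream is an illustration of the design, not a production cipher.

KDF_ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed value)
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(master_password: str, salt: bytes) -> Tuple[bytes, bytes]:
    """Stretch the master password into independent encryption and MAC keys.

    The salt is random per database, so two databases with the same master
    password still derive different keys."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    """Pseudorandom keystream: HMAC(enc_key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(enc_key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_database(entries: List[Dict[str, str]], master_password: str) -> bytes:
    """Serialize the entries and return salt || nonce || ciphertext || tag."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = derive_keys(master_password, salt)
    plaintext = json.dumps(entries).encode("utf-8")
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    # Encrypt-then-MAC over everything the decryptor will rely on.
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + ciphertext + tag


def decrypt_database(blob: bytes, master_password: str) -> Optional[List[Dict[str, str]]]:
    """Return the entries, or None if the master password is wrong or the file was altered."""
    if len(blob) < SALT_LEN + NONCE_LEN + TAG_LEN:
        return None
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    body = blob[SALT_LEN + NONCE_LEN:-TAG_LEN]
    tag = blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + body, hashlib.sha256).digest()
    # Constant-time comparison; a wrong password derives a different mac_key,
    # so the tag fails and nothing is decrypted.
    if not hmac.compare_digest(expected, tag):
        return None
    stream = _keystream(enc_key, nonce, len(body))
    plaintext = bytes(c ^ k for c, k in zip(body, stream))
    return json.loads(plaintext.decode("utf-8"))


if __name__ == "__main__":
    # Constructed sample entry (the post's own example credential).
    db = encrypt_database(
        [{"site": "Facebook.com", "user": "JohnDoe", "password": "Try2GuessIt"}],
        "a long master passphrase",
    )
    print("opens with master password:", decrypt_database(db, "a long master passphrase") is not None)
    print("opens with wrong password:", decrypt_database(db, "guess") is not None)
```

Because the salt and nonce travel inside the file, the same blob can be copied to Dropbox or Google Drive and opened on any device that has the master password, which is exactly the portability the post describes; anyone who obtains the file alone gets only random-looking bytes and a tag that refuses to verify.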
This is also the main advantage of keeping passwords in a manager rather than storing them in a browser: usernames & passwords stored in a browser are for the most part local to the machine & browser where they were saved. Credentials stored in Google Chrome on your desktop, for example, will not be available in the Safari browser on your iPhone. Some browsers attempt to sync credentials across devices, but these are typically kludgy and require enabling advanced syncing features. It is also true that if the credentials you are saving are for something other than a web page, such as a native application on a phone, the browser is not involved and as such won’t provide any assistance in remembering the credentials.
Our Recommendation: KeePass
KeePass is an open source password manager that works exactly as described above. It has versions for Windows, Mac, Linux, iOS, and Android.
A new password database comes pre-allocated with folders such as Internet, eMail, Windows, etc. to help you organize your credentials based on category. You can of course also create your own category folders.
The auto-generation feature for passwords can be set to arbitrary length & complexity, and gives immediate feedback as to the secure quality of your password.
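The rule-based generation described in the section above (at least one number, one punctuation mark, one capital letter) and the quality feedback mentioned here can be shown in a few lines. The following is an added example, not KeePass's generator or any code from the post: it draws characters with Python's `secrets` module (a cryptographically secure source, unlike `random`), rejects candidates that miss a required class, and reports the password's entropy in bits together with a brute-force estimate. The class names and the assumed guess rate of 10 billion guesses per second are constructed for the illustration.

```python
import math
import secrets
import string

# Character classes a generator policy can require (names are assumed for this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "punct": string.punctuation,
}
DEFAULT_POLICY = ("lower", "upper", "digit", "punct")


def meets_policy(password: str, required=DEFAULT_POLICY) -> bool:
    """True if the password contains at least one character from every required class."""
    return all(any(ch in CLASSES[cls] for ch in password) for cls in required)


def generate_password(length: int = 20, required=DEFAULT_POLICY) -> str:
    """Uniformly pick characters from the union of the required classes, retrying
    until every class is represented. Rejection sampling keeps the result uniform
    over the set of policy-compliant passwords."""
    if length < len(required):
        raise ValueError("length too short to include every required class")
    alphabet = "".join(CLASSES[cls] for cls in required)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, required):
            return candidate


def entropy_bits(length: int, required=DEFAULT_POLICY) -> float:
    """Entropy of a uniformly random string of this length over the alphabet.
    The policy rejection removes a tiny fraction of strings, so this is a close
    upper bound rather than an exact figure."""
    alphabet_size = sum(len(CLASSES[cls]) for cls in required)
    return length * math.log2(alphabet_size)


def years_to_brute_force(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected years to search half the keyspace at the assumed guess rate."""
    expected_guesses = 2 ** bits / 2
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


def quality_report(password: str, required=DEFAULT_POLICY) -> dict:
    """The kind of immediate feedback a manager shows beside a generated password."""
    bits = entropy_bits(len(password), required)
    return {
        "length": len(password),
        "meets_policy": meets_policy(password, required),
        "entropy_bits": round(bits, 1),
        "years_to_brute_force": years_to_brute_force(bits),
    }


if __name__ == "__main__":
    pw = generate_password(20)
    print(pw, quality_report(pw))
    # Compare with an 8-character all-lowercase password for scale.
    print(quality_report("abcdefgh", ("lower",)))
```

Run as written, a 20-character password over all four classes comes out at roughly 131 bits, which at the assumed rate takes an astronomically long time to exhaust, while the 8-character lowercase comparison falls in well under a second; that contrast is the point the section makes about why auto-generated passwords are worth the switch.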
KeePass Touch is available for iOS devices and has some other features for ease of use, such as accessing your password database easily via Dropbox & Google Drive, using Touch ID (fingerprint) to decrypt your password database, and copying and pasting usernames and passwords to easily get credentials into your other mobile apps.
A complete list of the KeePass downloads available can be found here.
Using a tool like KeePass, make it a preparedness priority this year to get your passwords centralized, secured, and accessible from all your devices. Additionally, start using auto-generated passwords for any new accounts you create, and make a timeline to switch your existing passwords over to auto-generated ones, especially if your existing passwords are relatively easy to guess or you are using one password across many sites.