Many of us have little more than a weak, reused password standing between our financial assets and a remote attacker, one armed with powerful cracking tools and a database of passwords harvested from earlier breaches. This is a losing battle, and it's the most likely way for weak computer security to put our finances at risk.
Think this can't happen to you? I'll bet at least one of your passwords has already been exposed in a big breach. A quick way to find out is to enter your email address at Troy Hunt's Have I Been Pwned site. My address turns up in almost a dozen big breaches.
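The email lookup needs the website, but a password itself can be checked against the same breach corpus without sending it anywhere: the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1 and returns every matching hash suffix with its breach count, so the client finishes the comparison locally. The example below is added here and is not code from the article or from Have I Been Pwned; the response body is constructed (only the suffix of SHA-1("password") is real, the other lines and all counts are made up) so it runs offline.

```python
import hashlib

PWNED_RANGE_ENDPOINT = "https://api.pwnedpasswords.com/range/"


def sha1_hex_upper(password: str) -> str:
    """SHA-1 of the password as upper-case hex, the form the service indexes."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(password: str) -> tuple[str, str]:
    """(prefix, suffix): the 5-char prefix that is sent, the 35-char suffix kept local."""
    digest = sha1_hex_upper(password)
    return digest[:5], digest[5:]


def range_url(password: str) -> str:
    """The request that would go over the wire. Only the prefix leaves the machine, so
    the service learns one of 16**5 buckets, never the password or its full hash."""
    prefix, _ = split_hash(password)
    return PWNED_RANGE_ENDPOINT + prefix


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines. When the client sends the Add-Padding header the
    service also returns dummy suffixes with count 0; those are dropped here."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        suffix, sep, count = line.partition(":")
        if not sep:
            continue  # blank or malformed line
        n = int(count)
        if n > 0:
            counts[suffix.upper()] = n
    return counts


def breach_count(password: str, fetched_prefix: str, response_body: str) -> int:
    """Times the password appeared in known breaches (0 = not in this range).
    Refuses to compare against a range fetched for a different prefix."""
    prefix, suffix = split_hash(password)
    if prefix != fetched_prefix.upper():
        raise ValueError(f"response is for range {fetched_prefix}, password needs {prefix}")
    return parse_range_response(response_body).get(suffix, 0)


# Constructed sample response for range 5BAA6, the prefix of SHA-1("password").
# The 1E4C9B... suffix is that hash's real suffix; the other suffixes and every
# count are invented for this example, and the ':0' line mimics padding.
SAMPLE_RESPONSE_5BAA6 = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "2F1A6EAA2D4B31B5B25D8BC2C6C0C3D9A1F:0",
    "A3F71A4BB2F9C5E6D8B0C1D2E3F4A5B6C7D:12",
])


if __name__ == "__main__":
    print(range_url("password"))
    print("breach count:", breach_count("password", "5BAA6", SAMPLE_RESPONSE_5BAA6))
```

In a live check the body comes from an HTTP GET of `range_url(...)`; everything else stays as written. A count of zero means only that the password is not in the corpus, not that it is strong.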
We are notoriously bad at creating strong passwords and remembering them. When you decide to create stronger, unique passwords for each site, you quickly discover that managing dozens of randomly generated, site-specific passwords by hand is a headache.
Don't fret. Password managers like LastPass, Dashlane and 1Password make short work of it. A password manager keeps all your passwords in an encrypted vault, leaving you with just one password to remember: the vault password, which must be long, unique and memorable, because it protects everything else. The manager then fills in the right password for mobile apps and websites whenever you use them.
What can you expect from a good manager?
Some of these are only available in paid versions of the service.
Despite knowing better, I put off evaluating password managers. That changed the day I tried to picture life for my spouse after I leave this vale of tears. I listed the chores I handle: banking, bill paying and investment management all involve online accounts. That brought my password problem into focus. A list of passwords in a binder next to our wills isn't secure, and it's a pain to keep up to date.
After experimenting with a free trial, I bought a family subscription. Moving my vault's security score from near the bottom to the top 1% took a couple of weekends. Each weekend, I'd spend an hour or two changing passwords, guided by the manager's security challenge and its password generator. Do this on your home PC or Mac, not an office computer.
I started with the high-value accounts: email first, then my cellular carrier, then banks and brokerages. Why email first? Most websites let you reset a password by emailing a link to the address on file, so an attacker who controls your inbox can take over nearly every account tied to it. The cellular account matters for the same reason if you've enabled two-factor authentication that sends codes by text message: whoever controls that account, or gets your number moved to another SIM, receives those codes.
What if someone breaks into your password manager's vault? If you pick a great vault password, the odds are low. But when all your eggs are in one basket, you want to be sure that basket stays safe. That's what led me to the YubiKey 5 series of hardware keys.
When you pair a YubiKey with a password manager, the manager uses a secret it gets from the key in addition to your vault password. How much protection that adds depends on the product: some managers fold the key's challenge-response secret into the key that encrypts the vault, so the data cannot be decrypted without it, while others treat the YubiKey only as a second factor at sign-in, which a weaker fallback method (an emailed code, say) may be able to bypass. Check which your manager does and whether any fallback can be turned off. For convenience, I use two models. A YubiKey 5 Nano stays in my PC and Mac, while a YubiKey 5 NFC lives on my keyring for use with my phone. The NFC model works with an iPhone 7 or newer and with Android phones that have NFC (near field communication).
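To make the "vault password plus hardware key" idea concrete, here is an added example (not the article's code and not how any named product is implemented) of the stronger of the two designs: the password is stretched with PBKDF2, and the token's HMAC-SHA1 challenge response is folded into the result, so that neither the password alone nor the key alone produces the vault key. The token is simulated with a constructed 20-byte secret so the code runs offline; a real key keeps that secret on the device. The header carries a key-check value so a wrong password or missing key is detected before any decryption; the actual encryption of the vault contents with that key is not shown.

```python
import hashlib
import hmac
import secrets
from typing import Optional

# Assumption for this example: the secret "programmed" into the hardware key's
# HMAC-SHA1 challenge-response slot. Constructed constant; a real key never
# reveals it and only returns the response.
SIMULATED_TOKEN_SECRET = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f00f1e2d3c")

KEY_CHECK_LABEL = b"vault-key-check"


def token_response(token_secret: bytes, challenge: bytes) -> bytes:
    """Simulates the key answering a challenge: HMAC-SHA1(secret, challenge), 20 bytes."""
    return hmac.new(token_secret, challenge, hashlib.sha1).digest()


def derive_vault_key(password: str, salt: bytes, iterations: int,
                     challenge: Optional[bytes] = None,
                     token_secret: Optional[bytes] = None) -> bytes:
    """Stretch the vault password with PBKDF2-HMAC-SHA256, then, if the vault was
    created with a hardware key, hash the key's challenge response into the result."""
    pw_key = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)
    if challenge is None:
        return pw_key  # password-only vault
    if token_secret is None:
        raise ValueError("this vault was created with a hardware key; none supplied")
    return hashlib.sha256(pw_key + token_response(token_secret, challenge)).digest()


def key_check(key: bytes) -> bytes:
    """Verifier stored in the clear in the header; lets a wrong password or missing
    key be detected without attempting decryption, and does not reveal the key."""
    return hmac.new(key, KEY_CHECK_LABEL, hashlib.sha256).digest()


def create_vault_header(password: str, token_secret: Optional[bytes] = None,
                        iterations: int = 200_000) -> tuple[dict, bytes]:
    """Build the unencrypted header a vault file would carry plus the key that
    would encrypt its contents (with an AEAD such as AES-GCM, not shown here)."""
    salt = secrets.token_bytes(16)
    challenge = secrets.token_bytes(32) if token_secret is not None else None
    key = derive_vault_key(password, salt, iterations, challenge, token_secret)
    header = {"salt": salt, "iterations": iterations, "challenge": challenge,
              "check": key_check(key)}
    return header, key


def unlock(header: dict, password: str, token_secret: Optional[bytes] = None) -> Optional[bytes]:
    """Return the vault key, or None if the password is wrong, the hardware key is
    absent when the vault requires one, or a different key is presented."""
    if header["challenge"] is not None and token_secret is None:
        return None
    key = derive_vault_key(password, header["salt"], header["iterations"],
                           header["challenge"], token_secret)
    if hmac.compare_digest(key_check(key), header["check"]):
        return key
    return None


if __name__ == "__main__":
    header, key = create_vault_header("correct horse battery staple", SIMULATED_TOKEN_SECRET)
    print("password + key :", unlock(header, "correct horse battery staple", SIMULATED_TOKEN_SECRET) == key)
    print("password only  :", unlock(header, "correct horse battery staple"))
    print("wrong password :", unlock(header, "hunter2", SIMULATED_TOKEN_SECRET))
```

The iteration count is deliberately the tunable here; real products use far more stretching (or Argon2), and the point of the design is that an attacker who copies the vault file still needs the physical key, which a second-factor-only integration does not guarantee. The comment thread below notes that LastPass allowed the key to be bypassed with an emailed code, which is the second, weaker design.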
David Powell has written software or led engineering teams for 35 years. He enjoys work, vegan fine dining, cycling and travel with his spouse. His previous article was Playing Defense.
Our family uses Dashlane since we have several operating systems in our household. It works great as a central vault of information. The credentials to Dashlane are stashed in a secret place (on paper) in case of death or an emergency. BTW, adult children can have their own profile for the same family subscription as well. I highly recommend it.
I recently read an account security article:
https://thefinancebuff.com/security-hardware-fidelity-schwab-vanguard.html
Based on that, I was thinking about implementing Yubikey security for my Vanguard account and Yahoo email. Does anyone have experience and advice regarding the use of Yubikey for security in general, or specific experience when using it with Vanguard or Yahoo?
Thanks in advance.
I have successfully stored and use 2FA mechanisms for Vanguard in a hardware key as well as in a synchronized password manager (BitWarden) and both work fine.
Thanks
I’ve used a pair of Yubikey 5 security keys with Vanguard for a while now. They work well and are easy to use. It’s possible Vanguard now supports the newer FIDO standard. If so, there are less-costly Yubikey models available. I’m not sure about Yahoo. If a site supports FIDO passkeys they also work with Yubikeys.
Thanks
There's a gaping security hole in Verizon if you have cable and cell service and share with family members. There is one password for everything. If you give anyone the password so they can stream video on their computer, they have the password to do anything with the account. This is a huge threat to two-factor authentication.
Years ago I wrote to many people at Verizon complaining of this security hole. They need a different password for account management access and video streaming access, But it’s a huge corporation and I was ignored.
I am handling someone else’s finances. They have a brokerage account with a large company. We can log in to see the accounts, but neither of us can make a trade or withdraw assets without calling and talking with a member of a fixed team. This part is very pre-2000. I’m beginning to see its benefits. Sure it’s possible somebody could attack it with AI if they took voice samples, but from the point of view of an internet attack via the account name and password, it’s disabled.
A year ago I searched the Boglehead site and settled on Bitwarden as a password manager. It took several hours to get all set up for myself and each family member but I really like it. I did find it easier to just click forget password on sites instead of being logged in and trying to find how to reset a password. It’s faster to auto fill in with the browser extension or the phone app which works 98% of the time, otherwise I copy/paste. It’s faster and I sleep better with passwords similar to 7@DBC5Hj7NxG1u#M38H0 (used Bitwarden generator to create)
Is the vault option better than the Apple device password manager, and if so, how?
If all your devices are made by Apple, and you only use Safari, then Apple’s new password manager is a fine option and the price is right (free).
Across our family, we have a mix of devices and browsers so we opted for a DashLane family subscription. Their secure notes feature is also a secure place to keep instructions about finding wills etc for when the last of us leaves this vale of tears.
I choose to use a password manager vault system (I use Bitwarden now after several years using LastPass) because then I am not tied to one device system (e.g. Apple) or one browser (e.g. Google or Firefox, which offer to save passwords). Also, the vaults like Bitwarden can do much more than save passwords: saving important and confidential notes such as family SSNs, driver license #s, and details related to a site login. For example, on my credit freeze logins I have a note of the PIN I need to unfreeze the account, and where the one-time code for login is sent (text, email, or authenticator app, because some sites just say "code sent"). I am also trying to learn how Bitwarden can save the more secure account passcodes, similar (I think) to a Yubikey.
If you lose your apple device, you can go to a friend’s device or any sort, and access critical information you need by logging into the website vault of the password manager you use. I couldn’t live without my vault securely storing all this information for me.
Based on our behavior, it is good to reinforce this message, thanks.
I do have a beef with how password managers implement Yubikey authentication. I bought one some time ago and set it up with LastPass, then was dismayed to see a link on the LastPass login that allowed me to bypass the Yubikey and have a code sent to my email instead. I called support and they said that option cannot be turned off. My financial website login pages also provided links to bypass the hardware key.
Why have a more secure authentication method (Yubikey) when any bad actor can just bypass it and use a less secure method? I tossed my Yubikeys and now use a time-based authenticator. I queried an AI chatbot and it confirmed that LastPass and Dashlane still allow bypass (though AI hallucinates a lot so take that with a grain of salt.)
Yes, some services don’t allow you to eliminate phone based mechanisms (text or call) even after you have enabled other 2FA methods (TOTP or Passkeys). That is very unfortunate.
As an alternative for text based authentication, you might want to use a service like Google Voice, as it can be used to receive texts to Google Voice (instead of to a particular phone). You can access those texts via the website and/or have them forwarded as desired – I have them sent to my email account.
But if you have implemented Passkeys and/or TOTP I would recommend disabling text based 2FA wherever you can after you are sure that your other mechanisms are working successfully in all situations and you have duplication of those mechanisms through various means.
Yeah LastPass and YubiKeys was a headache, one reason I switched.
I use an acronym for the password for my password manager. I have a sentence describing my Mom and one describing my Dad. I combine them, use characters (! for letter i), and sometimes flip the sentences. Very easy to remember.
Please educate me. If I am at work and want to create a login for a new website, how do I use the password manager? Or if I already have a password for a website that I created with the password manager, how do I use it? Do I have to log in to the password manager at work or wherever I am?
When I was still working I installed my password manager’s browser extension there too. I used it with external sites I needed in the normal course of doing my job. I’d add a [work] suffix to the name of the entry in my password manager. On the very rare occasion I needed to do some time-sensitive personal task the password manager let me get through it quickly.
I went down a ChatGPT rabbit hole on this as I’ve seen too many articles or news clips on people losing their life savings. Chat helped me by keeping a list of things and prioritizing which things needed to happen first. For example, LastPass should have 2FA and a printed version of our password in a safe. Then it was fortifying emails with 2FA. I think you get the gist. It’s great and part of my monthly subscription.
Fidelity also offers account locking, which is more convenient than two-factor authentication. You do need to use two-factor authentication to unlock your account if you need to move money.
On a related topic, not long ago I listened to a Fidelity webinar about account security. They estimated that 85% of their clients DO NOT use two-factor authentication despite the fact that it greatly enhances the level of account security. The tool is there at no cost: use it.
This piece is from a few years ago, and my memory’s a bit hazy but I recall Fidelity’s implementation of 2FA used to involve some unique hassles, so I have some sympathy for customers who punted. At some point, Fidelity’s 2FA experience improved.
I am a long-time user and promoter of PW managers to my friends and relatives. Unfortunately, there are a few sites, which in their very limited intelligence, don't allow you to paste in your complicated 20-character PW from your PW manager. I do not understand their rationale for doing this. And, they never explain what is happening when the copy/paste fails. So, you try repeatedly thinking you did something wrong, or that the site is broken etc. Or, perhaps the site doesn't like your browser. When you finally realize that these dumb asses have blocked the copy/paste function on their page you are generally a little UPSET.
If you then find that this is also a site which sunsets your PW periodically, requires a symbol or two but doesn’t tell you which symbols are acceptable, insists on using your email address for your logon ID, which just adds to your email spam volume after they are hacked, you might want to find another source of whatever you are trying to get from the site.
And how about a few comments on security questions. More stupidity! All these folks use the same list of questions which after they have been hacked are out there in the dark web with the stolen PWs.
At 79, I am also concerned about how to convey the power of my PW manager, authenticator apps, face ID, fingerprint ID, etc., etc. to whoever might have to deal with my affairs if I had to go into the hospital or died. It ain't easy. With passcodes, sites want to have biometric confirmation that whoever is using your device is you. BUT, then, how do you keep things running when you need stuff to work and it isn't you?
I hope he answers here. I would rather learn here than by trial and error after starting down one road, only to discover that I should have taken the other.
For anyone reading this waaaaay later like me, I’d like to add one brief comment re this statement from the article:
“You want to make this password really strong and unforgettable.”
Look at this explanation of password strength and memorability.
Then Google diceware and go to a site like this one. You can use a set of five actual dice to generate random numbers, and those turn into a passphrase you’ll probably memorize in about a day.
A passphrase is exactly what you want. Lucky me, my spouse is a human passphrase generator as she buzzes around the house singing ditties with words unlikely to appear in dictionary attacks.
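Two kinds of secret come up on this page: the randomly generated site passwords the article says a manager should create (and that a commenter shows, like 7@DBC5Hj7NxG1u#M38H0), and the diceware passphrase recommended above for the one password you must remember. The example below is added here and is not from the article or any commenter. It implements the diceware roll-to-index mapping, draws passphrases and site passwords from the OS random source, and computes the entropy of each so the two can be compared; the word list is a constructed 24-word excerpt (a real diceware list has 7776 entries), so passphrases drawn from it are for demonstration only.

```python
import math
import secrets
import string

# Constructed excerpt; a real diceware list has one word for every five-dice roll
# from 11111 to 66666. Entropy figures below assume the full list.
SAMPLE_WORDS = [
    "abacus", "bramble", "cactus", "dither", "ember", "fjord", "gusto", "hinge",
    "ivory", "jumble", "kettle", "lumen", "marble", "nectar", "oboe", "pylon",
    "quartz", "rivet", "saddle", "tundra", "umber", "velvet", "wicker", "yodel",
]
DICEWARE_LIST_SIZE = 6 ** 5  # 7776


def roll_to_index(roll: str) -> int:
    """Map a five-dice roll such as '31415' to its 0-based list position (base 6)."""
    if len(roll) != 5 or any(c not in "123456" for c in roll):
        raise ValueError("a roll is five digits, each 1-6")
    index = 0
    for c in roll:
        index = index * 6 + (int(c) - 1)
    return index


def index_to_roll(index: int) -> str:
    """Inverse of roll_to_index, for finding a word by number in a printed list."""
    if not 0 <= index < DICEWARE_LIST_SIZE:
        raise ValueError("index out of range")
    digits = []
    for _ in range(5):
        index, d = divmod(index, 6)
        digits.append(str(d + 1))
    return "".join(reversed(digits))


def diceware_passphrase(words: list[str], n_words: int = 6) -> str:
    """Pick words with the OS CSPRNG, the software stand-in for physical dice."""
    return " ".join(words[secrets.randbelow(len(words))] for _ in range(n_words))


def random_password(length: int = 20, symbols: str = string.punctuation) -> str:
    """A site password as a manager's generator makes it: uniform over the alphabet,
    redrawn until every class appears. Narrow `symbols` for sites that accept only
    some punctuation."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits, symbols]
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in classes):
            return candidate


def entropy_bits(n_choices: int, pool_size: int) -> float:
    """Entropy of n independent uniform picks from a pool of pool_size items. The
    class-rejection in random_password discards only a tiny fraction of candidates
    at these lengths, so the figure is a close upper bound for it."""
    return n_choices * math.log2(pool_size)


if __name__ == "__main__":
    print("roll 31415 ->", roll_to_index("31415"), "-> roll", index_to_roll(2704))
    print("6 diceware words :", round(entropy_bits(6, DICEWARE_LIST_SIZE), 1), "bits")
    print("20 random chars  :", round(entropy_bits(20, 94), 1), "bits")
    print(diceware_passphrase(SAMPLE_WORDS), "|", random_password())
```

Six words from the full list give about 77.5 bits, which is plenty for a vault password that is only ever stretched through a slow key derivation and never typed into a website, and a human can learn it. A 20-character random string from the 94 printable ASCII characters gives about 131 bits and belongs in the manager, not in your head. Entropy only holds if the words or characters are chosen randomly; a sentence about your parents, however clever the substitutions, is drawn from a far smaller space.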
Extremely helpful and painful article, thank you David. Your point about protecting one’s email password is something I (embarrassingly) didn’t think about. I just spend a couple of hours starting the process but don’t think I want to bother with a hardware key.
Question: where is/are the “encrypted vault(s)” stored? I’d assume the answer is at least two places; (1) online via hosting from the password software company to aid sync’ing across devices, and (2) on the device such as a computer or smart phone. Thus I’d assume the vulnerabilities with a software-only approach are hacking the online host and hacking one’s personal device? Thanks!
Hi Langston. Glad it helped! The nice thing about YubiKey is you can add that later once you’ve worked through the process of tightening the screws with a password manager. Just be sure you get at least two keys if you do or you can lock yourself out of your own “vault”. The “vault” for most solutions is just an encrypted data file which gets securely sync’d between the client and a cloud service. In the case of things like KeePass you have to supply the device sync solution (OneDrive, Box etc); the others include sync in their solution. The cloud services don’t have access to your master password, so the main point of attack should be on your device. If your device software is not kept secure/up to date, then your password manager is not the only thing at risk of course.
Thank you for this helpful information. I’m curious, why not use a corporate machine with VPN to change passwords?
Hi Natalie. In part because you don’t want your browser to cache personal passwords on a work device. You could clear your cache but then you lose work items too. In terms of usability, I found changing passwords went faster/smoother on a PC or Mac at home with a large screen and mouse/keyboard. After 20+ years of creating accounts I had a few to do 🙂
For those who like a little light reading, here’s an ACM research paper on the topic of password reuse (thanks Tom):
https://people.cs.vt.edu/gangwang/pass.pdf
May I ask, why did you decide to go with YubiKey rather than an app like Authy? Thank you.
Hi Bill. Mainly convenience but also because a hardware key is more secure.