MANY OF US HAVE little more than a weak, reused password standing between our financial assets and a remote attacker—one armed with powerful tools and a database of passwords from security breaches. This is a losing battle. It’s the most likely way for weak computer security to put our finances at risk.
Think this can’t happen to you? I’ll bet you have at least one password taken in a big security breach. A quick way to find out is entering your email address at Troy Hunt’s HaveIBeenPwned site. My address turns up in almost a dozen big cyberattacks.
We are notoriously bad at creating strong passwords and remembering them. When you decide to create stronger, unique passwords for each site, you quickly discover that managing dozens of randomly generated, site-specific passwords by hand is a headache.
Don’t fret. Password managers like LastPass, Dashlane and 1Password make short work of it. A password manager puts all your passwords in an encrypted vault, leaving you with just one password to remember. You want to make this password really strong and unforgettable. The password manager then fills in the right password for mobile apps and websites whenever you use them.
What can you expect from a good manager?
Some of these are only available in paid versions of the service.
Despite knowing better, I procrastinated in evaluating password managers. That changed the day I tried to picture life for my spouse after I leave this vale of tears. I visualized the chores I handle: Banking, bill paying and investment management all involve online accounts. That brought my password problem into focus. A list of passwords in a binder, next to our wills, isn’t secure and it’s a pain to keep up.
After experimenting with a free trial, I bought a family subscription. Moving my password vault from low-ranked to the top 1% took a couple of weekends. Each weekend, I’d spend an hour or two changing passwords, guided by the security challenge and with help from the password generator. Do this on your home PC or Mac, not an office computer.
I started with high-value accounts: email, cellular carrier, and then banks and brokerages. Why email? Most web sites let you reset a password by emailing a link to the address on file. If hackers have access to your inbox, they’ll use it to access every online account. The cellular account is also important if you’ve enabled two-factor authentication that triggers text messages with secure codes.
What if someone hacks into your password manager’s vault? If you pick a great vault password, the odds of this are low. But when you have all your eggs in one basket, you want to ensure that basket stays safe. That’s what led me to the YubiKey 5 series hardware keys.
When you use a YubiKey with a password manager, the manager encrypts your vault twice, once with your vault password and again with a secret it gets from the YubiKey. For convenience, I’m using two models of YubiKey. I use YubiKey 5 Nano with my PC and Mac. Meanwhile, YubiKey 5 NFC stays on my keyring for use with my phone. The latter should work with an iPhone 7 or newer, as well as an Android phone with NFC (near field communication).
David Powell has written software or led engineering teams for 35 years. He enjoys work, vegan fine dining, cycling and travel with his spouse. His previous article was Playing Defense.