
Beefing Up Security

David Powell

MANY OF US HAVE little more than a weak, reused password standing between our financial assets and a remote attacker—one armed with powerful tools and a database of passwords from security breaches. This is a losing battle. It’s the most likely way for weak computer security to put our finances at risk.

Think this can’t happen to you? I’ll bet you have at least one password taken in a big security breach. A quick way to find out is entering your email address at Troy Hunt’s HaveIBeenPwned site. My address turns up in almost a dozen big cyberattacks.

We are notoriously bad at creating strong passwords and remembering them. When you decide to create stronger, unique passwords for each site, you quickly discover that managing dozens of randomly generated, site-specific passwords by hand is a headache.

Don’t fret. Password managers like LastPass, Dashlane and 1Password make short work of it. A password manager puts all your passwords in an encrypted vault, leaving you with just one password to remember. You want to make this password really strong and unforgettable. The password manager then fills in the right password for mobile apps and websites whenever you use them.

What can you expect from a good manager?

  • Up-to-date access to your password vault on all devices, regardless of the device’s operating system.
  • Updates to your vault as you create new accounts or update existing passwords.
  • A random password generator that creates really strong, unique passwords. Those passwords will meet each site’s requirements for length and allowed characters.
  • A security challenge which guides you through the work of replacing existing poor passwords—those which are known to be compromised, weak or easily guessed, or which you’ve used more than once.
  • Emergency access to your vault by someone you choose, as well as password sharing with, say, family members for your Amazon Prime or Netflix account.
  • Two-factor authentication for extra vault security.

Some of these are only available in paid versions of the service.
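The random password generator described in the list above has to produce site-specific passwords that are both strong and policy-compliant. The following is an added example, not code from any of the password managers the article names: it draws passwords from Python's `secrets` module (a cryptographically secure source, unlike `random`), rejects any draw that misses a site's stated requirements, and estimates the resulting entropy. The site names and policies are constructed placeholders.

```python
import math
import secrets
import string

# Constructed example policies standing in for what a site's "change
# password" page actually allows and requires. Names are placeholders.
SITE_POLICIES = {
    "example-bank":   {"length": 20, "symbols": "!@#$%^&*", "require_symbol": True},
    "example-shop":   {"length": 16, "symbols": "",         "require_symbol": False},
    "example-legacy": {"length": 12, "symbols": "-_.",      "require_symbol": True},
}


def alphabet_for(symbols):
    """Letters and digits are always allowed; symbols vary per site."""
    return string.ascii_letters + string.digits + symbols


def meets_policy(pw, length, symbols="", require_symbol=False):
    """True when pw satisfies a policy: exact length, only allowed
    characters, at least one lower, upper and digit, and a symbol if
    the site demands one."""
    allowed = set(alphabet_for(symbols))
    if len(pw) != length or any(c not in allowed for c in pw):
        return False
    if not any(c.islower() for c in pw) or not any(c.isupper() for c in pw):
        return False
    if not any(c.isdigit() for c in pw):
        return False
    if require_symbol and not any(c in symbols for c in pw):
        return False
    return True


def generate_password(length, symbols="", require_symbol=False, max_tries=1000):
    """Rejection sampling: draw uniformly from the allowed alphabet and
    keep the first draw that meets the policy. Retrying (rather than
    forcing "one of each class" into fixed positions) keeps the result
    uniform over the set of compliant passwords."""
    alphabet = alphabet_for(symbols)
    for _ in range(max_tries):
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(pw, length, symbols, require_symbol):
            return pw
    raise RuntimeError("could not satisfy the policy; check its constraints")


def entropy_bits(length, alphabet_size):
    """Upper bound on entropy of a uniform draw; the class requirements
    shave off a fraction of a bit, which is negligible at these lengths."""
    return length * math.log2(alphabet_size)


def build_vault(policies):
    """One independently generated password per site, as a manager would."""
    return {site: generate_password(**policy) for site, policy in policies.items()}


def all_unique(vault):
    """Reuse is the failure mode the article warns about; verify none here."""
    return len(set(vault.values())) == len(vault)


if __name__ == "__main__":
    vault = build_vault(SITE_POLICIES)
    for site, pw in vault.items():
        policy = SITE_POLICIES[site]
        bits = entropy_bits(policy["length"], len(alphabet_for(policy["symbols"])))
        print(f"{site:15s} {pw}  (~{bits:.0f} bits)")
    print("all unique:", all_unique(vault))
```

A 20-character draw from a 70-symbol alphabet is roughly 123 bits, far beyond what a breached-password database or brute force can reach; the weak link the article then turns to is the single master password that protects the vault.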

Despite knowing better, I procrastinated in evaluating password managers. That changed the day I tried to picture life for my spouse after I leave this vale of tears. I visualized the chores I handle: banking, bill paying and investment management all involve online accounts. That brought my password problem into focus. A list of passwords in a binder, next to our wills, isn’t secure and it’s a pain to keep up.

After experimenting with a free trial, I bought a family subscription. Moving my password vault from low-ranked to the top 1% took a couple of weekends. Each weekend, I’d spend an hour or two changing passwords, guided by the security challenge and with help from the password generator. Do this on your home PC or Mac, not an office computer.

I started with high-value accounts: email, cellular carrier, and then banks and brokerages. Why email? Most websites let you reset a password by emailing a link to the address on file. If hackers have access to your inbox, they’ll use it to access every online account. The cellular account is also important if you’ve enabled two-factor authentication that triggers text messages with secure codes.

What if someone hacks into your password manager’s vault? If you pick a great vault password, the odds of this are low. But when you have all your eggs in one basket, you want to ensure that basket stays safe. That’s what led me to the YubiKey 5 series hardware keys.

When you use a YubiKey with a password manager, the manager encrypts your vault twice, once with your vault password and again with a secret it gets from the YubiKey. For convenience, I’m using two models of YubiKey. I use YubiKey 5 Nano with my PC and Mac. Meanwhile, YubiKey 5 NFC stays on my keyring for use with my phone. The latter should work with an iPhone 7 or newer, as well as an Android phone with NFC (near field communication).

David Powell has written software or led engineering teams for 35 years. He enjoys work, vegan fine dining, cycling and travel with his spouse. His previous article was Playing Defense.


8 Comments
markLimke
2 years ago

For anyone reading this waaaaay later like me, I’d like to add one brief comment re this statement from the article:

“You want to make this password really strong and unforgettable.”

Look at this explanation of password strength and memorability.

Then Google diceware and go to a site like this one. You can use a set of five actual dice to generate random numbers, and those turn into a passphrase you’ll probably memorize in about a day.
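The comment above recommends diceware for the vault's master password: five dice rolls select one word from a list of 7,776 entries keyed 11111 through 66666, and a handful of such words make a passphrase that is easy to memorize yet very hard to guess. The following is an added example, not code from the article, its author, or any diceware site: it implements that dice-to-word mapping, lets you feed in rolls from physical dice or from the `secrets` CSPRNG, and reports the entropy. The word texts are synthetic stand-ins (`word0000` style) so the script runs offline; in practice you would load a real diceware list from a file.

```python
import math
import secrets

DICE_FACES = "123456"
LIST_SIZE = 6 ** 5  # 7776 keys, 11111 .. 66666


def dice_key(index):
    """Map a word index 0..7775 to its five-digit diceware key (digits 1-6)."""
    if not 0 <= index < LIST_SIZE:
        raise ValueError("index out of range")
    digits = []
    for _ in range(5):
        index, face = divmod(index, 6)
        digits.append(DICE_FACES[face])
    return "".join(reversed(digits))


def build_stand_in_wordlist():
    """Constructed stand-in: real lists pair each key with a memorable word.
    Here the 'word' is just a numbered token so the example is self-contained."""
    return {dice_key(i): f"word{i:04d}" for i in range(LIST_SIZE)}


def roll_five_dice():
    """One five-dice roll from a CSPRNG; equivalent to five physical dice."""
    return "".join(secrets.choice(DICE_FACES) for _ in range(5))


def lookup(wordlist, rolls):
    """Validate a roll string (exactly five faces, each 1-6) and return its word."""
    if len(rolls) != 5 or any(c not in DICE_FACES for c in rolls):
        raise ValueError(f"not a five-dice roll: {rolls!r}")
    return wordlist[rolls]


def passphrase(wordlist, n_words=6, rolls=None):
    """Build a passphrase from supplied rolls (e.g. transcribed from real dice)
    or, when none are given, from n_words fresh CSPRNG rolls."""
    if rolls is None:
        rolls = [roll_five_dice() for _ in range(n_words)]
    return " ".join(lookup(wordlist, r) for r in rolls)


def entropy_bits(n_words, list_size=LIST_SIZE):
    """Each uniformly chosen word contributes log2(7776), about 12.9 bits."""
    return n_words * math.log2(list_size)


if __name__ == "__main__":
    words = build_stand_in_wordlist()
    # Constructed rolls, as if read off five physical dice six times.
    manual = ["11111", "23456", "66666", "31415", "42424", "65432"]
    print(passphrase(words, rolls=manual))
    print(passphrase(words, n_words=6))
    print(f"six words: ~{entropy_bits(6):.1f} bits")
```

Six words give about 77.5 bits, which is why the comment's "memorize it in a day" claim does not come at the cost of strength; the security rests on the rolls being random, so the dice (or `secrets`) do the choosing, never the person.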

Langston Holland
5 years ago

Extremely helpful and painful article, thank you David. Your point about protecting one’s email password is something I (embarrassingly) didn’t think about. I just spent a couple of hours starting the process but don’t think I want to bother with a hardware key.

Question: where is/are the “encrypted vault(s)” stored? I’d assume the answer is at least two places: (1) online via hosting from the password software company to aid syncing across devices, and (2) on the device such as a computer or smart phone. Thus I’d assume the vulnerabilities with a software-only approach are hacking the online host and hacking one’s personal device? Thanks!

David Powell
5 years ago

Hi Langston. Glad it helped! The nice thing about YubiKey is you can add that later once you’ve worked through the process of tightening the screws with a password manager. Just be sure you get at least two keys if you do, or you can lock yourself out of your own “vault”. The “vault” for most solutions is just an encrypted data file which gets securely synced between the client and a cloud service. In the case of things like KeePass you have to supply the device sync solution (OneDrive, Box etc.); the others include sync in their solution. The cloud services don’t have access to your master password, so the main point of attack should be on your device. If your device software is not kept secure/up to date, then your password manager is not the only thing at risk of course.

Natalie Jane
5 years ago

Thank you for this helpful information. I’m curious, why not use a corporate machine with VPN to change passwords?

David Powell
5 years ago
Reply to Natalie Jane

Hi Natalie. In part because you don’t want your browser to cache personal passwords on a work device. You could clear your cache but then you lose work items too. In terms of usability, I found changing passwords went faster/smoother on a PC or Mac at home with a large screen and mouse/keyboard. After 20+ years of creating accounts I had a few to do 🙂

David Powell
5 years ago

For those who like a little light reading, here’s an ACM research paper on the topic of password reuse (thanks Tom):
https://people.cs.vt.edu/gangwang/pass.pdf

Bill
4 years ago

May I ask, why did you decide to go with YubiKey rather than an app like Authy? Thank you.

David Powell
4 years ago
Reply to Bill

Hi Bill. Mainly convenience but also because a hardware key is more secure.
