Improving Your Password Security Strategy—December 2019

by Steve Burton

Whenever we read of high-profile data breaches where usernames and passwords are stolen from large companies such as LinkedIn, Adobe, and eBay, we are reminded to improve our username/password security strategy.

Several months ago, Apple notified me that someone on the other side of the globe was trying to log in using my credentials. I realized that my Apple account was still using a password that I had also used on my account at one of the compromised companies, so I quickly changed it to block the would-be intruder. 

Using the same password to open more than one account is a bad idea, but many of us do this or have done this in the past. Still, how are we supposed to manage our dozens of online accounts without reusing passwords?

The answer is to limit the number of passwords that you actually have to memorize. At a recent security conference I attended, the presenter stated that he only knows one password: the one to his password manager. All of his other passwords are long strings of gibberish. Whenever he needs to use one of these passwords, he uses his one memorized password to unlock his password manager's encrypted vault, which quickly provides the needed password for him.

After years of dragging my feet, I started using LastPass as my password manager last year; now I can't imagine living without it. You may think that it will take forever to switch over, but my computing support team members can help you get started and then you can switch over at your own pace. I encourage you to take this step as well, because it greatly improves your password security strategy.

Steps for Switching to a Password Manager (LastPass)

  1. Create an account
    • Click the Get LastPass Free button and follow the prompts
  2. Choose a master password that you can memorize
    • Follow the password guidelines below, remembering that this password unlocks everything
    • Record this master password and store it in a safe place in case you forget it (with important papers, in a locked box, etc.)
  3. Install the LastPass software
  4. Log in to your LastPass account through the browser extension or the mobile device app
    • For mobile devices, you also need to enable password autofill for LastPass and may want to enable biometric access as well
  5. On a computer, visit a website that requires you to log in (bank, store, association, etc.)
    • LastPass will offer to memorize your credentials for you
  6. Go to your account preferences on the website and request a password change
    • Click the small icon at the right end of the new password box and LastPass will offer to generate a password for you
    • LastPass will then offer to update its memorized password for this site
  7. Repeat the previous two steps for other websites
    • All of the credentials you store in your LastPass vault will be available to you on computers and mobile devices through your LastPass account

Five Principles for Creating a Strong Password

  1. Length (give said the little stream)
  2. Entropy/Unexpectedness (give sang a tiny schtreem)
  3. Special Characters (#236: Give, Sang a Tiny Schtreem)
  4. Exclusivity (use for only one account)
  5. Privacy (don’t use a compromised password like Gandalfthegrey1—you can check your password privacy here)

Guidelines for Passwords You Intend to Memorize

  1. At least 10 characters long
  2. Include at least one number, capital letter, and special character (often required)
  3. Easy to remember (follows a theme)
  4. Easy to type
  5. Example: S0letitbdunn!

Guidelines for Passwords You Don’t Intend to Memorize

  1. At least 20 characters long
  2. Include at least one number, capital letter, and special character (often required)
  3. Randomly generated by your password manager
  4. Stored in your password manager and retrieved whenever needed
  5. Example: Nqf8c6%QRPr$v^aBJzN$
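The checks behind the five principles and the two guideline lists above, written out as an added Python example (not code from the article or from LastPass). It validates a password against the memorized (10-character) and generated (20-character) rules, generates a manager-style random password, flags passwords found in a constructed compromised list, and finds passwords reused across sites; the set of "special characters" is an assumption, since the article does not enumerate one.

```python
import hashlib
import secrets
import string

# Assumed set of special characters; the article requires one but does not list them.
SPECIAL = "!#$%^&*()-_=+[]{};:,.?/"

def meets_guidelines(password, memorized):
    """Return the list of guideline violations (empty list means the password passes).
    Memorized passwords need at least 10 characters, manager-generated ones at least 20;
    both need a number, a capital letter and a special character."""
    problems = []
    min_len = 10 if memorized else 20
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c.isupper() for c in password):
        problems.append("no capital letter")
    if not any(c in SPECIAL for c in password):
        problems.append("no special character")
    return problems

def generate_password(length=20):
    """Build a random password from the OS CSPRNG (secrets, not random) and retry
    until it satisfies the generated-password guidelines."""
    alphabet = string.ascii_letters + string.digits + SPECIAL
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not meets_guidelines(candidate, memorized=False):
            return candidate

# Constructed stand-in for a breached-password list (Privacy principle). Only SHA-1
# digests are kept so the compromised plaintexts need not sit next to the checker.
COMPROMISED_SHA1 = {hashlib.sha1(p.encode()).hexdigest()
                    for p in ("Gandalfthegrey1", "password123")}

def is_compromised(password):
    """True if the password appears in the constructed compromised-password set."""
    return hashlib.sha1(password.encode()).hexdigest() in COMPROMISED_SHA1

def find_reused(vault):
    """Map each password shared by several sites to those sites (Exclusivity principle).
    vault maps site name -> password, as a password manager export might."""
    by_password = {}
    for site, pw in vault.items():
        by_password.setdefault(pw, []).append(site)
    return {pw: sites for pw, sites in by_password.items() if len(sites) > 1}
```

Run against the article's own examples, S0letitbdunn! passes the memorized rules and Nqf8c6%QRPr$v^aBJzN$ the generated rules, while Gandalfthegrey1 fails for lacking a special character and is flagged as compromised.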

LastPass Presentation

Here’s a link to the LastPass presentation I gave at McKay Day in August 2019. If you want to watch the video clip near the beginning, download the PowerPoint presentation. Otherwise, you can view the slides without downloading it.