Security concepts and secure passwords have been drilled into me so much that I am almost fatigued by them. For the longest time I knew that I needed to switch to a password manager rather than the 2 - 3 passwords that got reused across the many sites I have signed up to. After seeing so many breaches of popular sites I finally moved to using a password manager this week, and thought I would share some of my learnings. In my household, I definitely found that small steps worked in making the password manager part of the normal process.
Select a password manager
You need to select a password manager before embarking on the journey of updating all of your passwords. Some password managers will generate passwords for you, which speeds things up while changing your passwords. When selecting a password manager, you need to decide which features are the most important to you. Price? Open source? Stored locally? Usability? Mobile apps?
There are several comparison charts floating around the internet that showcase what each password manager offers. For me, KeePass really ticked the most boxes and I almost committed to it, but a trial run with the family stopped me from using it. I have a few accounts on websites that are shared between me and my partner, and her using the password manager as well was key to its continued use. KeePass is great, but my non-technical family really struggled with it, as the user interface changes drastically between the browser extension, the desktop app, and the mobile app. This is because each of these pieces is developed by different people: they are all third-party plugins. Ideally I would have created my own browser extension and mobile application that the family could use. I did not do this because I really wanted to start using a password manager, not spend months writing software first.
We decided to go with LastPass in the end, as it is very simple to use, has a great experience across all devices, and also offers 2FA options if I decide to enable them in the future.
Start with the important passwords
It can be quite an undertaking to go through everything that you have ever signed up for and update the password to something more secure. For me it certainly was, and I definitely didn't get through it all in one sitting. I think the best way to get through it all is to start small. Start with the most important passwords first, the ones that can cause real damage if they are compromised. For me this was my email accounts: if anyone had access to those, the password reset feature on most of the sites I am signed up to would send a reset email straight to them, and every one of those accounts could be compromised in turn. This included an email account that I have had for over 10 years, which probably had its password updated once in that time.
Review third party applications
While you are going through each of your accounts and giving them a random password, it is a good idea to check whether the account is used to sign in to, or grant access to, any third-party applications, and whether you want to continue to allow this. You may find things here that you never intentionally signed up to and may want to remove.
As of the writing of this article you can find what you allow for Google, Facebook and Twitter at these links:
- https://myaccount.google.com/security?utm_source=OGB&pli=1#connectedapps
- https://www.facebook.com/settings?tab=applications
- https://twitter.com/settings/applications
Find things you have signed up for
Search your email inbox for "confirm your email" type emails. This will help you identify any sites that you have signed up for that you haven't yet put into your password management tool.
You probably have several accounts that you signed up for with the same password in the past and have long forgotten about. Googling your name, or common usernames that you have used, will also help you find these accounts. Once you have found them you can either add them to your password management tool or decide to close the accounts.
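The inbox search above can be automated. The script below is an added example, not part of the original post: it scans a handful of constructed sample messages for sign-up style subject lines, pulls the sender's domain, and lists any domain that is not yet in a (hypothetical) list of vault entries. The subject patterns and the "last two labels" domain heuristic are assumptions; extend them for your own mail.

```python
import email
import re
from email.policy import default
from email.utils import parseaddr

# Subject lines that typically accompany a new sign-up (assumed patterns; extend to taste).
SIGNUP_SUBJECT = re.compile(
    r"(confirm|verify|activate) your (e-?mail|account)|welcome to", re.IGNORECASE
)


def sender_domain(msg):
    """Registrable domain of the From: address (last two labels; a heuristic)."""
    _, addr = parseaddr(msg.get("From", ""))
    if "@" not in addr:
        return None
    labels = addr.rsplit("@", 1)[1].lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else None


def signup_domains(raw_messages):
    """Set of sender domains whose subject looks like an account confirmation."""
    found = set()
    for raw in raw_messages:
        msg = email.message_from_string(raw, policy=default)
        if SIGNUP_SUBJECT.search(msg.get("Subject", "")):
            domain = sender_domain(msg)
            if domain:
                found.add(domain)
    return found


def missing_from_vault(raw_messages, vault_domains):
    """Domains with a sign-up email but no entry in the password manager."""
    return sorted(signup_domains(raw_messages) - {d.lower() for d in vault_domains})


# Constructed sample messages (not real mail) and a constructed vault list.
SAMPLE_MESSAGES = [
    "From: Example Shop <noreply@mail.example-shop.com>\nSubject: Please confirm your email\n\nClick the link...\n",
    "From: accounts@example-forum.net\nSubject: Verify your email address\n\nThanks for joining.\n",
    "From: news@example-news.org\nSubject: Weekly digest\n\nThis week's stories.\n",
    "From: Example Shop <noreply@mail.example-shop.com>\nSubject: Welcome to Example Shop!\n\nHello!\n",
]
VAULT = ["example-forum.net"]

if __name__ == "__main__":
    for domain in missing_from_vault(SAMPLE_MESSAGES, VAULT):
        print("not in vault:", domain)
```

To run this over a real mailbox, feed each message's raw text from `mailbox.mbox` (standard library) into `missing_from_vault` with your exported vault domains.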
Two Factor Authentication (2FA)
2FA is a further step you can take to secure your accounts. Not all sites offer it, but all of the major ones that you use likely will. It is a good idea to use it, as it adds an extra layer of security to your account. But you may find that moving to a password manager is a big enough step to take for a while, and do 2FA at a later date. This is the exact approach that I am taking, as I want my family to adopt it, and introducing too much change at once will probably confuse and annoy them.
Taking small steps is definitely working in our household in making the password manager adoption a smooth process.