How Did We Get Here?

Passwords have become the bane of our modern computer existence. Just about every web site we visit requires that we create an account to use any of its features. That means creating and remembering yet another password. To make it interesting, every web site has a slightly different set of rules for its passwords. Your password has to be long, but not too long. You have to use mixed case and throw in a least one number. Some require you to use a “special character,” but only certain ones. Some sites don’t let you use special characters at all. Some of them are even more restrictive. You can’t use any dictionary words. It can’t have repeated letters. It can’t contain your name or user ID or anything that looks like a date. In short, they all require that your password be very hard to guess and yet somehow also be something you can easily remember. And just to add insult to injury, some systems require that you change your password on a regular basis.

It would be bad enough if we had to do this only once, but in our modern online world, most of us have dozens if not hundreds of different web sites that require us to log in. And so we all do the same thing: we come up with one or two favorite passwords that meet all the stupid rules, and we use them for everything. How else can we possibly remember them all? And yet, that’s precisely what you should not do. I’ll explain why in a bit.

So, how did we get into this horrid state of affairs? Why do we need all of these passwords? In some cases, it’s obvious—you don’t want just anyone to have access to things like your online bank accounts. Somehow you need to convince your bank’s web site that you are who you say you are and prevent someone else from impersonating you. This process is called authentication . We use these credentials (username and password) to prove our identity. It’s not foolproof, of course—someone could steal or guess your password and then gain access to your account. It’s like the key to your house. Ideally, only you have the key that opens your front door, but if you lose your key or lend it to someone who secretly makes their own copy, then someone else can open the lock. It’s better than nothing, but it’s not perfect.

However, there are many web sites that have nothing of yours that needs protecting, and yet they still require you to sign up for a “free” account , meaning you have to create a set of login credentials. Why is that? Because they want to track you and they want to be able to send you e-mails with advertisements. They may tell you it’s for your own benefit—allowing you to customize your settings, share things with your friends, save info for later, get customer support, etc. But in the end, it’s probably about tracking what you do and building up a profile on you that they may use for themselves or sell to others or both.

There has to be a better way, though, right? Isn’t there something else besides passwords? Let’s look at this a bit because it’s good to understand how we got where we are.

Most people immediately think that the best method is “something you are.” You can’t forget it! You can’t lose it! However, biometrics have some serious drawbacks as a primary means of identification. What if you have a disfiguring accident? Or what if someone manages to make a viable copy that fools the system? For example, you may be able to fool a simple facial recognition system with a picture of the authorized user’s face. Or why not simply remove someone’s finger to fool a fingerprint scanner? You can’t control something that you are. If that method of authentication is somehow compromised, you’re screwed for life. But it’s more than that—you also can’t hide or change who you are. There are many situations where you want to prove to the web site that you are the same person who was here last time, but you don’t actually want them to know who you are specifically. That is, you want anonymity. Nevertheless, biometrics are used in many hypersecure environments, and the technology is becoming cheap enough to be used on laptops and smartphones. Biometric identification can be useful as a second authentication factor, but it’s not good as a primary or sole factor. In truth, biometrics are really more like user IDs than passwords.

What about “something you have”? The problem with this solution is that, until recently, it was not common for computers to have any sort of mechanism for detecting and identifying something you have in your possession. Computers were pretty much guaranteed to have only one form of user input: a keyboard. Whatever technique they came up with had to be something that every computer could do, which is why they settled on a string of characters (i.e., a password or a personal identification number, or PIN). However, most devices today now have wireless technologies like Bluetooth and Wi-Fi built in, which will allow us to start using things like our smartphones to authenticate ourselves. In fact, there’s a promising new technology called Secure Quick Reliable Login, or SQRL¹ (pronounced “squirrel”), that will allow you to simply scan a code on your phone, tablet, or computer to log in to web sites. It automatically generates a secure code for each web site and remembers them all for you! Best of all, there are no secrets that need to be saved on the servers, so there’s nothing to steal! There will undoubtedly be other such technologies coming out of the woodwork in the years to come because passwords are so bad... but for now, passwords are what we’re stuck with.

Understanding Password Strength

So, if we’re stuck with passwords as our primary form of authentication, then we need to understand what constitutes a “good” password. To truly understand this, first we need to understand how the bad guys try to guess our passwords and hack into our accounts. There are two key scenarios to consider: I will call them online attacks and offline attacks . I think when most people consider the threats to their accounts, they think of online attacks: a live human being sitting at a computer somewhere trying to log into your bank account. They try to guess your password over and over till they either get in or give up. That’s actually not very common, but let’s discuss it because it does happen. In this case, a human has somehow picked you out of the billions of people out there and decided they want to hack your accounts. So, they figure out where you do your banking (somehow), guess your user ID (maybe it’s just your e-mail address), and then slowly and methodically try to guess your password. If they know you (or maybe if they’ve found your Facebook page), they can make some educated guesses: your pet’s name, your kid’s name or grandkid’s name, your address, your anniversary, your alma mater, your favorite sports team, etc. While this is a real risk, it’s actually a small one, and I think most of us realize this. What are the chances that someone is going to target little old me? Unless you’re rich or famous or you ticked off a wacko, there’s really not much of a reason for someone to attack you, personally. This sort of attack is also just not that efficient—it’s hard to pull off.

The more common threat for John Q. Public is the offline attack . Surely by now you’ve seen the news stories about companies having their servers hacked and then asking all their customers to reset their passwords. In these situations, hackers break into the computer systems of a large company, and they steal their customers’ information. This often includes names, addresses, phone numbers, credit card numbers, and passwords. The passwords are almost always scrambled, but unfortunately it’s not always done properly. So at this point, the bad guys have this juicy vault full of information in their possession, and they have all the time in the world to try to crack it open. That is, they have copied thousands or millions of encrypted passwords to their local computer and can now try to crack them all.

Let’s compare this to the previous case. In the online attack , a human (or perhaps a computer) is trying to log into a single person’s online account by guessing individual passwords. The web site is slow, so you can’t roll through a long list of different passwords quickly. And if the web site is secure, they will cut you off after you fail too many times anyway. But in an offline attack, the bad guys have a massive collection of scrambled passwords in their hot little hands, and they can just crank up a computer to guess billions of passwords per second until they start finding matches.

So, the bad guys aren’t starting from scratch. They know human nature, and they know that most people will choose something they can remember, probably something pronounceable. That significantly reduces the number of guesses they have to make. The scrambling process for the passwords they’ve stolen is not directly reversible, but the scrambling process (known as hashing ) is well-known and repeatable—so all they need to do is take a guess, scramble it, and see whether it matches one of the other scrambled passwords.

So if I find 5f4dcc3b5aa765d61d8327deb882cf99 somewhere in my stolen list of scrambled passwords, then I know the password for that account is password. (There are techniques that make it harder to do this, but sadly they’re not used as much as they should be.)

The first passwords the bad guys try are the popular ones, based on much larger lists like the one in Table 4-1. In fact, this list is so useful that hackers usually have all the scrambled versions of these passwords precalculated to save time. If these don’t work, they move on to dictionary words, common names, phrases from pop culture, sports-related terms, and so on. They try them all forwards and backwards. They replace some letters with numbers or symbols (zero for O, @ for a, etc.). Believe it or not, this process is usually enough to guess most of the stolen, scrambled passwords.

But surely this must take a lot of time, you say. It doesn’t. Computers can crank out these guesses and compare them to every stolen password millions or even billions of times per second. Using common guessing techniques like this, hackers can usually recover most of the stolen passwords in a matter of hours. This is why companies that have been hacked will often immediately lock all their user accounts and force everyone to reset their password.

That would seem to be very effective, right? If we just invalidate all the stolen passwords, then this must stop the hackers dead in their tracks. What’s the point of guessing these passwords if they’re almost immediately reset? The problem is that people tend to reuse their passwords. If you used “CowboyUp!” as your password for one web site, the bad guys know that it’s very likely that you used that same password for some of your other online accounts. While hacked-site.com has invalidated that password on their system, what about other-site.com where you used that same password?

This is why it’s crucially important that you use a strong, unique password for each and every online account you have, at least the ones that are important. Important ones would be your financial accounts, any web site that has your credit card info, your social media accounts, and your e-mail accounts. You might not think your Facebook and Gmail accounts are that important, but they can be used to impersonate you, luring people you know into clicking links or giving up information that will get them in trouble. Also, when you forget your password, almost all web sites use your e-mail account to send you a link to reset your password. If a bad guy can get to your e-mail account, they can log into your banking site and request a password reset—and then intercept the e-mail and set the password to whatever they want. Worse yet, they can change your e-mail password and lock you out, preventing you from fixing the problem. It’s very hard to convince your e-mail provider that you are the true owner of your account when you can’t even log in. (And good luck getting them on the phone.)

Now we come to the crux of the chapter: what makes a strong password? When choosing a new password, many web sites will tell you to include numbers, uppercase and lowercase characters, and “special characters,” like punctuation marks. They will often have a little password strength indicator that will indicate, as you type, how strong your password is. These “strength meters” are handy, but they’re sometimes too simplistic and may give you a false sense of security. So I want to educate you on what truly makes a strong password. We’re going to get into a little math here, but don’t be afraid…I’ve got you covered.

Let’s start with a simple case: a personal identification number (PIN). These are most often used with ATM and debit cards, but we also use them on our phones and tablets. They’re usually four digits long—some sequence of numbers from 0000 to 9999. Each character in this PIN has ten possible values: 0 through 9. If you take all possible combinations of four digits, that’s 10,000 total possible values. To get that value (10,000), you take the number of possible choices for each digit (in this case ten) and multiply by itself for each digit in the PIN (four). That’s 10 times 10 times 10 times 10, or 10,000. This is the same as 10 to the 4th power. (I know, your eyes are starting to glaze over and you’re having horrible flashbacks to middle school math…just bear with me a bit longer; I promise you won’t actually have to think this stuff through.)

Ten thousand possibilities may seem like a lot, but a computer can crank through those values in a fraction of a second. However, PINs are almost always used in cases that require human input, and that’s why they’re good enough. That is, trying to guess a PIN would be an example of an “online” attack—the hacker would have to be there, in person, entering all of these guesses by hand. The attacker would need to steal or somehow copy your card, as well. Finally, most systems will lock the user out (and probably keep the card) if there are too many wrong guesses. For these reasons, PINs are usually good enough for these situations.

Now let’s consider the case of passwords. Remember that the worst-case scenario for guessing passwords is an offline attack where the bad guys can just sic a computer on the problem and walk away. Assuming we avoid the common passwords as we discussed earlier and choose a truly random password, then the attackers have no choice but to just try to guess all the possible passwords…that is, start with a, then b … eventually aa and ab and bb, and so on, and on, and on. This is known as a brute-force attack and is limited only by the speed of the computer and the complexity of the password. This is enormously more difficult to do, as long as the password is sufficiently long and random. In fact, for all practical purposes, if you choose a strong password, then it’s effectively unbreakable.

To understand this, we have to use the same mathematical approach we used earlier on PINs to judge the strength of a password. First, we’re adding more possible values for each character—not just numbers but letters and other keyboard characters. There are 10 numbers and 26 letters in the English alphabet. Each letter can be uppercase or lowercase. If you’re keeping count, we’re now at 62 possible values (10 letters + 26 lowercase letters + 26 uppercase letters). Let’s stop right there and check our math. If we have an 8-character password that is only made up of letters and numbers, that means we have 62⁸ (62 to the 8th power) possible values.

That’s more than 200 trillion! Wow, surely that’s good enough, right?

Not really. A fast computer performing an offline attack could conceivably guess 100 billion passwords per second, meaning that it could try all 221 trillion values in just under 37 minutes. That’s not really good enough, especially when you have to assume that the supercomputers at the NSA are probably at least 1000 times faster (100 trillion guesses per second). Such a computer could chew through all those possible values in just 2.21 seconds. In the age of government surveillance, we need to consider the worst case—and we need better passwords.

This is why adding more types of characters to the mix is so important. If you add punctuation characters (period, comma, semicolon, etc.) you can add about another 33 possible values, bringing the total number of possible characters to 95. If you raise 95 to the 8th power (95⁸), you can lengthen the guessing time for our regular hacker’s computer from 37 minutes to almost 19 hours. For the supercomputer, we go from a paltry 2.21 seconds to a little over a minute. Hmm…still not good enough for me. The answer is to make the password longer—with all due respect to our intrepid Mr. Bradford from 1970s TV, eight is simply not enough! Look at Table 4-2 to see how much difference a few extra characters makes, and you’ll see why longer passwords, even just a little longer, are so important.³

So, how can we possibly come up with dozens if not hundreds of unique, strong passwords and expect to remember them? The simple answer is: you can’t. That’s where password managers come in.

Managing Your Passwords

The bottom line is that you should not know any of your web site passwords. Any password you can remember will have some sort of inherent pattern, and the bad guys have gotten really, really good at predicting those patterns. The human brain is just not up to this task. The only possible way to create an unguessable, unique password for every online account you have—and be able to instantly recall them all—is to use a password manager.

What is a password manager? A password manager is a software application or web browser plugin that helps you to generate truly random passwords and then remembers them all for you. A good password manager will automatically fill in these passwords for you on web sites that require a login and even synchronize your “password vault” across multiple computers and devices so you can access them anywhere.

Now, if I’ve done my job here, there should be all sorts of sirens going off in your head. If you’re properly paranoid, you must be screaming right now: “Why on Earth would I trust all of my passwords to some unknown third party? What if they get hacked? All my eggs are in one digital basket!” And guess what…you’re absolutely correct. However, I’m here to tell you that it’s still the best option available to you. The pros far outweigh the cons; the benefits trump the risks. Think of putting all your valuables in a big safe. Yes, all the goodies are in one box... but that one box is really, really strong. People who make these vaults are experts in making them secure; it’s what they do, and they wouldn’t be in business very long if they didn’t do it well.

Password managers are built for the express purpose for being secure. Password managers will encrypt all of your precious data on your local machine, using a master key or password that you provide. The password manager people will have no way to access your passwords, and neither would a hacker that got hold of your password database. That’s the whole point, really. You open your vault with one master password that only you know, and then you put all your other passwords and sensitive information inside this vault and lock it. The locked (encrypted) vault can be safely sent between your devices and even stored on the password manager’s company servers. Yes, it’s scary—and you should be nervous about trusting any third party with all your passwords. But in reality, they don’t have your passwords; they have a blob of scrambled data that is completely inscrutable to them or to any hacker that manages to steal it.

As a side note, many cloud storage companies will tell you that they lock up your data with “military-grade” encryption. That may well be true, but the real question is: who holds the keys? Here’s a little test for whether you can trust a third party with your sensitive encrypted data. Call up their technical support staff and ask them what they can do to recover your data if you forget your password. The answer better be “we’re sorry, we can’t help you.” If they have any way to get to your encrypted data back for you, then they can get at your data any time they want because you don’t have the real master key—they do.

Dropbox is a good example of this. If you haven’t heard of Dropbox, it’s a cloud storage provider that allows you to synchronize files and folders across multiple computers through the Internet. If you place a file in your Dropbox folder at home, it will magically appear in your Dropbox folder on your work computer—and vice versa. It’s sort of like having a magic folder that can be seen by any computer where you’ve installed Dropbox. It’s an extremely useful tool if you want to share files between multiple computers and devices. I have no doubt that they use heavy-duty encryption on the copies of your files that they store on their servers, but they also have full access to those files. That is, they can decrypt them whenever they want. They need to be able to decrypt them in order to provide many of the services they offer, such as letting you log into a web page where you can see the file names and search the content of the files. If the feds come knocking with a search warrant, Dropbox can give them full access—even though they are locked with “military-grade encryption.” This is true of most services that I’ve seen, including Apple’s iCloud. (We’ll talk about ways to work around this later.)

A password manager can also hold other sorts of sensitive information for you: credit card and bank account info, PINs , medical and healthcare data, Wi-Fi passwords, driver’s license and other key ID numbers, passport info, lock combinations, Social Security numbers, and any other secrets you may want to write down in a safe place. Where do you store this info now? Slips of paper in your wallet? Notes in your address book? Sticky notes on your computer monitor? This information is much safer in a secure digital vault, and as an added bonus, your passwords will be accessible anywhere you have a computer or a smart phone (even without an Internet connection).

Some password managers will allow you to securely share specific bits of information with friends and family, as well. It’s even possible to allow someone else to log in to one of your online accounts without actually letting them see your password! When hooked up to your web browser, you can use password managers to automatically fill in credit card and address forms, saving you the hassle. Once you’ve installed a password manager, you’ll be amazed at all the things it can do for you, and you’ll wish you had done it sooner.

You might know that most web browsers will also offer to store your passwords for you and automatically fill them in. Some will even sync them across computers for you. But I strongly recommend you do not use these built-in services—use a separate password manager and turn this feature off in your web browser. We’ll talk about that more later.

Spoiler alert: when we get to safe web surfing later in the book, we’ll learn about how the bad guys often try to trick you with fake web sites. Another major plus for using a password manager is that they aren’t fooled by look-alike web addresses!

Choosing a Master Password

While a password manager can be used to remember all your web site passwords, you will still need to memorize at least one password: the master password for your password vault. So now we’re back to the drawing board, right? You still have to find some way to come up with a really tricky password that you can easily remember but the bad guys can’t guess. However, you only need to remember one such password, not hundreds.

There are various techniques for generating a really good password that you can still remember easily. I’m going to discuss some options here to get you started, but you should then come up with your own algorithm. It can be a combination of these ideas, or something you come up with on your own that’s similar. The key is to find a string of letters, numbers, and special characters that do not have any obvious patterns, like words in the English dictionary, dates, ZIP codes, phone numbers, and so on.

A popular method for coming up with the base for your password is to think of a phrase from a movie, poem, song lyric, or book—a phrase that you can easily memorize, perhaps one you already know by heart. It shouldn’t be a phrase that people would associate with you, though, because you don’t want anyone to be able to guess it. Then take the first letter of every word in that phrase to create your password. Include things like punctuation that exists in the phrase—capitalization, commas, question marks, and exclamation points. Change some letters to numbers or symbols, too—like 3 instead of E, $ instead of S, and so on.

I changed a to @, changed s to $ and changed i to 1 (one). Now, you don’t have to do all of these changes, you might just do some of them. The key is that you must remember which changes you made.

That’s a 14-character password that includes uppercase and lowercase letters, numbers, and symbols. That’s plenty strong enough for our purposes. The semicolon trick may seem trivial—it may even seem wrong. It’s a repeated character! Isn’t that a no-no for passwords? Yeah, sure. Sorta. But you just made your password three characters longer with almost zero effort. This is the concept of password haystacks , which I referenced in the previous section. If a bad guy is trying to guess your password and can’t figure it out using the standard English dictionary type attacks , then they will have no choice but to brute force it (that is, try every possible combination of letters, numbers, and symbols). And at that point, every character you add multiplies the guessing effort by almost 100. Adding three semicolons to your already-hard-to-guess password just made it almost a million times harder to guess!

Now you need to come up with your own technique. Maybe you put your three extra characters at the beginning. Maybe you put a period between every letter. Maybe you repeat every punctuation character twice. But just make sure that whatever you come up with is something you’ll remember, something that “makes sense” to you.

Doing the Two-Step

Earlier in this chapter, we talked about the various factors we use to prove our identities: something we know, something we have, or something we are. When you require more than one of these, we call it multifactor authentication . In the case where two factors are required, we call it two-factor authentication . Many web sites and services are starting to offer a two-factor authentication option, which is a fantastic way to increase security with only a little extra effort. The primary factor is your password (something you know). The second factor is either something you have (like your smartphone) or something you are (like your fingerprint).

Let’s look at a couple of examples to see how it works. Google offers various ways to add a second authentication factor to your Gmail account. This second factor can be required all the time or, more commonly, only for “untrusted” computers and devices. That is, the first time you try to log in from a new device, Google will require that you use a second factor to prove you are really you. At that point, you can decide to tell Google that this device is trusted and whenever you log in from this device in the future, you can skip the second factor. But if you were logging in from a public computer, say at a library or a cybercafe, you would not “bless” this device, leaving it as untrusted.

One method Google offers for second-factor authentication is to send you a text message. After registering your cell phone with Google, it can send you a text message with a special one-time PIN that you will have to enter in addition to giving Google your regular login credentials.

Another method Google offers, which is very cool, is a smartphone app called Google Authenticator . This app, once properly registered and synchronized with Google, will generate a six-digit PIN that you will need to enter along with your regular credentials. The cool thing is that this PIN changes every 30 seconds. Google is generating the same series of PINs on its end so that they always match. You can use this tool for other services besides Google, too—Dropbox and LastPass both offer Google Authenticator two-factor authentication. Each service has its own PIN, and all your PINs are accessible in a single window of the Google Authenticator smartphone application.

The key thing to realize about two-factor authentication is that now the bad guys have to beat you two ways in order to crack your accounts. Even if they somehow manage to guess or hack your password, now they also need to have your cell phone. That makes their job a hell of a lot harder. Also, if you have an account that is protected with two-factor authentication and that company’s servers are hacked, you don’t have to rush to change your password.

Note that there have been several successful attacks against the texting services. It’s not easy, but it’s possible. A technique involves a person convincing your cellular provider that they are you and claiming they’ve lost their phone. They convince your provider to give them a new phone... and now your phone no longer works, and the new phone is getting all your calls and text messages. Another technique is to hack the cellular communication network itself, which isn’t as hard as it should be. So... if you have the choice, you should always go for the time-based PIN (e.g., using Google Authenticator app ) over text/SMS.

Periodically Changing Passwords

If you’ve ever worked at a large company with an information technology (IT) department, then you’ve probably had to have a password to log in to your work computer. Furthermore, you’ve probably also been required to change that password every three to six months.⁴ You can’t reuse old passwords, and sometimes they even check to see that your new password is sufficiently different from your previous one.

You’re probably wondering a) why they do this and b) whether you should do the same thing yourself for your personal passwords. For companies, the real issue is not preventing employees from getting access to sensitive information; it’s to prevent nonemployees from getting in, not just hackers but previous employees. Companies also will compartmentalize information so that some people can access things and others can’t. If your personal login credentials were somehow stolen or cracked, then someone could get to whatever company resources that you can access. Someone with these credentials in hand would try to snoop around without being caught—that is, they probably wouldn’t do anything that would draw attention. If they allow themselves to be discovered, then your IT department will lock your account, and they will lose their access. Your password will be reset, and you will be allowed back in, but they won’t know that new password. To combat this, companies try to limit these windows of opportunity. Forcing you to change your password every so often will also mean that someone else who managed to figure out your password will have only a short time to use it.

For your personal accounts , the problem is usually different. Someone who wants access to your accounts will probably want to use them (as opposed to just spying on you without leaving a trace). They may buy things in your name or try to transfer your money to their accounts, for example. If they were breaking into your e-mail account, they may be satisfied to just read your e-mails, in which case changing your password every so often would help. But generally speaking, you will probably know if someone hacks your account because they will probably do something with it.

So, should you periodically change your passwords? And if so, how often? This is completely up to you. Generally, I don’t think it does much good to change passwords periodically for no reason. If you’re worried that someone might be lurking on your account, just reading information but not actually changing anything, then you might want to change that password. If you have ever given out your password to someone else for any reason, you should change your password when they’re done using it. When one of your online service providers is hacked and the password database is compromised, they should send you an e-mail telling you to change your password, and of course you should do that right away. They may even reset it for you or lock you out until you re-authenticate. But beyond that, you can probably just leave your passwords alone, as long as they’re strong (and particularly if you have two-factor authentication turned on).

Summary

Checklist

This checklist covers one of the most important, most powerful defensive steps in the entire book. Please do not skip this one!

There are a handful of good password managers out there, each with their own pros and cons. You are of course free to choose whatever password manager you want, but for this book I am recommending LastPass. LastPass has been vetted by people I trust: independent third parties who know a lot about security were given access to the source code and spent serious time scrutinizing the tool for security holes. LastPass has some really nice features that we will be using that may not be available with other products. LastPass is supported by all major web browsers on all major operating systems and also has strong support on both iOS (iPhone and iPads) and Android devices. For web browsing on a computer or mobile device, the service is completely free. This includes securely synchronizing your password vault to multiple computers and your mobile devices. This service is sufficient for just about everyone. It offers some premium features for a few dollars a month that are worth considering, but the basic service is totally free.

So, feel free to use the password manager of your choice, but all the examples and suggestions in this book will use LastPass. Some other options to consider, if you’d like to do some research and make your own choice here, are 1Password, Dashlane, Roboform, and KeePass. KeePass in particular is a good option if you can’t stand the thought of saving your passwords to the cloud, but if you have multiple computers, you’ll have to figure out a way to take your password vault with you (like on a USB thumb drive) or use some other cloud service to sync your vault.

Note that we have a little bit of a chicken-and-egg situation here. The LastPass installer will install a plugin for every web browser you currently have installed, but in a later chapter, you may be installing a new web browser. At that point, you’ll have to rerun this installer. Unfortunately, we need LastPass before then to help us generate and save some kick-butt passwords. But I’m just giving you a heads-up that you may have to do this more than once.

Tip 4-2. Install LastPass on Your Computer

1. 1.

   Go to the LastPass web site: https://lastpass.com /.

    
2. 2.

   Take a look around the web site and learn what LastPass can do and how it works. Trust me, this is important—you’ll want to know this information, and I’m not going to try to repeat it here.

    
3. 3.

   The exact process for installing and signing up for LastPass changes too often for me to explain it here in detail. But basically you need to do two things: install the browser plugin and sign up for a free account. Use the kick-butt master password you just created! It will give you the option of storing a password hint…I would avoid this. You’re honestly better off writing down your password and storing it somewhere safe.

    
4. 4.

   Once you have the LastPass plugin installed and you’ve signed up for your account, you're ready to start adding passwords! You can access your password vault by clicking the LastPass icon (as of this writing, it looks like a button with an ellipsis: …).

    
5. 5.

   Your initial, empty vault should look something like Figure 4-1.

    

1. 6.

   I strongly recommend taking the tour and watching the tutorials. LastPass does tons of cool stuff, and the tutorials are the best way to understand how it all works. Please, just do this right now before you go any further. You can find them under More Options and then the Help menu.

    

Note

If you have a ton of saved passwords in your browser, you can jump through some hoops to import them into LastPass. It’s not as easy as it used to be (which is actually good because the browsers are locking this down more). You may have to first export the saved passwords from your browser’s vault to a file and then import that file’s contents into LastPass. But if all those passwords are crappy... you’re frankly going to want to reset them to something better anyway (covered later in this chapter).

Tip 4-4. Enable Two-Factor Authentication

This is strongly recommended. You’re going to be putting all of your passwords in a single place—all your eggs will be in one digital basket. You should protect it well. Hackers are going to start focusing their efforts on breaking into password managers, so having some “defense in depth” here is very smart. Note that once you enable two-factor authentication, you must have your cell phone with you whenever you want to log into LastPass on an untrusted computer. I know that sounds like a pain, but you honestly get used to it pretty quickly. And most of us keep our cell phones with us all the time.

Note that LastPass has its own authenticator app, and that app has some advantages for LastPass itself. However, I recommend using Google Authenticator instead. It’s more versatile, is easy to use, and is supported by many, many services.

1. 1.

   Download and install the Google Authenticator app on your smartphone. Launch the app. You will probably have to set it up first, so follow the instructions carefully. This may involve sending a text message to your phone.

    
2. 2.

   Using your computer’s web browser, click the LastPass icon in the toolbar and open your LastPass vault. Open Account Settings.

    
3. 3.

   Click the “Multifactor options” tab. Find Google Authenticator and click the pencil icon to enable this service.

    
4. 4.

   On the next screen (Figure 4-2) , you’ll want to enable Google Authenticator.

    

1. 5.

   If your smartphone has a camera, then use the Barcode option. Click the View link to reveal your barcode. You should see a square QR code like Figure 4-3.

    

1. 6.

   Open the Google Authenticator app on your phone. Click the plus sign to add a new account.

    
2. 7.

   Click the “scan barcode” button. Hold the phone up to the QR code on your computer screen until it scans. You should then start seeing the 30-second PIN codes on your screen.

    
3. 8.

   If your phone doesn’t have a built-in scanner, you can click the Private Key link to get a manual code. Then select “enter manually” on the Google Authenticator app to enter this code.

    
4. 9.

   At this point you will need to enter one of your six-digit codes to verify that it works.

    

Note that this is exactly the process you’ll use when adding other accounts to Google Authenticator.

Tip 4-9. Generate Strong Passwords for Key Accounts

You will eventually want to do this for all of your online accounts, which may be time-consuming. At first, focus on the critical ones: your e-mail, social media, and financial accounts, plus any web sites that have your credit card information on file. You can use the output of your security check to find and change the passwords for these sites. Just click the “Visit site” button next to the entry in the list. (LastPass can actually automatically change passwords on some sites! Use this option where you can to save yourself some time and effort. Otherwise, follow these instructions to manually change them.)

1. 1.

   Go to the web site for which you’d like to change your password.

    
2. 2.

   If this web site is already in your LastPass vault, it should automatically fill in your username and password. You’ll know it’s LastPass doing this because the form boxes will have a little LastPass ellipsis icon at the far-right end (see Figure 4-4). If you see an icon there with a little number on it, that means that LastPass thinks it may know multiple logins for this page. In either case, click the icon to select your login.

    

1. 3.

   If this web site is not already known by LastPass, you will need to log in manually. If you had to enter your ID and password by hand, once you click the button to log in, LastPass should ask you if you want to save this password—say yes!

    
2. 4.

   Every web site is different here. You’ll need to figure out how you change your password for each site. It’s usually in your “account” or “profile” or “security” settings. Click whatever links/buttons you need to bring up the form for entering a new password.

    
3. 5.

   In the new password form fields, you should see another little icon at the right side like a lock with a circular arrow around it. This is the button that will ask LastPass to generate a kick-butt random password for you. When you click this icon, it will pop up the “Generate password” dialog box. If you click the More Options button, you will see something that looks like Figure 4-5.

    

1. 6.

   For most web sites, I recommend a password of at least 12 characters, but since you’ll never have to type this yourself, why not go to 15 or 20? If you are unlucky enough to be on a web site that does not allow certain types of characters or passwords of a certain length, you can make adjustments using the setting. LastPass will remember these settings as your defaults, so be sure to change them to back to better settings the next time you change a password. That’s why I always like to show the expanded options.

    

Note

If this password is something you know you will have to sometimes enter by hand, either on a smartphone or worse yet something like an Apple TV, Roku, smart TV, or some other device without a full keyboard, you might want to consider unchecking that last box for symbols—they can be a real pain to get to on smartphone keyboards or using a remote control. You might even want to remove capital letters. If you do this, you should increase the length of the password to offset the loss of special characters.

1. 7.

   If you changed any settings, the password should automatically regenerate. But if not or if for some reason you want to create a different one, just click the little circular arrow button. Do this as many times as you want.

    
2. 8.

   When ready, click Fill. This should automatically fill the new password into the form field(s) on the page (many password change forms have a “new password” box and a “confirm new password” box; LastPass should fill both).

    
3. 9.

   LastPass should then pop up a little banner at the top of the web page to ask if you want to save this password; obviously, say yes.

    
4. 10.

   Note that at any time you can edit this login information directly in your LastPass vault. You can see your password history, too, in case for some reason the change didn’t “take” or if you just want to see what your previous passwords were. You can also add handy little notes to a site in your LastPass vault (see the next item).

    

Tip 4-10. Use LastPass to Store Secure Notes

For passwords that are not for online/web accounts, passwords that you will always need to enter by hand, you still need a way to remember them. LastPass has a “secure note” feature that is perfect for this. You can also store other important but sensitive info this way: passport info, Social Security numbers, driver’s license numbers, credit card info, computer login credentials, PIN numbers, etc.

• Click the LastPass icon on your web browser and select Secure Notes (Figure 4-6).

• In the next screen, click Add Note at the bottom. That should bring up a screen something like Figure 4-7 (with some sample info filled in).

• If you want, give this note a category. It will provide you with addition form fields to help you organize the data. For example, if you select “passport,” it will give you a form where you can enter your name, birth date, passport number, expiration date, etc. Otherwise, leave it as “generic.”

• Give this note a name that will help you find it quickly. Fill in your info and save the note . If this note is somehow particularly sensitive, you can check the box for “require password reprompt,” which is under the advanced settings. This will require that you to re-enter your master password before showing you the contents.

Tip 4-11. Generate and Store Offline Passwords

There will be some situations where you need to generate a strong, random password for things besides web sites. We’ll have such a situation in the checklist of the next chapter, in fact. So, you need to know how to generate and save passwords without having a corresponding web password form to fill out.

1. 1.

   To do this, click the LastPass icon and select Generate Secure Password. See Figure 4-8.

    

1. 2.

   Set the advanced options appropriately for your situation (Figure 4-9). If there are no restrictions, the settings shown in the figure are good defaults. Once it’s generated, you’ll want to select the text and copy it to your computer clipboard. You can then just click Cancel. You’re not going to use this password on the web page; you’re going to store it in a secure note .

    

1. 3.

   Using the process from the previous step, create a new secure note in LastPass (Figure 4-10). There is no “password” note type, so just use “generic.” The password was saved by your computer in the previous step, so just paste it in the big open space. Give the note a descriptive name and feel free to add more info in the note with the password; you want to be sure you know what this is for, and you also want to make it easy to search for.