Passwords and login security seem to be in shambles. Many companies and many consumers use poor security practices. Here’s how I deal with my passwords and login security.
The most commonly used password is “password” and the second most popular one is “123456”. And how do we know this? It’s because all the passwords exposed in data breaches are accessible for anyone to see.
We have far too many accounts to remember every password individually, so we reuse our easy-to-remember favorites on multiple sites and waste excessive energy on the “forgot password” links.
Using weak passwords or reusing the favorites is risky. A data breach on one site where your login details are exposed puts all your other accounts at risk.
And data breaches of the apps we use are in the news frequently.
We’re stuck with passwords
Even for those who take more care of their login security, the recent news hasn’t been too positive.
1Password, one of the most popular password managers, took $200 million in venture funding while LastPass has been bought by a private equity firm.
These moves may not turn out badly, but chances are that some not so user-friendly decisions will be made in the future in the hunt for growth and value optimization.
And I think we’re stuck with passwords in the foreseeable future. I don’t see some new technology coming in to replace them any time soon.
So it’s a sensible idea to take precautions and extra care about your passwords. Take a few minutes to rethink the way you deal with your account logins and optimize that process. This is how I deal with it.
I only know and remember one of my passwords
I use a password manager to help me create and remember strong, long, random and impossible-to-remember passwords such as this one. These are the most secure passwords.
I only remember one of my passwords even though I use a strong and unique password for each and every account that I have. That one password that I remember is the password to my password manager.
That single password unlocks access to all of my other passwords. All 293 passwords that I have saved at the time of writing. My password manager does the rest of the heavy work for me. All this without compromising my security and data protection.
I recommend you start using a password manager too. Pen and paper or our memory are simply not efficient enough to deal with this problem in most cases.
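As an added illustration of what a password manager does for you (this is example code written for this post, not code from any password manager mentioned here), the block below generates uniformly random passwords from the OS random source, computes how many bits of entropy such a password carries, and audits a small vault for the reuse problem described above. The vault contents and the symbol set are constructed for the example.

```python
import math
import secrets
import string
from collections import defaultdict
from typing import Dict, List

# Alphabet for generated passwords: letters, digits and a symbol set.
# The exact symbol set is an assumption made for this example (85 characters in total).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+[]{};:,.?"


def generate_password(length: int = 24, alphabet: str = ALPHABET) -> str:
    """Return a uniformly random password of `length` characters drawn from `alphabet`.

    `secrets` uses the operating system's cryptographic random source; the
    `random` module is not suitable for this purpose.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy (in bits) of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def find_reused_passwords(vault: Dict[str, str]) -> List[List[str]]:
    """Return groups of sites that share the same password.

    A breach at any one site in a group exposes every other site in that group,
    which is exactly the risk of reusing a favorite password.
    """
    sites_by_password = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)
    groups = [sorted(sites) for sites in sites_by_password.values() if len(sites) > 1]
    return sorted(groups)


def find_short_passwords(vault: Dict[str, str], min_length: int = 16) -> List[str]:
    """Return the sites whose password is shorter than `min_length` characters."""
    return sorted(site for site, password in vault.items() if len(password) < min_length)


# Constructed sample vault: site -> password (deliberately poor, to make the audit fire).
SAMPLE_VAULT = {
    "shop.example": "password",
    "mail.example": "password",
    "bank.example": "Tr0ub4dor&3",
    "forum.example": "123456",
    "news.example": "123456",
    "git.example": generate_password(24),
}


if __name__ == "__main__":
    print("generated:", generate_password())
    print("entropy of a 24-char password from this alphabet:",
          round(entropy_bits(24, len(ALPHABET)), 1), "bits")
    print("reused across sites:", find_reused_passwords(SAMPLE_VAULT))
    print("too short:", find_short_passwords(SAMPLE_VAULT))
```

Running the audit on your own exported vault (most managers can export to CSV) is a quick way to find the entries that the 5-step plan at the end of this post tells you to replace first.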
You can either use the built-in password manager that great browsers such as Firefox have or a standalone password manager. Here are the two best options.
Password manager service such as Firefox Lockwise
The easiest option to start using strong and unique passwords is to use the in-built password manager within your browser.
I use Firefox and Firefox has a great password manager called “Lockwise” built-in. It is a relatively new feature and this is what it can do:
- Remembers all your usernames and passwords to all the websites you’ve signed up with so you don’t have to.
- It allows you to set the master password that unlocks access to the rest of the passwords.
- You can sync your account logins and passwords between the different devices including your mobile phone or you can keep it offline on your machine only.
- The “Monitor” feature automatically warns you if your login details turn up in a data breach at one of the websites you’ve signed up to, so you can reset that password and make sure you don’t reuse it anywhere else.
- You can manually scan your email address for data breaches, see a list of recent known breaches, and even set it up to notify you if other email addresses were exposed too, so you can inform your non-technical family members.
- It generates strong and unique passwords when you’re signing up to a new account or when you’re changing your password.
- You can even install Lockwise as a standalone iOS or Android app and use it for the app logins outside of the Firefox browser.
- All this is safe, encrypted and protected using 256-bit encryption.
To get started, simply download Firefox and in Preferences > Privacy & Security > Logins and Passwords tick all these boxes:
The only negative I see about Firefox Lockwise is that there is no import/export functionality.
Hopefully they’re working on it but for now, you cannot import all your passwords from another password manager and you cannot export your Lockwise logins and take them somewhere else either.
Standalone and local password manager KeePass
If you really want to take your login and password security game to another level you can try KeePass.
KeePass is an open-source application available for all the different operating systems. Being open-source, it’s also less likely to be acquired by someone who may not have your best interests in mind.
It’s not a full service like Firefox Lockwise, so it doesn’t offer built-in sync between devices. You basically get a single, secure and encrypted file (in the kdbx format) which holds all your password data.
Syncing that one password file between your devices is up to you. You can use whatever service you want (Google Drive, Dropbox, Nextcloud…).
KeePass synced using Syncthing is what I use to sync between my Linux laptop and my Android phone. This means that I’m not using any third-party cloud service for syncing.
There are multiple KeePass apps for all the different operating systems but these are the most popular options:
KeePass also has multiple browser extensions so your passwords are automatically filled in on your favorite sites. These are the KeePassXC extensions for Firefox and for Chrome.
The only negative about KeePassXC that I use on my laptop is that the look and feel is not the most modern but it’s something I can live with for my login details.
Use two-factor authentication as an extra protection level
I also recommend you turn on two-factor authentication (2FA) on every account that offers it. You do it using a mobile application, and that adds an extra level of protection to your accounts.
You basically log in using your regular username and password and are then asked to enter an always-changing, always-unique six-digit code too.
Even if you use a weak password or your password was exposed in a data breach, 2FA will stop someone from getting into your account. They would need access to your mobile phone too to break in successfully.
I believe every business should provide the 2FA feature and make it a requirement for every account. Many already do offer it. You can even set up two-factor authentication on your WordPress site.
Here are some popular 2FA apps for Android and iOS which you can explore:
Choose a 2FA option that supports backups
Make sure to use a two-factor authentication app that allows backups as you may need that backup in case you switch phones or your phone gets stolen or broken.
I’ve learned that lesson the hard way, as my first two-factor authentication experience was using Google Authenticator which, it turns out, does not offer an easy way to back up.
When I broke the screen on my phone a few years ago, I decided it was time to invest in a new phone. I logged into Google Authenticator on my new phone only to find it completely empty.
None of my 2FA codes were in there and I had to figure out how to log into the services I enabled two-factor authentication for without having my 2FA codes. That’s not something you want to deal with.
It’s much easier to simply import your backed-up file to your new phone and restore access to all the 2FA logins you have.
A 5-step-plan to better password and login security practices
Here’s how I recommend you start the process of improving your login security practices:
- Pick the password manager you prefer (I use KeePassXC on laptop and Keepass2Android on my phone)
- Pick the 2FA application that you prefer (I use Aegis Authenticator on my Android phone)
- The next time you log into a site or service you use, go into the “Security” settings and explore the options:
  - Enable two-factor authentication for those services that offer it
  - Change the password from the old and weak one to a strong password created by your password manager
  - Save the new entries in your password manager, back up the 2FA codes and sync to your different devices using your preferred cloud provider or another method (I use Syncthing)
This may be a bit inconvenient in the short term as you must spend a couple of extra minutes on each site to do this, but you’ll be in a much safer and more secure situation after you make these changes.
In the world of regular data breaches that we live in, you’ll be happy you made that inconvenient choice.