safely managing passwords

The first in a series of posts to support family in moving to safer information management practices.

Identity theft is hard to recover from. Banks, governments... they really don't care if someone gets hold of enough information about you to create credit cards and bank accounts in your name. If that happens, you are kinda on your own, and (if things went poorly), you're broke.

How risky is this? If you are my parents, you’ve already been caught in (at least) 3 different data breaches. (Six, for my dad.) I discovered this by using the website https://haveibeenpwned.com/. I entered their email addresses, and haveibeenpwned tells me what breaches their email addresses appear in.

Nifty.

Does that mean passwords were lost? No... maybe... well... in some cases, yes. This is only a concern if you reuse passwords, or generally have insecure passwords. How do you know if your password is insecure? One way would be to go to the UIC Password Strength Tester and try out a few of your passwords. (NOTE: NEVER ENTER YOUR PASSWORD INTO A RANDOM SITE. This is one I trust, but still, you have been warned.) If UIC says your password is anything less than very strong, I'd say you have a problem.

Passwords I rely on (and remember) have 30-40 characters because they are a combination of memorable words, phrases, numbers, and symbols, in a mix of lower and uppercase. However, I have given up on remembering most of my passwords, and instead use a password manager. This is a tool that remembers my passwords for me. This way, I remember one really good password, and I let it 1) generate and 2) remember lots of insanely good passwords on my behalf.

using bitwarden

Let’s look at using Bitwarden, an open source password manager.

First, go to bitwarden.com.

Click “Get Started,” and create an account.

For the master password, you need to pick something secure. That means:

  1. Never previously used.
  2. Long.
  3. Mix of numbers, letters, and symbols.

To start, you could go to useapassphrase.com. This gives you an example of what a passphrase looks like. You might pick five words of your own, or run the site a couple of times and pick a collection of words from the results. (Don’t use one directly from the site, just in case they’re insecure.)

Now, put a few symbols in there. If you had

rust friend bust flashily staunch

it might become

rustfriend!bustflashily@staunch

and, add a number or two into the mix. Make them memorable if you have to.

rustfriend!4bustflashily@2staunch

There you go. You have a difficult-to-hack, nearly-impossible-to-guess, reasonably secure password. Write it down, keep it safe, and use that as your master password for Bitwarden. You will, over time, memorize this password. Why? Because, if you are doing things correctly, this will be the only password that you keep in your head.
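The recipe above (pick words, run them together, drop in a symbol and a digit or two) can also be done by a program, which has one real advantage: when a random number generator picks the words, you can put a number on how hard the result is to guess. This is an added example, not code from the post or from Bitwarden; the word list is a constructed stand-in (a real list like the 7776-word EFF list gives far more bits), and `make_passphrase`, `estimated_bits` and `check_recipe` are names chosen here.

```python
import math
import secrets
import string

# Constructed word list for illustration only; a real list (e.g. EFF's) has
# thousands of entries, and the word bits below scale with list size.
SAMPLE_WORDS = [
    "rust", "friend", "bust", "flashily", "staunch", "marble", "orbit",
    "pencil", "canyon", "velvet", "tundra", "lantern", "quartz", "bishop",
    "harvest", "meadow",
]
SYMBOLS = "!@#$%&*?"


def make_passphrase(words, n_words=5, n_breaks=2, rng=None):
    """Pick n_words at random, run them together, then drop a symbol and a
    digit into n_breaks of the gaps between words (the post's recipe).
    rng defaults to the OS CSPRNG; pass a seeded random.Random only in tests."""
    rng = rng or secrets.SystemRandom()
    chosen = [rng.choice(words) for _ in range(n_words)]
    gaps = set(rng.sample(range(1, n_words), n_breaks))
    out = chosen[0]
    for i, word in enumerate(chosen[1:], start=1):
        if i in gaps:
            out += rng.choice(SYMBOLS) + rng.choice(string.digits)
        out += word
    return out


def estimated_bits(n_words, list_size, n_breaks=0, n_symbols=len(SYMBOLS)):
    """Entropy in bits *if* every choice was made by the RNG. Words a person
    picks by hand are far more predictable and earn none of the word bits."""
    word_bits = n_words * math.log2(list_size)
    break_bits = n_breaks * (math.log2(n_symbols) + math.log2(10))
    return word_bits + break_bits


def check_recipe(passphrase):
    """True when the result is long and mixes letters, a digit and a symbol.
    'Never previously used' cannot be checked by code; that part is on you."""
    has_digit = any(c.isdigit() for c in passphrase)
    has_symbol = any(c in SYMBOLS for c in passphrase)
    return len(passphrase) >= 20 and has_digit and has_symbol


if __name__ == "__main__":
    pw = make_passphrase(SAMPLE_WORDS)
    print(pw, check_recipe(pw))
    print(f"~{estimated_bits(5, 7776, n_breaks=2):.1f} bits with a 7776-word list")
```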

for next time

At this point, you have a Bitwarden account, but you’re not sure what to do with it. That will be the topic of the next post.