How to: manage your passwords online

"To the cloud!" said Microsoft’s Windows 7 ad campaign, and silly as those commercials may have been, we didn't hesitate to take the advice. We happily put our personal information into accounts all over the web, receiving in exchange the ease and convenience of cloud services. At this point, there's probably very little about you that isn't online somewhere.

Hackers have realized that our valuable (and lucrative) data is out there, waiting to be cracked wide open. How, then, do you protect your online accounts from intrusion?

First, you should start with a little piece of software known as a password manager. Not only will these help you lock down your accounts, but they’ll save you from having to enter your login credentials every time you sit down at your computer (all your logins and passwords are stored within these tools). Some will even extend this functionality to your mobile devices, too.

A password manager keeps your data secure by enabling you to use passwords that are as difficult to crack as they are to remember. Instead of a password like "lumia920fan," the manager would suggest something along the lines of "50P3HofuvzDL." Now imagine that you’re using a unique complicated password like that for each website you log into. Good luck.

Using passwords for your online accounts that are both strong and unique is important for a couple of reasons. Hackers have penetrated the defenses of even the largest cloud services, like iCloud and Gawker’s systems, and when they do, they often download as much sensitive data as they can so that they can pick it apart at their discretion. Then it’s just a matter of time until they can decrypt your account credentials, gaining them full access to your information.

Hackers will try your compromised username and password on hundreds of other sites, hoping that you used them in more than one spot. Many of us are guilty of this digital faux pas, and the information contained in other sites may help hackers break into even more accounts. One needs only to look at the cautionary tale of Mat Honan for a frightening example, where the credit card number contained in his Amazon account allowed the hackers to break into his Google accounts. Strong passwords also dramatically increase the amount of time it takes a computer to crack them, making your account much more likely to be passed over in favor of those with weak passwords.
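As an added illustration (not code from the original article or from any password manager named here), the sketch below shows the two jobs described above: generating a random password of the same shape as "50P3HofuvzDL" and finding credentials that are reused across sites. The site names are placeholders and the function names are our own.

```python
import math
import secrets
import string
from collections import defaultdict

ALPHABET = string.ascii_letters + string.digits  # 62 symbols, the shape of "50P3HofuvzDL"

def generate_password(length=12, alphabet=ALPHABET):
    """Draw every character independently from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def random_entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random string: length * log2(alphabet size).
    Valid only for generated passwords; a human-chosen one such as
    "lumia920fan" is far easier to guess than its length suggests."""
    return length * math.log2(alphabet_size)

def find_reuse(vault):
    """Return {password: [sites]} for every password stored under more than one site."""
    sites_by_password = defaultdict(list)
    for site, password in vault.items():
        sites_by_password[password].append(site)
    return {p: sorted(s) for p, s in sites_by_password.items() if len(s) > 1}

def rotate_reused(vault, length=12):
    """Give every site that shares a password its own freshly generated one."""
    fixed = dict(vault)
    for sites in find_reuse(vault).values():
        for site in sites:
            fixed[site] = generate_password(length)
    return fixed

# Constructed sample vault: site names are placeholders, the passwords are the
# two examples quoted in the article.
SAMPLE_VAULT = {
    "shop.example": "lumia920fan",
    "mail.example": "lumia920fan",
    "forum.example": "50P3HofuvzDL",
}

if __name__ == "__main__":
    print("reused:", find_reuse(SAMPLE_VAULT))
    print("after rotation:", rotate_reused(SAMPLE_VAULT))
    print("12 random alphanumerics: %.1f bits" % random_entropy_bits(12))
```

After rotation, a leak at any one site reveals nothing that works at the others.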

Given these dangers, it’s no surprise that there are quite a few password managers out there, both for PC and mobile platforms. Here are a few of the best.

Password managers

The first password manager we’ll be looking at is a service called LastPass. Initially released in 2008, LastPass lives almost entirely within a browser plugin. It will automatically detect password forms, generate strong passwords, and fill in your saved credentials as you travel around the web. It’s free for desktop use, but people who want to use it on their mobile devices have to purchase the company’s $12 / year Premium service.

LastPass is sometimes criticized by die-hard security enthusiasts for storing your data on its servers, putting it at risk of being extracted by hackers. This is true, but your data is encrypted before it’s sent, which should put your mind to rest provided that your LastPass master password is itself secure — you will need to remember that one. The company actually detected an intrusion last year that put "tens of users" at risk, but only because they had weak master passwords. After working quickly to secure the accounts of those affected, LastPass CEO Joe Siegrist confirmed that users with strong master passwords had nothing to be worried about.

Despite its earlier security fumble, LastPass offers several features that its competitors do not. First and foremost, it supports Google Authenticator. This multiplatform app makes it impossible for the passwords in your LastPass account to be hacked without physical access to your phone. LastPass also offers some of the best smartphone integration of any password manager, and can integrate with Firefox and the Dolphin browser on Android almost seamlessly. It can also install a custom bookmarklet that will fill out username and password fields within web pages with just a few taps.

1Password is a major competitor to LastPass, and despite its Apple-esque UI design, the password manager supports Mac, Windows, iOS, and Android. 1Password doesn’t have the same bells and whistles as LastPass, but its Dropbox-based syncing strategy means you're completely in control of all your data. Instead of syncing with the company’s servers, 1Password can place your password database within a Dropbox account, which can then be synced with a phone. The company's recent version 4 update for iOS costs $7.99 and adds convenient iCloud syncing to complement the offline Wi-Fi or USB iTunes File Sharing.

In the past, 1Password could integrate with the stock iOS browser using a bookmarklet, but the company abandoned that functionality some time ago. Instead, you have to use the web browser built into the app. The Android version is notably worse: you can view your passwords, but not change them, and there is an "Autologin" button, but in our testing it fails to do anything besides pull up a blank, white screen on two separate Android devices. 1Password for OS X is a bit pricey at $49.99 for a single (lifetime) license.

Opting for a paid service like these two is certainly your simplest option, but you can replicate most of their capabilities for free — if you’re willing to get creative with your software. You could use a free password manager like KeePass to generate secure passwords on your desktop, then use Firefox Sync in conjunction with Firefox for Android to push them to your mobile device. Unfortunately, Chrome for Android and iOS doesn’t sync passwords saved on your desktop or laptop, and there is no version of Firefox for iOS at this point in time.

Other options

Password managers aren’t the only way to secure your online identity, of course. Prolific Google users should consider using the company’s 2-step verification process. You can enable this security setting from your Google accounts page, and though it’s slightly inconvenient at times, 2-step verification makes it far harder for someone to get access to your Google account. Whenever you log into Google from a new device, 2-step verification requires you to input a code sent to your phone via text message. (You can also create and print out single-use passwords, for when you don't have your phone handy.) After entering the code into your browser, you can choose to enable the machine for up to 30 days, and special applications like email clients can be provisioned with strong, one-time use passwords. If you use your Google account to log into other services online, 2-step verification is one of the easiest ways to drastically increase your online security.

For those who don’t want to depend on their smartphone, or want their accounts kept under literal lock and key, a product called the YubiKey offers two-step authentication with the push of a button. There are a handful of models available, and each is a small USB dongle that effectively provides the same protection that Google’s 2-step verification offers with a device that you can put on your keychain. These are less effective for smartphone users, since few handsets have full-sized USB ports, but the company does offer an NFC-equipped model that can be tapped by your smartphone.

Smartphone authentication and physical key access are great ways to add a second, physical element to your security scheme, but some users won’t be satisfied until their computers resemble something out of a spy movie. Fortunately, LastPass supports devices like fingerprint and SmartCard readers, provided that they can interface with your web browser. Like the YubiKey, such physical security layers may prove to be a hassle for people with mobile devices, but if you’re considering security features at this level, that probably won’t bother you very much.

Conclusion

Even the best password manager can't keep your online accounts from getting hacked, but it will prevent intruders from being able to access the data inside, or worse, use your compromised credentials with your other services. Add that to the sheer convenience of having a password manager remember your passwords for you, and LastPass or 1Password becomes easily worth the cost of entry. Whatever your reasons, taking control of your online property takes only a few minutes, and can save you a considerable amount of money and headache down the road.

May your hashes be strong and thoroughly salted.

The Verge