It is currently 4.27am and I have just finished going through a pile of papers. Most of this is general correspondence that we receive, utility service notifications, copies of mailed invoices, bank statements – you name it! I have also just finished all the monthly bill payments and reviewed the email reports received by my passive income portfolio providers during the week that I was travelling. It occurred to me that I have just used a considerable number of usernames and passwords while doing all of the above – most probably, in the range of 25 sets of usernames and passwords and that is during just one hour of work so far.
We are nowadays completely online and have to manage multiple identities across different websites, services, social media networks, etc. – we take this for granted. However, there are tools that make this a lot easier. Some people simply register for an online service, set the same password they use for all their other services and that’s it. Others, like me, use tools to manage their online passwords and organise the chaos. Why would you do that though? Can’t you just choose the same password for everything, or at least pick from a set of 3 or 4 preferred passwords?
Reusing a static password across a large number of services still exposes you to a significant level of risk. First of all, a reused password has a multiplier effect: if any one of those services gets breached, every other account that shares the password is exposed with it. In the past months and years, we have also seen an increase in credential stuffing attacks. Basically, an online service is breached and its customer database, including identities, email addresses and stored passwords, is released online. Stored passwords are usually hashed, but weak or unsalted hashes are cracked offline in bulk, and the recovered email/password pairs are then traded and reused.
Credential Stuffing attack – an example
Someone gets hold of your identifier (e.g. email address) and your password from the breached service. They then try that same combination on other websites (e.g. Facebook, Twitter, Gmail, etc.) until they find a service where it also works. If you think they might be targeting you specifically, think again – in such cases, it’s a shotgun approach. They take the entire list of username/password pairs, feed it to automated tooling and try it against every login form they can find. With millions of pairs to work through, they are bound to be successful at some point!
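The pattern described above is visible from the defender’s side too: one source address cycling through many different usernames in a short time, mostly failing, with the occasional success marking an account whose reused password “hit”. The following detector is an added example written for this post, not code from the original author; the log format, field names, sample lines and thresholds are all constructed assumptions for illustration.

```python
"""Flag credential-stuffing behaviour in constructed login logs.

Added example, not from the original post. The log format
(timestamp ip=... user=... result=...), the sample lines and the
thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: a normal user retrying their own password,
# then one source IP spraying leaked email/password pairs across
# many different accounts (the credential-stuffing pattern).
SAMPLE_LOG = """\
2024-03-01T04:10:01Z ip=198.51.100.7 user=bob@example.com result=ok
2024-03-01T04:11:10Z ip=198.51.100.7 user=bob@example.com result=fail
2024-03-01T04:11:15Z ip=198.51.100.7 user=bob@example.com result=ok
2024-03-01T04:12:00Z ip=203.0.113.5 user=alice@example.com result=fail
2024-03-01T04:12:01Z ip=203.0.113.5 user=carol@example.com result=fail
2024-03-01T04:12:02Z ip=203.0.113.5 user=dave@example.com result=ok
2024-03-01T04:12:03Z ip=203.0.113.5 user=erin@example.com result=fail
2024-03-01T04:12:04Z ip=203.0.113.5 user=frank@example.com result=fail
2024-03-01T04:12:05Z ip=203.0.113.5 user=grace@example.com result=fail
2024-03-01T04:12:06Z ip=203.0.113.5 user=heidi@example.com result=fail
"""


def parse_line(line):
    """Split one log line into (timestamp, ip, user, result)."""
    ts_str, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    return ts, fields["ip"], fields["user"], fields["result"]


def detect_stuffing(log_text, window=timedelta(minutes=5),
                    min_users=5, max_success_ratio=0.5):
    """Return {ip: summary} for every source IP that, within `window`,
    tried at least `min_users` distinct accounts with a mostly failing
    outcome. Successful logins inside such a burst are listed as
    likely-compromised accounts (their password was reused)."""
    events = defaultdict(list)
    for line in log_text.strip().splitlines():
        ts, ip, user, result = parse_line(line)
        events[ip].append((ts, user, result))

    flagged = {}
    for ip, evs in events.items():
        evs.sort()
        start = 0
        # Sliding window over the time-sorted events of this IP.
        for end in range(len(evs)):
            while evs[end][0] - evs[start][0] > window:
                start += 1
            window_evs = evs[start:end + 1]
            users = {u for _, u, _ in window_evs}
            successes = [u for _, u, r in window_evs if r == "ok"]
            ratio = len(successes) / len(window_evs)
            if len(users) >= min_users and ratio <= max_success_ratio:
                # Keep the widest qualifying window seen for this IP.
                if ip not in flagged or len(users) > flagged[ip]["distinct_users"]:
                    flagged[ip] = {
                        "distinct_users": len(users),
                        "attempts": len(window_evs),
                        "successes": len(successes),
                        "likely_compromised": sorted(set(successes)),
                    }
    return flagged


if __name__ == "__main__":
    for ip, summary in detect_stuffing(SAMPLE_LOG).items():
        print(ip, summary)
```

The distinguishing signal is the number of distinct usernames per source, not the number of failures: a legitimate user who mistypes their password several times hits one account, whereas a stuffing run hits dozens. In practice attackers spread the load across proxy pools, so the same logic is usually applied per ASN, per user-agent fingerprint or per target account as well.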
Tips to create better static passwords
On the other hand, static passwords are convenient. Most of us can remember a collection of roughly 4-6 different static passwords before it becomes a complete haze. Some also take a favourite passphrase (e.g. a favourite song lyric) and use it to build a password that they then use across a number of services.
For example, I might choose the lyric ‘Never cared for what they do’ (from ‘Nothing Else Matters’ by Metallica). I use this as a passphrase to build a static password like ‘N3vC4rFWTD!’. That password gets a 94% (‘Very Strong’) password score at the time of writing, which is pretty good, and it is definitely easier to remember a favourite lyric and the way you build a password from it than a bunch of random characters. Two caveats, though: a password meter scores the characters in front of it, not how they were chosen, so it cannot tell that ‘N3vC4rFWTD!’ is a predictable leetspeak rendering of a well-known lyric; and a password built this way is still one static password – if you reuse it across services, the credential stuffing problem described above comes straight back.
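To make the difference between a meter’s verdict and an attacker’s view concrete, here is an added example (written for this post, not the original author’s code) that scores the lyric-derived password the way a character-class meter does, estimates what it is worth against an attacker who knows the “acronym plus leetspeak” scheme, and generates the kind of random per-service password a manager would use. The corpus and variant counts in `scheme_bits` are illustrative assumptions, not measured figures.

```python
"""Compare a mnemonic-derived password with a manager-generated one.

Added example, not from the original post. The lyric corpus size and
number of substitution variants used below are assumptions for
illustration, not measurements.
"""
import math
import secrets
import string

LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = string.punctuation  # 32 printable ASCII symbols
FULL_ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS  # 94 characters


def naive_bits(password):
    """Character-class strength estimate, the model behind most
    'Very Strong' meters: length * log2(size of the pools used)."""
    pool = 0
    for chars in (LOWER, UPPER, DIGITS, SYMBOLS):
        if any(c in chars for c in password):
            pool += len(chars)
    return len(password) * math.log2(pool)


def scheme_bits(n_lyrics, variants_per_lyric):
    """Strength against an attacker who knows the construction rule:
    pick one of n_lyrics well-known lines, then one of
    variants_per_lyric capitalisation/leetspeak renderings."""
    return math.log2(n_lyrics) + math.log2(variants_per_lyric)


def generate_password(length=20, alphabet=FULL_ALPHABET):
    """Random per-service password using the OS CSPRNG, as a password
    manager's generator does (secrets, never random)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(mnemonic_pw, generated_length=20,
            n_lyrics=100_000, variants_per_lyric=2 ** 11):
    """Return the three estimates side by side, in bits."""
    return {
        "mnemonic_naive": naive_bits(mnemonic_pw),
        "mnemonic_vs_scheme_aware_attacker": scheme_bits(n_lyrics, variants_per_lyric),
        "generated_naive": generated_length * math.log2(len(FULL_ALPHABET)),
    }


if __name__ == "__main__":
    for name, bits in compare("N3vC4rFWTD!").items():
        print(f"{name:36s} {bits:6.1f} bits")
    print("example generated password:", generate_password())
```

The meter-style number for ‘N3vC4rFWTD!’ comes out around 72 bits, which is where the 94% comes from; against an attacker who enumerates well-known lyric lines and the usual substitutions, the same password is worth roughly 28 bits under the (assumed) corpus size used here. A 20-character password drawn uniformly from the 94-character alphabet is worth about 131 bits under both models, because there is no scheme to exploit.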
What else can I do?
Safeguarding yourself against credential stuffing attacks requires using a different password (or passphrase) for every service. That’s a massive headache if it isn’t managed properly (and please don’t tell me that you store all your passwords in a spreadsheet).
For a good number of years now, I have been using password managers. These utilities let you use a completely random password on every single service and manage those passwords for you. You just need to remember how to access the manager itself (through a master password, biometric data, etc.). This has dramatically changed the way my family and I work. When choosing this solution, I had a couple of simple but important requirements:
- It has to work on different devices, systems and browsers
- Support the sharing of credentials with multiple users (myself and my wife)
- Have a proper recovery process to ensure that I never lose access to my passwords
- Store the passwords in a secure manner
I started off by using password managers installed on my computer, as there were some freely available ones. However, this soon became a headache as the number of my personal devices increased (smartphone, tablet, desktop and now watch). I started looking for an online password manager and came across Lastpass.
I started using Lastpass some years ago as they have a Free version available. This worked perfectly and it integrated directly with my most-used web browsers.
Later on, I started using Lastpass on my phone as well, and I can say that nowadays I don’t need to remember any password, as I can use Lastpass to get to all my service passwords simply by using my fingerprint on my phone! Until some years ago, the use of Lastpass on phones was limited to Premium users. However, this has since been made available to Free users as well.
Nowadays, I have Lastpass set up in all my browsers (Chrome, Firefox and Internet Explorer) as well as on my Android phone. I am still waiting for a Samsung watch version though. Lastpass has been available for Apple watch users for quite some time!
My wife and I have since moved from Lastpass Free to Lastpass Premium as it packs more features and is relatively cheap with an annual subscription. In the future, when the Boss grows up, it would make more sense to go for Lastpass Families as that is even cheaper for 3+ family members. You could also decide to share this subscription with other close family members – it pays to have a common Lastpass Families subscription!
For those of you who would like to read more about how Lastpass works, click here. I hope that this post helps you to organise the chaos of password management securely! After all, it’s one step closer to making your Busy Human life easier.
Have a great weekend!
– Busy Husband