5 Reasons Why You Should Be Using a Password Manager

Password Manager

We often recommend using a password manager like 1Password or LastPass, but we’ve gotten a few questions asking why we’re so adamant about this. Lots of people think that all they need to do to keep their online accounts secure is create a single password with some numbers, often switching a lowercase L with a 1 and a capital E with a 3. And that’s for accounts people care about—for those that they don’t see as important, they’re likely to use a simple password like their child’s or pet’s name. Plus, most people don’t think they have much to protect or that they would be targeted by hackers, so they reuse the same password across multiple sites.

Guess what? Such an approach is extremely dangerous on today’s Internet. First off, no one is explicitly targeted. The bad guys get passwords by stealing them by the millions from Web sites with lax security. Then they use sophisticated hardware that can try over 350 billion passwords per second to decrypt as many of the stolen passwords as possible. All passwords under 13 characters can be cracked easily by such hardware.

Next, imagine you have a password on a shopping site whose passwords are stolen. The attackers can log in to that site, change your shipping address, and order items with your stored credit card. But they won’t stop there. They’ll use automated software to try that username and password combination on lots of other high-profile sites: Google, Apple, Amazon, eBay, Facebook, many banks, and so on. If they can get in anywhere, they’ll take over the account and exploit it in any way they can, which could involve stealing money, ordering goods, or using it to reset passwords and lock you out of other accounts. It can get ugly fast.

Use a password manager to generate, store, and enter strong passwords, one for each site, and you’ll never have any of these problems. A sufficiently strong password (16 characters minimum, but we recommend 20 when possible) will withstand cracking efforts for centuries, and if you have a different password for every site, even one password being compromised won’t expose any of your other accounts to abuse.

Here then are five reasons for using a password manager:

  1. Generate strong passwords: A password should be random, or it should be a long collection of words (think 30+ characters). Password managers can generate such passwords for you, so it’s easy to make a new one for each Web site.
  2. Store passwords securely: If you’re going to put all your eggs in one basket, you want that basket to be well protected. Password managers employ their own strong encryption and various other techniques to ensure that your passwords are safe.
  3. Enter passwords for you: No one can remember and type long, random passwords, but having a password manager enter the password for you is even easier than typing a weak password. Log in faster than ever before!
  4. Audit existing accounts: Password managers learn the credentials you use for existing accounts, and they can tell you which passwords are weak and which have been reused.
  5. Access passwords on all your devices: It’s even harder to type passwords on an iPhone or iPad, but good password managers have apps for mobile devices that sync with your password archive so all your passwords are available whenever you need them.

There are many different password managers, but for most people, there are three main choices. If you use only Safari on the Mac and in iOS, Apple’s built-in iCloud Keychain feature may be sufficient.

If you’re mostly an Apple user but also need support for Windows and Android, or if you want to share some passwords with family members or your workgroup, 1Password is the best choice. It costs $3 per month for an individual or $5 per month for a family, with team and business accounts as well. 1Password also offers add-ons for non-Apple browsers like Chrome and Firefox.

And if 1Password is too expensive, or if you’re platform agnostic, LastPass offers a solid set of features for free. Additional features and password sharing cost $3 per month for individuals and $4 per month for families, and again, team and enterprise accounts are available.

If you need help choosing among these three or setting them up, particularly in the context of a small business, get in touch with us. And if you’d like us to write more about each of these options, just drop us a note and we’ll see what we can do.

(Featured image by CMDR Shane on Unsplash)

iOS 12 Supports Password Managers for Faster Password Filling

For security reasons, we always recommend that you use a password manager like 1Password or LastPass to generate, store, and enter strong passwords in your Web browser. We hope you’ve been doing that because iOS 12 has a fabulous new feature that lets you enter passwords from third-party password managers in addition to iCloud Keychain. It makes logging in to Web sites—and iOS apps!—vastly easier than before.

Set Up AutoFill

To begin, you need to enable the feature. Go to Settings > Passwords & Accounts > AutoFill Passwords. Tap the AutoFill Passwords switch to turn the feature on, and select your password manager in the list below.

Two notes. First, the iOS app for your password manager must be installed for it to appear in the list. Second, although you can also allow iCloud Keychain to fill passwords, it’s not worth the extra confusion unless you have a lot of passwords stored only in iCloud Keychain.

Log In to a Web Site in Safari

Now it’s time to try the feature. Navigate to a Web site where you need to log in, and for which your password manager has stored your credentials. Then follow these steps:

  1. Tap in the username or password field.
  2. iOS 12 consults your password manager, and if it finds a username/password pair that matches the domain of the site, it displays the username for the site in a blue button or in the QuickType bar above the keyboard. Tap it, and unlock the password manager using your password, Touch ID, or Face ID. iOS fills in your credentials.
  3. Tap to continue the login process.

If you have multiple accounts for the same site, you may see several of them in the QuickType bar, but if the one you want doesn’t appear, or if none appear, tap the key icon to see all available passwords. If none are right even still, tap the name of your password manager at the bottom of the list to open and search it manually.

Log In to an App

The process of logging in to an app is often similar to logging in to a Web site, as with the Dropbox and Netflix apps, but iOS 12 doesn’t know how to match every app with an associated account in your password manager. For an app that iOS 12 can’t identify, like the Pixabay app, follow these steps instead:

  1. Tap in the username or password field.
  2. In the QuickType bar, tap the key icon to open your password manager.
  3. If necessary, unlock it with your password, Touch ID, or Face ID.
  4. Search in the password manager for the associated account.
  5. Tap the account to autofill it in the app’s login fields.

Password Manager Limitations

As welcome as iOS 12’s new support for password managers is, it’s lacking in two important ways:

  • The autofill integration is limited to usernames and passwords, so if a site requires an additional field for login, you’ll have to enter that information manually. Similarly, it won’t enter credit card numbers or other information the password manager can autofill when used on a Mac.
  • The password manager can’t automatically create new accounts or generate new passwords, as all password managers can do on the Mac. You can do both manually, but the process is so clumsy that it may be easier to wait and do it on a Mac later, or use an easily typed password temporarily until you can change it to something stronger on your Mac later.

Despite these annoyances, iOS 12’s support for third-party password managers is a huge step forward for anyone who wants quick access to the same login credentials on an iPhone or iPad.

What To Do if You Get Blackmail Spam Containing an Old Password

Have you gotten an email message whose Subject line says something like “Change your password immediately! Your account has been hacked.”? If not, it may be only a matter of time before you do. It’s a scary message, especially because it contains one of your passwords, some threats, and a demand for money. Worse, the password is likely one you’ve used in the past—how could the hacker have discovered it? Has your Mac really been taken over?

Relax. There’s nothing to worry about.

This “blackmail spam” has been making the rounds on the Internet recently—we’ve heard from several clients who have received it, and we’ve gotten copies too. The message purports to be from a hacker who has taken over your Mac and installed spyware that has recorded you visiting Web sites that aren’t exactly G-rated. The hacker also claims to have used your Mac’s camera to photograph you while you’re browsing said non-G-rated sites and threatens to share those pictures with your contacts and erase your drive unless you pay a ransom using Bitcoin.

This blackmail spam has raised so many pulses because it backs up its claims by showing a password that you’ve used in the past. Hopefully, it’s not one that you’re still using, because it was extracted from one of the hundreds of password breaches that have occurred over the past decade. Impacted Web sites include big names such as Yahoo, LinkedIn, Adobe, Dropbox, Disqus, and Tumblr—thieves have collectively stolen over 5.5 billion accounts. It’s all too likely that some old password of yours was caught up in one of those thefts.

Concerning as the message sounds, all the details other than your email address and password are completely fabricated. Your Mac has not been hacked. There is no malware spying on your every move. No pictures of you have been uploaded to a remote server. Your hard drive will not be erased. In short, you have nothing to worry about, and you should just mark the message as spam.

However, if you’re still using the password that appeared in the message, that is cause for concern. It means that any automated hacking software could break into the associated account, and it must be a weak password if the bad guys were able to decrypt it from the stolen password files. Go to Have I Been Pwned and search for your email address. If it shows up for any breaches, make sure you’ve changed your password for those accounts.

As always, we recommend that you create a strong, unique password for each of your Web accounts. The easiest way to do this is to rely on a password manager like 1Password or LastPass to generate a random password. Then, when you want to go back to that site, the password manager can log you in automatically. It’s easier and more secure.

If you’re still concerned about your passwords, call us and we can help you get started with stronger security practices.

Have Your Online Passwords Been Stolen? Here’s How to Find Out.

Data breaches have become commonplace, with online thieves constantly breaking into corporate and government servers and making off with millions—or even hundreds of millions!—of email addresses, often along with other personal information like names, physical address, and passwords.

It would be nice to think that all companies properly encrypt their password databases, but the sad reality is that many have poor data security practices. As a result, passwords gathered in a breach are often easily cracked, enabling the bad guys to log in to your accounts. That may not seem like a big deal—who cares if someone reads the local newspaper under your name? But since many people reuse passwords across multiple sites, once one password associated with an email address is known, attackers use automated software to test that combination against many other sites.

This is why we keep beating the drum for password managers like 1Password and LastPass. They make it easy to create and enter a different random password for every Web site, which protects you in two ways.

  • Because password managers can create passwords of any length, you don’t have to rely on short passwords that you can remember and type easily. The longer the password, the harder it is to crack. A password of 16–20 characters is generally considered safe; never use anything shorter than 13 characters.
  • Even if one of your passwords was compromised, having a different password for every site ensures that the attackers can’t break into any of your other accounts.

But password security hasn’t always been a big deal on the Internet, and many people reused passwords regularly in the past. Wouldn’t it be nice to know if any of your information was included in a data breach, so you’d know which passwords to change?

A free service called Have I Been Pwned does just this (“pwned” is hacker-speak for “owned” or “dominated by”—it rhymes with “owned”). Run by Troy Hunt, Have I Been Pwned gathers the email addresses associated with data breaches and lets you search to see if your address was stolen in any of the archived data breaches. Even better, you can subscribe to have the service notify you if your address shows up in any future breaches.

Needless to say, you’ll want to change your password on any site that has suffered a data breach, and if you reused that password on any other sites, give them new, unique passwords as well. That may seem like a daunting task, and we won’t pretend that it isn’t a fair amount of work, but both 1Password and LastPass offer features to help.

In 1Password, look in the sidebar for Watchtower, which provides several lists, including accounts where the password may have been compromised in a known breach, passwords that are known to have been compromised, passwords that you reused across sites, and weak passwords.

LastPass provide essentially the same information through its Security Challenge and rates your overall security in comparison with other LastPass users. It suggests a series of steps for improving your passwords; the only problem is that you need to restart the Security Challenge if you don’t have time to fix all the passwords at once.

Regardless of which password manager you use, take some time to check for and update compromised, vulnerable, and weak passwords. Start with more important sites, and, as time permits, move on to accounts that don’t contain confidential information.