– Let’s talk about your passwords. So I’ve actually been getting a bunch of questions lately from people about how they should go about managing their online security. And I wanted to start off with the real basics and build this into kind of a series for different ways you can secure your online presence more thoroughly.
And the first step is really just figuring out your whole password situation. That involves using something called a password manager. So when you think about the way you log in today, you use a username and password, and there’s a couple of big problems if you’re entering your passwords manually into these websites. The first is you’re probably using simpler, shorter passwords so that they’re easier to remember. Everyone spelling passwords with dollar signs, I’m looking at you. And number two is because it’s so hard to commit all your passwords to memory, you ultimately end up reusing the same passwords on multiple websites or services.
This second one, password reuse, is actually a big problem which has caused all sorts of headaches for people in the last few years especially. Say, for example, you use the same password for Facebook, Gmail, your Outlook account, and then some other, smaller service that ends up getting hacked. Now, hopefully that service was hashing those passwords in some way, so that the hacker doesn’t just have them in plain text. But the simpler the password you’re reusing on these sites, the easier it is to crack that hash and recover the password.
So, if you’re using something like password123, hackers already have a dictionary of what that looks like hashed with multiple hashing algorithms. And so if the person that hacked that smaller website where you were reusing this password is able to recover the plain-text version of your password, they’ve just gotten access to your email, to your Facebook, everything, all because you reused the one password for multiple websites. It’s a big no-no. So, the goals here are rather simple. A, use random, long and secure passwords instead of short ones you can remember. And B, as we just discussed, you wanna use a different password for every website or service you’re interacting with.
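To make the reuse problem concrete, here is an added example (not code from the video) that walks through the chain just described: a small site leaks a table of unsalted hashes, the attacker looks them up in a precomputed dictionary of common passwords, and the recovered credentials are replayed against a second site where the same password was reused. The leaked rows, the password list and the account names are all constructed for the demo; the second half shows why a per-user salt defeats the precomputed table but not a targeted guess of a weak password when the hash is cheap to compute.

```python
"""Why one reused, guessable password is a problem.

Constructed example: a toy 'leak' of unsalted SHA-1/MD5 hashes from a small site,
a precomputed dictionary of common passwords, and a second site that received
the same credentials. Nothing here is real data.
"""
import hashlib
import secrets
import string

# Constructed stand-in for the real common-password wordlists attackers use.
COMMON_PASSWORDS = ["123456", "password", "password123", "qwerty", "letmein", "Summer2019!"]


def sha1_hex(s: str) -> str:
    return hashlib.sha1(s.encode()).hexdigest()


def md5_hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def build_lookup_table(passwords):
    """Precompute hash -> password for several algorithms (a tiny lookup dictionary)."""
    table = {}
    for pw in passwords:
        table[sha1_hex(pw)] = pw
        table[md5_hex(pw)] = pw
    return table


def crack_leak(leaked_rows, table):
    """Look each leaked unsalted hash up in the table. Returns {email: password}."""
    return {email: table[h] for email, h in leaked_rows if h in table}


def credential_stuffing(recovered, other_site_accounts):
    """Replay every recovered (email, password) pair against another site's stored hashes."""
    compromised = []
    for email, pw in recovered.items():
        stored = other_site_accounts.get(email)
        if stored is not None and stored == sha1_hex(pw):
            compromised.append(email)
    return compromised


def salted_sha1(salt: str, pw: str) -> str:
    return sha1_hex(salt + pw)


def crack_salted_leak(leaked_rows, candidates):
    """With per-user salts the precomputed table is useless; the attacker must hash every
    candidate per row instead. A fast hash makes that cheap enough for weak passwords."""
    out = {}
    for email, salt, h in leaked_rows:
        for pw in candidates:
            if salted_sha1(salt, pw) == h:
                out[email] = pw
                break
    return out


def random_password(length: int = 20) -> str:
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


# Constructed leak: the small site stored unsalted SHA-1 hashes.
alice_reused = "password123"
bob_unique = random_password()
LEAKED_SMALL_SITE = [
    ("alice@example.com", sha1_hex(alice_reused)),
    ("bob@example.com", sha1_hex(bob_unique)),
]
# Constructed second service: alice reused the same password, bob used a different one.
BIG_SITE = {
    "alice@example.com": sha1_hex(alice_reused),
    "bob@example.com": sha1_hex(random_password()),
}
# Constructed leak from a site that salted its hashes (salt stored beside the hash).
LEAKED_SALTED_SITE = [
    ("alice@example.com", "k3Pq", salted_sha1("k3Pq", alice_reused)),
    ("bob@example.com", "Zx91", salted_sha1("Zx91", bob_unique)),
]


def demo():
    table = build_lookup_table(COMMON_PASSWORDS)
    recovered = crack_leak(LEAKED_SMALL_SITE, table)
    taken_over = credential_stuffing(recovered, BIG_SITE)
    table_hits_on_salted = {e: table[h] for e, _, h in LEAKED_SALTED_SITE if h in table}
    targeted_hits_on_salted = crack_salted_leak(LEAKED_SALTED_SITE, COMMON_PASSWORDS)
    return recovered, taken_over, table_hits_on_salted, targeted_hits_on_salted


if __name__ == "__main__":
    rec, owned, table_hits, targeted = demo()
    print("recovered from unsalted leak:", rec)
    print("accounts taken over on the second site:", owned)
    print("lookup-table hits against the salted leak:", table_hits)
    print("targeted guesses against the salted leak:", targeted)
```

Bob's long random password never appears in the dictionary, so neither leak yields it, and even if it did, it opens nothing else because he does not reuse it. That is the whole argument for a generated, per-site password.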
The password manager
This can be hard, because how are you gonna remember these long 16 or 32 character strings for all these different websites? That’s where a password manager comes in. A password manager is simply an app that helps generate these really long passwords for every different site you use and then stores them in an encrypted, secure way. Think of it as kind of a secure safe or vault where all your passwords are stored and only you have the key to unlock it. And all these passwords that the app is generating for you, you don’t actually know.
So, you actually don’t even know your password to Facebook, or you don’t know your password to Gmail. And that’s a good thing, because if you did know it and you were able to enter it in manually, it would be less secure. So, by storing all your passwords in this one vault behind a secure key, the only password you have to remember is what’s called the master password. And you’ll be prompted to enter this whenever you want to unlock that vault and get one of the passwords out that you’ve set for a certain website.
One of the best practices for being able to remember this really long master password, which should usually be at least 20 characters in length, is to just combine common words in a random order. An example of this might be correct horse battery staple. That’s really easy for you to commit to memory. But for a computer, because it’s so many characters and the words are in a random order, it’s hard to brute force or crack that. It’s much easier for computers to guess things like dates, common surnames, and shorter passphrases. And so the security of a password is always about its length and what’s called the entropy: how varied that long passphrase is.
So, once you’re set up with a password manager, all your passwords are in one place. You might have a hundred, 200, 300 passwords in there. And all you have to do is enter that master password to unlock it and then get access to all of those passwords. The cool thing is that most password managers actually come with a browser extension. So, once you’ve entered that master password, you don’t actually have to manually enter the site password into Facebook or Google. It simply auto fills the form, populates it, and submits it for you.
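The length-and-entropy point above can be put in numbers. The following is an added example, not from the video: it computes the entropy in bits of a few password styles, turns that into a rough time to exhaust the search space at an assumed offline guess rate, and generates both a passphrase and a random password with Python’s `secrets` module. The short WORDLIST is a constructed placeholder; real diceware-style lists have 7776 words, so the entropy functions take the list size as a parameter rather than reading it off the sample list. The figures assume each word or character is chosen uniformly at random by the machine, not picked by a person, which is the only way the arithmetic holds.

```python
"""Passphrase vs random string: entropy comes from length and the size of the pool
each element is drawn from, not from how unusual the characters look.

Constructed example. WORDLIST is a tiny placeholder; pass the real list size to the
entropy functions (a diceware list has 7776 words).
"""
import math
import secrets
import string

PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
WORDLIST = ["correct", "horse", "battery", "staple", "cloud", "anchor", "velvet", "marble"]


def bits_for_random_string(length: int, alphabet_size: int) -> float:
    """Entropy of `length` symbols each chosen uniformly from `alphabet_size` choices."""
    return length * math.log2(alphabet_size)


def bits_for_passphrase(word_count: int, wordlist_size: int) -> float:
    """Entropy of `word_count` words each chosen uniformly from a list of `wordlist_size`."""
    return word_count * math.log2(wordlist_size)


def bits_for_dictionary_pick(dictionary_size: int) -> float:
    """A password taken straight from a common-password list is one guess among that many."""
    return math.log2(dictionary_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst case for the attacker: every candidate tried once."""
    return 2 ** bits / guesses_per_second


def generate_passphrase(word_count: int, wordlist=WORDLIST, sep: str = " ") -> str:
    return sep.join(secrets.choice(wordlist) for _ in range(word_count))


def generate_password(length: int, alphabet: str = PRINTABLE) -> str:
    return "".join(secrets.choice(alphabet) for _ in range(length))


def compare(guesses_per_second: float = 1e10):
    """Return (label, bits, years_to_exhaust) for several password styles.

    1e10 guesses/s is an assumed rate for an offline attack on a fast, unsalted hash;
    a slow password hash or an online login form is many orders of magnitude slower.
    """
    cases = [
        ("common password from a 1M-entry list", bits_for_dictionary_pick(10**6)),
        ("4 words from a 7776-word list", bits_for_passphrase(4, 7776)),
        ("6 words from a 7776-word list", bits_for_passphrase(6, 7776)),
        ("16 random printable chars", bits_for_random_string(16, len(PRINTABLE))),
        ("32 random printable chars", bits_for_random_string(32, len(PRINTABLE))),
    ]
    year = 365 * 24 * 3600
    return [
        (label, round(bits, 1), seconds_to_exhaust(bits, guesses_per_second) / year)
        for label, bits in cases
    ]


if __name__ == "__main__":
    for label, bits, years in compare():
        print(f"{label:40s} {bits:6.1f} bits  ~{years:.3g} years at 1e10 guesses/s")
    print("master passphrase candidate:", generate_passphrase(4))
    print("per-site password candidate:", generate_password(20))
```

Four random words from a 7776-word list land around 52 bits, which is the kind of strength the video is after for a memorable master password; the 16 and 32 character strings the manager generates for each site are far beyond anything a person needs to remember, which is exactly why the manager remembers them instead.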
So, the only thing you actually have to ever enter is the master password, click okay, and then it will automatically log you into Facebook or whatever service you’re trying to get into. In addition to that, when you’re using a password manager something you should look out for is the ability to sync your vault across different devices. So, if I’m using my iPhone or my Android phone, I have access to all the same passwords that I’ve set up on my desktop computer. That’s very important so you don’t get stuck without a password to a service you need to access.
The main password manager options
So, let’s go through a few of the main password manager options out there today. Just to give you an idea of what’s on the market, what I personally use, and let you make a decision. So, the first one I want to cover is called LastPass, and it’s probably the most well known because it’s gotten a lot of media coverage and a lot of people have recommended it in tutorials over the years. And I think the reason it’s garnered so much praise and adoption is because it’s probably the simplest to use. It’s primarily web based, so you log in and you use their web interface. And that partners up with a browser extension that you use to do all of your password management. Creating passwords, storing them and viewing them.
Now, I’m in no way saying that I think web based password managers are insecure, but I like to personally have my passwords stored offline, on my desktop somewhere, so that I have some ownership over that vault and it’s not just in the cloud. The other thing that people really like about it is that it’s free for the basic usage. They do have a 12 dollar a year plan that gives you some premium features. But it’s definitely one of the cheaper commercial password management options out there. One other criticism of LastPass is that over the recent years they have had a couple of vulnerabilities disclosed, or they’ve had some user information leaked or hacked. Thankfully that wasn’t anybody’s vault of passwords that was stolen, but there was some user information, because these people are subscribing to a service. Users’ details were leaked when this happened.
LastPass does have a mobile offering, so that’s pretty cool. I just think that, as I said, I’m a bigger fan of desktop stand alone offerings where I’m able to have all of my passwords offline and choose where I store them. Not just in the LastPass cloud. I’ll discuss this more as I go into the other options. But one of my problems with having to use a certain provider’s cloud storage is that you have to put some trust in them. Your vault could be vulnerable if their storage layer is ever hacked. And this is unlikely, but again, I’m just kind of paranoid and I like to have my data with me and be able to store it wherever I want.
That being said, I do think LastPass is still a really good option for people that are maybe less technical or computer savvy and are really just looking for a simple solution they can fire up and actually use for free when you begin. If I was setting up friends or family who weren’t very computer savvy and they just wanted a solution, I definitely think that LastPass is a good option for that because there’s not a lot of maintenance and worrying about syncing and all of that. It just works.
Next up is one called Dashlane. And Dashlane is probably lesser known to most people. I think that’s kind of because it has a businessy enterprise kind of angle and that was what they were focusing on more previously. But it is a really solid offering and they have a stand alone desktop app that looks really nice and is super simple to use. The desktop offering itself with basic features is free to use as well so you could download it and start using it today without paying anything. But like most password managers in this space, they do offer a premium plan. It’s $3.33 a month. Kind of a weird number, and that gets you the syncing service. So if you’re using your password manager on multiple devices, or you’re using it on your iPhone or Android phone, everything just syncs up nicely and you can access your passwords from anywhere.
Again, this is using Dashlane’s cloud storage though, so you have to trust them and just be confident that they’re not gonna get hacked in the future, resulting in your vault of passwords being leaked. They seem like a highly reputable company. I know a lot of people that use Dashlane and I think the combination of security, the desktop client, and ease of use is really a winner, so I recommend you check it out. Next up is 1Password, and you might have heard of this before. It’s my personal favorite and what I’ve been using day to day for many, many years now. I actually forget, I’ve just been using it forever. They’ve been making 1Password for quite a long time. And it’s got a beautiful design, really solid desktop and mobile applications. And it’s just a pleasure to use.
Just like Dashlane, their stand alone desktop offering does let you do everything on your desktop so you own your data as well. And something I like about 1Password is you can actually use any kind of cloud service you want to store the vault file. So, I personally sync my vault file across my devices using my encrypted Dropbox account. And I just love that ability to be able to choose where my data is. I trust Dropbox and the setup I have there. And I’m not tied into a single cloud service that the password manager company wants me to use. 1Password has a free trial, but it’s important to know that it’s not a free app.
You will have to start paying for it. In the past it was just a stand alone license, and you’d buy it and use it on your desktop forever. But more recently they’ve switched to a subscription model. I guess they’ve gotta make money like everybody else, right? And that means the only way to purchase it today is if you’re willing to pay $2.99 a month for the service, so it’s cheaper than Dashlane. It’s the same kind of deal as Dashlane in that the subscription gets you the desktop apps and the mobile apps. And it also adds a sync layer on top. So, 1Password has its own cloud service where they’ll sync the passwords between different devices.
And it’s the same thing I’ve been saying. As long as you trust the company and don’t think that their cloud storage is ever gonna get hacked, then go ahead and use it. But the cool thing is that because 1Password does allow you to use a different storage mechanism, like I use Dropbox, you have that flexibility, and that’s one of the things I really like about it. Now, I did want to throw in there a completely open source and free offering, because I think it’s always important to highlight open source solutions to problems.
And the most popular open source password management system out there is called KeePass. This started off as one program, but then expanded into multiple ports across all sorts of different platforms and implementations. The chief one is called KeePassX, and it’s cross platform. So, Windows, Mac, Linux, and there’s also a bunch of Android and iPhone apps that can tap into the database format that it uses. Now, these work pretty much exactly the same as Dashlane or 1Password. You do everything on the desktop, there’s browser extensions, mobile apps, all of that. The only problem is that when it comes to syncing across devices, it’s a little bit trickier and you’ve kinda gotta figure that out for yourself.
Obviously, because it’s open source software, there’s no cloud hosting service where you can sync all your passwords, so you gotta figure that out for yourself. It’s free though and if you’re a bit of a tinkerer and you like using open source software, then I recommend you go and check it out. It does give you full control over your security and you own all your data. So, that’s my breakdown of password managers. I hope you found it helpful. My top pick, as I indicated, is 1Password, and that’s mostly because I’ve been using it for so long and I trust the team. But Dashlane comes in a close second.
I really highly recommend that if you’re looking for a different solution. My take is that when you’re making a decision around which password manager to use, it’s really a balance of the security that it affords you and control of your security versus the UI and the ease of use. You don’t want to make using a password manager this laborious kind of thing that just gets in your way. It should just become part of your workflow. And so apps that have a really nice UI, have a really good Chrome extension and really good mobile apps, just make the whole thing a lot more pleasant and it doesn’t feel like a chore, protecting your security.
Now one thing I haven’t mentioned in this video is two factor authentication. You’ve probably heard of it, and many of you probably get SMS codes when you log into certain apps, or you might be using a six digit code that you enter in from your mobile device. That topic kind of warrants its own video. I’ll be producing one soon that walks through the options and actually explains why SMS codes are not secure. You shouldn’t be using them. And it really gives you some insight into how two factor works and how you can beef up your security using it. Most of the password managers that I mentioned today actually support two factor authentication for an extra layer on top of your master password.
They support it to varying degrees of simplicity and so I would recommend you check that out as you’re considering which password manager to go with. So, I hope you found this video useful. I hope it’s kind of inspired you to go out there and make sure you’re doing everything securely online. And just protecting yourself. As always, if you did find it helpful, please like the video and subscribe for more videos like this in the future. I’ve got a bunch more videos about protecting your security in the future coming up. So, until then, I’ll see you next time. (energetic music)