It can feel impossible to come up with and remember unique passwords for the hundreds of accounts and apps most of us have: Netflix and Uber and Tidal and Target and Amazon and CVS and LinkedIn and Mint Mobile. Plus our charge card and bank accounts. Plus the tons of accounts that we forgot we had.
Many of us just use the same password for everything. Something simple. Something easy to remember. Easy to guess.
Over recent years, I’ve begun saving my passwords in Google Password Manager. It offered to help, so I said yes. I’m lazy and not too concerned with security breaches, considering my bank account balance rarely bobs above a few hundred bucks. The idea of someone tapping into my Marvel Contest of the Champions account isn’t too intimidating. But am I being safe?
I asked two security experts if you should let your browser save your passwords or if it’s better to invest in password storage companies such as LastPass or 1Password.
Just Do It
“Everyday people need not be so concerned with low value accounts” such as music apps, video apps, video games and individual stores, said Brett M. Frischmann, a professor of law at Villanova University and an affiliate scholar of the Center for Internet and Society at Stanford Law School.
“If something goes wrong, you just abandon the accounts, create a new username and password, and as long as you don’t reuse the same password across all of your accounts, it doesn’t put other things at risk,” he said.
What Frischmann thinks you maybe should worry about — a little — are the accounts with money in them, such as “your 401(k) or your employer or your bank’s financial stuff,” he said. “There’s certain high value accounts which if hacked, it would then compromise my livelihood or compromise my assets.”
In those cases, he recommends doing an itsy bit of Google research, making sure the browser password service you use hasn’t had any breaches recently.
Because they use encryption and cryptography, most password managers — both paid and free — have so many protections in place that you don’t have to stress about your password getting stolen, said Adam Shostack, the president of Shostack and Associates, a threat modeling training and consulting company, and the author of “Threat Modeling: Designing for Security.”
He compared password managers to lockboxes, where each individual password is in its own lockbox that hackers would struggle to crack open. These companies have “spent a lot of time studying ‘What are the bad guys doing? What can we do to defend ourselves against it?’ They’re working to integrate the password filling experience with their browser really well. It’s just one less tool you have to learn.”
The advantage of paid password services like 1Password is that you can securely jump between computers that you aren’t on often, whereas password managers within browsers are best when you mainly use personal computers and phones, said Shostack.
But for the average person, whatever internet password manager comes with your browser is the way to go.
But Use Unique Passwords
“Over the last decade or two, the threats have morphed,” Shostack said. Hackers used to hack into a computer system, take a list of passwords, and then run a program to speed guess which passwords fit where. “Now, the problem is phishing attacks. It’s password leaks by sites that haven’t done a good job of protecting them.”
The answer to not getting phished is not diving into sketchy emails, and the answer to not getting hacked is using a unique password, especially for your master password.
“There’s common nonsense about password security among laypeople,” said Frischmann. “There’s a difference between what experts agree on, what are best practices, and what laypeople believe… The tools you interact with sometimes teach you the wrong lessons.”
People like checklists, which can be problematic. For instance, when you create a password for a site, often people will put a common word in — possibly their name — and the site will tell them it is weak, listing suggestions of things to add to make their password more complicated. But satisfying the checklist those programs impose doesn’t make the password any stronger, said Frischmann.
“They teach people the wrong things because they’re designed to instrumentally get people through quickly. They teach people that adding a one and then an exclamation point is a marginal improvement in security. And in fact, adding a 1 at the end of a name or end of a password doesn’t substantially increase the security.”
Another misconception is that changing your password every few months makes you safer. Many folks who do this just add a 1 at the end of their old password, then a 2 the next time, then a 3, and so on. “That’s a terrible practice,” said Frischmann. The National Institute of Standards and Technology advises against it.
Frischmann recommends companies and programs “don’t periodically require people to change passwords. Instead, change passwords when there’s a reason, if there has been a hack, then you respond by having everyone change the password.”
To make a unique password, make it long, make it tricky. Throw numbers randomly between letters. Vomit symbols throughout. Luckily, password managers make this easy because they offer to suggest passwords for you. Just make sure your master password is spectacularly confusing. Something like “J35A#^k6f#4Gd3EEWS#$.”
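The point Frischmann makes above, that tacking “1” or “!” onto a common word barely raises the cost of guessing while a long random string does, can be shown with a small estimator. This is an added example, not code from the article or from either expert; the word list and suffix list are constructed stand-ins for the much larger lists a pattern-aware guesser would actually try first.

```python
import math
import secrets
import string

# Constructed stand-ins: a real guessing dictionary holds millions of
# words and names and hundreds of common suffixes, but the shape is the same.
COMMON_WORDS = {"password", "welcome", "summer", "dragon", "anna", "brett"}
COMMON_SUFFIXES = ["", "1", "2", "3", "12", "123", "!", "1!", "2023"]


def guesses_for(password: str) -> int:
    """Estimate how many guesses a pattern-aware attacker needs.

    A 'common word + common suffix' password falls to a tiny search:
    every word times every suffix. Only if the password does not fit
    that pattern do we fall back to brute force over the character
    classes it uses, which is where length starts to matter.
    """
    lower = password.lower()
    for suffix in COMMON_SUFFIXES:
        stem = lower[: len(lower) - len(suffix)] if suffix else lower
        if lower.endswith(suffix) and stem in COMMON_WORDS:
            return len(COMMON_WORDS) * len(COMMON_SUFFIXES)
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # 32 symbols
    return alphabet ** len(password)


def strength_bits(password: str) -> float:
    """Guess count expressed as bits, the usual way to compare passwords."""
    return math.log2(guesses_for(password))


def suggest_password(length: int = 20) -> str:
    """Generate a random password the way a password manager would,
    using the OS randomness source rather than random.choice."""
    pool = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(pool) for _ in range(length))
```

Running `strength_bits` on “anna”, “anna1” and “anna1!” returns the same value, while the article’s “J35A#^k6f#4Gd3EEWS#$” comes out above 130 bits.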
And Write Passwords Down On Paper, Not In Notes
It’s important that you save your master password to your browser or password service, but don’t email it to yourself. And don’t save a list of passwords in a Word doc.
“The attackers will search for that stuff,” said Shostack. “And they will find it pretty quickly… They know that people will store passwords next to the word secret or my special words or passwords or passwords spelled with a Z.”
Instead, write it down on a piece of paper and keep it tucked away in a drawer where no one looks.
“Passwords are bad design,” Shostack said, but he believes that things are improving. “Getting away from passwords will be good in the long term. We’re just sort of used to them and so we keep stumbling along and trying to keep using them.”
Eventually, he believes, we will not need passwords. Everything will be more individualized, with us actually needing our phone on us to log into programs, or with accounts using fingerprints and facial recognition to get in.
In the meantime, it’s OK for most of us to accept help from our browser.