Four realistic steps to upgrade your online security
This article is a preview of The Tech Friend newsletter. Sign up here to get it in your inbox every Tuesday and Friday.
The whole password system on the internet is stupid and insecure.
Requiring you to create a unique and complex password on hundreds of digital accounts is error-prone and annoying. Most of the advice you hear about passwords—including from tech journalists like myself—is unrealistic, condescending, and sometimes outdated.
I have tips for improving your password practices, including if you’re dealing with a recent breach of a password vault called LastPass. I know that taking care of your online security is a hassle. But if you make a small improvement, you can claim victory.
I also want you to keep this long-term mission in mind: Passwords must die.
There is hope. In just the last few months, more websites and apps have started to let you remove your password entirely. Instead, your phone, fingerprints or face are proof that it’s you.
Technologists have been promising a password-free future for a long time. That won’t happen anytime soon. But internet security is broken beyond repair. We need to pass the password.
In the meantime, you’re a safety star if you take just one of these steps:
Aim for longer passphrases
To create the best password, try to make it at least 16 characters. The more characters, the longer it takes hackers to figure out your password. Don’t worry so much about having a bunch of symbols, capital letters and numbers.
Security experts recommend using memorable phrases as passwords, with a twist. If you like nursery rhymes, try the password, “L1ttleMi$sMuffetSatOnATuffet,” with a number and symbol replacing some letters. Or put four words together in nonsense like “TumblerElbowMerinoWoodpecker.”
Not every online account allows you to set such passphrases, due to requirements stemming from outdated government security guidelines.
Again, there is a lot of individual responsibility and blame on you. You know you shouldn’t create easy-to-guess passwords like “RedSox04” or reuse your passwords across multiple sites. But no human can invent and remember hundreds of complex passwords.
Prioritize: create strong passwords or passphrases first for your most important accounts, such as email, financial accounts and password managers. (More on those in a minute.)
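To make the "more characters means more work for an attacker" point concrete, here is a small calculator, added as an example for this newsletter and not code from the article or any password manager. It measures the search space of the two styles the article recommends (long character strings and several random words) and converts it to the time an offline guessing attack would need. The guessing rate and the 7,776-word list size are assumptions, labelled in the code.

```python
import math

# Added example (not from the article): compare the search space of short
# passwords with the longer passphrase styles the article recommends.
# Assumed values: the attacker's offline guessing rate and the size of the
# word list a random passphrase is drawn from.

PRINTABLE_ASCII = 95                # letters, digits and symbols on a US keyboard
LOWERCASE = 26
DICEWARE_LIST = 7776                # assumption: a standard 6^5-word Diceware list
ASSUMED_GUESSES_PER_SECOND = 1e10   # assumption: offline attack against a fast hash


def password_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols chosen uniformly at random from a
    set of `charset_size` symbols: log2(charset_size ** length)."""
    return length * math.log2(charset_size)


def passphrase_bits(word_list_size: int, words: int) -> float:
    """Entropy of `words` words chosen uniformly (with replacement) from a
    list of `word_list_size` words; each word contributes log2(size) bits."""
    return words * math.log2(word_list_size)


def seconds_to_exhaust(bits: float, guesses_per_second: float = ASSUMED_GUESSES_PER_SECOND) -> float:
    """Time to try every candidate; on average an attacker needs half of this."""
    return 2.0 ** bits / guesses_per_second


def human_duration(seconds: float) -> str:
    """Round a duration to the largest convenient unit for display."""
    units = [("years", 365 * 24 * 3600), ("days", 86400), ("hours", 3600),
             ("minutes", 60), ("seconds", 1)]
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.3f} seconds"


def compare(candidates):
    """Return (label, bits rounded to 0.1, exhaustive-search time) per candidate."""
    return [(label, round(bits, 1), human_duration(seconds_to_exhaust(bits)))
            for label, bits in candidates]


if __name__ == "__main__":
    examples = [
        ("8 lowercase letters", password_bits(LOWERCASE, 8)),
        ("8 mixed printable characters", password_bits(PRINTABLE_ASCII, 8)),
        ("16 mixed printable characters", password_bits(PRINTABLE_ASCII, 16)),
        ("4 random Diceware words", passphrase_bits(DICEWARE_LIST, 4)),
        ("6 random Diceware words", passphrase_bits(DICEWARE_LIST, 6)),
    ]
    for label, bits, duration in compare(examples):
        print(f"{label:32s} {bits:6.1f} bits  exhaustive search: {duration}")
```

The calculator only measures secrets chosen at random. A familiar phrase with a few letter substitutions, like the nursery-rhyme example above, is not random: cracking tools try known phrases and common substitutions directly, so it gives far less protection than its length suggests. Four or more words drawn at random from a list, or a 16-plus character string your password manager generates, gets the full value shown here.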
Consider two-step verification on your important accounts
Requiring a password plus a second step to sign in to an account — such as a code sent to you via text — protects you much better than signing in with just a password.
If you can manage it, add two-step verification to your essential accounts like email, social media, and your bank accounts.
This is the common internet safety tip that most people don’t take. Don’t blame yourself. It takes work, and not all online accounts allow you to use two-step verification. (This website allows you to request options for the websites and apps you use.)
Using a dedicated one-time code app like Authy, Microsoft Authenticator, or Google Authenticator is more secure than getting codes by text. But don’t dwell too much on these details.
Use a password manager if you can
There’s a reason my colleagues have consistently recommended password managers. Services like 1Password and Dashlane generate strong passwords for each of your accounts, store them in a digital lockbox, and autofill them when you’re on websites and apps.
You create a single password in your password vault and these services store the rest.
Password managers are not infallible. I’d also rather clean my tub than put them on. But they are a smart investment in your online security.
I’ve used Dashlane for years, and while it’s not cheap—I pay about $65 a year—I find it easy to use and worth the hassle. It also makes me happy by automatically typing passwords and credit card numbers.
As a backup for memorizing my Dashlane passphrase, I have it written down on two pieces of paper, one I keep in my desk drawer and one in my wallet.
You may be thinking: What if a thief steals my wallet and gets access to all my passwords? Is it safe to store every password in one place? Nothing is zero risk. But anything you do with a password manager is probably a security upgrade. Please don’t try to be perfect.
Read more tips on how to get started with a password manager or alternatives like saving all your passwords in a notebook. This is great too! (Some of this advice is outdated, but the basics still hold.)
LastPass, one of the most popular password management services, recently revealed that hackers stole copies of usernames and passwords.
LastPass told customers that they are probably safe because essential information, including passwords, was scrambled. This makes it harder for fraudsters to make use of what they stole.
But Chester Wisniewski, an Internet security researcher with the firm Sophos, told me he’s been alarmed by years of red flags with LastPass. He recommended that users consider switching to an alternative.
Wisniewski said he feels confident in password managers 1Password, Bitwarden and Dashlane. (Here are instructions from 1Password, Bitwarden, and Dashlane for switching from LastPass.)
I asked LastPass representatives to respond to Wisniewski’s advice. They directed me to the company’s recent blog post.
Wisniewski also said that LastPass may still be a good option for you. The alternative of using something like your child’s name as a password is much less secure.
The future you want: No passwords
Have I mentioned that the password system is stupid and there’s only so much you can do to protect yourself in this broken system? Yes?
Here’s where things start to get promising.
Some companies, including Microsoft, Best Buy, and PayPal, have started giving you the ability to log into your account without a password.
This is not entirely novel. Some apps already let you log in with just your fingerprint or face scan, but that mostly works only on your phone, and you still have a password somewhere. Now imagine using your phone or other device, fingerprint or face scan as the only way to log in anywhere.
Last week, I deleted the password from my Microsoft account and asked to sign in without a password. Now when I tap Skype on my Android phone or use Outlook email on my computer, I’m asked to confirm a two-digit number that I can see in the Microsoft Authenticator app on my phone. (I have to unlock the Authenticator app with my fingerprint.) That’s it.
Microsoft told me that nearly half a million people have removed the password from their accounts and opted to sign in without a password.
This password-free system, which the tech industry is calling “passkeys,” is now embedded in Android phones, iPhones, PCs, and major web browsers.
Right now, going without a password isn’t easy. When I created a PayPal account in the iPhone app and confirmed that I wanted to use the iPhone’s FaceID to sign in, I had to create a password. However, technology is getting there.
It’s worth rooting for passkeys to kill the password system for good, although it will take many years.
Security experts told me that passkeys, which use proven cryptography practices, are more secure than the password systems in use today. Hackers also can’t steal passwords or trick you into giving them out if there are no passwords at all.
Even better, it’s easier to access your accounts with just your device, finger or face. It’s no problem if you lose your phone or computer. And passwordless login will get easier over time.
If your accounts offer passwordless logins called passkeys, definitely give them a try.
I usually roll my eyes when I hear that magical technology will fix an existing broken technology. In this case, yes, passkeys can be the magic solution.
You can make yourself more secure within the stupid password system we have today. But it’s even better to end the tyranny of passwords forever.
After talking to internet security experts about this piece, I realized I could make some changes to improve my password practices as well.
With the help of Dashlane, I made longer passwords on my Google account and my financial accounts. I also replaced the 10-character Dashlane password with a 20-character passphrase of four words mixed together.
I’ve known for a long time that I needed to make a stronger Dashlane password. I just didn’t. Give yourself a break. Everyone can benefit from a small security upgrade or two, and it’s never too late to start.
Brag about your little victory! Tell us about an app, gadget or tech trick that made your day a little better. We may feature your tips in a future edition of The Tech Friend.