The Heartbleed bug has been responsible for a lot of well-meaning advice to change your passwords. I’m a little skeptical about whether that’s necessary because of Heartbleed but – sigh – it is a good reminder that you should update your weak and duplicate passwords. That weak password you use everywhere is protecting your finances, your business, your social life, your computer, and your secrets, and a lot of bad guys are trying to crack it.
Here are three tips that might help ease the pain.
1 Create unique passwords that you can remember
If you’re not using LastPass, realistically there’s no way you’re going to create complex passwords (the ones that look like brKcV3apY9 or worse) for every web site. If you’re like most people, you use the same password all over the web.
Let me suggest a simple trick – not foolproof but it will help.
Take that password you’ve been using everywhere and add something to it. Say your standard password is “Swordfish!”
Add the first letter of the web site to the beginning and the last letter to the end. Examples:
• Apple: ASwordfish!e
• Google: GSwordfish!e
• Amazon: ASwordfish!n
See how it goes? Each one is unique but you can remember how it’s done.
Invent your own pattern. Use the first two letters of the website at the beginning and the end (ApSwordfish!Ap, GoSwordfish!Go). Add a punctuation mark in the same place in each one (A%Swordfish!e, G%Swordfish!e). It doesn’t matter what the pattern is as long as each password turns out to be different and you can remember how you did it.
2 Use spaces in your password
You can put a space in your password at almost every web site. Put two or three words together with spaces and you’ve made it far more difficult for a hacker to crack it by brute force. “Nitwit! Blubber!” is a far better password than “Dumbledore!”
3 LastPass – use the password generator
LastPass users should have complex passwords. That’s the point of using it, after all.
Whenever you need one, click on Generate Secure Password on the LastPass menu. A window will appear with a few options and a suggested alphanumeric string.
In the Advanced Options, choose 10-12 characters and, at a minimum, upper and lower case letters and numbers. Add “Special” for punctuation marks. (I don’t use them myself – too painful when it has to be typed in.) By all means check the box to “avoid double meaning characters” so you don’t get tripped up by I and 1 and l and 0 and O and the rest.
Then follow this process very closely.
You’re on a web site changing a password. You’ve clicked on LastPass / Generate Secure Password.
• While that window is open, copy the password somewhere – highlight it and click Ctrl-C and paste it into a note, or write it on a piece of paper.
• Then click Accept and see if LastPass pastes it into the two places for a new password on the web site. It frequently doesn’t do that correctly. Type it in manually if you have to.
• After you log in, LastPass should ask about updating its stored password for the site. After you do that, open your LastPass Vault and see if the new password is stored correctly. Put in the updated password manually if necessary.
It’s extra work, I know, but that’s what it takes to be sure LastPass got it right.
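The generator settings described in this tip (10-12 characters, upper and lower case letters, numbers, optional special characters, ambiguous characters avoided), as an added example of what such a generator should guarantee on every call. This is not LastPass’s code; the AMBIGUOUS set and the punctuation list are assumptions.

```python
import secrets
import string

# Characters the "avoid double meaning characters" option is meant to drop
# (I, 1, l, 0, O); this exact set is an assumption, not LastPass's list.
AMBIGUOUS = set("Il1O0")

# Full character classes; the "special" set is an assumed punctuation list.
FULL = {
    "upper": string.ascii_uppercase,
    "lower": string.ascii_lowercase,
    "digits": string.digits,
    "special": "!@#$%^&*()-_=+",
}


def build_pools(special=False, avoid_ambiguous=True):
    """Return the per-class alphabets for the chosen options."""
    names = ["upper", "lower", "digits"] + (["special"] if special else [])
    pools = {}
    for name in names:
        chars = FULL[name]
        if avoid_ambiguous:
            chars = "".join(c for c in chars if c not in AMBIGUOUS)
        pools[name] = chars
    return pools


def generate_password(length=12, special=False, avoid_ambiguous=True):
    """Draw a password with the secrets module (CSPRNG), guaranteeing
    at least one character from every selected class on every call."""
    pools = build_pools(special, avoid_ambiguous)
    if length < len(pools):
        raise ValueError("length too short to cover every character class")
    chars = [secrets.choice(pool) for pool in pools.values()]
    alphabet = "".join(pools.values())
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Fisher-Yates shuffle driven by secrets, so the guaranteed
    # characters do not always sit at the front of the password.
    for i in range(len(chars) - 1, 0, -1):
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


def check_password(pw, special=False, avoid_ambiguous=True):
    """True if pw uses only the allowed alphabet and hits every class."""
    pools = build_pools(special, avoid_ambiguous)
    allowed = set("".join(pools.values()))
    return set(pw) <= allowed and all(set(pw) & set(p) for p in pools.values())
```

Running check_password over what a generator actually pasted into the site is the programmatic version of the "copy it somewhere and compare" step above.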
Here are two bonus tips from the last password ruckus.
4 Never type a useful password hint
If you are asked to type in a password hint as part of the process of setting up an account, never ever type something that would allow the password to be guessed. Don’t try to be clever. If you need that hint to remember a password, then you’ve chosen a weak password; you don’t need a hint, you need a better system to manage your passwords. The best password hint: “Look in LastPass.”
5 Never answer a security question directly
Many online accounts include a security question that is used to authenticate you if your password needs to be reset. The answer does not have to match the question. Think of something that you will use as your security answer going forward – words that you will remember but that no one will guess that you chose. Use those words to answer security questions consistently, with the same capitalization and spelling every time. First pet? “Inigo Montoya”. Mother’s maiden name? “Inigo Montoya”. Street you grew up on? “Inigo Montoya”. Elementary school? “Inigo Montoya”.
No one is fact-checking those answers. When you call in to reset your password, the tech support rep types in what you say to see if it matches. The rep doesn’t care if it makes sense. The only crucial thing is that you have to remember what you chose. Make a note of it in LastPass.
Be careful out there!