Use Good Passwords!

Use Good Passwords! a reader asks…

I have a bunch of websites that I log into on my computer, and I also log into online accounts using apps on my smartphone. I know that everybody recommends using unique passwords for each login, but I’m kind of lazy and just use the same password all over, sometimes with slight variations. That way I don’t have to try to remember dozens of passwords. Is there an easier way?

Absolutely there’s an easier way. Use a password manager – this is an app for your smartphone as well as a plugin for your web browser. Which one to use depends on what you’re using for internet access – computers and smartphones.

If you are an all-Apple user (Mac computer and iPhone), the answer is easy. You already have a good password manager – Apple’s Keychain. This is an app on your Mac, and is baked into the iPhone’s iOS operating system (see Settings>Passwords). There’s no real need to use something else. Your Apple Keychain will synchronize between your Mac and iPhone, and can be used to log into apps as well as websites.

If you use a mix of Apple and non-Apple devices (say an iPhone and a Windows PC), then you could still use the Keychain app by adding the Keychain extension/add-on (called iCloud Passwords) to your web browser (Chrome or Edge). Unfortunately, the iCloud Passwords extension doesn’t currently work with Firefox, so if you use that browser you’ll need an alternative. Or you may simply not want to put your password security in Apple’s hands. For you, a 3rd party password manager is the right answer.

There are many 3rd party password managers available, and which one you use really doesn’t matter, so long as you use one. The reason to use one is to keep you from having to remember all the unique passwords on all the apps and websites you use/visit. The password manager does this for you, and all you need to remember is the master password to your password manager app. That’s the only practical way you can make sure your passwords are both unique and strong (see below for what I mean by “unique” and “strong”).

Everybody has an opinion on what’s the best password manager to use. For most people, they’ve only tried one or two, and use the whichever was easier for them to use. Very few people actually try out and compare all the leading password managers. If you’ve not used a password manager yet, please pick one (any one) and start using it. All of them require you to learn something new – how to use it. Each one has its quirks and methods. I happen to use the venerable LastPass, and have continued to stick with it as the competitive market has evolved with more password managers – some with some better features (and worse). My recommendation isn’t for any specific password manager, but just for using one.

A word about the password manager built into your web browser (Chrome, Edge, Firefox, Opera): I simply don’t recommend them. Not to say they don’t work, they are certainly easy to use. But I am more concerned about the security of your account with them – respectively, Google, Microsoft, Firefox or Opera. If your account or computer gets hacked, all those passwords become available to the hacker. I’d stick with either the Apple Keychain (for Apple users), or a good 3rd party password manager for everyone else. Whichever you use, you simply must take the time to learn how to use it. Most password managers have decent tutorials (such as LastPass’s), and there are plenty of video tutorials online (such as at Youtube.com).

Now a word about unique and strong passwords. First, there is no standard for passwords, each online entity can choose whatever complexity requirements they want. Some will force you to use special characters, some won’t allow them. Some won’t let you use a very long password (over 15 characters) – although this is absolutely the best way to ensure you have a strong password. You have to conform to each entity’s password requirements. Outside of that, let your password manager suggest long/strong and unique passwords for each online entity, and let the password manager remember those for you.

You need to use a completely unique password for each and every single online entity you deal with who requires you to create a user account with a password – no exceptions. Reused passwords are an easy way for hackers to mess with/steal your digital life and identity.

In addition to a strong and unique password, if you are offered the option for 2-step verification, by all means set that up. Google is currently starting to make that mandatory for all Google/Gmail accounts, and more and more online entities are making 2-factor authentication available. For a quick primer on 2-factor authentication, check out my article 2-factor Authentication.

Coming soon Here now is new technology that promises to make this all moot – passwordless logins using biometrics. Most people now have a smartphone that has biometric security, FaceID or fingerprint ID. The major online players are working toward a standard method (the WebAuthn protocol) for using biometrics everywhere instead of logging in with a username and password. This will also negate the need for current 2-factor authentication methods, since WebAuthn is even more secure. You don’t need to know the technical details (unless you’re interested and geeky like me), you can just let your smartphone’s biometrics work across more and more platforms as this protocol is adopted. Google, Microsoft, Firefox, Apple, and more companies are jumping on this bandwagon. If an online entity offers this option to you, you should take it.

Lastly, you should be protecting your email account with the best security you can – every online entity has a “forgotten password” feature, and your email account is usually the place where password reset links are sent. If your email account gets hacked, the hacker can quickly gain access to all your other login passwords.

---

This website runs on a patronage model. If you find my answers of value, please consider supporting me by sending any dollar amount via (send to @PosiTek), (send to Support@PosiTek.net), using any credit card (no Paypal account required), using Zelle, Apple Pay or Google Pay, or by mailing a check or cash to PosiTek.net LLC 1934 Old Gallows Road, Suite 350, Tysons Corner VA 22182. I am not a non-profit, but your support helps me to continue delivering advice and consumer technology support to the public. Thank you!

Go to Top of Page