Thu. May 26th, 2022

Some of my old usernames and passwords are hovering around the internet, and maybe yours are too.

After repeated reports of data breaches on sites, some I have not visited in years, I decided to take it seriously and use a password manager to create unique, unmanageable passwords for each of my accounts. They are so complex that I do not know what most of them are.

To find out if your credentials have been exposed, enter your email address at Haveibeenpwned.com, a website by security expert Troy Hunt, to see which breaches contained your data. It does not ask for your passwords (and you should not give them out to random sites anyway!).

Hackers commonly use an attack called “credential stuffing”: They take usernames and passwords leaked from a hack and enter them on other sites in the hope that people reused them.

This is why security experts always say that you should not reuse passwords, especially those for important logins like your bank, your email and your work accounts. But it also means that you quickly end up with more passwords than you can remember.

Using a full-featured password manager is a good idea, but setting one up can be time-consuming, daunting and sometimes expensive. So as someone who has gone through the process for myself and several family members, I recommend that cybersecurity beginners start with the fast, free versions built into the smartphones and browsers they already use.

The best password manager for you

A good password manager:

• Creates strong passwords

• Saves login information

• Fills in usernames and passwords

• Protects your data

• Allows you to export credentials if you want to switch managers

I generally recommend standalone services such as Dashlane and 1Password because these apps work better across different platforms and have more features. However, a good fit for less tech-savvy people is Apple's iCloud Keychain and Google's Password Manager. They are free, there is nothing to download and they are integrated with software that people are already using. Plus, they can generate new passwords and send alerts once a password has been compromised.

Even Gary Orenstein, chief customer officer of the open source password app Bitwarden, agrees: “It’s better to use any password manager than not to use a password manager.”

Just remember, iCloud Keychain is for people who live primarily in the Apple ecosystem, and Google’s Password Manager is for people who use Chrome or Android for most of their Internet activity.

When you create a new account or reset a password, Apple’s iCloud Keychain will automatically suggest a strong password and save it for you.



If you are not quite in one of these camps, you may need a third-party app. Bitwarden is a solid free option that works across different platforms, while 1Password and Dashlane, which have monthly subscriptions, are great for families and people who need more features, such as secure password sharing.

Once you have set up your system, first change the passwords for a few of your web and app logins, and then try to use the manager across different devices, just to get a handle on it. If you use a built-in system, your device's password protects your credentials, so do not choose an easily guessed password like 1111.

Getting started:

Apple’s iCloud Keychain

Where you'll find it: iOS / iPadOS apps, Mac apps, Safari for web and mobile, Chrome for Windows

The easiest way to add existing passwords to iCloud Keychain is by entering your login – a pop-up will offer to save the password for you.



How to activate: If you have not already done so, turn on iCloud Keychain in your Mac's system settings. Click Apple ID, then iCloud, and select Keychain. Then go to Settings on your iPhone or iPad, tap your name, iCloud and then Keychain. If you're using a Windows computer, you'll need to download the iCloud Passwords extension for Chrome.

When you create a new account or reset the password for an existing one, Keychain will automatically offer to generate a strong password and save your login information for that site. The next time you visit the site, these credentials will be filled in automatically for you.

When you enter an existing password, Keychain also offers to store these passwords.

Consider enabling biometric authentication for autofilling passwords so you do not have to enter your computer's password or phone's PIN every time. On a Mac, go to System Preferences and then Touch ID. On an iPhone, go to Settings and then Face ID & Passcode.

Find your passwords: Do you want to look up a saved password? On a Mac, open Safari Preferences and then select Passwords. On an iPhone, in the Settings app, scroll down and tap Passwords.

How to export: On your Mac, go to Safari and open Preferences. Click on Passwords. At the bottom of the password list, click the three dots and select Export Passwords.

Google Password Manager

Where you'll find it: Android, iOS (with the Chrome app), Chrome for web and mobile

Google’s Password Manager includes a tool that scans your logins for compromised, reused, and weak passwords.



How to activate: Go to chrome://settings/passwords in the Chrome browser's address bar and enable Offer to save passwords. On Android or iOS, open the Chrome app, tap the three-dot icon, go to Settings and then Passwords, and tap Save passwords. When you create a new account or reset the password for an existing one, the browser will suggest a strong password and save it for you.

The easiest way to add existing passwords is to visit a website and enter your username and password – Chrome also offers to save them.

If you use iOS, Google can fill in saved passwords in other apps as long as you have the Chrome app installed. Go to the Settings app, select Passwords, tap AutoFill Passwords and allow filling from Chrome.

Find your passwords: If you need to access your passwords manually, open a new tab and go to chrome://settings/passwords or passwords.google.com to copy and paste the password.

How to export: Go to passwords.google.com, click the Settings gear icon, and select Export passwords.

Standalone password managers

If you need a standalone service, I have two general tips:

• Download the manager's app or extension on each device and browser you use.

• Take the time to create a strong master password.

If you use a standalone manager, you need to remember only one password, which you do not need to change unless you think it has been leaked in some way. Master passwords are private keys that only you know – not even the company knows them.

Choose a password that is at least 12 characters long with numbers, uppercase and lowercase letters and symbols. It helps if it is based on a meaningful sentence. If your favorite song is Queen’s “I Want To Break Free”, it could be “In Want 2BF by Queen!”

You can also make your sentence simpler, but longer: “Oh, how I want to be free, oh, how I want to be free!” Password length is more important than complexity because longer passwords are harder to decrypt, says Jameeka Green Aaron, chief information security officer at customer authentication firm Auth0.

It is important to note that your master password cannot be recovered or reset, so you may want to write it down on paper and keep it in a safe but accessible place.

Do not forget two-factor authentication

Regardless of how you plan to strengthen your password game, you need to turn on two-factor authentication, also known as 2FA, on all the Internet accounts that offer it. This protection requires an additional code or validation that is sent to another device – for example, a text message or a pop-up phone message – upon login.

It should be turned on for each account that supports it. This is extra secure because even if hackers have obtained your password, it is unlikely that they will have the required verification code to gain access.

Often 2FA is sent via text message, although security experts warn that even your phone number could be forged if someone really wants to steal your stuff. Many accounts now support an authentication app, which can be more secure and works without any network connection. Google Authenticator is popular. I prefer Authy because it syncs codes across multiple devices, which helps if you lose one.

Write to Nicole Nguyen at nicole.nguyen@wsj.com

Copyright © 2022 Dow Jones & Company, Inc. All rights reserved.