Until recently, I thought I would never write on this topic because there was no need. It is such an old topic, so much has already been written about it, and when it comes to protecting your digital life, this is the most basic thing you need, and it can easily be addressed.
Well, I was wrong.
I was helping my father recently with his online photo management when I came to know that he doesn’t have 2FA enabled for his accounts. Fair enough. He was also using the same password almost everywhere, for obvious reasons (I will talk about this in detail in a while).
I suggested that he should use a password manager, but the reaction I got from him wasn’t positive. I was furious at first. Later on, I also found out that it’s the same situation with my better half, my 16-year-old son, my in-laws, and a few other family members as well.
OMG! This was beyond my imagination and hard to digest. Since then I haven’t been able to get these thoughts out of my head. I felt that it’s not just them; there might be a lot of other people out there who have exactly the same issues and concerns.
This story is just an effort to remove as much of the discomfort and fear as possible, so that more and more people can make their digital life better and protect it from online fraud.
We are not going to talk about the hundreds of other things you should do to protect your accounts, e.g. 2FA (Two-Factor Authentication). We will just focus on passwords and why everyone MUST use a Password Manager.
But, before we go any further, a little bit of background based on what I experienced with three different generations in my family.
My 16-year-old son
He has grown up in the world of smartphones and smart devices. He has used computers and mobile devices from the beginning. He knows his way around the internet very well.
If he doesn’t understand the importance or need of using Password Managers, then I would say it is just a lack of awareness. We, as a society or community, need to do a better job of spreading awareness. All of us need to help spread the word.
He was pretty easy to convince. Once I explained the “WHY” to him, he was fine with it and willingly went ahead and set everything up for himself.
My Better Half
He is 45+ and falls into the Gen X category. He is not in the field of computers, but I don’t think it is a challenge for him to learn and explore new things.
It’s not a feeling of discomfort, but more of an inconvenience factor, that makes him avoid using password managers. He is simply not willing to change unless and until he really feels the need. He is aware of everything going on in the world in the name of privacy and security, but he doesn’t seem to be concerned.
The simple reaction I always get is “Who will hack my account?” He protects his bank accounts, but for everything else he simply doesn’t care. He uses 2FA only if it is forced on him, for example by Apple.
For people like him, it only takes one hacked account, either their own or that of someone in their circle of friends, to change their mind. My advice is:
It is better to be safe than sorry.
I have tried everything possible to convince him of the WHY. Believe me, I couldn’t. In the end, I just had to ask him, “Can you do it for me, please?”
Finally, My Parents
I can understand their pain.
They have spent half of their lives in a world where there was no TV or mobile phone. Anything with the word “smart” scares them.
I remember one day my father came home from the office mentioning that his office was installing computers everywhere. He was almost forced to use them out of the need for survival. Logging on to a computer and using Microsoft Word was the biggest challenge for him at that time.
It was survival of the fittest, so he had no choice but to learn how to use computers.
He spent hours exploring and learning. It wasn’t easy for him. At every step, he had loads of questions. Some of them were almost impossible to answer, because that’s just how things work and there is no explanation for it.
Until recently he wasn’t using online banking, for fear that someone might steal all of his hard-earned money. He feels more comfortable doing things the old-fashioned way rather than learning something new from scratch and understanding the pitfalls to watch out for.
My only advice to this generation is to treat this as if you are being forced, just like my dad was forced to learn computers and Microsoft Word at his office. It is not that you can’t learn; it is just the willingness to go through the pain of learning something new from scratch.
It is as simple as using WhatsApp, Facebook, or Twitter. Remember that at first these apps were not easy to understand and use, but you did it, right? Similarly, you can learn how to use a password manager. It’s not rocket science.
The Most Common Concerns:
How can I give my password to someone else to store?
I don’t want to make this answer technically complex, but without going into some technical detail I may not be able to answer it. Let me try:
Password Managers use the zero-knowledge encryption method.
In a nutshell, zero-knowledge encryption means that the service provider knows nothing about the data you store on its servers. The data is encrypted on your device before it ever reaches their servers.
It’s like a sealed envelope. They don’t know what’s inside. Even if they or anyone else opens the envelope, they will not be able to read it, because it is encrypted using the master password, which only you know.
For a more detailed but still simple explanation, you can read about Zero-Knowledge Encryption. To use a Password Manager, you don’t need to understand how zero-knowledge encryption works.
What if I lose access to the Password Manager itself?
This could be the only, or one of the biggest, reasons people are usually scared to use Password Managers.
The only way you can lose access to the Password Manager is if you forget the Master Password.
You cannot afford to forget your Master Password. Actually, you won’t, because that’s the only password you need to remember going forward.
What if your Master Password is a phrase like this: “The quick brown fox jumps over the lazy dog”
Yes, any phrase like this can be your master password. No one will ever be able to crack this password as long as you are alive.
You can use any such phrase, as long as it is long enough to resist cracking, and you can mix in small and capital letters, numbers, and special characters. That’s how passwords should be, but somehow most of us are still stuck in the old days.
In the worst-case scenario, if you forget your Master Password, you will lose access to all the stored passwords. Because of the zero-knowledge encryption, there is no way to read your passwords without your master password.
If we forget any other password, we usually have the habit of clicking “Forgot Password” and getting it reset. Well, you can’t do that in the case of Password Managers. Even if you reset the Master Password, you will not be able to get your previously stored passwords back. You have to start from scratch. This also means that you can no longer log in to any of your accounts and need to go through the pain of resetting the password on every one of them.
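The two points above, that the provider only ever holds an encrypted blob and that a forgotten master password cannot be "reset" into the old data, in a small added example (written for this page, not code from any real password manager). The key-stretching work factor, the HMAC-counter stream (used here instead of a production cipher such as AES-GCM) and the sample vault entry are all assumptions.

```python
import hashlib
import hmac
import os

# Work factor for stretching the master password (assumed value, not from the article).
KDF_ITERATIONS = 200_000

def derive_key(master_password: str, salt: bytes) -> bytes:
    """Turn the master password into a 32-byte key. The salt is stored; the key never is."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, KDF_ITERATIONS, dklen=32)

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Teaching-only keystream: HMAC-SHA256 in counter mode (real products use AES-GCM or similar)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])

def _subkeys(key: bytes):
    # Separate keys for encryption and for the integrity tag.
    return (hmac.new(key, b"enc", hashlib.sha256).digest(),
            hmac.new(key, b"mac", hashlib.sha256).digest())

def seal_vault(master_password: str, plaintext: bytes) -> dict:
    """Encrypt on the client. The returned record is everything the provider ever stores."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _subkeys(derive_key(master_password, salt))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ciphertext": ciphertext, "tag": tag}

def open_vault(master_password: str, record: dict):
    """Decrypt on the client. Returns None if the master password is wrong or the record was altered."""
    enc_key, mac_key = _subkeys(derive_key(master_password, record["salt"]))
    expected = hmac.new(mac_key, record["salt"] + record["nonce"] + record["ciphertext"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        return None  # wrong master password: the stored blob yields nothing, nothing to "reset"
    stream = _keystream(enc_key, record["nonce"], len(record["ciphertext"]))
    return bytes(c ^ k for c, k in zip(record["ciphertext"], stream))

if __name__ == "__main__":
    # Constructed sample vault entry; the phrase is the article's example master password.
    record = seal_vault("The quick brown fox jumps over the lazy dog", b"example.com: correct-horse-battery")
    print(open_vault("The quick brown fox jumps over the lazy dog", record))  # plaintext comes back
    print(open_vault("The quick brown fox jumps over the lazy cat", record))  # None: wrong master password
```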
What’s the worst that can happen? You will never lose access to any of your accounts, whether because of the Password Manager or otherwise. There are always ways to recover.
The worst experience I have had so far was losing access to my Facebook account. I had to submit a copy of my passport in order to prove my identity and that it was my account. I’m actually happy that I had to do that, because it shows Facebook is trying its best to protect my account from any unauthorized access. Isn’t it?
But, please don’t make this an excuse for not using a password manager. I have been using a Password Manager for more than 10 years now and this has never happened to me.
Until you have memorized your master password, you can write it down on a piece of paper (don’t store it on your computer) and keep it somewhere safe, e.g. in the drawer of your cupboard.
However, it is not advisable. Why? We will not go there, in order to keep this topic simple. Just understand that
You should NEVER write down your Master Password; memorize it instead.
However, it is okay to write it down on a piece of paper and keep it safe until you are confident that you have memorized it. Don’t keep it forever.
Is it really worth taking the pain?
Yes. I don’t want to argue, debate, or discuss this. Just do it. Well, I’m just kidding. Here are the reasons:
Read these two articles to get an idea about data breaches:
- 300+ Terrifying Cybercrime & Cybersecurity Statistics [2020 EDITION] (www.comparitech.com)
- 107 Must-Know Data Breach Statistics for 2020 (www.varonis.com)
Data breaches are growing at a rapid pace. Even big companies like Adobe, Yahoo, and LinkedIn are not safe and can be hacked at any time. Even financial institutions like banks, insurers, and credit bureaus (like Equifax) can’t protect themselves. A data breach is inevitable. The only way you can protect your information is by protecting your password.
Basic guidelines for the Password
Use a complex password.
A password is considered complex if it uses a combination of all of the following:
- Small Letters
- Capital Letters
- Special Characters
- Numbers
Every password you create should have at least one character of each type; otherwise it is not complex enough.
Length of the Password
If you are using all four types of characters mentioned above, a decent length of 12–16 characters is good. As of today, almost every website or mobile app allows you to create a password of at least 8–16 characters. Some websites also allow you to create a password up to 99 characters long.
If any website or mobile app allows you to create a password shorter than 8 characters, you should seriously doubt the security practices they follow. You should also try to avoid using such a website or mobile app.
If you don’t want to or can’t use all four types of characters in your password, you should increase the length of your password to 20 or more characters.
A decent GPU-based computer can try 10.3 billion passwords per second using the brute-force method. I don’t want to go into the technical complexities of what, how, and why. We don’t need to. Just understand that the longer and more complex your password, the harder it becomes for a hacker to crack it.
So, if you are 16 years old today and your password is 36 characters long and uses all four types of characters, no one will be able to crack your password in your lifetime.
However, quantum computers are coming, which will affect not just you and me but will make every existing method of securing the world useless, including those of the CIA/NSA, so let us not go there right now.
Remember,
“The quick brown fox jumps over the lazy dog”
is a better password than
“3*U$z12D”
Why better?
- Because of the length of the password. It’s 43 characters long.
- It uses a special character: the space. If a website doesn’t allow a space as the special character, you can use something else.
- It uses a capital letter. You can capitalize any character, or the first letter of every word.
- The only thing it doesn’t use is a number, which is fine because of the 43-character length.
- It is easy to remember, because it is a phrase anyone can easily remember. That’s how passwords should be. Easy to remember. Right?
- It is a passphrase and not a password. That is what is required nowadays: a passphrase, not a password.
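The guidelines above and the comparison of the two passwords, turned into an added worked example (written for this page, not from the article): it applies the four-class rule and computes how long an exhaustive search takes at the 10.3 billion guesses per second quoted earlier. The special-character alphabet (all ASCII punctuation plus the space) is an assumption.

```python
import string

GUESSES_PER_SECOND = 10.3e9          # the brute-force rate quoted in the article
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# The four character classes from the guidelines. Specials = ASCII punctuation plus the space (assumed).
CLASSES = {
    "small": set(string.ascii_lowercase),
    "capital": set(string.ascii_uppercase),
    "number": set(string.digits),
    "special": set(string.punctuation + " "),
}

def classes_used(password: str) -> set:
    """Names of the classes that actually appear in the password."""
    return {name for name, chars in CLASSES.items() if any(c in chars for c in password)}

def is_complex(password: str) -> bool:
    """The article's rule: complex only if all four classes are present."""
    return classes_used(password) == set(CLASSES)

def alphabet_size(password: str) -> int:
    """Size of the alphabet an attacker has to try, given the classes the password uses."""
    return sum(len(CLASSES[name]) for name in classes_used(password))

def brute_force_years(password: str) -> float:
    """Years to try every string of this length over that alphabet at the quoted rate."""
    guesses = alphabet_size(password) ** len(password)
    return guesses / GUESSES_PER_SECOND / SECONDS_PER_YEAR

def report(password: str) -> str:
    years = brute_force_years(password)
    return (f"{password!r}: {len(password)} chars, alphabet {alphabet_size(password)}, "
            f"complex={is_complex(password)}, exhaustive search ~{years:.3g} years")

if __name__ == "__main__":
    # The two passwords compared in the article: about a week versus ~1e65 years.
    for candidate in ("3*U$z12D", "The quick brown fox jumps over the lazy dog"):
        print(report(candidate))
```

This is the exhaustive-search bound the article reasons about; a sentence that appears in books or wordlists (this pangram does) can be guessed far faster, so pick an original phrase of your own.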
Don’t Reuse the Password
This is the most basic thing everyone talks about, but people don’t listen. The problem is that from the very beginning we started using the same password everywhere, and we still follow that bad practice. Reusing a password is one of the worst things you can do with your password today.
Using a simple password like the ones you have seen in the video, or reusing your password on more than one website, is a complete NO-NO. You can’t do that anymore. Seriously.
Data breaches are growing every day. If your user ID and password are compromised in any one breach, then hackers can access every one of your accounts that uses the same password. If you use a unique password for every website or mobile app, you only need to change it on one website if your password is ever compromised.
Has any of your email addresses and passwords already been compromised? I’m pretty sure it has. You can check at Have I Been Pwned? or try Firefox Monitor. Both will give you the same results.
When you can’t reuse your passwords and need a unique password everywhere, that’s when you need a password manager.
I use LastPass. As you can see below, I have a total of 682 passwords. Now, if I have to create a unique password/passphrase for every site, there is no way I can remember each of them, right?
The Password Manager helps me create randomized, unique passwords for every login. The additional benefit is that it also tells me how many passwords are duplicated, compromised, weak, etc.
You can use any password manager of your choice. My top three recommendations are LastPass, 1Password, and Dashlane. Password Managers help you create a random password for each website you use, and they remember it for you. You just need to remember one password, called the Master Password; it’s the password for all of your passwords.
The Password Manager also has a feature called Security Challenge, which tells me where I stand compared to the rest of the world.
Two-Factor Authentication is the next thing you can do to further protect your accounts. But it is a separate topic of discussion for some other time. For now, just remember that two-factor authentication can’t and shouldn’t be an excuse for not using a Password Manager to create unique passwords.
Starting to use anything new for the first time always comes with its own challenges. If you run into any issues and are not able to get the support you need, please feel free to message me. I will be more than happy to help.