There's one foolproof way to protect your information online. But you're not going to like it.
It involves paper.
News of the Heartbleed vulnerability has made a lot of people interested in better password management. Most of us know that our passwords should be random mixtures of letters, numbers and characters, and that we shouldn't re-use the same passwords on multiple sites. In other words, we're supposed to memorize a huge number of passwords designed to be impossible-to-remember. There's no way most people will do that.
So in recent weeks, a lot of computer-security experts have begun recommending password managers like Dashlane, 1Password, Lastpass, and Roboform. There are some major advantages to these services. They basically generate and remember your passwords for you. You use one master password to access them. The information is saved onto your devices and powerfully encrypted so it's almost impossible to hack.
If that appeals to you, it's worth giving it a try. But there's another alternative that's simple, reliable, and everyone already knows how to use it: paper. To keep your passwords safe, just write them down on a piece of paper and put it in a safe place like your wallet.
You can't hack paper.
Choosing a low-tech solution for a high-tech problem seems counterintuitive to a lot of people. Shouldn't we be using the most powerful technologies to safeguard our online lives?
But security mistakes happen when people are using systems they don't understand. Password managers are powerful, but their complexity can also lead to problems. In contrast, everyone understands how a piece of paper works.
If you forget your password manager's master password, the rest of your passwords are gone forever. Of course, a lot of people write their master password down somewhere on their computer. That creates an opportunity for hackers to grab their data, or, more mundanely, a risk that their hard drive will malfunction and they won't have a backup.
So for many users, writing passwords down on paper is a better solution.
"If what you're concerned about is people coming in over the internet, they can't do that if your passwords are on paper," says Lorrie Cranor, a computer scientist at Carnegie Mellon University who says writing down passwords is a perfectly sensible security strategy. Managing passwords on paper is endorsed by a number of other security experts, including well-known security researcher Bruce Schneier.
Paper has its dangers, of course. If you're the kind of person who is prone to losing your wallet or accidentally putting things in the washing machine, trusting your passwords to a piece of paper might be a bad idea.
Paper can also be taken. If you have a nosy boyfriend or teenage kids who might be inclined to snoop through your accounts, that's a cause for concern. If you travel internationally, a search at the border could reveal your passwords to a foreign government.
But for many people, threats from strangers online are a much bigger concern. Paper can't be hacked. You can't be tricked into sending a piece of paper to hackers on the other side of the world. And as long as your wallet doesn't go through the washer — or as long as you keep a couple of different sheets of paper safely hidden — technical problems are unlikely to unexpectedly erase the contents of a piece of paper.
None of this is to say that password managers are a bad idea. They're not. But for many people, storing passwords on paper is a great solution.
Why do I need so many passwords?
Password re-use is bad because it means that compromising one site can expose you to attacks on other sites too. For example, if you use the same password on a sketchy internet forum as you do for your Gmail account, then if the forum gets hacked the hackers might gain your password and be able to log into your Gmail. From there, they may be able to compromise other accounts and get access to your whole digital life.
So your most important accounts should each have its own unique password. And because most people can't memorize a a lot of passwords, the best way to manage that is by writing them down.
On the other hand you probably don't have that many important accounts. Your primary email address, your bank, your credit card, and your retirement account probably need their own passwords. If you use a cloud storage service like Dropbox or iCloud, your passwords for those services should be unique. You might also want a unique password for your Facebook and Twitter accounts. But the total number of high-security passwords is probably a single-digit number.
For other sites, some password re-use is fine. There just isn't that much damage someone can do if they gain control of a video streaming account, for example. So pick two more passwords: one password to use on sites with a moderate level of security concern, and a second one for low-security sites like online forums and games.
In other words, you should be able to get along with few enough passwords to fit them all on a business card.
What's the most secure way to manage passwords on paper?
The great thing about writing down your password on paper is that you don't have to worry about picking passwords that are easy to remember. So you can focus on picking the most secure possible passwords. The best approach is to choose passwords that are a random sequence of lower-case letters, capital letters, numbers, and symbols. Make it a minimum of 12 characters long. For example, "Ah6&p5v*tt9B" is a good password (though obviously you shouldn't use this specific one!).
It's a good idea to avoid using the numbers 0 and 1 and the letters i, L, and O, since these can easily be mistaken for each other. It's also a good practice to underline the capital letters in each password to make sure you'll be able to decipher which letters are capital and which are lowercase.
Finally, write down as little identifying information as possible. Don't write down your username. Write "E" instead of "gmail" and "B" instead of "Bank of America." Hopefully, if your wallet does get stolen, the thief won't realize he's holding the keys to your online identity — at least until you've had time to change your passwords.
Don't leave the paper somewhere where people can copy it. It shouldn't be a Post-it note on your monitor or even under your keyboard. Store it in your wallet, or in an unmarked folder in your filing cabinet. You might want to consider keeping two different piece of paper: one at home that has every password, and a second one in your wallet that just has the passwords you need every day. That minimizes the damage if you happen to lose your wallet.
I'm already using a password manager. Should I stop?
No, password managers are a perfectly reasonable option. But here are some things to be careful of.
First, make sure you make regular backups of your hard drive (you should be doing this anyway). Some password managers (like 1Password) don't store an encrypted copy of your passwords on their servers. If you're using one of those programs, then a hard drive crash could mean you lose your password data forever.
Second, memorize the password to your primary email address. There's always a small risk that a technical snafu or a forgotten master password will lock you out of your password file. If that happens, you'll need to activate the password-recovery features on all the websites you use. Most websites do that by email. If your email password is stored in your password manager, you'll be out of luck.
Most password managers allow you to synchronize your data across multiple computers. That's a convenient feature, but it needs to be used carefully. Never log into your password manager from devices you don't trust. For example, if you're traveling abroad, it's a bad idea to log into your password manager from an internet cafe. If that computer happens to have spyware installed — and many do — the bad guys will be able to access all of your accounts. Also, be wary of fraudulent "phishing" emails and websites that try to trick you into divulging your master password.
I want to use a password manager. Which one is the best?
There are several good password managers on the market right now, but after testing the Mac versions of several of them I was most impressed with Dashlane. It's easy to use, has all the features ordinary users need, and seems comparable to the other options in terms of security.
The other programs I tried were 1Password, Lastpass, and Roboform. (I didn't try a fifth option, Keepass. It's primarily a windows application but a Mac version called KeepassX is under development). I had trouble some trouble getting Roboform to work, but 1Password and Lastpass are both great options with a lot of satisfied customers.
One of the most important differences among these apps is that some are designed to store your encrypted passwords on your local computer, while others store them online. If you spend most of your time on one computer (for example a laptop you carry around), then a local-storage app such as 1Password is probably a good choice. Local-only storage provides some extra security because it's harder for anyone to access your passwords remotely. On the other hand, if you regularly need access to your password from multiple devices, then a cloud-based service such as Lastpass might serve your needs better (though 1Password data can be synced using third-party services such as Dropbox and iCloud).
Even the password managers that store your password file online are designed so that your master password never leaves your local computer. Instead, the encrypted password file is downloaded and unscrambled locally. Companies like Lastpass never directly handle your master password, providing an additional degree of security. Still, if your passwords are stored in the cloud, it's the much easier for hackers to get them, especially if you log into your password manager from an untrusted computer.
Dashlane supports both locally-stored passwords and a cloud-based version. It's free to use on one computer, compared to $24.99 for 1Password. But Dashlane is pricy for people who want to keep their passwords synchronized across multiple devices. That costs $29.99 per year with Dashlane, significantly more expensive than the $12 per year than Lastpass charges for the same service.
How often should I change my password?
Some organizations require employees to change their passwords as frequently as every 90 days, a policy Cranor describes as "just silly." You should change your password if you know or suspect it has been compromised. But otherwise, changing passwords just doesn't provide much security benefit, especially if you're using a different password on every site. And when users are forced to change their passwords a lot, they wind up choosing less secure passwords or re-using the same password across many sites. That's not helpful.
What else can I do to secure my online accounts?
Two-step verification. Two-step verification. Two-step verification.
It's always possible that someone will find your password sheet or crack your password manager and try to log into your accounts. That's where two-step verification comes in. On most sites, the second authentication step involves texting a security code to the user's cell phone. That improves security because a hacker who gains access to your password would also have to get ahold of your cell phone in order to compromise your account. Most leading internet companies and many major banks offer two-step verification. The Wall Street Journal has a handy guide to enabling 2-step verification on 11 popular websites.