After every big hack or security glitch — like when Twitter said this week they accidentally stored passwords in plaintext — experts tell us to stop using the same password for every website. In fact, they tell us to stop memorizing our passwords altogether.
Instead, they tell us to use something called a "password manager."
And that's where most of us stop reading.
Because here's the thing: It's really hard to think about passwords in a different way. But it's a hugely important step in keeping your information secure.
This cartoon is going to walk through how we think about passwords, and how we should be thinking about passwords.
How we think about passwords now
We currently think of passwords as something we keep secure in our heads.
But we're really bad at remembering random things. So we can only keep so many different passwords in our heads.
This sucks because when a hacker figures out one of those passwords, they can get into many other sites with the same key.
Sure, you could try having slightly different variations of the same password. But hackers know you'll do that — so they use simple computer programs to figure out these transformations.
How to think about passwords correctly
The biggest thing we need to do is stop keeping our passwords in our heads. Instead, we need to put them somewhere else — and lock them up.
This way, the only thing we need to remember is the one password to get into this safe.
This is what a "password manager" is
A password manager is an app that keeps your passwords very, very secure — behind a digital safe that only you can unlock.
When you open the app, it looks something like this. In this system, you only need to remember one master password.
And once you unlock this digital safe, you can see all your passwords in an interface like this:
Since this is an app, you can access it from any device you’ve installed it on. You can also access your password manager from an internet browser.
Another benefit is that since you're not keeping all these passwords in your head, they can now be as complicated as a site will allow. In fact, these password managers can generate very complicated passwords for you. Here’s an example of one mine just made:
This password is so strong that it would take a supercomputer longer than the age of the universe to guess it by trial and error.
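To put numbers on that claim, here is an added example (not from the article) that generates a password the way a manager does, using the operating system's cryptographic random source, and estimates how long exhaustive guessing would take. The guess rate of one trillion per second and the 94-symbol alphabet are assumptions for the sake of illustration.

```python
import math
import secrets
import string

# Assumed generator alphabet: upper/lower letters, digits and punctuation (94 symbols).
ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Age of the universe in years, used as the yardstick from the article.
AGE_OF_UNIVERSE_YEARS = 1.38e10

# Assumed attacker speed: a trillion guesses per second.
DEFAULT_GUESSES_PER_SECOND = 1e12


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each symbol uniformly from `alphabet` with the CSPRNG behind `secrets`.

    A manager's generator must use a cryptographic source like this, not
    `random`, so that no previous output helps predict the next password.
    """
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def years_to_brute_force(bits: float, guesses_per_second: float = DEFAULT_GUESSES_PER_SECOND) -> float:
    """Expected years to guess a password of `bits` entropy by exhaustive search.

    On average the attacker finds it after trying half the keyspace, 2**(bits-1).
    """
    expected_guesses = 2.0 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


def outlives_universe(length: int, alphabet_size: int,
                      guesses_per_second: float = DEFAULT_GUESSES_PER_SECOND) -> bool:
    """True when guessing such a password is expected to take longer than the universe has existed."""
    return years_to_brute_force(entropy_bits(length, alphabet_size), guesses_per_second) > AGE_OF_UNIVERSE_YEARS


if __name__ == "__main__":
    pw = generate_password(20)
    bits = entropy_bits(len(pw), len(ALPHABET))
    print(f"{pw}  ~{bits:.0f} bits, ~{years_to_brute_force(bits):.2e} years to guess")
    print("8 lowercase letters:", f"{years_to_brute_force(entropy_bits(8, 26)):.2e} years")
```

Running it shows a 20-symbol generated password at roughly 131 bits, which at the assumed rate takes on the order of 10^19 years, while an eight-letter lowercase password falls in under a second.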
What happens if this password manager is hacked?
Then a hacker would have logins to all of your information, right?
Not really. The password manager encrypts your data, so when a hacker looks inside that safe, all they'll see is scrambled passwords.
As long as your master password, the one that locks the safe, is long and complicated, it is virtually impossible for them to unscramble what's inside.
One popular password manager was hacked last year, which meant users had to change their master passwords. But the passwords stored inside were safe because of this encryption.
Why not use paper and pen?
You can. It’s better than just using one password for all your sites.
In fact, my colleague Timothy B. Lee prefers paper and pencil because you don’t have to trust another company to keep your data safe. Tim really does have a compelling argument.
I just prefer a password manager because a) it encourages me to use long and random passwords and b) it also ensures that my information isn’t tied to a physical piece of paper, which could get lost or stolen. (I recently lost my paper — and misplaced a second copy of the paper.)
But isn't it annoying to retrieve the password for every site?
Yes, a little bit.
But what's really great is that both password managers and your web browser make this process easier.
Most password managers know when you need to fill in a password, and then automatically retrieve it for you.
And most browsers will save passwords for you, so you don't have to log in over and over again. Of course, you only want to enable this on your personal computer, not on a shared one.
The most annoying thing you'll have to do is open your password manager, then copy and paste the password into your login. But this is easy.
Okay, so how do I get a password manager?
But if you don't want to pay, LastPass is now free and will do the job just fine.
When do I have time to do this?
This is a great holiday project. Think of it like building an internet castle with your valuable data inside.