Passwords aren’t just “good” or “bad”. Just as there are different levels of online paranoia, there are different levels of password security. Find out where your password strategy fits and what you can do to make it even stronger.
Would You Rather Read the Video Transcript?
Welcome to All Things Secured, my name is Josh and I’m going to start by saying that if you’re just using the same password for all your online logins…I’m not even counting that as a level of security.
Nowadays, that’s simply irresponsible. If that’s you, listen carefully to what I’m about to say and choose which direction you want to go.
Level 1: Writing Your Passwords Down
The first level is the most low-tech but not an altogether bad method: manually writing your passwords down.
This is what my parents like to do. You can either keep a password journal or a document on your device that you reference when you need to log in. The obvious advantage of a password journal is that it’s never uploaded to the internet, but that also means you have to have the journal physically with you any time you need to log in.
This first level of password security is great for those who know how to create strong passwords already. And for the sake of your loved ones, make sure you have some sort of backup of this password journal or document in case it gets stolen, lost or burned in a fire.
Here are two quick tips for those who feel comfortable at this first level of password security. First, don’t just use a scrap sheet of paper that you keep near your desk. Invest a few dollars in a password journal on Amazon and start using something that will remind you of how valuable these passwords really are.
Second, if you want a bit of extra security, don’t write down your actual passwords in the notebook. Instead, write out something that has meaning to you and helps you remember the password.
So, for example, if your password is your favorite NBA team followed by the street number for the first house you lived in, instead of writing Bulls.2508 you could write MJ.house. As long as you can remember that “MJ” stands for Michael Jordan who played on the Bulls and house reminds you of the number, the code works.
Now let me play devil’s advocate here: sure, you’ve added a bit of security to your password journal, but it only works if you can remember your code AND someone in your family can decipher it as well. Otherwise, your online accounts die with you.
Level 2: Password Manager App
Of course, you could just jump down to the next level of password security, which is the password manager. Sometimes the greatest advantage of a password manager is that it usually helps you to create stronger passwords by suggesting random passwords you would have never thought of on your own.
I categorize password managers into two camps: offline and online. Offline apps like KeePass and Password Safe are usually free, but they don’t upload your vault to the cloud, which means you can’t sync your passwords between all your devices. Some would argue that the offline method is better for security since your password vault never travels over the internet, but I would counter that you still need a backup of that offline vault to minimize the risk if you lose your device, right? And your security is then only as strong as how securely you store that backup. And on and on we go into deeper levels of paranoia.
Online password managers like Dashlane or 1Password, which is what I use, offer a slightly better user experience but do cost a bit of money. These companies store your vault online so that you can sync your passwords between devices and always have a backup in case you lose your device.
But wait, Josh…what if those companies get hacked? Well, that’s highly unlikely and there are security measures that still require my master password before the hacked vault is even usable.
But what if your master password gets leaked? Or what if these companies are lying about their data encryption or protection policies?
Gee whiz…do you have trust issues or what?
Ok, if you feel comfortable at this password manager level of password security, but you still feel a bit skeptical about trusting one company with all your passwords, here’s what I suggest.
I use a strategy called the “double blind password” where the passwords I store for my most valuable logins – stuff like my bank, my email and my investments – aren’t the real password. I allow my password manager app to create the first 12 to 15 unique characters of each password and then I always add in the last 4 to 5 digits myself. With this method, my password manager doesn’t know my full password, but then again, neither do I. It’s double blind.
This protects me against keyloggers and against that crazy scenario where my password vault somehow gets hacked. I go into more detail about how to set up a double blind password in a separate video, which I suggest you watch here.
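To make the double blind idea concrete, here is an added example (not code from the video or from any password manager) that models the three parties involved: the manager, which generates and stores only a random prefix; the user, who appends a short suffix from memory; and the website, which only ever hashes the full concatenation. The prefix length of 14, the 4-digit suffix, the `ALPHABET`, and the PBKDF2 parameters are assumptions chosen for illustration, and `site_register`/`site_verify` are a stand-in for a site's password storage, not any real service's code. The `demo` function shows that a leaked vault entry (the prefix alone) does not authenticate, and `entropy_bits` shows how much guessing resistance each half contributes.

```python
import hashlib
import math
import secrets
import string

# Constructed character set standing in for a password manager's generator
# (52 letters + 10 digits + 8 symbols = 70 choices per character).
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*"

PBKDF2_ITERATIONS = 200_000  # assumed server-side work factor


def manager_generate_prefix(length: int = 14) -> str:
    """Stand-in for the password manager: a random prefix that is the
    only part ever written to the vault."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def full_password(vault_prefix: str, memorized_suffix: str) -> str:
    """What the user actually types: vault prefix + remembered suffix."""
    return vault_prefix + memorized_suffix


def site_register(password: str) -> dict:
    """What a well-behaved site stores: a per-user salt and a slow hash,
    never the password itself (PBKDF2-HMAC-SHA256 as an illustration)."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return {"salt": salt, "hash": digest}


def site_verify(record: dict, candidate: str) -> bool:
    """Recompute the hash for a login attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), record["salt"], PBKDF2_ITERATIONS
    )
    return secrets.compare_digest(digest, record["hash"])


def entropy_bits(prefix_len: int, alphabet_size: int,
                 suffix_len: int, suffix_alphabet: int = 10) -> float:
    """Guessing resistance of the two halves in bits: the generated prefix
    dominates, the memorized digit suffix adds a fixed amount on top."""
    return (prefix_len * math.log2(alphabet_size)
            + suffix_len * math.log2(suffix_alphabet))


def demo() -> dict:
    """Register with a double blind password, then try three logins:
    the full password, the vault prefix alone (what a leaked vault yields),
    and the right prefix with a wrong suffix."""
    prefix = manager_generate_prefix(14)
    suffix = "4821"  # constructed placeholder for the part only the user remembers
    record = site_register(full_password(prefix, suffix))
    return {
        "full_ok": site_verify(record, full_password(prefix, suffix)),
        "vault_only_ok": site_verify(record, prefix),
        "wrong_suffix_ok": site_verify(record, full_password(prefix, "0000")),
    }


if __name__ == "__main__":
    print(demo())
    print(f"{entropy_bits(14, len(ALPHABET), 4):.1f} bits for 14 chars + 4 digits")
```

The point the numbers make is that the memorized suffix is not what makes the password strong (four digits add only about 13 bits); its job is to ensure that whoever holds the vault, or the keystrokes the manager auto-fills, still does not hold a working credential.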
Here’s the bottom line, whether or not you use the double blind password manager: a password manager is an excellent way to create and store strong passwords and despite any perceived risks, I can easily recommend this as a secure option. Like I said earlier, I use 1Password, and I have an affiliate link in the description if you want to give it a try for free.
Level 3: Physical Password Key (Insanity!)
Ok, so there are probably a number of different directions I could head with this third level of password security, but no matter how you slice it, we’re moving into the territory of absolute paranoia. Pretty much close to insanity.
This last month I’ve been working with a new tool known as OnlyKey. The best way I can describe it is a cross between a physical password manager and a two-factor authentication key. This little device, which I carry on my keychain, holds up to 24 username and password combinations for online logins that aren’t stored in the cloud or on my computer. They live only on the key, protected by a 7- to 10-digit PIN that I set.
I have to plug in the key, type in the correct password and then press the number that corresponds to the appropriate login. So if I set Twitter as the preset on number 3, which I’ve done, the key automatically logs into Twitter by typing in the username and password that I’ve previously set.
If somebody tries to guess the PIN code, the key automatically wipes itself after 10 failed attempts.
Oh yeah, and I can also set a dead man’s code that wipes the whole key clean if somebody forces me to unlock it for them.
Super paranoid, right?
It’s a novel approach to password security, I admit. But the setup process was a bit technical, so it’s not something I would recommend unless you consider yourself tech-savvy.