Last Monday, I got an email from Spotify saying that somebody in Brazil had logged into my account.
I checked. Sure enough: A stranger was using my Spotify to listen to Michael Jackson. I told Spotify to “sign me out everywhere” — but I didn’t change my password.
On Wednesday, it happened again. At 2 a.m., I got another email from Spotify. This time, my sneaky Brazilian friend was listening to Prince. And they apparently liked the looks of one of my playlists (“Funk Is Its Own Reward”), because they’d been listening to that too.
I signed out everywhere again, and this time I changed my password. And I made a resolution.
You see, I’ve done a poor job of implementing modern online security measures. Yes, I have my critical financial accounts locked down with two-factor authentication, etc., but mostly I’m sloppy when it comes to cybersecurity.
For example, I re-use passwords. I still use passwords from thirty years ago for low-security situations (such as signing up for a wine club or a business loyalty program). And while I’ve begun creating strong (yet easy to remember) passwords for more important accounts, these passwords all follow a pattern and they’re not randomized. Worst of all, I maintain a 20-year-old plain text document in which I store all of my sensitive personal information.
This is dumb. Dumb dumb dumb dumb dumb.
I know it’s dumb, but I’ve never bothered to make changes — until now. Now, for a variety of reasons, I feel like it’s time for me to make my digital life a little more secure. I spent several hours over the weekend locking things down. Here’s how.
A Brief Guide to Cybersecurity
Coincidentally, the very same day that my Spotify account was being used to stream Prince’s greatest hits in Brazil, a Reddit user named /u/ACheetoBandito posted a guide to cybersecurity in /r/fatFIRE. How convenient!
“Cybersecurity is a critical component of financial security, but rarely discussed in personal finance circles,” /u/ACheetoBandito wrote. “Note that cybersecurity practitioners disagree over best practices for personal cybersecurity. This is my perspective, as I have some expertise in the area.”
I won’t reproduce the entire post here — you should definitely go read it, if this subject is important to you — but I will list the bullet-point summary along with some of my own thoughts. Our orange-fingered friend recommends that anyone concerned about cybersecurity take the following steps:
- Get at least two hardware-based security keys. My pal Robert Farrington (from The College Investor) uses the YubiKey. Google offers its Titan Security Key. (I ordered the YubiKey 5c nano because of its minimal form factor.)
- Set up a secret private email account. Your private email address should not be linked in any way to your public email, and the address should be given to no one. (I already have many public email accounts, but I didn’t have a private address. I do now.)
- Turn on Advanced Protection for both your public and private gmail accounts. Advanced Protection is a free security add-on from Google. Link this to the security keys you acquired in step one. (I haven’t set this up because my security keys won’t arrive until this afternoon.)
- Set up a password manager. Which password manager you choose is up to you. The key is to pick one that you’ll use. It’s best if this app supports your new security keys for authentication. (I’ll cover a few options in the next section of this article.)
- Generate new passwords for all accounts. Manually create memorable passwords for your email addresses, your computers (and mobile devices), and for the password manager itself. All other passwords should be strong passwords generated randomly by the password manager.
- Associate critical accounts with your new private email address. This will include financial accounts, such as your banks, brokerages, and credit cards. But it could include other accounts too. (I’ll use my private email address for core services related to this website, for instance.)
- Turn on added security measures for all accounts. Available features will vary from provider to provider, but generally speaking you should be able to activate two-factor authentication (with the security keys, whenever possible) and login alerts.
- Turn on text/email alerts for financial accounts. You may also want to turn on alerts for changes to your credit score and/or credit report.
- Activate security measures on your mobile devices. Your phone should be locked by a strong authorization measure. And each of your individual financial apps should be locked down with a password and any other possible security measures.
/u/ACheetoBandito recommends some additional, optional security measures. (And that entire Reddit discussion thread is filled with great security tips.)
You might want to freeze your credit (although, if you do, remember that you’ll occasionally need to un-freeze your credit to make financial transactions). Some folks will want to encrypt their phones and hard drives. And if you’re very concerned about security, purchase a cheap Chromebook and use this as the only device on which you perform financial transactions. (Believe it or not, I’m taking this last optional step. It makes sense to me — and it may be a chance for me to move beyond Quicken.)
Exploring the Best Password Managers
Okay, great! I’ve ordered a new $150 Chromebook and two hardware-based security keys. I’ve set up a brand-new, top-secret email address, which I’ll connect to any account that needs added security. But I still haven’t tackled the weakest point in the process: my text document filled with passwords.
Part of the problem is complacency. My system is simple and I like it. But another part of the problem is analysis paralysis. There are a lot of password managers out there, and I have no idea how to differentiate between them, to figure out which one is right for me and my needs.
For help, I asked my Facebook friends to list the best password managers. I downloaded and installed each of their suggestions, then I jotted down some initial impressions.
- LastPass: 16 votes (2 from tech nerds) — LastPass was by far the most popular password manager among my Facebook friends. People love it. I installed it and poked around, and it seems…okay. The interface is a little clunky and the feature set seems adequate (but not robust). The app uses the easy-to-understand “vault” metaphor, which I like. LastPass is free (with premium options available for added cost).
- 1Password: 7 votes (4 from tech nerds) — This app has similar features to Bitwarden or LastPass. The interface is nice enough, and it seems to provide security alerts. 1Password costs $36/year.
- Bitwarden: 4 votes (2 from tech nerds) — Bitwarden has a simple, easy-to-understand interface. It uses the same “vault” metaphor that products like LastPass and 1Password use. It’s a strong contender to become the tool I use. Bitwarden is free. For $10 per year, you can add premium security features.
- KeePass: 2 votes — KeePass is a free Open Source password manager. There are KeePass installs available for all major computer and mobile operating systems. If you’re a Linux nut (or an Open Source advocate), this might be a good choice. I don’t like its limited functionality and its terrible interface. KeePass is free.
- Dashlane: 2 votes — Of all the password managers I looked at, Dashlane has the nicest interface and the most features. Like many of these tools, it uses the “vault” metaphor, but it allows you to store more things in this vault than other tools do. (You can store ID info — driver license, passport — for instance. There’s also a spot to store receipts.) Dashlane has a free basic option but most folks will want the $60/year premium option. (There’s also a $120/year option that includes credit monitoring and ID theft insurance.)
- Blur: 1 vote — Blur is different from most password managers. It quite literally tries to blur your online identity. It prevents web browsers from tracking you, masks email addresses and credit cards and phone numbers, and (of course) manages passwords. I want some features that Blur doesn’t have — and don’t want some of the features it does have. Blur costs a minimum of $39/year but that price can become much higher.
- Apple Keychain: 1 vote — Keychain has been Apple’s built-in password manager since 1999. As such, it’s freely available on Apple devices. Most Mac and iOS folks use Keychain without even realizing it. It’s not really robust enough to do anything other than store passwords, so I didn’t give it serious consideration. Keychain is free and comes installed on Apple products.
Let me be clear: I made only a cursory examination of these password managers. I didn’t dive deep. If I tried to compare every feature of every password manager, I’d never choose. I’d get locked into analysis paralysis again. So, I gave each a quick once-over and made a decision based on gut and intuition.
Of these tools, two stood out: Bitwarden and Dashlane. Both sport nice interfaces and plenty of features. Both tools offer free versions, but I’d want to upgrade to a paid premium plan in order to gain access to two-factor authentication (using my new hardware security keys) and security monitoring. This is where Bitwarden has a big advantage. It’s only $10 per year. To get the same features, Dashlane is $60/year.
But here’s the thing.
I started actually using both of these tools at the same time, entering my website passwords one by one. I stopped after entering ten sites into each. It was clear that I vastly preferred using Dashlane to Bitwarden. It just works in a way that makes sense to me. (Your experience might be different.) So, for a little while at least, I’m going to use Dashlane as my password manager.
The Problem with Passwords
My primary motive for using a password manager is to get my sensitive information out of a plain text document and into something more secure. But I have a secondary motive: I want to improve the strength of my passwords.
When I started using the internet — back in the 1980s, before the advent of the World Wide Web — I didn’t spare a thought for password strength. The first password I created (in 1989) was simply the name of my friend who let me use his computer to access the local Bulletin Board Systems. I used that password for years on everything from email accounts to bank sites. I still consider it my “low security” password for things that aren’t critical.
I have maybe eight or ten passwords like this: short, simple passwords that I’ve used in dozens of locations. For the past five years, I’ve tried to move to unique passwords for each site, passwords that follow a pattern. While these are an improvement, they’re still not great. Like I say, they follow a pattern. And while they contain letters, numbers, and symbols, they’re all relatively short.
As you might expect, my sloppy password protocol has created something of a security nightmare. Here’s a screenshot from the Google Password Checkup tool for one of my accounts.
I get similar results for all of my Google accounts. Yikes.
Plus, there’s the problem of account sharing.
Kim and I share a Netflix account. And an Amazon account. And a Hulu account. And an iTunes account. In fact, we probably share twenty or thirty accounts. She and I use the same easy-to-remember password for all of these sign-ins. While none of these accounts are super sensitive, what we’re doing is still a poor idea.
So, I want to begin moving toward more secure passwords — even for the accounts I share with Kim.
The good news is that most password managers — including Dashlane — will auto-generate randomized passwords for you. Or I could try something similar to the idea suggested in this XKCD comic:
The trouble, of course, is that each place has different requirements for passwords. Some require numbers. Some require symbols. Some say no symbols. And so on. I don’t know of any sites that would let me use four random common words for a password!
For now, I’m going to take a three-pronged approach:
- I’ll manually create long (but memorable) passwords for my most critical accounts. This is the XKCD method.
- For the accounts I share with Kim — Netflix, etcetera — I’ll create new, memorable passwords that follow a pattern.
- For everything else, I’ll let my password manager generate random passwords.
This seems like a good balance between usability and security. Every password will be different. Only the ones I share with Kim will be short; all others will be long. And most of my new passwords will be random gibberish.
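To make the two generation methods above concrete, here is a small added example (my own illustration, not code from the XKCD comic, from Dashlane or from any other password manager mentioned). It builds an XKCD-style passphrase from a word list and a random character password that satisfies a site's rules, using Python's secrets module (the cryptographic random source) rather than the ordinary random module. The 64-word list is a constructed stand-in for a real list such as the EFF diceware list; the policy parameters are assumptions that you would adjust per site. The entropy figures show why the size of the word list matters: four words from a tiny list are far weaker than four words from a few thousand.

```python
import math
import secrets
import string

# Constructed stand-in word list (64 entries). A real generator should load a
# large published list (for example the 7,776-word EFF diceware list); a list
# this small is used here only so the example runs offline.
WORDS = [
    "apple", "bridge", "candle", "dragon", "ember", "forest", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "marble", "needle", "orange", "pepper",
    "quartz", "river", "saddle", "timber", "umbrella", "velvet", "walnut", "yellow",
    "anchor", "basket", "cactus", "dolphin", "engine", "falcon", "guitar", "hammer",
    "iron", "jungle", "kayak", "lemon", "meadow", "nectar", "oyster", "pillow",
    "quiver", "rocket", "silver", "tunnel", "uniform", "violin", "window", "zebra",
    "acorn", "beacon", "carrot", "desert", "eagle", "feather", "glacier", "honey",
    "ivory", "jasmine", "kernel", "lizard", "mirror", "nutmeg", "olive", "parrot",
]

# Symbol set assumed for the character-password policy; sites differ, so this
# is a parameter rather than a constant.
DEFAULT_SYMBOLS = "!@#$%^&*-_"


def entropy_bits(pool_size, length):
    """Bits of entropy for `length` independent uniform picks from a pool."""
    return length * math.log2(pool_size)


def passphrase(n_words=4, words=WORDS, sep=" "):
    """XKCD-style passphrase: n_words chosen uniformly at random, with replacement.

    secrets.choice draws from the OS CSPRNG, so the result is unpredictable
    even if an attacker knows the word list and the word count.
    """
    return sep.join(secrets.choice(words) for _ in range(n_words))


def meets_policy(pw, min_length=12, require_digit=True, require_symbol=True,
                 symbols=DEFAULT_SYMBOLS):
    """Check a candidate against a typical site policy (assumed parameters)."""
    if len(pw) < min_length:
        return False
    if require_digit and not any(c.isdigit() for c in pw):
        return False
    if require_symbol and not any(c in symbols for c in pw):
        return False
    # Reject anything outside the allowed alphabet (some sites forbid symbols).
    allowed = set(string.ascii_letters + string.digits + (symbols if require_symbol else ""))
    return all(c in allowed for c in pw)


def random_password(length=20, require_digit=True, require_symbol=True,
                    symbols=DEFAULT_SYMBOLS):
    """Uniformly random password from the allowed alphabet.

    Drawing uniformly and rejecting candidates that miss a required class keeps
    the distribution unbiased; forcing "one digit in position 0" would not.
    At length 20 the rejection loop almost always finishes on the first try.
    """
    alphabet = string.ascii_letters + string.digits + (symbols if require_symbol else "")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(pw, length, require_digit, require_symbol, symbols):
            return pw


if __name__ == "__main__":
    print("passphrase:", passphrase())
    print("  entropy with this 64-word list:", entropy_bits(len(WORDS), 4), "bits")
    print("  entropy with a 7776-word list: ", round(entropy_bits(7776, 4), 1), "bits")
    pw = random_password()
    print("random password:", pw)
    print("  entropy:", round(entropy_bits(len(string.ascii_letters + string.digits
                                               + DEFAULT_SYMBOLS), 20), 1), "bits")
```

The passphrase route is the one to keep for the handful of passwords you must type from memory (the manager's master password, device logins); everything else can be the longer random string, since the manager types it for you. For shared accounts, the same generator with a shorter length or fewer words is still better than a shared pattern, provided each account gets its own output.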
Final Thoughts on Cybersecurity
In this short video from Tech Insider, a former National Security Agency security expert shares his top five tips for protecting yourself online.
You’ll note that these are similar to the Reddit cybersecurity guide I posted earlier in this article. Here are the steps he says to take to keep yourself safe:
- Enable two-factor authentication whenever possible.
- Don’t use the same password everywhere.
- Keep your operating system (and software) up to date.
- Be careful with what you post to social media.
- Do not share personal information unless you’re certain you’re dealing with a trusted company or person.
I won’t pretend that the steps I’m taking will protect me completely. But my new system is certainly an upgrade from what I’ve been doing for the past 20+ years — which was, as I’ve mentioned, dumb dumb dumb.
And I have to confess: I like the idea of restricting my online financial life to one computer — the new $150 Chromebook. I’m not sure if this is actually doable, but I’m going to give it a go. If this works, then I may see if I can find a money-management tool that I like for the machine. Maybe then I can finally leave Quicken 2007 for Mac behind!
What have I missed? What steps have you taken to protect your online accounts? Which do you feel is the best password manager? How do you create memorable, secure passwords? How do you handle shared accounts? Help other GRS readers — and me! — develop better online security practices.