Get your passwords organized (in 30 minutes or less)
Set aside a half-hour, follow this three-step program. and you can dramatically improve your online security
Let’s talk about passwords, shall we?
They’re an inescapable fact of modern life. They’re also a nuisance. And most people commit a multitude of security blunders when it comes to passwords, like using passwords that are too easy to guess and reusing passwords across multiple sites.
One thing I consistently hear from readers, even technically sophisticated ones who understand the importance of securing online accounts, is that their password management strategy is a mess. Some of their passwords are stored in browsers on multiple devices, others are memorized, and a few are written down on a scrap of paper or perhaps in a notebook. At some point, they tried a password manager program, but the effort required to enter all those passwords was overwhelming and they gave up, leaving the job only partially complete.
Sound familiar?
This is why the conventional advice, “Just install a password manager,” is so unhelpful, as I wrote last week in the introduction to this series, “Getting your online security in order.” After you install that app, even with the best of intentions, you’re faced with an overwhelming task that is almost certain to result in you abandoning the work.
So, I propose starting with a more targeted and achievable goal: Identify the online accounts that are most important to you, and replace their current, weak login credentials with strong, unique passwords. You can use a simple online tool to generate random passwords or passphrases. Then, in a separate browser window, open each site on your list of important accounts, find its “change password” option, and use the freshly generated credentials, saving the results in whatever tool you currently use.
It shouldn’t take more than a minute or two to accomplish this task for each website. Even if you have two dozen sites that you’ve identified as important, the entire job should take 30 minutes or less.
Ready to get started?
This is Part 1 of a four-part series. Coming in future installments: Choosing (and using) a password manager, turning on multi-factor authentication, and advanced security options.
Step 1: Consolidate your saved passwords in one place
If you’ve currently got passwords saved in different places (like a password manager and in multiple browsers), this is a good time to pick one of those places and move your saved credentials from the other locations. Taking that step now will make it easier to accomplish the rest of the steps. Don’t worry about making the wrong choice here; it’s simple to export saved passwords and import them elsewhere if you change your mind later.
A number of the people who responded to my poll said they’re using 1Password (my recommended password manager) but also have some logins saved in their Apple keychain and others in the Chrome or Edge browser. That scenario’s one of the easiest to clean up.
1Password has some well-written support documents that cover how to get your saved logins out of those other ecosystems and into the password manager you’ve already adopted:
If you’re using a different password manager, or if you want to consolidate your saved logins into your browser’s built-in password manager, the generic steps are the same:
Export the saved passwords that you want to migrate, saving them as a file in CSV format. Important: this file won’t be encrypted, so you want to be sure it’s not inadvertently backed up to an insecure location.
Import the contents of that saved file to your preferred password manager. (Pro tip: If you’re using 1Password, use the Web importer, shown below, and choose the option to create a separate vault to save the imported credentials. That will allow you to quickly distinguish any duplicates.)
1Password’s web importer is the easiest way to move passwords out of a browser After you confirm the migration was successful, delete the old passwords and turn off the “save passwords” option in the browser you’re no longer using. This step helps ensure that you don’t accidentally re-create the mess you just cleaned up. On an iPhone, open the Settings app, tap your Apple ID, tap Passwords and Keychain, and slide the Sync This iPhone switch to the Off position. To clear out the Google Password Manager, follow the steps in this support article: Clear browsing data - Google Chrome Help.
Delete the export file. (And then empty the Recycle Bin/Trash, just to be sure.)
If you’re currently using LastPass, export your saved logins and import them into whatever you plan to use as a replacement. You’ll need to change all those passwords, of course, because the data stored at LastPass is known to have been compromised, but this step will help you make a sites-to-update list. If you need help, here’s a support article with step-by-step instructions: Move your data from LastPass to 1Password. The easiest way to do this is with the 1Password app, where you can enter your LastPass credentials to directly import everything from your LastPass account in one operation.
All done? Excellent! You can move on to the next step...
Step 2: Identify your most important online accounts
All online accounts are not created equal. If someone figures out how to break into your Netflix account, they’re not likely to do any lasting damage, except perhaps by messing with your recommendation algorithms. But some accounts are truly valuable—because they include sensitive personal information, for example, or because they allow access to financial resources such as bank accounts or credit cards, or because they give an attacker the ability to control email and phone accounts that are intimately tied to your online identity.
Take a few minutes and make a list of the online accounts you absolutely, positively need to keep secure. For most people, this list should be relatively short, probably no more than 20 entries (unless you’re an extremely online person like me).
Here are some suggestions of sites this list should include:
Your Google/Apple/Microsoft account These accounts are enormously valuable. Depending on your hardware platform and the services you use, they provide access to devices, to email accounts, to online storage, and to payment wallets. They deserve the most robust security you can provide.
Your email provider(s) You might have dealt with this in the previous item, but it’s worth emphasizing again. An attacker who gains access to your primary email address can usually reset passwords and allow access to any online account while also locking you out.
Your mobile phone account If a bad guy can get control of your mobile number, it’s game over for most accounts. Lock this one down.
Any cloud storage service For most folks, securing your Google/Apple/Microsoft account will take care of the associated cloud storage services (Google Drive, iCloud, OneDrive). Be sure to include any third-party services like Dropbox, especially if you store sensitive documents there.
Financial services Online access to banks, credit cards, retirement accounts, and the like is a tremendous convenience. These accounts are also prime targets for thieves. Make them as difficult as possible to break into.
Government accounts The United States Social Security Administration and the Internal Revenue Service are two of the most popular online destinations around. State agencies offer similar access for paying taxes. In recent years, bad guys have targeted fraudulent tax refunds as a lucrative revenue opportunity. In response, the IRS has tightened security tremendously. You should too.
Social media services Even if you use your Facebook and Twitter accounts strictly for posting cat pictures, they’re worth securing. If someone can impersonate you, they can exploit your account to defraud your friends and family using social engineering. And don’t forget that many sites allow you to use them to authenticate yourself for access.
Online shopping accounts This type of account can be monetized very quickly, especially if online gift cards are an option.
Home automation services If your home includes anything “smart” (light bulbs, TVs, speakers, even washing machines), that device represents an entry point to your personal life. Keep it secure.
Once you’re satisfied that you’ve got a good list, you’re ready to move on ...
Step 3: Create a strong, unique password for each of those crucial accounts
If you’re already using a full-featured password manager, this step is going to be easy, because “random password generator” is a checklist feature for every app in that category. But even if the way you manage passwords is to write them down in a notebook that you stash in your top desk drawer, this step doesn’t have to be difficult.
What makes a good password? I recommend reading Microsoft’s guidelines on how to create and use strong passwords. That article is short but informative, and its recommendations are clear. A good password consists of the following attributes:
At least 12 characters (but longer is better, with most experts I consulted recommending 14 characters or more).
Combination of upper- and lower-case letters, numbers, and symbols. You can use a random string of gobbledygook like 6pHwCGgNzznikY@*uKYE or a passphrase like attentive-coma19-Sharpness-grinch, which ticks all the boxes while still being reasonably easy to type.
Not a word that can be found in a dictionary or a proper name that can be looked up online.
“Significantly different” from any password you use elsewhere.
And I am about to piss off at least two readers (you know who you are) with this next bit.
If you’ve convinced yourself that you can create your own password-generating algorithm (“I use a base phrase and then add characters and numbers to so that it’s unique for each site”), just stop. That’s a terrible strategy and you shouldn’t do it. It might be acceptable for your I-really-don’t-care list of sites, but it shouldn’t be an option for any site that exposes your identity or your money to risk. Seriously, don’t do that.
For each site, you need to generate a random password or passphrase, a task that humans are really bad at. So don’t even try. Instead, use a software tool to supply the necessary randomness.
If you already use a password manager, use its built-in tools to generate a strong password and save it along with the entry for the site where you plan to use it.
If you prefer, you can use any of the following password generators, all of which are free and available even if you don’t use the associated app:
Bitwarden Password Generator This one might be my favorite, with options to choose a password or passphrase, specify the number of characters or words, and select checkboxes to customize the output.
1Password Generator My only quibble with this tool is that you can’t add a number in a passphrase. You can work around that by generating a passphrase, switching to the PIN option to add your own digits, and combining the two results.
XKPasswd This might be the geekiest option of all, with an interface that includes enough settings to satisfy even the crankiest password scold. But it’s based on the legendary XKCD comic, so all interface mistakes are forgiven.
You’ll also find password generators built into the Chrome and Edge browsers. They lack customization options but they do a fine job of generating randomness. Here’s Google’s version in action.
Use whichever tool works for you by signing in to every site on your list and using its “change password” option to replace your old, insecure password with one that you can trust.
And with that … you’re done, at least for now. You’ve generated strong, unique passwords for every site on your list. If you were previously a LastPass user, you’ve made the people who stole the LastPass database very sad, which should make you very happy.
Read the entire series
Introduction: “Getting your online security in order”
Part 1: “Get your passwords organized (in 30 minutes or less)”
Part 2: “How to choose (and use) a password manager”
Part 3: “Multi-factor authentication is easier than you think”
Thanks. I know I should do this & tried using 1Password. But going down the CSV list of hundreds of sites with multiple passwords for each site & not knowing which one was current was impossible 😬 & I gave up. This looks like a manageable approach. Thanks.
Loving this Ed. Are you going to be taking a look at Passkeys from a civilian's perspective?