NPR logo

Lazy About Your Online Passwords? Take Control With These New Tips

  • Download
  • <iframe src="https://www.npr.org/player/embed/361137779/361197226" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript
Lazy About Your Online Passwords? Take Control With These New Tips

Privacy & Security

Lazy About Your Online Passwords? Take Control With These New Tips

Lazy About Your Online Passwords? Take Control With These New Tips

  • Download
  • <iframe src="https://www.npr.org/player/embed/361137779/361197226" width="100%" height="290" frameborder="0" scrolling="no" title="NPR embedded audio player">
  • Transcript

Alexis Madrigal suggests you turn on the two-step verification on any site that has it. iStock hide caption

toggle caption
iStock

Alexis Madrigal suggests you turn on the two-step verification on any site that has it.

iStock

It's time I admitted something: Though I've written about the Internet for years, my online security practices are not good. Despite constant warnings from knowledgeable friends, I persist in doing all the things with my passwords that you're not supposed to. I don't make them complicated enough. I reuse the same ones over and over. I don't change them very often. And I keep a list of important ones in a file on my computer. Frankly, it's shameful!

This fall, though, I decided it was time to get serious. I made a resolution: I would come up with a system for dealing with my passwords.

First, I had to figure out what I wanted to protect — and email sits atop that list. Because if you have access to my inbox, you can probably gain access to everything else. The best way to secure an account like Google's Gmail is to turn on two-step verification. Basically, you link your phone with your account. And then, when you log in from a new computer, Google text messages a random six-digit code to your phone that you have to enter along with your actual password. This means that even if your password fell into the wrong hands, without your phone, would-be attackers would be thwarted.

Apple's data-syncing service, iCloud, offers the same protection, as do prominent social media services like Twitter and Facebook, so I enabled two-step verification in those places, too. My particular bank does not offer two-step — shame on it — but many do, and though waiting for the text message and then entering the code is a minor hassle, it's worth the peace of mind.

But that's only the very top security tier. Some sites are important, but not that important. And you might not want to introduce that level of friction into using them. For this tranche, I decided to generate really lengthy passwords using a specialized piece of software called, logically, a password manager. Three I've heard and read great things about are 1Password, Dashlane and LastPass. I chose to use 1Password because it's been around since 2006, and longevity seems like a good thing in the security industry.

The key to a password manager is this: If you don't have to remember all the dozens of passwords yourself, then you can use really, really tough ones for each site you visit and it'll remember them all for you. The whole program is controlled by a master code, which they encourage you to make sentence-length and essentially uncrackable. Basically, you make a deal with yourself: remember one really, really long tough password in exchange for the software remembering the rest.

Now, I'm not going to make the picture rosier than it is. 1Password is not the easiest software to use. You have to install the desktop program, then the browser extension, and (most likely) an app on your phone. Then, for every site you visit, you need to have it store that credential. Even more annoyingly, if you currently have weak passwords, you need to change those to something very difficult to guess, then store that login in the software.

Doing this over and over is quick, but a hassle. For my 15 key sites, it took 22 minutes of concerted effort to complete. For other semi-important sites, I'm just dealing with them as I go. I add a couple a day, at most. So, slowly, my security hygiene is improving.

But you know how in some diets, there are cheat days? I have cheat passwords. For sites that truly don't matter, where a login is merely a formality, I have used and will continue to use the exact same easy-to-remember password. If someone hacks these accounts, nothing really bad can happen.

I'd like to say that if you take all these steps, you'll be forever safe from malicious forces. But that's not true. In an effort to make customer service easier, many companies allow those security questions like, "Where did you go to high school?" to stand in for your password itself. With our ever-more Google-able identities and underground malicious services that traffic in social security numbers and other personal information, bad actors will continue to use this loophole to compromise accounts.

But none of this actually sends me running from the Web. All I really want is peace of mind that I did what was reasonable. My attitude online is the same one I have offline. Consider that we hand our credit cards to strangers every day. And our private mail sits in our mailboxes untended. Theoretically, we could take crazy precautions to prevent problems, but the odds are nothing horrible will happen — and people make that trade-off.

Perhaps one day, a fingerprint or iris or facial scanner will completely replace all the numbers and letters that unlock our digital lives, but until then a couple of hours will go a long way toward making your data secure from criminals. Simple precautions will fend off the dumbest of them, and nothing will stop the smartest.

Alexis Madrigal is a visiting scholar at Berkeley's Center for Science, Technology, Medicine and Society and is the Silicon Valley bureau chief for the Fusion cable and digital network.