How to Update Your Insecure Passwords and Make Them Easy to Use

You know how important strong passwords are, but you’ve got a huge backlog of passwords—some you can’t remember, others you’ve been using for years. Here’s how to securely update, create, and manage your passwords on any computer.

Image via kobakou.

It’s not necessarily a 10-minute job, especially if you’ve got a lengthy backlog of passwords you’ve abandoned or rarely use. But it’s a multi-step process you can break up, and it’s actually pretty simple:

  1. Set up a smart system for creating passwords
  2. Recover your old, barely protective passwords in a secure fashion
  3. Install a single extension/plug-in across your browsers and mobile devices
  4. Stick with the new system across all web sites

It’s hard to overstate the importance of having uniformly strong passwords that aren’t the same on every site. Simple passwords, or those built from dictionary words, are easy enough to crack on their own. There are also seemingly legitimate web services that can betray your password, and if you’re using the same or similar passwords on your email, banking, or other sites, you’re pretty much done for.

The same domino-falling theory applies to sites that email your password back to you when you request it. If you simply archive or let those emails fall into the depths of your inbox, anyone with access to your email can simply search something like “requested password” or “password recovery” and dig a huge tunnel under your entire online life.

So let’s set up your passwords so that no person or computer can guess your passwords, no inadvertent password revelation uncovers your entire system, and your secure passwords are still easy to use—you don’t even have to enter them, in most cases.

Step One: Create Your Password System

One of the most frequently linked features from Lifehacker’s early days is Gina’s guide to choosing and remembering great passwords—and for good reason. Gina’s system is secure enough that a computer can’t break it, but logical enough that a human can remember it.

In a nutshell, Gina suggests coming up with a base password that you use for every site. It can be anything but a simple word, and it should be easy for you to memorize. If you’re a huge fan of The Smiths, for example, you might end up with $ppplmgwiw$ as your root password—the first letters of “Please, Please, Please Let Me Get What I Want,” of course, book-ended by or interspersed with non-alphanumeric characters for added security.

The next step suggested is to “combine this base with some extra information unique to the service.” In other words:

You may use your base password with the first two consonants and the first two vowels of the service name. Say your base password is “asdf.” … Then your password for Yahoo would be ASDFYHAO, and your password for eBay would be ASDFBYEA.

Something simpler—but along the same lines—might involve the same letters to start (say, your initials and a favorite number) plus the first 3 letters of a service name. In that case, my password for Amazon would be GMLT10AMA and for Lifehacker.com GMLT10LIF.

It’s a smart idea, but I’d add just a little more paranoid security to the mix. Rather than always tacking your site-specific variations at the end of your password, consider adding them in the middle of your base password, or using them along with special characters to bracket your base password. So if your base password, as a lifelong Electric Light Orchestra fan, was **elolynne**, and you were creating a password for Amazon.com, you should try something like **amelolynneon**, with the first and last two letters of “amazon” surrounding the password, or **aaoelolynne**, using the first three vowels of Amazon in front of your password.

Why the slightly more paranoid setup? Because we are, every so often, forced to give up our passwords—either to close friends with our permission, or when it’s given up inadvertently by site security mishaps or our own dumb moves. If someone saw that your password for Amazon.com was **elolynne**zon, they’d pretty quickly guess that you’ve got a common root and a pretty simple last-three-letters scheme going for all your passwords. It’s much harder to guess from **aaoelolynne** what’s going on, unless someone has heard your in-car rendition of “Strange Magic.”

What about sites where special characters aren’t allowed? Or sites that cap passwords at a sadly small number of characters? Simply adapt as best you can. Switch in a significant number in place of your special character brackets, or fill out the password as usual to the character limit. You’ll just rely on your password storage system, detailed below, to remind you of such exceptions to your rule.

So, there we go—we know how to create secure passwords for sites, which neither hackers nor overly snoopy friends can hack open all at once. Once you’ve picked out your password management system, you can start tracking your new logins with ease. But you’ve already created a bunch of passwords for sites, so let’s go fix those first.

Step Two: Recover and Change Your Old, Busted Passwords

Now it’s time to do the drudge work. You’re going to go back through web site usernames, passwords, and security questions, and clean them up. There is, unfortunately, no magic tool to make this easy, or save you the click-click-click work, but we do have some tips that can help.

  • First off, clean out your email inbox as best you can, or at least make a note of when you started doing password cleanup. That makes it easy to find and entirely delete the emails you’ll receive when recovering passwords you can’t remember, or authorizing password changes.
  • If you’ve got an older, hardly-ever-used email address that a lot of passwords are tied to, it’s time to consolidate that email address into Gmail, or use the IMAP settings in Yahoo, Hotmail, or your other preferred email client to import that old address. Otherwise, it’s probably time to log in one last time, set up auto-forwarding to your newer address that you actually use, then close that account forever—it’s nothing but a security liability.
  • On those sites where it is possible, change over to a standard username, so you can use your new password system without having to guess at the other piece of the puzzle.
  • Similarly, protect your accounts from security question hackers by changing up the answers to your security questions. The standard questions—middle names, maiden names, childhood streets and schools—can be researched and discovered—sometimes very easily—so choose your own questions, whenever possible, or use commenter Srwight’s tip and answer different questions entirely, with a translation key.

Now it’s up to you to go ahead and change your password on the sites where you can remember your original password, and recover your password from the others. The “Forgot password?”, “Need help logging in?”, and similar links are usually located under or next to the boxes for entering a username and password. Click them, grab the email or text message, log in again, and delete the email immediately after changing your password. This is crucial—you don’t want anyone who somehow gets into your email knowing how you changed your password to a site, or, even worse, recovering even an old password from sites that make the dumb move of sending your password to you.

The most important sites to fix, right up front, are those where bad people could get at your personal life, your work, and your money. That means, as a short list, you should prioritize your email, banking, work-related, and primary shopping sites. Head to every site you can think of using regularly, recover your password, change it to use your new system, then delete the emails that resulted from your change.

Step Three: Keep Your Passwords Stored and Safe

Every modern browser offers some kind of system for saving your passwords and automatically filling them in when you next visit a page. This is, as you might guess, a pretty bad thing to have enabled if your laptop ever gets stolen, or if the wrong people get access to your computer some other way. Here’s a look at a few of your much better options.

Firefox: Master Password, Password Timeout, and Sync
If you’re a Firefox devotee, you’re good to go using Firefox’s built-in password saving system. When you enter your new passwords, go ahead and click “Remember” on the drop-down bar that appears. Just be sure to enable the Master Password feature from Firefox’s preferences, then use a master password that has more than eight characters, includes special characters, and no dictionary words—basically, like your password scheme invented above. In fact, it’s not a terrible idea to use the root of your password scheme as your Master Password, as that helps reinforce the scheme in your memory.
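The three rules given above for a master password (longer than eight characters, at least one special character, no dictionary words) are easy to check mechanically before you commit to one. The checker below is an added example, not a Firefox feature or code from the original post; the tiny word list is constructed for the demo (a real check would load a full dictionary file), and the entropy figure goes beyond the article’s rules: it is a rough length-times-pool-size estimate, which is how password strength is usually approximated.

```python
"""Check a candidate master password against the three rules in the text.

Added example; the DICTIONARY set is a constructed stand-in for a real
word list, and estimated_entropy_bits is a rough approximation.
"""
import math
import string

# Constructed mini word list (assumption for this example). Load a real
# dictionary file here for actual use.
DICTIONARY = {"password", "please", "let", "me", "get", "what", "want", "lynne", "summer"}
SPECIALS = set(string.punctuation)  # 32 non-alphanumeric ASCII characters


def dictionary_words_in(password: str, words=DICTIONARY, min_len: int = 3) -> list:
    """Return dictionary words of at least min_len letters found inside the password."""
    lowered = password.lower()
    return sorted(w for w in words if len(w) >= min_len and w in lowered)


def estimated_entropy_bits(password: str) -> float:
    """length * log2(size of the character pool actually used); 0 for an empty string."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(c in SPECIALS for c in password):
        pool += len(SPECIALS)
    return len(password) * math.log2(pool) if pool else 0.0


def check_master_password(password: str) -> dict:
    """Apply the article's three rules; 'ok' is True only when all three pass."""
    problems = []
    if len(password) <= 8:
        problems.append("must be longer than eight characters")
    if not any(c in SPECIALS for c in password):
        problems.append("needs at least one special character")
    found = dictionary_words_in(password)
    if found:
        problems.append("contains dictionary words: " + ", ".join(found))
    return {
        "ok": not problems,
        "problems": problems,
        "entropy_bits": round(estimated_entropy_bits(password), 1),
    }


if __name__ == "__main__":
    for candidate in ("$ppplmgwiw$", "password123", "elolynne"):
        print(candidate, check_master_password(candidate))
```

The article’s own Smiths-derived root, $ppplmgwiw$, passes all three rules, while a bare base such as elolynne fails on length and on the “no special characters” rule even before the dictionary check finds “lynne” inside it.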

Beyond that, you might want to install the Master Password Timeout add-on, so that if you step away from your computer or leave Firefox idle for a certain period, your system won’t betray your password scheme.

Finally, if you want to ensure that your passwords are backed up and hard-drive-crash-proof, install Firefox Sync. It’s a built-in feature of the upcoming Firefox 4, but it works well now to keep your passwords backed up to the cloud (or your own server, if you’d prefer). Using Sync for passwords requires both a standard password and a “secret phrase,” so you might want to use your standard password root for the password, then write down your secret phrase on paper and store it securely, just in case.

Every browser: LastPass

If you’re on a browser other than Firefox, or use more than one browser, we see LastPass as the best way to store your passwords and easily access them to automatically log into any site. I’ve previously detailed the winning characteristics of LastPass in a post on the easy, any-browser, any-os password solution. The short version: LastPass offers browser plug-ins for all the majors—Internet Explorer, Firefox, Chrome, Safari, and Opera—along with stand-alone apps, portable apps, and bookmarklets for use on other systems. You can also just get at your passwords by logging in at the LastPass site, and if you’re ever in a cafe or other spot where you’re not quite sure about the security, LastPass supports one-time passwords for extra security.

After signing up for a LastPass account and installing a plug-in for your current browser, you can save yourself a good bit of time by importing your passwords from that browser’s password manager—look in the Tools section of the LastPass preferences for the option. You can also import passwords from nearly any notable browser or password/encryption manager through your “vault” on the LastPass site. But you’ll likely populate LastPass as you go along, filling in your new, stronger passwords and allowing LastPass to save them. Once you’re set up and comfortable, you’ll also want to disable your browser’s own password-saving system, so it stops nagging you, and wipe out any passwords already saved internally through your browser’s preferences.

Finally, you’ll want to take the same precautions with LastPass as we took with Firefox—set up a kind of Master Password to enable all the handy auto-filling. It’s a setting (“Automatically logoff when all browsers are closed …”) in the General section of the LastPass add-on preferences, and you should set a reasonable timeout for it—15 minutes is about fine by my standards.

Other Password Systems

Firefox’s built-in password manager and the LastPass plug-ins are far from the only computer tools for managing passwords. KeePass is a reader favorite, and a system we’ve previously featured in a how-to guide. It’s also a good bit more hands-on than LastPass or Firefox, and requires the user to be in charge of the “vault.” But if you like that kind of independence, or want to try something different, check out KeePass or any of the best password managers out there.

Keep the Practice Going

The hardest part of fixing your faulty passwords? Having the will and conviction to recover, change, and update your passwords on sites where you still remember your old, cruddy password. Password security is one area of computing where leaving well enough alone is a terrible idea.

My wife once used a simple nine-character password, with a cute name involved, to protect most of her accounts, including Gmail. After she got hacked and sent every single friend, co-worker, previous co-worker, and even long-ago Craigslist contacts a message about “Hot Electronics Deals!3!#,” she started gradually updating her web passwords whenever she had the time. You, too, should keep in mind that while it’s an annoying five minutes to click a link, check an email, and save a new password, it’s an excruciating week of apologies, fixes, and account recovery if your web life falls prey to a simple brute force password attack.

How have you fixed up your passwords without too much pain? What tools or tips made it simple to create a new security scheme? We welcome your tips in the comments.

Send an email to Kevin Purdy, the author of this post, at kevin@lifehacker.com.


LastPass is good, but don’t forget to export all your passwords so you have local copies. Sometimes you need them when LastPass is unavailable. The locally cached versions are fine for short outages, but I’d want the encrypted full export too, just in case they get bought out and I don’t like the new owners.

I just let KeePassX (FLOSS) generate long random passwords for me now. I’m not tempted to remember them and I KNOW they are stored securely in 5 different locations. Every login is different. There’s been a bunch of discussion that 12 character passwords are enough if you use upper/lower/numbers and punctuation characters. When it comes to encryption, I usually double the current recommendation, so 24 characters at a minimum.

Reply

One more thing: Document your system and place it wherever you keep your Will. Otherwise, you could be leaving your loved ones with a giant headache.

Reply

I’ve been using 1Password for Mac and RoboForm for PC. I heard that 1Password is beta testing a PC version of their software. Would be nice to have one software across all platforms.

Reply

Step 1: Start using KeePass with the database in your Dropbox/other sync location. Generate a password for your database and write it down. Burn the paper once you memorise it.

Step 2: Continue using KeePass.

Step 3: There is no step 3.

Step 2 is arguably the hardest.

Reply

I was reading LH’s article on Collections which prompted me to review my list of add-ons. In doing so, I was reminded that LastPass does not have a free Android version so I started looking at KeePass, which I knew did. Then I refresh LH and BAM! This article is up. I have now added aluminum foil to my shopping list and will be consulting a papercraft website for instructions on creating a nice hat. No thanks on the Zelda or Mario hats. I’m already going to be wearing an aluminum foil hat; do I really need to look like a bigger idiot than that?

Anyway, can anyone offer me some insight on exporting passwords from Lastpass so I can import them into KeePass? Is the LastPass CSV sufficient?

Reply
