Secure your online accounts and save yourself a lot of work too.
Most security advice I’ve heard is really just nerds yelling. Have you heard any of these before:
- “Change your password!”
- “Don’t reuse passwords more than once!”
- “Why aren’t you using 2FA, what are you nuts?”
- “Use a strong password.”
- “Your password MUST contain…!”
Do you know what any of these things mean? Most of us don’t. See, nerds…yelling. Not okay nerds. Stop it.
A little nerdy housekeeping
This is the problem with nerds. Full disclosure, I’m a nerd too (*raises hand slowly*). Nerds often forget that most people don’t live in the weird brainy place we do. We make terrible assumptions as if everyone knows the same things we do and then start yelling when they don’t. Sorry about that. Nerds are human too, and we’re not perfect (most won’t admit it). I won’t be doing any yelling here, I promise. I don’t think it is helpful or productive.
Technology can’t accomplish its goal of bettering your life if it is not understood clearly. You need to have tech and knowledge or neither works together. As a card-carrying nerd, I hereby give you full permission to refuse to use any technology if it isn’t clear to you why you should and how to do so. You shouldn’t be made to feel stupid because you don’t understand. That’s not fair. If you don’t get it, don’t use it. It is far safer and you’ll never get in over your head that way.
Case and point, online security. It isn’t very well known how you’re supposed to stay safe online and that it doesn’t have to be so complicated and upsetting. No one — including nerds — ever explains well enough how to stay safe online. Nerds need to do a better job of communicating in regular language and not getting too technical. This is my goal.
Who am I?
I’m a nerd who has spent my software engineering career trying to help people figure out technology in simple ways that involve no yelling at all. In fact, if anyone yells, I leave the room as a matter of principle. I try to make tech work for people, not the other way around. The purpose of technology is to make your life easier. See, just bold for emphasis, but absolutely no yelling. Bad NERD bad, sit nerd, down nerd, be a good nerdy…there you go. Whew.
With that out of the way, let’s talk about the issue at hand, how not to get hacked.
Why do people get hacked?
What is the problem here? How do people get hacked? How do you know if you’re safe or not? No one seems to know. Well let’s take a look at how this happens and what you can do to avoid it. Honestly, yes, there is always a chance that you will be hacked, but I’ll show you the best way to be nearly unhackable. Hmm, I might put that on a business card.
Let’s look at a scenario that happens often these days and how it can spiral out of control quickly. It will help us to see how and why we need to use smarter tools to secure our personal and financial information.
If you regularly sign in to any website like Amazon.com for example, you have to enter an email and password to do so. It is a common every day thing we deal with as humans in the digital age. This every day is sometimes ignored because it is so common, and yet the details of exactly what happens when you login are vitally important to understand. How did you come up with your password? Where do you store it after you create it? How many other sites do you use the same password on? these questions may not be easy to answer because we’re all so used to doing it, but they will show you how secure you are or not.
Usually, most people use very little strategy when dreaming up passwords. Mostly because no one ever tried to explain that there is a strategy or why you’d even use one to stay secure. The most prevalent ideas are to use personal details that are easy to remember to create passwords. Then you’d use the same password everywhere because it was too much mental work the first time to create a password, why would you do it twice? Life is too complicated already, we don’t need a password headache on top of everything else.
Despite this seemingly normal approach to security, there is a lot that isn’t helpful here because hackers who are prowling around the internet are counting on the fact that we randomly choose our passwords based on arbitrary ideas that have no logic to keep us safe. I want to help you upgrade your idea of passwords so it is far better for you, and will end up being far LESS work for your brain.
Most common passwords and how not to pick one
For a list of the most commonly used passwords and how NOT to pick a password, check out Cybernews.com’s Most Common Passwords for 2021. People use curse words, city names, months, days, seasons, food names, pet names, and sports teams, which are all bad ideas because they are predictable.
Let’s be honest with ourselves. Us humans are inherently lazy. No judgement, we are all this way and it’s okay too, we would rather not do things that are too complex or intense, and it makes sense. Instead of judging ourselves for it, let’s use our laziness as part of the solution. That is the smart thing to do.
Unfortunately hackers know how predictable and lazy humans are, and try to use that fact to their advantage. We’re going to use our own laziness to help us secure things and it will help us far more than it will help the hackers. Haha!
A Hacker’s Motivations
Hackers are looking for cheap thrills, respect, and cold hard cash. That’s pretty much the gist of it. “The thrill of the hunt” meaning breaking into something forbidden is the primary reason for most hacks. Closely followed by respect from other hackers, and scoring some cash (or something sellable for cash, your data). Pretty simple motivations, but they cause long-lasting ramifications for those of us on the other end of a hack. For this reason, we’ll take steps to deny hackers their aims long enough for them to go bother someone else.
It seems the odds are stacked against us as we live more of our lives online everyday. How do you win the fight against smart hackers with advanced tools and time on their side to test and exploit our weaknesses? What are we going to do to stay safe?
The name of the game here is to be less predictable and more of a moving target that isn’t worth a hacker’s time. That is what we’re after here. We want to be more secure, with less work to remember passwords. Again, playing to our laziness as a STRENGTH, not a weakness. How is this possible?
It turns out some of the things the nerds yell are the right idea and are useful for keeping you safe online. I know, super cringe isn’t it? The idea is right, but a nerd’s failure to communicate causes people not to listen which voids the express purpose of saying anything anyway. That’s why the yelling has got to go. I’ll explain what you need to know and how it works so you have the knowledge you need to make a good decision. Sound good?
#1 Nerds Yell “Use a strong password”
First, what is a strong password, and why do I care?
The strength of a password is its complexity and how difficult it is to guess. It is like the “guess a number” game we played as kids. “Think of a number between 1 and 10”. You pick 3, but my number was 7, and we try again. This is actually how passwords work, except in this case hackers are using an advanced program (almost like a robot) who can guess a thousand times a second and can try many different combinations you wouldn’t even dream of. This program knows what numbers humans use most often and will guess those first. Online security is essentially a game of keep away or capture the flag. If you can make your passwords too hard to get, hackers will usually move on to someone else. Here’s exactly which passwords are good or bad and why:
Bad Password Examples:
- 123456, 111111, or 111222333 – no guessing involved, it will be the first thing tried by a hacker because millions of people have used this for several decades running. Not hard enough to guess for our purposes.
- rover1987, bayside1994, or cassie1 – no guessing either, because hackers have learned from watching years of passwords that people use something close to their heart or an important time in their lives as their secret password, so it is very easy to guess. Also, whole words like rover, and numbers that are years are extremely easy for a computer hacking program to guess when it tries different combos.
- myl1ttl3p0ny15 (mylittlepony15)- a little bit harder but still super easy to hack because the pattern is simple enough for a hacking program to figure out, just replace all the letters with numbers and vice versa. Not a challenge for most hackers. Not enough randomness to be useful.
- curse words or body part names – Not a challenge, many people do this thinking it will be funny or hard to guess because “who would make that their password?” Millions of people do this, so hackers know to expect it. Easy pickins.
Good Password Examples:
- u&HAZ62GtMLe$4Fd – this is obviously much harder to guess and isn’t easy to remember. This is a good idea beacause it raised the hacking difficulty as high as it can go, and you can use a program to remember it for you. Most passwords are not filled with upper and lowercase, numbers, and multiple symbols like &, %, $, etc. making them low hanging fruit for a hacker looking to score. We’ll use a password manager to automate this process for us to be less work. More on that a little later.
- Hg5&6cZ#zx#eQ$G3 – same thing as the last one, much harder to guess. The length of it is also important. Most people use short passwords which makes it faster to guess for a hacker with super-tools. The longer you make the password, the longer it takes them to hack it. We’re talking about a difference between a few seconds and hundreds of years to guess. That’s a big difference. Anything around 12 to16 letters, numbers, and symbols is incredibly difficult to hack and that’s what we want.
You might see these passwords and think, there is absolutely no rhyme or reason in those. You’d be right, that is the whole idea. No rhyme or reason is exactly why they are secure. That level of randomness provides the smallest chance to be guessed because a computer aren’t good at guessing nonsense. Nonsense is the key to the best kind of security. Truer words were never spoken.
#2 Nerds Yell “Don’t reuse passwords more than once”
Why? The nerds are just trying to make life hard for the rest of us. Well, I wouldn’t put it past us nerds to do that because we love our detailed particulars. However, I’d also point out that there is an extremely good reason for this idea. It isn’t just the whims of those with too many action figures.
If your password is hacked once on website1.com, it can be also hacked on website2.com just as easily. What most people don’t know is that if hackers guess a password (or find it in a badly-made website’s data, also known as low hanging fruit) they will try the same one on several thousand other sites in a few seconds using special tools to see if you’ve used it in other places. Because humans are lazy by default, a password for one site is likely going to be used on another because hackers know we don’t want to do the mental math a second time, and they count on this. Reusing a password is perfect for them to get into everything you might have ever signed up for and ruin your day. Especially if they get into your email, it can be game over for your privacy in a heartbeat. Your email account contains everything they need to steal your money, identity, and even start legal and criminal trouble for you. Bad news bears.
Even if you use a great password on say Netflix or Amazon or Facebook or Twitter or another big company that does a great job of security, many small sites are very bad at security, so you will still be in trouble. Keeping each site separate with a different password is key to staying safe. You’re right if you think that sounds like way too much to keep track of. I agree. We’ll handle that. Small sites are hit or miss on security, so the best way to handle this is to have a different password for each one, so a hacking attempt will only affect that site, not your whole life.
This is a security practice the pros call compartmentalization (sorry for the big word), and it just means you don’t keep all the candy in one bucket for the bad guys to find, you make them work super hard to get your other passwords for every other site, which they never will (statistically speaking).
If you get your account hacked, at let’s say at MyAwfulWebsiteWithZeroSecurity.com but you don’t use the same password for Netflix, or Hulu, or HBO Max, you will only need to fix the MyAwfulWebsiteWithZeroSecurity one and reset the password there, not at all the other places. A lot less work if you ever do get hacked.
Compartmentalization is awesome for you, terrible for hackers. It is even protects you when websites are terrible at security, and trust me they are. I’ve spent 25+ years learning all the worst ways people leave security wide open and it isn’t pretty. I don’t want their issues to affect you if at all possible. You will never know if a website you use is bad at keeping your data safe. It is impossible to tell. Even the biggest companies have data breach issues all the time.
Stay secure without extra work
So here’s the good stuff. The steps to secure your accounts, be less stressed, and go back to not caring about any of this on a daily basis. Finally, after all my rambling.
to summarize our goals:
- We want to use a complex, unique password for each and every site we visit without having to remember them all. More secure, less work.
- We don’t want to have to think up new passwords all the time but have the computer do it for us. Less work.
- We want it to be free because why not? Less cost.
- We need a great tool that will work on all our browsers, computers, and mobile devices without too much hassle, so we can ignore security and live life. Less work.
- We want a tool that will know when there is a new password on a website and ask to save it, so we don’t even have to remember. It should also auto-fill in our logins when we sign in. Less work.
Allow me to introduce you to a great free tool called the “password manager”. It does what we want, is simple to use, and works everywhere on desktops, laptops, phones, tablets, all browsers, everywhere. It has a quick initial setup (about 10 mins or so) but after that there isn’t much you have to do at all, in fact it should save you a bunch of time every day you use it.
There are many password management apps, some better than others. Some are just not built as good as others. As a programmer I won’t use apps that aren’t built well, especially in security. The app I like the best is called BitWarden, but I’ll give you some top alternatives as well to use if you like them better. No yelling, no judgement, just doing what’s best for you. Nice, right?
OVERVIEW OF The Process
- Choose a password manager app to store all your passwords (we will generate them securely). This is like a secure bank vault that will keep all your password safe.
- Create a master password that is super secure and hard to guess. I’ll cover this critical step below in detail. IMPORTANT: Write it down in multiple places not easily accessed from the internet.
- Sign up for an account with the password manager using your master password.
- Download the browser addons and mobile apps, which will allow you to login without knowing any passwords except your master password.
- Change a few settings to get the most out of these apps and let it auto-fill logins for you.
That’s it, that’s the whole thing. I will of course add instructions and pictures of everything below to make it easier to setup.
Step 1: Pick a password manager.
I personally use BitWarden because they are open-source, meaning anyone can look at the code and verify that there isn’t anything shady going on. It also tells me that they are not just out to make a profit at any cost. Good signs for a security app. I have also heard some security researchers (aka the good hackers) I know of recommend it, which they wouldn’t do if it was a bad app or was insecure.
BitWarden password manager
Feel free to pick a different one if you like. I went ahead and did some research to make it easier on you. I found a list of the top password managers from a long respected computer magazine many of us nerds trust, PC Magazine. They have a good review of the top ones for you if you want to check that out. It is located here: PCMag’s Password Manager Review or you can just google “best password managers” to find the article. It looks like this:
I will use BitWarden here to show you the process, but almost all the other services will be very similar. I don’t like Keeper, Dashlane, or LastPass as much personally (I explain why at the end of this guide), but that is my opinion, use what you want. Please use one of them and it will be so much better than not having one. I will personally be happier if you are safer after this guide.
I am going to assume you are going to go with BitWarden because I said so, and it is the easiest to follow along with in this guide. #parentSkills (because I said so…joke, sorry).
Step 2: Create a secure master password
Creating a master password first is less confusing than trying to do it later, and is very important.
A master password is the only password that you need from now on. It is the key to the lock on the bank vault so it should never be stored online in your email or any other account (because it can be hacked). Let’s generate one that has never ever been seen before and will be very hard to guess for hackers and then we’ll keep it close to us and never put it online. We’ll use a free tool that will not make your brain hurt either. It is simple and it is called Random.org.
Visit this website link or type in your browser: random.org/passwords and you will see something like this:
Feel free to read the page, but it isn’t required at all. There is really only one thing to change before you get a shiny new password (or 5) delivered direct to your eyeballs.
All you need to do is change the “Each password should be ____ characters long” box to any number from 12 to 16 for best results (unhackability). That is the perfect length for your password. Click the “Get Passwords” button below that and you will get 5 shiny new passwords that no one else has ever seen before (5 of them lets you pick one you like the look of). Choose one to be your new master password and add a few symbols (!@#$%^&*) to it. Alphabet Soup, I choose you! (Pokémon joke for the young people). Using this password as your master password to protect all the others will greatly increase your security.
If you want to test a password to see how hackable it is, there is a tool here: My1Login’s Password Strength Test (see how long a hacker will need to run a program to guess your password)
Next, I cannot say this BOLD ENOUGH (still no yelling…) — WRITE IT DOWN PLEASE in notes or on paper, somewhere you aren’t likely to lose it. Post it in giant letters on your wall even, because having it in your home in plain sight is only slightly risky if you have super nosy neighbors or terrible family members who would steal from you. You will still be better off than putting it where millions of possible hackers can find it online. Be careful to not confuse similar letters and numbers like 1 (one) and I (I as in myself) or O (oh)and 0 (zero) or this will not work at all. In fact, you can underline any numbers to remind you if that helps or use a different color for numbers and letters. Please make at least 2 or 3 copies of your password, put it under your keyboard or in your wallet, in your home safe, you do not want to lose this password. You want backup copies in safe easy to find places should you lose it. Be aware that you may want to change it periodically too so I wouldn’t get it tattooed on you or anything. Again, it’s your life, so do what you want. It is all you.
Once you have your new password safe and sound you are good to go to step 3.
Step 3: Setup your password manager account
Now with your new shiny password (wherever you saved it) go to the bitwarden.com page and click “Get Started” (usually at top right).
- Type in email and name.
- Now type or paste in the amazing master password you made into both password boxes.
- Hit Submit and then you can login to your BitWarden account with your email and password.
- You might need to verify your email address too, which is pretty standard.
Step 4: Download apps for all your devices
There are simple apps for your phones, tablets, computers, laptops, and other devices to keep things secure for you. These apps are lightweight and won’t bog down your system. You can find them all in one place here: BitWarden Downloads
You can also find the mobile versions on the Google Play and App Store for Android and iOS Devices instead of on this page, it is easier from your phone usually.
Step 5: Recommended Settings to make your life easier
Web Browser ADDON Recommended Settings (Chrome, Safari, Firefox, etc)
Vault Timeout: This is set to “On Browser Restart” by default which means anytime you close your browser, and open it later, you will have to put in the password again. I find this very secure but personally annoying since I don’t have attackers bothering me all day and I leave my browser open a lot anyway. I don’t want to type in my password a lot.
I have mine set to “Never” because I am on the computer all day for work and home. That might not bother you if you use your computer less frequently. The reason I am not worried about “Never” is that I have my computer in my home and I’m not worried about anyone messing with my passwords. My wife and kids don’t really use my computer much. The real problem isn’t my PHYSICAL environment, it is the fact that people on the internet can attack me. That is the real danger. I have decent network security so I can do “Never” and get away with it. It depends on if you’ve got reason to secure your passwords more than that. It is your choice, but this is my reasoning in case it helps. You have to balance security and convenience.
Another good option that is better than “On Browser Restart” is the “On System Lock” option which will only require the BitWarden password if you lock your system, meaning the screensaver turns on or you lock it yourself, however that is setup on your computer. This makes it still very secure but slightly less often to unlock your passwords.
Mobile Recommended Settings (Android, IOS, IPAD, etc)
If you open the BitWarden app on your mobile, sign-in and you’ll see the settings icon (usually in the bottom right corner on iOS and Android). You are looking for “Auto-fill services” so BitWarden will fill-in any logins for you in web browsers or apps that you use. It is super useful. I turn on all the options in this section:
- Auto-fill service
- Use Inline Autofill
- Use Accessibility
- Use Draw-Over
I would try turning them all on and see what you think. This is the set of features that auto-fill all your passwords for you in websites and apps, which saves so much time every day. They do get in the way occasionally to be honest, but the pain isn’t as bad as the ability to forget all passwords and have them put into apps and sites FOR YOU. I personally think it’s worth it.
I also use Vault Timeout “Never” settings on my phone because it is easier to use all day long and I have my phone locked with a pass code and biometrics which are another added layer of security that makes locking my BitWarden not as important, at least to me.
I have “Unlock with Biometrics” turned on as well, it makes signing-in as easy as a finger press on the sensor, so I don’t even need my master password anymore most of the time. I still need it on my desktops and laptops.
There are a bunch of other settings to play with these are the ones that I found most useful. Feel free to experiment of course.
Conclusion: What happens next (not really a step)
Now that you’ve signed up for a password manager, the next thing to know is that BitWarden will generate passwords for everything FOR YOU without having to go to random.org all the time. This is so helpful. Now you’ll never need to even know what your password is for anything, as long as you have the MASTER PASSWORD WRITTEN DOWN! (borderline desire to start yelling, but not quite…still please make life easy on yourself).
When you go to a new website, and want to sign up, put in your email and then click the BitWarden icon on your browser (blue/white shield icon). As long as you’re signed into BitWarden, it will have a “Generator” button on the bottom bar for you, which will let you choose the length and complexity of the generated passwords. This is just like random.org but easier. I suggest using 12 to 16 character passwords which is a length nearly all websites will allow with the maximum security you can get (from complexity). I would leave the 0-9, a-z, and A-Z checked as that will allow enough randomness to be secure. You CAN add in the symbols “!@#$%^&*” checkbox too for much better security, but fair warning: sometimes websites and apps don’t like them so it can cause some issues. It is again — entirely up to you — but that is what I’d recommend for the best results (meaning less hackable) and the least hassle. Adding symbols greatly increase security.
Once the settings are good for the password generator, you can hit regenerate for another random password with your new options, or just copy the one displayed, and then paste it into the “password” boxes on whatever website you’re on. BitWarden will ask you if you want to save and remember that password automatically when you click “Sign Up”. You simply click Yes on the top right and it will remember your email, password, and what website to use it on FOR YOU. Next time you come here and need to login, it will PRE-FILL IT FOR YOU! (excited decidedly NOT YELLING sounds). It is great. All you will need to do is click Login or Sign In and you’re good. BitWarden is a huge time saver.
- If for some reason BitWarden doesn’t ask, you don’t see it, or you click No, you can still always save a website login yourself in BitWarden manually. Just click on the BitWarden icon in the browser, and there will be an Add Login link (big plus icon) to click. This only works if you still have the password in clipboard (which happens when you copy it into the login field). I wouldn’t wait too long if you can help it.
- Fill in the Username, Password, and URI 1 (the website address, like google.com) and click save. Then you’re good to go. You can add more website addresses by clicking the plus, for URI 2, URI 3, etc. if you need to, but usually you don’t. Just google.com works, and you shouldn’t need to do google.com/voice and google.com/mail, the main .com works for all of the pages that come after it with a slash.
Other things that might help you:
Using 2FA/MFA with BitWarden (Don’t worry I’ll explain what it is)
You might want to be sure no one can get into your password vault, and BitWarden offers free 2FA for that. Two Factor Authentication (2FA) is that thing where you use a text message, email, or phone call to verify yourself so no one else can get into your stuff because only you have your cell phone. It is a really good idea, but again you have to balance your security with the convenience of every day life. You can check out BitWarden’s page explaining this here: BitWarden 2-Step Login if you’re interested.
Checking A password IDEA to see how hackable it is
If you want to check a password idea to see how hard it is to hack, there is a great secure tool to try out here: My1Login’s Password Strength Test
Note: In general you shouldn’t type your passwords into any website or email ever because they can be used against you or hacked at some point. My1Login’s is safe as far as I can tell, but use at your own risk. I would type in password ideas not actual passwords to try out patterns.
Other BitWarden Features – Organizations and Shared Vaults
You can create an “organization” to store common passwords in so that your mate or kids can access your passwords securely on their phones/devices without having to send them in text messages or chat. This will also prevent a random password being accidentally sent to someone who shouldn’t have it on a messenger app. It is pretty simple to setup and only allows the email addresses of those you actually want to share with into your family group, for example. Quite a nifty feature. My wife and I have certain financial passwords we share and then only share the logins for Disney, Amazon Video, Netflix with the kids so it is all safe and easy for all 7 of us. Very sweet.
Why not Keeper, Dashlane, or LastPass?
Again, this is my personal preference, and because I write software for a living I won’t put up with what I consider a bad user experience and crappy interfaces. Keeper was fine I guess, but as a user when I just wanted to get things done it was in my way. Dashlane couldn’t import any of my logins from a perfectly formatted list (to their own specifications) to save its life so it was not useful for me, and that doesn’t inspire confidence in a SECURITY (read: precise and excellent) company. No thanks. LastPass, I actually used for a long time, but they had some issues with their apps that they did not fix and they force their idea of good interface on you, which I don’t appreciate either. Again, these are great services IF they work for you specifically, so don’t adopt my quirks. Feel free. There are plenty of others out there that are excellent. My goal here was to introduce you to using one at all. Please find one that you like.
Why not another password manager?
If I didn’t mention your favorite password manager it may because they are excellent but paid. There are amazing paid apps too, but my focus was on free ones and for people who aren’t aware of what a password manager is. You might be too smart to be reading this.
Note on screenshots – Dark Mode
Note that my BitWarden shown in screenshots here is in dark mode, so if yours has a white background, that is also perfectly fine, I just prefer dark mode. There isn’t anything wrong with yours if it looks a little different, all the same features are there.