Secure Your Future: Password Management + 2FA!
Password Headaches
Does creating, storing and remembering passwords for all of your online accounts feel like a full-time job? There is a better, easier and more secure way: lean on a tool to do all the heavy lifting for you. I have seen several posts and comments about the frustration of dealing with passwords, so I wanted to share what I do and how easy it actually is with the combination of two apps that I personally use!
Most of us understand that identity theft is real and that securing our accounts is critical, but do you still do any of these?
- Use the same password for multiple accounts because it's easy to remember?
- Use short, familiar phrases as passwords?
- Use familiar answers to secret questions that others could guess?
- Track your passwords in Excel or even on Post-It notes?
- Avoid 2-factor authentication because you don't understand it or how critical it is?
Overcoming ID Theft
I was a victim of identity theft about 8 years ago when my W2 payroll data was stolen from a vendor my company uses. During this event they attempted to open new credit cards and file a fraudulent tax return using my information. I didn't do anything wrong; I was a victim of some other company getting all of their data stolen! It was a nightmare to work with the banks and the IRS to clear this up. This experience forced me to take measures to secure my accounts, and I took it to the max! I have over 150 accounts in my password manager and NO two accounts share the same password. Everything possible also has 2-factor enabled via token or SMS.
If you only take away one thing, do this: learn to leverage a secure password manager and enable 2-factor for everything that supports it!
Today things look different! No more simple passwords that are all the same. I still remember the days (20 years ago) of using my middle name with a single digit after it and thinking how creative and secure that was!
I use LastPass + Authy
I have used many password managers, but I find the combination of how I use the "LastPass" password manager and the "Authy" 2-factor token manager simplifies my life and lets me easily log in from every device I have without knowing or manually tracking any password. That's right, I do not know any of my passwords, but I can easily retrieve them for a manual login if needed. These 2 tools work seamlessly together.
I'll explain how and why, keep reading!
LAST PASS: (Password Manager)
I have been using LastPass for about 8 years, ever since that ID Theft event mentioned earlier, and still consider it to be one of the best or at least my favorite based on personal experience. Some popular alternatives to consider are Keeper and 1Password.
LastPass has a combination of a mobile app and a browser plugin to sync your passwords between multiple devices. Your data is secured with a MASTER password. I want to point out that LastPass encrypts all of your data with your MASTER password, which only you know! If you lose this MASTER password they may be unable to recover your passwords unless you have recovery options set up. Going forward, this is the only password you will be required to remember!
I store all login information and secure notes in LastPass and use super strong UNIQUE passwords for all accounts.
For best security, passwords should contain the following:
- 10+ random characters (I use 15 characters in LP)
- UpperCase & lowercase LetTeRs
- Numbers 0123456789
- Special characters (!@#$%^&*?~)
LastPass has a password generator built in that will create and store passwords for new accounts with a couple of clicks.
You can also use the password generator for user IDs; I use 10-12 letters & numbers for random user IDs.
Below is an example of what LastPass would generate for a new account and store automatically for me:
Sample New Account
User: hn9zv723t3
Pass: 2zz$FJHF*xqT7Rn
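As an added illustration (my own code, not the post's or LastPass's), here is a small generator and checker for the policy above: passwords drawn from the four listed character classes with every class guaranteed present, and lowercase/digit user IDs in the style of the sample. The function names and the use of Python's secrets module are my choices.

```python
import secrets
import string

# The four character classes from the post's policy. SPECIAL is exactly the
# set the post lists; a real manager may allow more.
UPPER = string.ascii_uppercase
LOWER = string.ascii_lowercase
DIGITS = string.digits
SPECIAL = "!@#$%^&*?~"
CLASSES = (UPPER, LOWER, DIGITS, SPECIAL)
ALPHABET = "".join(CLASSES)


def meets_policy(password: str, min_length: int = 10) -> bool:
    """Check the post's rules: min_length+ characters, only characters from
    the allowed alphabet, and at least one character from every class."""
    if len(password) < min_length:
        return False
    if any(ch not in ALPHABET for ch in password):
        return False
    return all(any(ch in cls for ch in password) for cls in CLASSES)


def generate_password(length: int = 15) -> str:
    """Generate a password that satisfies meets_policy.

    Draw one character from each class first (so no class can be missing),
    fill the rest from the whole alphabet, then shuffle with the OS CSPRNG
    so the class of each position is not predictable."""
    if length < len(CLASSES):
        raise ValueError("length must be at least %d" % len(CLASSES))
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    secrets.SystemRandom().shuffle(chars)  # never random.shuffle for secrets
    return "".join(chars)


def generate_user_id(length: int = 10) -> str:
    """Random lowercase letters and digits, in the style of the post's
    sample user ID (hn9zv723t3)."""
    alphabet = string.ascii_lowercase + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    print("User:", generate_user_id())
    print("Pass:", generate_password())
```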
Using a secure password manager provides many other benefits including:
- Redundancy: don't lose your passwords because they are stored in only one place.
- Auto login to sites and apps; the auto fill is not captured by malware like key loggers.
- Generate and store new passwords for new accounts, taking the pain out of creating passwords.
- Assist with password changes: quickly change and store new passwords for your existing accounts.
- Forget passwords! You will never need to remember these passwords again, but you can manually access them if needed!
AUTHY: (2FA Token Manager)
Authy is my favorite little token manager. It supports modern token types, including push, where you just tap yes/no instead of typing a code. A popular alternative to check out is Google Authenticator.
What is 2-factor authentication? It's a login method that combines something you know with something you have: the password you know, plus the token you have. Requiring password + token makes it virtually impossible for hackers to directly access your account with just your username and password if those get stolen.
I typically use code generator tokens that cycle a numeric code every 60 seconds. Authy stores all of your tokens, and the app is easy to browse if you have MANY like me :) Some sites do not support tokens but instead send an SMS text message to your cell phone. This is a good alternative, but keep in mind that the SMS code is linked to your phone number, so you MUST have your phone to use it, whereas Authy can sync your tokens to multiple trusted devices, making it really convenient to use.
I strongly suggest enabling 2-factor authentication on all of the following at a minimum:
- Financial Accounts: make it impossible to directly login to your bank, savings, investment or brokerage accounts. Don't take any chances here!
- All Social Media: especially the big ones and any you use for business. How many things use login with Google or login with Facebook? These companies have direct access to device backups from your phone, personal tracking data, authentication tokens for MANY other apps and websites.
- Cloud Storage: Dropbox, iDrive, Google Drive, OneDrive, etc.
- Business Accounts: Amazon, GoDaddy, Namecheap, AWS, etc.
- Primary Email: If you use email for password recovery at any of the above accounts, that email should be secured with 2FA as well. Think of a Gmail account. If your primary email gets compromised, thieves may be able to reset the passwords for many other accounts you have using email recovery.
How do these 2 tools work together?
I use LastPass to auto login to all my apps, websites, accounts, etc.
Remembering or tracking passwords is a thing of the past!
Authy secures all my 2-factor tokens, making them accessible on my phone, tablet, laptop & desktop computers.
This configuration makes it impossible for someone else to log in to anything if my password alone is compromised. And even with the enhanced security, once you get accustomed to using the tools, they greatly simplify something that many people struggle with.
Don't make it easy for thieves! There are plenty of easy targets for Identity Theft. Don't be one of them!
Other Password & Security Tips
- Never click links in an email to login somewhere. Always go directly to the website to login. The only exception is email address verification emails that you were expecting.
- Never open email attachments unless it was something you were expecting.
- Never respond to SMS Text messages requesting personal information.
- Never give ANY personal information to any Bank or Government agency that calls you unexpectedly. These are 99% scams to steal your information. Hang up and call the company's main line to confirm anything even if it’s a collections call.
- Always use unique passwords for ALL accounts. Don’t make it easy for an intruder to walk across multiple accounts.
- Do NOT store passwords in email; it's bad enough when email gets hacked.
- Do NOT store passwords in cloud storage without encrypting them first. I know someone who uses text files in Google Drive; don't be this guy!
Do you have other password or security tips to share?
Did you find this information useful?
Have questions?
Drop me a comment!
Secure Your Future!
Josh
Recent Comments
This is SO important. I've heard of LastPass. Is there any cost involved? Thanks for such a great, in-depth article!
Darlene
There is a free version, and that's where I started for several years. Premium has a couple of nice-to-have features but is certainly not required.
Currently I pay for Family, which allows 5 full-featured accounts with password sharing, so joint accounts I share with my wife and media streaming services I share within my family.
It's still free for the core password manager. New accounts get 30 days of premium to use the extra features.
This was an excellent read, Josh. Thank you for sharing. You've made some excellent points and suggestions. I'm just curious if you are concerned at all that those apps you've suggested might get compromised at any time... Is there anything anymore that is completely secure?
Susan
Yes, great question!
For LP there is a layer of encryption around your password store for syncing between devices, and when you enable a very secure, unique master password and 2FA for the password manager, that's about as good as it gets!
Similar for Authy: you register your cell as the trusted master device, and you have to confirm from the cell phone app when you add another device for your tokens.
I think the biggest issue may be setting these types of tools up in a way that makes them less secure, or not following the tips to begin with. Examples: using insecure email for recovery, no 2FA, simple recovery answers, storing passwords insecurely, etc.
Wow Josh, I just wrote almost a blog in reply and I missed my battery warning and my computer crashed, DOH! Now for the short version. I love your advice; it is sound, but most people are indifferent until something bad happens like what happened to you. I used LastPass for years and it is great, but no free version anymore; I think it is the best. I now use the free version of Bitwarden, which is very similar but not quite as smooth, but FREE. 2-factor authentication is so important with all the cyber warfare these days; I use it as much as possible even though it can be a bit inconvenient, but it is worth it. I have not heard of Authy; I will check it out.
THX Josh
Thanks for the comments, Russell! I'll also check out Bitwarden. There are several other new players in this space that look like great alternatives as well.
The LP website is confusing because they start you with a 30-day trial of premium. But to me it looks like the core password manager is still free. I could be wrong though.
LastPass free is useless, as you can only use it on one device, or I would still have it.
Got it! I remember that change now; it was a couple of years ago. That's when I went premium, lol. To be fair to app developers, I really do not mind paying a few dollars for a handful of useful tools.
For many things though I tend to lean on open-source apps; I used KeePass for many years. That is also a viable alternative, but last I checked it was just a password store with an encrypted DB file. You had to sync the DB with cloud storage, and there was no auto login, etc. This gets too cumbersome, always copying/pasting from the app to log in.
I noticed I'm coming up for renewal next month, so I will check out your suggestion as well: Bitwarden.