The easy guide to bulletproof online security

Your online security sucks. I know, you think it’s good, but it’s not. But, all hope is not lost! Follow me down the rabbit hole, and I can show you how to fix everything much faster than you ever thought possible.

[Image: password-strength]

Your passwords probably all fall into some combination of the following:

  • Easy to remember – easy to crack, and you’ve probably re-used them at fifty different websites.
  • Hard to remember – likely more secure, but you’ve got them written on sticky notes all over your monitor.

Not only that, but you probably use your real email address for the vast majority of these logins — even though you know better.

So? What’s wrong with that?

Follow me through a little thought experiment. I’ll show you.

A small website that you created an account on last year gets hacked, and an attacker gains access to the site database (this happens hundreds of times a year). The site developers didn’t use hashing, so your password is stored in plain text right next to the email address you used to register. The attacker then attempts to log into your email account using the password that they stole. If you used the same password for your email account, they’re in.

From there, they attempt to log in to your bank. You were smart and used a different password for that, but you used the same email address (PS: don’t). The attacker requests a new password using the email account that they have access to. The bank promptly sends over a password reset link, which the attacker intercepts, and sets the password to one of their choosing. Now, not only do they have access to your bank, but they’ve effectively locked you out of it.

Their next steps are a simple continuation of the above. The attacker can use the same sequence of actions to do fun things like:

  • …gain access to other email accounts you use, especially if you used this one as a recovery address.
  • …transfer funds out of your Paypal account. If this is linked to your bank account, you can imagine it might cause problems.
  • …sign up for a dozen credit cards under your name, rack up tens of thousands of dollars, and leave you with the headache.

If you think the above sounds far-fetched, you need to wake up. Granted sufficient access, I personally have the skills to accomplish all of the above in less than a few hours. Of course I’ll be doing this from 2am to 5am, leaving you no time whatsoever to take action against me. By the time you wake up, you’ve been cleaned out.

It’s a good thing I’m nice — but there are many, many people out there with skills that far exceed mine, and they might not be.

I don’t mean to scare you, but you need to be clear on what’s involved with security breaches.

Fixing all that crap would take forever!

And since you’re already rolling your eyes, let me tell you how exactly long it will take to fix this mess:

  • 15 minutes to install the app, set it up, connect your accounts, and define a master password
  • 15 minutes to secure your 10 or so most-used account passwords
  • a few hours spread over a week or two, to secure the remainder

To look at things another way: dealing with a security breach takes dozens of stressed hours, possible financial loss, feelings of violation, and other fun stuff. Spend the time to get this set up; it’s worth it.

So, how do you fix this?

Choosing the best tool for the job

NOTE: This article was originally posted in 2014. Since then, I’ve moved away from Dashlane and over to LastPass for a number of reasons that I’ll be detailing in a future update. Most of the fundamental concepts explained below still apply, though a few of the minor specifics are different. Also, some of the links below are no longer working. My fault, I know. I’ll get around to fixing that eventually.

Trying to come up with a hand-rolled solution for this is a massive undertaking. This problem has been solved time and time again — you just need to use one of the solutions provided.

There are a number of big players in the online security space. You’ve probably heard of more than a few, such as LastPass, KeePass, and 1Password. After doing a few hours of research (my results basically mirrored those found here), I decided to go with the one I liked best: Dashlane.

[Image: dashlane-dashboard]

There were a few key features that made this one a winner for me:

  • Dashboard – this gives you an overall score of your online security. Lots of big buttons with clear calls to action. Red for bad, green for good. This makes it easy to watch your numbers go up — and everyone likes watching their numbers go up. The application interface is generally crisp and quite nice.
  • Mobile integration – means that my passwords and auto-fill options are synced between my desktop and my smartphone, and automatically backed up to the cloud.
  • Smart backup options – that let me export my data into either a secure Dashlane archive, or into plaintext CSV or XLS format.
  • Not just passwords – this app handles credit cards, driver’s licenses, passports, and other secure errata.

Dashlane just solves the entire “secure info on the internet” concept for me — talk about a huge win. There’s also a bunch of other random stuff that I really like:

  • Passwords are so secure that even I don’t know them – By default, all password field input is masked. When you go to auto-generate a password, you don’t get to see what it is. At first, I thought this was going to be frustrating. After using it for a bit, I realized that I don’t actually care what 99% of my passwords are, as I’m not typing them in anyway (more on this later).
  • Dashboard shows weak and reused passwords – They also include some super helpful links that go directly to the “change password” page of the site in question. It’s pretty hit or miss on whether or not you actually get to that page, but it will at least put you on the domain you need to be at.

Let me hold your hand through all this

Installation is as simple as it gets: Download Dashlane, run the installer, pick a spot on your hard drive, and click “GO”. Once you’ve installed Dashlane, you’ll be prompted to enter a Master Password. This is the key that unlocks all the other keys. This is the one big password you want to memorize. But what to choose?

It should be easy to remember, reasonably secure, and fun to type. At least, that’s my criteria. To hit all three of these elements, feel free to use the ridiculous Password Finder that I built a few years ago. It loads a dictionary list of a few thousand 10-character words, does some B4s1C $ub$t1tut10n transforms, and ranks the passwords by a combination score of character complexity and “fun to type”, which I would explain here but it’s almost too nerdy even for me. Basically, pick a word in the left column that you like and call it good.

Let’s pick an example password: S3cR3tP4$$

With that step done, we’re ready to get to work. Before we do, however, let’s change a few settings to make things easier later on.

Just a few quick things to configure

By default, Dashlane creates passwords containing a mixture of eight upper/lower/numeric characters. According to its own “strength” metric, these default passwords are ranked at roughly the 70th percentile (if they’re going to show me numbers, I’m going to tweak things until the numbers are big). Changing the password patterns is actually accomplished in the Chrome plugin (which you should have been prompted to install during the previous step):

[Image: browser-config]

I found the above settings to be more than adequate: a length of 12, containing digits, letters, and symbols. We occasionally have to modify these, as I will describe below.

Also, given that my computer is physically secure (or at least, as much as is reasonable), I’m choosing to rely on my main Windows account to control primary access during each user session. To that end, I want Dashlane to keep me logged in whenever my main user is active.

You can change this setting in Tools > Preferences > Security.

While you’re in the Preferences menu, I recommend changing one of the more annoying options that’s enabled by default. Under General, uncheck “Save passwords with auto-login option by default” — I had this turned on for quite a while, and about 90% of the time it worked great, but the 10% of the time that it didn’t usually involved some huge pain in the ass: accidentally resetting my password, auto-locking me out of my account (I’m looking at you, every vBulletin install out there), or other such errata. Your results may vary, but my experience was that the hassle was not even close to worth the few seconds it occasionally saved me.

Also, if you don’t change this now, there’s no global option to change it later — it’s on a case-by-case basis, so turning this off after you’ve saved X00 passwords is a huge pain in the ass. Learn from my mistakes, people. That’s what I’m here for.

Secondary passwords

In working through the list of passwords that I needed to upgrade, I ran across more than a few that I knew I would have to type on a smartphone keyboard, would need access to while away from my own browser and Dashlane, or for whatever reason needed to be memorable and not insanely complex. Examples being my Google accounts, Facebook, Skype, etc.

Personally, the easiest way for me to remember all of these is to slightly modify the master password by appending a few letters, keeping each password unique. Using the S3cR3tP4$$ example above, I might use S3cR3tP4$$-FB for Facebook, S3cR3tP4$$-SK for Skype, and S3cR3tP4$$-G1 for my main Google account.

“But wait,” I hear you ask, “isn’t this almost as bad as reusing the same password?”

Not really. This is basically consolidating the point of failure. If your master password were exposed, all of these passwords would be compromised anyway. It’s not much of an additional risk. Also, the sites listed above all utilize one-way salted hashing. It sounds delicious, but basically means that the site never stores your password itself, only a one-way fingerprint of it, so it’s impossible for anyone to steal your unencrypted password from them.

That said, keep your damn master password secure.

Let’s get to work — this is the fun part

The first thing you’ll probably notice is your dashboard numbers are horrible. That’s because after Dashlane imported all your passwords from your browser of choice, it took a look at your so-called “security” practices and is now laughing at you.

Now, you can click the big buttons at the top of the screen to take care of the biggest wins first (which I recommend even if just to get used to using the application). You can also pick and choose sites from the list that rank low, and click the “change password” link in the right column. This usually opens up a link straight to the user profile page of the site in question, or at the very least, opens a new tab with said site loaded. It’s not perfect, but it does a pretty good job overall.

[Image: confirm-emails]

Password workflow

To get started, open up whatever email clients you most often use. Plenty of sites only have “reset my password” options, so you’ll be getting a handful of emails that you need to click links in. Leaving your email open will drastically speed up this process. Speaking of, I have found the following to work quite well:

  1. Choose a bad password; sort the dashboard by safety level
  2. Change the existing password, save the new one
  3. If you need to re-authorize anything (e.g. mobile apps), do so now

Note: Sometimes a website, for whatever reason, imposes arbitrary restrictions on their password field. This is annoying, but we can get around it quickly: Click the Dashlane browser icon, uncheck “symbols”, regenerate a password, and click “fill” to enter the new password.
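As an added illustration of the generator settings from the configuration step (length 12; digits, letters and symbols) and of the “uncheck symbols” workaround above, here is a small generator with an entropy estimate. This is example code written for this page, not Dashlane’s implementation; the symbol set is an assumption, since the post does not list which symbols the plugin uses.

```python
import math
import secrets
import string

# Character classes matching the three generator toggles described in the post.
# The symbol set is an assumption (Dashlane's actual set is not given on the page).
DIGITS = string.digits
LETTERS = string.ascii_letters
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.?"


def alphabet(digits: bool = True, letters: bool = True, symbols: bool = True) -> str:
    """Concatenate the enabled character classes."""
    parts = [cls for on, cls in ((digits, DIGITS), (letters, LETTERS), (symbols, SYMBOLS)) if on]
    if not parts:
        raise ValueError("at least one character class must be enabled")
    return "".join(parts)


def generate(length: int = 12, digits: bool = True, letters: bool = True, symbols: bool = True) -> str:
    """Draw `length` characters uniformly from the enabled classes using the OS CSPRNG
    (`secrets`, never `random`), re-drawing until every enabled class is present."""
    chars = alphabet(digits, letters, symbols)
    enabled = [cls for on, cls in ((digits, DIGITS), (letters, LETTERS), (symbols, SYMBOLS)) if on]
    while True:
        pw = "".join(secrets.choice(chars) for _ in range(length))
        if all(any(ch in cls for ch in pw) for cls in enabled):
            return pw


def entropy_bits(length: int, digits: bool = True, letters: bool = True, symbols: bool = True) -> float:
    """Entropy of a uniformly random password of this length: length * log2(alphabet size).
    The 'every class present' re-draw above trims this slightly; it is an upper bound."""
    return length * math.log2(len(alphabet(digits, letters, symbols)))


def symbol_free(pw: str) -> bool:
    """True when a password contains none of the symbol characters (site-restriction workaround)."""
    return not any(ch in SYMBOLS for ch in pw)


if __name__ == "__main__":
    print("default 8-char upper/lower/digit :", f"{entropy_bits(8, symbols=False):.1f} bits")
    print("12-char with symbols             :", f"{entropy_bits(12):.1f} bits")
    print("12-char, symbols unchecked       :", f"{entropy_bits(12, symbols=False):.1f} bits")
    print("sample:", generate(12), "| no symbols:", generate(12, symbols=False))
```

Two things worth noticing: dropping symbols for a picky site costs only a few bits, whereas going from 8 to 12 characters adds far more, so length is the setting that matters most; and the password is drawn with `secrets`, because a generator seeded from `random` is reproducible and therefore not a password generator at all.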

As I mentioned above, changing your ten most-used passwords should only take a minute or two each. As you do more, you get better and faster. Make a point to knock out two or three a day, and the entire process becomes comically easy.

Lather, rinse, repeat. Watch those colors go from red to green, and those numbers will keep rising.

If you’ve found the above helpful, enlightening, interesting, or somehow offensive — tell me about it! Please leave a comment or your favorite limerick below.

Coming up in Part 2:

  • Shared passwords that you can’t modify
  • Syncing Dashlane with other devices
  • Removing old and unused passwords
  • Secret questions and answers
  • FTP and shell passwords
  • Master password and Google two-factor authentication