We've made it through the first half of 2024. Congratulations! Also, thank you for sticking with me so far.
Let's dive into the first week of Security Month here in Tidy '24. I want to review basic data security and safety topics since we haven't touched these so far this year. Security in its various forms is an enormous subject in the digital world, and we aren't going to get very deep into it. There are entire training programs, books, courses, etc., that go into great detail. Instead, this month, I want to give you the most accessible recommendations that make the most significant dent in the problem. The 20% effort that provides 80% of the benefit, in other words. First on the agenda is passwords.
Security Week 1: Password Managers
This week, the message is simple. Most of you have heard it before, and many of you also use a password manager already. But for those who don't, there's no time like the present: use a password manager.
Password managers solve a well-known problem: they make it easy to use complex, relatively unbreakable passwords across dozens or even hundreds of accounts without our needing to remember them. The repository of credentials is protected by a combination of factors, usually a single very long (but memorable) password and one or more additional security tokens, such as a unique sequence of words or a special alphanumeric key that you keep in printed form in a safe place. This way, even if someone gains access to your "master" password for the password manager, they can't get into it without the other keys that only you have.
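To make the "master password plus a separately kept key" idea concrete, here is a small added illustration (not any product's actual scheme, and not code from the original post) of how a vault key can be derived so that neither factor alone unlocks anything. The function names, the PBKDF2 iteration count and the sample values are assumptions made for this example.

```python
"""Two-factor vault key derivation: a memorable master password plus a
high-entropy secret key the user keeps offline (e.g. printed and filed).

Illustrative only: this is NOT the key-derivation scheme of 1Password or any
other named product. It shows the principle that an attacker who learns the
master password still cannot open the vault without the second secret.
"""
import hashlib
import hmac
import secrets

# Assumed cost parameter for stretching the human-chosen password.
PBKDF2_ITERATIONS = 600_000


def new_secret_key() -> bytes:
    """Generate the 128-bit secret key once at setup; the user stores it offline."""
    return secrets.token_bytes(16)


def derive_vault_key(master_password: str, secret_key: bytes, salt: bytes,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Combine both factors into one 256-bit key.

    1. Stretch the master password with PBKDF2-HMAC-SHA256 so offline guessing
       of the password is slow.
    2. Mix in the secret key with HMAC so the stretched password alone is
       useless without it (and vice versa).
    The result would be fed to an authenticated cipher to encrypt the vault;
    the encryption step itself is omitted here.
    """
    stretched = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                                    salt, iterations, dklen=32)
    return hmac.new(secret_key, stretched, hashlib.sha256).digest()


def make_verifier(vault_key: bytes) -> bytes:
    """A value stored next to the vault so a wrong key is detected before decrypting."""
    return hmac.new(vault_key, b"vault-key-verifier", hashlib.sha256).digest()


def unlock(master_password: str, secret_key: bytes, salt: bytes, verifier: bytes,
           iterations: int = PBKDF2_ITERATIONS) -> bool:
    """Return True only when BOTH factors reproduce the stored verifier."""
    candidate = derive_vault_key(master_password, secret_key, salt, iterations)
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(make_verifier(candidate), verifier)


if __name__ == "__main__":
    # Constructed sample setup.
    master = "correct horse battery staple"
    key = new_secret_key()
    salt = secrets.token_bytes(16)
    verifier = make_verifier(derive_vault_key(master, key, salt))

    print("both factors:        ", unlock(master, key, salt, verifier))        # True
    print("wrong password:      ", unlock("Password1!", key, salt, verifier))  # False
    print("password, key missing:", unlock(master, bytes(16), salt, verifier))  # False
```

The last line is the interesting one: knowing the master password but not the printed key yields a different vault key, so the verifier check fails and no decryption is attempted.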
Why does using unique, complex passwords matter?
The problem with using the same password across multiple accounts is that data breaches inevitably happen, as you've undoubtedly seen over the past few decades. When that occurs, the exposed combinations of usernames and passwords become available for attackers to try across every imaginable online service (a technique known as credential stuffing). So, if you use the same password for online banking and your Facebook account, both can be taken over, even if only one suffers a data breach.
The other problem is that passwords that seem complex to people are, in fact, not so to computers tasked with guessing them. You might think "frankthepug" is insecure while "fr@nkth3pug!" is not, but they are not terribly different from a computational viewpoint. Such character/symbol substitutions are highly predictable, assuming the user is English-speaking, and password-cracking tools apply exactly those substitutions as rules on top of ordinary dictionary words.
(One of my favorite comics, XKCD by Randall Munroe, has a fun explanation of why our assumptions about password strength are wrong.)
Password managers mitigate both problems by automatically generating long, random passwords with no rhyme or reason, which are the hardest for a computer (or social engineering expert) to crack. All you have to remember is the master password to your manager. Then its browser extension or smartphone app fills in the username and password fields for you.
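The point about "frankthepug" versus "fr@nkth3pug!" is easier to see with numbers, so here is an added example (mine, not from the original post) that estimates the guess space of a password two ways: naively by character set, and the way a cracking tool actually attacks it, as dictionary words plus substitution rules. It then shows the entropy a manager's random generator delivers. The ten-word dictionary, the substitution map and the "each mutation doubles the rule space" heuristic are constructed toy stand-ins; real cracking wordlists and rule sets are vastly larger.

```python
"""Rough guess-space estimates: human-chosen vs. generator-made passwords.

The word list, leet map and mutation heuristic below are tiny constructed
stand-ins for the huge lists and rule sets a real cracking tool carries.
"""
import math
import secrets
import string
from typing import Dict, List, Optional, Tuple

# Constructed toy dictionary (10 words); a real attacker list has millions.
WORDLIST = {"frank", "the", "pug", "password", "dog",
            "cat", "summer", "correct", "horse", "battery"}

# Common substitutions, mapped back to the letter each one stands in for.
LEET_MAP = {"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
            "0": "o", "$": "s", "5": "s", "7": "t"}

# Alphabet a generator draws from: 52 letters + 10 digits + 32 symbols = 94.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def split_suffix(pw: str) -> Tuple[str, str]:
    """Separate a trailing run of digits/symbols ('pug!', 'pug123') from the core."""
    core = pw.rstrip(string.digits + string.punctuation)
    return core, pw[len(core):]


def normalize_core(core: str) -> str:
    """Undo case and leet substitutions: 'fr@nkTh3pug' -> 'frankthepug'."""
    return "".join(LEET_MAP.get(ch, ch) for ch in core.lower())


def segment_words(text: str) -> Optional[List[str]]:
    """Split text into dictionary words (longest match first); None if impossible."""
    if text == "":
        return []
    for cut in range(len(text), 0, -1):
        head, rest = text[:cut], text[cut:]
        if head in WORDLIST:
            tail = segment_words(rest)
            if tail is not None:
                return [head] + tail
    return None


def charset_bits(pw: str) -> float:
    """Naive 'try every character' strength: what the password merely looks like."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += 32
    return len(pw) * math.log2(size) if size else 0.0


def estimate_guesses(pw: str) -> Dict[str, object]:
    """Attacker-side estimate: dictionary words x mangling rules, else brute force."""
    core, suffix = split_suffix(pw)
    normalized = normalize_core(core)
    words = segment_words(normalized) if normalized else None
    if words:
        substitutions = sum(1 for ch in core if ch in LEET_MAP)
        # Heuristic: each substitution or appended symbol roughly doubles the
        # number of rule variants a tool must try. Constructed, not measured.
        mutations = substitutions + len(suffix)
        guesses = len(WORDLIST) ** len(words) * 2 ** mutations
        return {"words": words, "guesses": guesses, "bits": math.log2(guesses)}
    bits = charset_bits(pw)
    return {"words": None, "guesses": 2 ** bits, "bits": bits}


def generate_password(length: int = 20) -> str:
    """What a manager does: uniform random draws from the full alphabet."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def generator_bits(length: int) -> float:
    """Entropy of a generated password: every character is an independent draw."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    for pw in ("frankthepug", "fr@nkth3pug!", generate_password()):
        est = estimate_guesses(pw)
        print(f"{pw!r}: looks like {charset_bits(pw):.0f} bits, "
              f"attacker estimate {est['bits']:.0f} bits, words={est['words']}")
    print(f"20-char generated password: {generator_bits(20):.0f} bits")
```

Against the toy dictionary the two human passwords differ by only a few bits (1,000 versus 8,000 guesses), even though the naive character-set view credits the second one with roughly 70 bits. The generated 20-character password sits above 130 bits, and its strength does not depend on any assumption about the attacker's wordlist.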
There are many password managers to choose from, including those built into common ecosystems (Google, Apple, Microsoft). Personally, I use a third-party tool called 1Password instead because it does exactly what I want and integrates well across all of the platforms I use, and I trust it more than, say, Google. It's not free, but it's also not too expensive for what it does, and I have a family account, so my wife can also use it with both independent and shared sets of passwords.
Here are some password managers you might look into if you don't already have one in mind:
The first three are cloud services with paid plans, while KeePassXC is a free, open-source, offline-first app. It's one of the most popular choices for people who want full control over the entire password-storage process. It's not quite as convenient as many others in some ways, but it is certainly quite usable.
NOTE: LastPass ... Many feel ... disclosing blog posts
The above password managers (and others) also allow you to store other particularly sensitive information, like bank account details, credit card information, driver's license details, software licenses, and even arbitrary text or file attachments like PDFs or images. They're great for digitally safeguarding all that kind of info.
And, for the morbidly minded among us, using a password manager in a family also gives you a dead-simple way (pardon the pun) to share access to important credentials either by keeping the account details in a shared part of the app or by making sure they have access to the offline account recovery details (1Password calls this the "emergency kit"). After all, the last thing you want to have happen in the event of your untimely demise is for your family to be unable to access all the accounts that are involved in managing your household, finances, communications, and so on.
So, what are you waiting for? If you're not already using a password manager, pick one of the above and try it out! Most paid options offer free trials, so you can see how it works without committing any cash. Trust me, it's worth it.
If you have questions, comments, or ideas about password management apps, just hit reply and ask away. I'd love to answer questions or consider new viewpoints.
Happy data-taming!
If you're not already subscribed, make sure to join the weekly newsletter email list with the simple form below. You can also bookmark the Tidy '24 Calendar page for a master list of every currently published Tidy '24 topic.