I was one of the many performers who were about to open a show when the State of California prohibited gatherings of more than 50 people. Since that time, we’ve been ordered to “stay safer at home” and “shelter in place.” Because of these restrictions, many of our theatre, dance, and music companies have had to postpone or outright cancel performance schedules for the foreseeable future.
In thinking about what we could do to help, it struck me how much “free time” I now have in the evenings. I imagine a number of you are in the same situation. It seems like a good time to dust off that old “to-do list” and see what steps we can take as individuals or organizations to strengthen our digital platforms.
Fair warning…this is not about marketing. I’ll leave that to Michaela and Courtney. This will be a multi-part article about how to do some technical ‘spring cleaning’ in your digital life, such as:
- managing your accounts and passwords
- updating websites, from small fixes to large ones
- cleaning up your email services
- leveling up your skills
This week we’ll talk about managing your passwords because this is a really, really big deal. Please…don’t think of these tips as comprehensive advice but as the beginning of your journey towards a more secure digital life.
First of all, let’s repeat some commonly known high-level warnings about password management:
- never use family/friends names, dates or phone numbers
- never keep a password in use for longer than 9 months or so
- never reuse a password
“It has to be easy for me to remember it.”
Every security expert will tell you that using a single dictionary word for a password is a terrible idea and using personal information is a close second. First off, hackers will simply start by running through a dictionary to see if your password is there. Then they’ll start adding numbers to it and swapping letters for common numbers and then symbols. With the automated tools they have, this process doesn’t take long.
Using personal information, like family names, birth dates or phone numbers, is also a bad idea because it is easily guessed. Think about how much personal information you post to your own social media accounts. How much of that is related to any password you have? Then remember that companies like Facebook and Google collect and trade information about you daily, without you even being aware of it. Then they bundle and sell that data to other companies, many of whom put it online. Just enter your name into Google and see how many pages show personal information. I bet you’ll be surprised by the volume.
“But I’ve used this password since college!”
There are differing opinions on whether it’s better to hold on to passwords for a long time or not. Those differences usually revolve around the tendency of users to reuse their passwords in part or in whole. So what should you do? Personally, I think it’s much better to change your password every 9 months or so. Why? The longer you use the same password, the more susceptible it is to being part of a data breach.
Wikipedia lists 37 data breaches globally since the start of 2019 alone! Approximately 7 billion records were breached and the data covered at least 19 years in one case. So if you have passwords on any sites that you haven’t changed within the last year, change them. Now. We’ll wait…
“I’ll just switch them between accounts every so often.”
Reusing passwords across various accounts, or even in a rotation on the same account, is another practice you should quickly abandon.
A 2019 report by the Ponemon Institute showed that 51% of people reuse the same five passwords across their business and personal accounts. That same report showed that 56% of respondents had experienced a phishing attack. So while it may make it easier to remember, reusing a password puts more than just a single account at risk if any of those attacks are successful.
Have you been a part of one of these data breaches? You can check by going to haveibeenpwned.com and entering your email address. This will tell you if your account was compromised in a breach. They’ll show you which breach your account was involved in, the approximate date, and what data was compromised. If you find your account is included, it’s definitely time to change that password.
“Ok smarty, what should I do then?”
My suggestion to handle all of these issues is to get yourself a good, strong password manager. These applications can work across devices and platforms, and simplify the creation and secure retention of all your passwords.
The basic idea is that you create a master password to open the program and then, from within the program, you’ll manage all your other passwords. You’ll generate new passwords for accounts, save those, update old ones and, in some cases, even get notified when your password needs to be changed due to a data breach or its age.
For example, when generating a new password, you can generally decide if you want it to be in words or alpha-numeric characters, the length, and whether or not to use special characters. You can also edit the generated password prior to saving it. This randomization helps security immensely. In addition, since the manager is remembering all your passwords, and you only have to remember the one, you can make the complexity of each password far higher than you might normally. Just make sure that one master password is strong and gets changed every 9 months as well.
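To make the "words or alpha-numeric, length, special characters" options concrete, here is an added example of what a generator behind those options does; it is written for this article and is not the code of any password manager named here. The 25-word list is a constructed stand-in (a real list has thousands of words; the EFF long list has 7776), and the `entropy_bits` figures show why the length of that list matters as much as the number of words.

```python
import math
import secrets
import string

# Constructed stand-in word list so the example runs offline.
WORDS = [
    "amber", "bishop", "candle", "dune", "ember", "falcon", "garnet",
    "harbor", "ivory", "juniper", "kettle", "lantern", "meadow", "nickel",
    "orchid", "pebble", "quartz", "ripple", "saddle", "timber", "umbra",
    "velvet", "willow", "yonder", "zephyr",
]
SPECIALS = "!@#$%^&*()-_=+[]{};:,.?/"


def alphabet(use_specials: bool) -> str:
    """Character pool for the alphanumeric mode."""
    pool = string.ascii_letters + string.digits
    return pool + SPECIALS if use_specials else pool


def entropy_bits(pool_size: int, picks: int) -> float:
    """Bits of entropy for `picks` independent uniform draws from a pool."""
    return picks * math.log2(pool_size)


def generate_characters(length: int = 20, use_specials: bool = True) -> str:
    """Alphanumeric (plus optional symbols) password from the OS CSPRNG.

    secrets.choice is the right tool; random.choice is seeded from
    predictable state and must never be used for credentials.
    """
    if length < 12:
        raise ValueError("use at least 12 characters")
    pool = alphabet(use_specials)
    while True:
        pw = "".join(secrets.choice(pool) for _ in range(length))
        # Redraw if a character class is missing, so the result also passes
        # the usual "must contain upper, lower, digit, symbol" site rules.
        classes = [any(c.islower() for c in pw), any(c.isupper() for c in pw),
                   any(c.isdigit() for c in pw)]
        if use_specials:
            classes.append(any(c in SPECIALS for c in pw))
        if all(classes):
            return pw


def generate_words(count: int = 5, separator: str = "-") -> str:
    """Word-based passphrase: easier to type, as strong as the list is long."""
    if count < 4:
        raise ValueError("use at least 4 words")
    return separator.join(secrets.choice(WORDS) for _ in range(count))


if __name__ == "__main__":
    pw = generate_characters(20, use_specials=True)
    print(pw, f"~{entropy_bits(len(alphabet(True)), 20):.0f} bits")
    phrase = generate_words(5)
    # Five words from this 25-word list give only ~23 bits; the same five
    # words from a 7776-word list give ~65 bits.
    print(phrase, f"~{entropy_bits(len(WORDS), 5):.0f} bits (tiny list)",
          f"~{entropy_bits(7776, 5):.0f} bits (7776-word list)")
```

The redraw loop in `generate_characters` trims a fraction of a bit from the stated entropy, which is a fine trade for passing the composition rules most sites enforce.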
With a password manager you can store thousands of logins or other information, such as credit card or bank account numbers, identity information or simple notes. You can secure any information that you think is valuable enough to be locked down.
All of these items are encrypted on your local machine and the data files can be saved to the cloud if you want to use them across all your devices. Most of the providers also have their own clouds now so you could simply use that and skip the local version if you choose.
Some people worry about the security of leaving this information in the cloud. Rightly so, in my opinion. Like many online services, it’s a trade-off between your security/privacy and convenience. But ask yourself what you’re doing right now to protect this information. Do you have a spreadsheet with passwords on Google Drive or in Dropbox? Do you even have a written list? Are you one of those people cycling through the same 4 or 5 you’ve been using for years?
Think of it this way: a password manager’s whole business is based on your trust in them to secure your passwords. You can expect them to have plenty of safeguards in place and they should be able to explain them to you easily. Second, as I mentioned earlier, Google and Facebook are already tracking you and your actions all over the internet, simply because you’re using their ‘free’ services as a convenience. In fact, you’re being spied on by Facebook when you use apps that have an agreement to provide them data even if you don’t have a Facebook account, and companies like Ring send data about you to Facebook and others.
A number of password managers also provide browser extensions that allow you to login or fill out web forms using your secured info. I think that’s a much safer option than saving all that information in your browser itself and it’s a really nice feature.
Another great feature that you’ll find in many of these programs is the ability to notify you if a password needs to be changed due to its age or because it was part of a known data breach. Some of the developers have integrated with haveibeenpwned.com to provide that information as part of their application. They may prompt you to change those passwords or simply put them on a list of compromised passwords and let you get to it when you will. You should look for the model you prefer.
There are a ton of password managers available, and I would suggest you ask friends and colleagues if they use one and if so, which one. To jumpstart your research, here are four that I particularly like in alphabetical order:
Each of these applications has the features I’ve been writing about and would be a great choice. Most of them have a free tier but they’re usually limited in their capabilities. They have monthly and annual subscription services that you can get for individuals, families, small businesses or enterprises. These can be extremely reasonable and certainly the peace of mind you’ll get is worth a couple bucks a month.
One thing to mention for any techie-DIYers out there, BitWarden is Open Source Software (OSS) so in addition to using their Mac/iOS/Android clients for free, you can download and host your own BitWarden server, if you really are concerned about security and don’t mind getting your hands dirty.
So that’s the first thing I would do with some of my available time. Anecdotally, this article came out of an LA STAGE Chat I gave a few days ago. The day after that chat a very technically capable friend who had joined us said he’d gotten one of the password managers, it had identified numerous accounts that had been breached and he’d updated a bunch of his passwords. I’m almost embarrassed at how happy I was to hear that.
Little things, done daily, can make a big difference. What’s stopping you from taking these small steps to better secure your digital life?
My next article will discuss websites and steps we can take, both little and not-so-little, to make those better.
To watch Mark’s full LA STAGE Chat, check it out here!