On this hardly-known but highly-important World Password Day (https://www.passwordday.org/), let’s discuss my password manager of choice, LastPass, and why you should use it (or one of its competitors), too! I know, I know…how unsexy is the password!? But, the risk is too great for you to ignore today, so here’s how to get started with one now.
To start, here’s a little history of how passwords came to be the frustrating string of characters you must type to log into everything. First recognized occurring in ancient Rome, the military use of passwords (then called watchwords) are considered a security tool for managing fortifications, passed around on wooden tablets between officers up the chain of command.
Fast-forward to the early 1970s, Robert Morris, computer scientist and cryptographer, is attributed as the progenitor of the digital password, which allowed a password to be encrypted on the Unix operating system at the time. Simplistically, his method takes your email password, “password” (you know who you are!), and transmogrifies it into something like “5e884898da28047151d0e56f8dc6292773603d0d6aabbdd62a11ef721d1542d8”. Wild, right?
And finally to today, we use passwords to log into everything from websites to laptops and mobile devices, as well as make payments at the grocery/online store or ATM (using your debit card and PIN, or credit card (which embeds a password within the physical data chip on the card)).
Why Use a Password Manager
Passwords are both a blessing and curse. We need them to help keep us secure. But, most people don’t have proper passwords, or password management. In deference to convenience, they’re often far less secure than they can be. Further, as business owners, your security informs your entire company’s safety and stability, along with all the data you hold about your clients, customers, vendors, colleagues, and employees.
An aside about usernames and email addresses…
I explain to every business owner I meet about cybersecurity, that all your passwords are not all your passwords. In a way, your usernames are a kind of password, too. Every time you use your email address to create a new account on a website, you are, in essence, tying your identity of that website to your email account. Setting aside the password you create, each time your email address is used, it increases the value of your email account that controls all of the websites to which your username is the email address you use (for you and for cybercriminals).
For sites that use your email address as the username, beyond more vigilant email security, the only choice is to create different email addresses to segment your risk. You might have the following email addresses to spread out your “real” email account’s footprint among other, lesser accounts:
- [email protected] for all your Social Media profiles,
- [email protected] to log into your bank, accounting/bookkeeping/invoicing/payroll and other financial accounts, and
- [email protected] for any promotional signups that will add you to an email newsletter, and so on.
It stands to reason that [email protected] will be floating around the Internet in databases that are far less secure than your [email protected] email address. Using this logic, compromise of, say, your [email protected] email account would be an inconvenience, but not catastrophic to your business operations as it would be for [email protected]
Further, for sites that allow you to create a username on the platform (aside from Social Media sites, where your username is public and should be consistent and used for branding purposes), your username is another password, in effect. By creating different usernames for each service, if your password is compromised because a cybercriminal gained access to one email account, they could not quickly and automatically use the same username to overtake all of your accounts that share a similar email address to issue a password reset. Sometimes, it’s not only about keeping a cybercriminal or malware out, but also slowing it down in pursuit of accessing more of your business’s digital world.
…and now back to password managers
Security professionals all over the world are trying to doom the password. They’re writing new protocols and developing new tools to make the password obsolete. Governments are writing new laws that are implementing new security rules around passwords for companies taking payments. Some are claiming that it’s the death of the password because of these regulations, but that’s been happening for decades. And, cybercriminals and hostile foreign agents (here’s looking at your North Korea) are working diligently to circumvent the security provisioning of all of this. To say the least, akin to checks and credit cards, passwords are not going away anytime soon. As business owners, we need to care, but we also need to focus on operating and marketing our businesses! So, what are we to do?
How to Use a Password Manager, Using LastPass as an Example
Enter the password manager, LastPass. I have no material interest in the company, but I use them for all of my companies and in my personal life to manage my passwords. It is a password management software, that does a variety of functions, that are beneficial to your business productivity and cybersecurity:
- At its most basic, it saves your passwords so you can relax about remembering simple, insecure passwords and, instead, have complex, unique and secure passwords for every service that you never need to remember. You need to remember one long, complex password that gives you access to them all (and this should be the last password you need to remember).
- LastPass can generate secure passwords for you, of different lengths and permutations to match the limitations of sites that may or may not allow a particular length or certain characters (such as [email protected]#$%^&*:”;’ and other strange characters on your keyboard also).
- It audits your passwords to make sure you have at least different passwords for every software, service or website in your account.
- I can appoint a death beneficiary access to my LastPass account so he or she will be to gain access to my business and personal digital passwords all in one place.
- You can export passwords to others in case you sell your business. And, with LastPass Premium or Business, you can share and keep synchronized passwords for your business with staff, contracts, consultants, vendors, and clients.
The Bad of Password Managers
- Adding all of your accounts’ usernames and passwords into any password manager is a slog. Take time to add a few passwords per day, and over the course of six months, you will likely have all of your passwords in the system. A good part, is that LastPass’s browser add-on identifies when you put in a username/password and if it doesn’t have it in its database, asks if you would like to add it.
- This is my biggest gripe with password managers, they can be so buggy and unintuitive! Sometimes, the pop-up to autofill the password doesn’t appear on mobile, so you need to open the mobile app and synchronize your database, then go back to the app or website you want to log in. Sometimes the save functionality doesn’t launch so you must manually open it to add a new username/password. The interfaces on desktop, browser and mobile are getting better with each passing version of these tools, but they all still have a ways to go.
- With greater security comes greater loss of convenience. Every day or so, I have to log into LastPass from one of my devices, so it can authenticate me. It has made me keenly aware of what my LastPass password is, so it’s good that I won’t forget it. (I’ve printed and saved my LastPass password and other backup codes elsewhere for safekeeping.)
The Good of Password Managers
Even with all of the frustrations above, password managers are still beneficial for being able to:
- Remember ancillary information about passwords I can never remember. For example, to log into one of my banks, I always have to remember a specific image, plus answer several private questions. Of course, I make this stuff up because I don’t want financial institutions to know my grandmother’s maiden name or my favorite movie. To keep track of which image is the right one and the legitimate fake answers to these private questions, I simply annotate the login details in LastPass so I can answer them correctly and get into my business bank account. The added benefit is that if a cybercriminal does gain access to my real grandmother’s maiden name, they won’t be able to log into my business bank account!
- The password manager is available almost everywhere I need it to be, meaning in addition to software for desktop, browser-based add-ons, and mobile (for logging into websites and mobile applications), it has a website portal in which I can safely log into from anywhere with Internet access.
Getting Started With LastPass
- Sign up for the LastPass service (free or premium).
- Choose a long password that incorporates words, numbers and special characters for your LastPass account. Remember, it’s a password you will need to memorize and use often, so perhaps it’s a favorite music chorus line, quotation from your favorite book/speech, or a random family member’s full name with numbers and special characters where spaces would go.
- Save this somewhere securely in two places (someplace you carry with you, like a wallet, and someplace you store sensitive information (physical or digital, but make sure it’s really safe to store this password there).
- This account creation process includes making all parties who have access to your business’s digital systems, to also create LastPass accounts also. This may include family, staff members, independent contractors, and other stakeholders.
- Install the desktop (Windows and/or Mac), browser add-ons (Chrome, Firefox, Safari, Edge, Opera), and on your mobile devices (iOS and Android).
- In the LastPass website portal, create folders for each area of your business (e.g., marketing, social media, finances, legal, human resources, etc.).
- Next, visit your top 10 most commonly-visited websites (just check your browser history to see) for your business, and then log out and log back in while logged into the LastPass browser add-on. It will detect you logging in and ask you to save those passwords to LastPass. If these 10 top sites of yours share a password, now is the time to change them to unique passwords of different lengths with LastPass. (Even better, change the usernames to be different, too.)
- Make a list of other important sites you visit and log into with less frequency (i.e., once a week, monthly, quarterly or yearly). Every day of the week, pick one or two of those sites to visit while logged into LastPass and login so that LastPass will save it to your account.
- Finally, go into your browser(s) settings and turn off the built-in, insecure password-saving functionality. Your browser is not where you should store passwords.
If LastPass is not right for you, for whatever reason, there are alternatives such as 1Password, DashLane, KeePass, Keeper, and EnPass. In the case of KeePass and EnPass, they’re both open-source software.
And, if you want to really up the ante on your password security, consider implementing two-factor authentication / multi-factor authentication on your most important website and email accounts, including using LastPass for Google / G Suite, Microsoft Office 365, and many other services.
I know it may seem esoteric to talk passwords, but World Password Day reminds us to take this time to make our businesses a little more cyber-resilient, which means you’ll be more likely to be in business next year on World Password Day! And, I’d like that for you, your clients, and your employees.
That’s it! You’ve won the day, this World Password Day! You’re all set to start taking advantage of the power and security of a password manager. Let me know if you have any questions on your password management journey in the comments, via the live chat or contact page!