Dealing with passwords is about as pleasant as cleaning sewers or filing taxes. But it is just as important.
I hate telling people to eat their vegetables, even virtual ones. Still, if you don’t have strong, unique passwords for every online account, it’s time to dig deeper. Don’t wait until someone has stolen your identity or erased your bank account.
You’ve probably heard of password managers. They may seem complicated, but setting one up doesn’t have to be painful. These services remember all your passwords and can generate new strong passwords. When you open a login page in a web browser, and even in many apps, the manager will automatically fill in what you need to access your account. Some even comb the web to alert you if any of your information appears in a security breach.
A significant change at one of the most popular managers, LastPass, is why I have passwords on my mind again. On March 16, LastPass Free users will need to upgrade to the service’s premium plan, typically $36 a year, but currently offered for $27 a year, if they want to continue syncing passwords across their devices. While I am a fan of LastPass, their free plan is no longer a good option.
The best password managers work on as many platforms as possible, which is why we generally recommend standalone services rather than the password protectors built into browsers and operating systems. I tested the most popular ones, looking for strong security, extensive options, and ease of use. Here is what I found:
• Easiest to use: 1Password ($35.88 a year for individuals, $59.88 for families of up to five) has an easy-to-use design and multiple layers of security built in at a good price. 1Password does not have a free tier; we think security is worth paying for. “Free software almost always involves compromises,” said a 1Password spokesperson. “We can focus our efforts on developing new ways to defend your data rather than collecting or exploiting it.”
As with other password managers, you can organize passwords into different collections: one for personal accounts, one for work, and one for shared family logins. The travel mode is exclusive to the service: it is for people who need to hide confidential information when traveling to countries where they fear that their phone will be searched.
Dashlane ($59.99 a year for individuals, $89.99 for families of up to five) is also easy to use and is a good option if you are interested in additional features such as a built-in VPN (also known as a virtual private network) for accessing the internet more securely and a dark web monitoring service that is on the lookout for hackers who may have your credentials.
I ultimately opted for 1Password, because of the price. (I also thought that Dashlane’s Mac Safari browser extension, now in beta, was buggy. A Dashlane spokeswoman said the team is working on a fix.)
• The best service with emergency access: It’s a tie between Dashlane and LastPass Premium ($36 a year for individuals, $48 for families of up to six). Both allow you to grant access to your vault to a trusted contact if you die or are incapacitated. Features like this are important because our lives are so tied to our digital accounts, as my colleague Joanna recently covered. If something happens to you, your designee can request access to your vault. You can set a specific delay period between three hours and 30 days, during which you can deny that access if you are able to.
LastPass Premium isn’t quite as fancy as Dashlane, but it’s a very capable password manager, also with dark web monitoring, plus a gigabyte of encrypted file storage (and a nice Safari browser extension). If you use Safari and don’t need the VPN, choose LastPass.
1Password considers this type of emergency access a security threat. In a forum post, a company employee explained that a domestic abuser could hold a victim against their will in order to get into a password vault. He suggests keeping a hard copy of your secret key code and master password in a safe or with your attorney.
• Best free option: Bitwarden has a fully featured free plan for individuals and two-person businesses that syncs an unlimited number of passwords across all devices. The service has many key basics: end-to-end encryption, a strong password generator, two-factor login, and apps for every desktop, browser, and mobile operating system, plus access via the web.
A premium membership ($10 a year for individuals, $40 for families of up to six) is required for the bells and whistles, such as a report of exposed passwords and enhanced login protection.
“We are a for-profit company, but it is completely harmonious and compatible for us to offer a basic administrator for free,” said Michael Crandell, CEO of Bitwarden. Many users who start out with the free plan eventually decide to upgrade, he added.
Once you’ve chosen a password manager, you can manually add all of your old passwords. If you store passwords in your computer’s Chrome browser, you can export them and then import them into your new password manager. (Apple doesn’t have a similar password export option.) If you are switching from one password manager to another, exporting passwords is usually an option as well.
Password managers will improve your digital life. But whether you get one or not, there are four simple password protection rules you should know.
Rule No. 1: Don’t just rely on passwords.
Use two-factor authentication, also known as 2FA, whenever possible. This requires an additional code or a validation sent to another device.
In general, turning on 2FA is better than not having it at all. But if you have a choice, use an authenticator app (I like Authy) instead of a plain text message. It works when you don’t have cellular reception and is not susceptible to SIM hijacking, where a hacker, targeting someone with a valuable account, scams that person’s phone number away from the wireless service provider. You can call your provider and add an access code to your wireless account for added security.
Rule No. 2: Create long passwords.
The term “password” should be retired. The new thing is the passphrase. “Password length is more important than complexity, because a longer password is more difficult to crack,” said Jameeka Green Aaron, director of information security at customer authentication company Auth0.
For example, the “Raccoon Doorknob Spacecraft” passphrase would take centuries to crack, according to Bitwarden’s free password security testing tool. Meanwhile, according to the same tool, a 12-character string, with uppercase and lowercase letters, symbols and numbers, could take an attacker just three years to crack. Most password managers allow you to set the length of automatically generated passwords.
Rule No. 3: Make it unique.
Whatever you do, don’t reuse passwords. It’s the most common way to hack accounts, Aaron said. If hackers find out that your password is used in one place, they test it in other places. This is where password managers come in. Use them to create strong unique passwords and store them for all your accounts.
Rule No. 4: Have a backup plan for your backup plan.
The key to your password manager is a master password, along with a device to authenticate your login. A good password manager does not know what your master password is and cannot help you recover your account.
So to be a good password parent, you need to think worst-case scenario: What if you lose the device your two-factor authentication codes are sent to? What if you forget your master password?
Authy syncs authentication codes across multiple devices (for example, your phone and your iPad), which helps if you lose one. Setting a physical security key, such as YubiKey, as an additional authenticator is another protection measure. When it comes to remembering your master password, the best solution is low-tech: write it down on a piece of paper and keep it with your other most important documents. It is safer in the physical world than in the digital one.
Write to Nicole Nguyen at [email protected]
Copyright © 2020 Dow Jones & Company, Inc. All rights reserved.