3DSC Day 8: Change Your Passwords


Last week we primarily worked on securing your local computer.  Yesterday we focused on installing a local password manager.  Today our view will expand outward.  On this, the eighth day of the Thirty-Day Security Challenge I will challenge you to change your passwords on your online accounts.  Don’t rush in and try to change them all at once though – that could be a recipe for disaster.  Instead, try to change your passwords during your normal logins.  Time to check your Gmail account? About to settle in for some Netflix?  Getting ready to order that new book on Amazon?  Take an extra couple of minutes and change those passwords.   Your Dropbox account can wait until tomorrow when you will be logging into Dropbox, anyway.

When changing your passwords you should definitely pay attention to the qualitative aspect of the new ones.  All of your passwords should be:

  1. Unique.  Don’t use the same password on any two accounts.  Each account gets its own password – this is critical to good online account security.  This is much more important than even the quality of your passwords.  No ifs, ands, or buts.  This way if one account is hacked it won’t affect any of the others.  Mat Honan is an excellent example of why using the same password on multiple accounts is a bad idea.
  2. Long.  Use the maximum allowable length.  Google accounts allow you to use up to a 99-character password.  Your password manager does all the work and you’ll never enter it manually, so what do you care?  Max it out!
  3. Randomly generated.  Human-designed passwords are terrible, in the vast, overwhelming majority of cases.  We just have a hard time reliably generating truly complex strings of letters, numbers, and special characters.  Don’t try to make one up.  Instead let the password manager do the work and generate one for you.

The password manager you installed yesterday will be fairly critical to this task.  Without it you won’t be able to generate passwords meeting the above criteria…and if you do, you won’t be able to remember them.  Add each one as a new entry to your password manager when you change it.
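As an added example (not code from the original post or from any password manager), the following Python script puts the three rules above into practice: it generates passwords from the standard library's `secrets` module at the 99-character maximum the post cites, estimates how much entropy that buys, and scans a constructed list of account/password pairs (standing in for a password-manager export) for reuse, rotating every duplicate so each account ends up with its own password. The character set, the default length and the sample accounts are assumptions.

```python
import math
import secrets
import string

# Character classes the generator draws from. The punctuation subset is an
# assumption: a set most web forms accept, with quotes, backslash and
# whitespace left out because some sites reject them.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{}:;,.?"
ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def generate_password(length: int = 99) -> str:
    """Return a random password of `length` characters from ALPHABET.

    Uses the secrets module (the operating system's CSPRNG), never random.
    Re-draws until every character class is present so the result also
    satisfies the usual 'must contain a digit and a symbol' site rules;
    at 99 characters that almost always succeeds on the first draw.
    """
    if length < 4:
        raise ValueError("need at least 4 characters to cover every class")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c in LOWER for c in pw) and any(c in UPPER for c in pw)
                and any(c in DIGITS for c in pw) and any(c in SYMBOLS for c in pw)):
            return pw


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def find_reused_passwords(vault):
    """vault is a list of (account, password) pairs standing in for a
    password-manager export. Returns {password: [accounts]} for every
    password that appears on more than one account (the 'unique' rule)."""
    by_password = {}
    for account, pw in vault:
        by_password.setdefault(pw, []).append(account)
    return {pw: accts for pw, accts in by_password.items() if len(accts) > 1}


def rotate_reused(vault, length: int = 99):
    """Return a copy of vault where every reused password is replaced by a
    freshly generated one, so no two accounts share a password afterwards.
    Accounts that already had a unique password are left untouched."""
    reused = find_reused_passwords(vault)
    seen = {pw for _, pw in vault if pw not in reused}
    rotated = []
    for account, pw in vault:
        if pw in reused:
            new_pw = generate_password(length)
            while new_pw in seen:  # collision is astronomically unlikely, but keep uniqueness strict
                new_pw = generate_password(length)
            seen.add(new_pw)
            rotated.append((account, new_pw))
        else:
            rotated.append((account, pw))
    return rotated


# Constructed sample export: two accounts share one human-made password.
SAMPLE_VAULT = [
    ("gmail", "Summer2015!"),
    ("netflix", "Summer2015!"),
    ("amazon", "c7Q$mz2&Lp9!"),
]

if __name__ == "__main__":
    print("reused:", find_reused_passwords(SAMPLE_VAULT))
    for account, pw in rotate_reused(SAMPLE_VAULT):
        print(f"{account}: {len(pw)} chars, ~{entropy_bits(len(pw)):.0f} bits")
```

Two design points worth noting: `secrets.choice` is used rather than `random.choice` because the latter is seeded from a predictable state and is not meant for secrets, and the reuse check keys on the password itself, which is exactly the audit a password manager can run for you over its own entries once everything lives in it.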

This will be a carry-over task that won’t be finished in a day (unless you really work at it).  If you only change your passwords at your normal logins the process will be slower but it will also be more manageable.  By this time next week I bet that the majority of your accounts have been changed, and by the end of this month all of your accounts should have new passwords.

7 thoughts on “3DSC Day 8: Change Your Passwords”

  1. quick couple of questions…

    If you use a password manager on your main laptop and use it to change all your passwords, how do you address these issues…

    1.) What happens if you need to access your account when you don’t have access to your laptop, say if you lost your computer or it was stolen or just not with you? Do you just have to go through and do the lost passwords on all your accounts?

    2.) Also, can you download the free KeePassX on 2 separate computer (mine and my wife’s) and still be able to get both managers to give the same password to the same account? That’s the other issue I see using a password manager…if my wife tries to access say the bank account on her computer instead of mine…or do we just have to bite the bullet and buy a password manager that you can download onto multiple computers.

    Thanks for the article on Mat. I had no idea how easy it was to hack an account. Also, thanks for this monthly challenge, it has been awesome so far!

    God bless,
    Jeremiah

    1. Jeremiah:

      Thanks! Yeah, the article on Mat is a little older but sadly this still happens on a daily basis. Now on to your questions:

      1. This issue is serious, and no – I would not recommend going through the password recovery mechanism for all accounts. I strongly recommend having a backup of all your files, including your KeePass database. If you are using a cloud-based manager like LastPass this is not a concern because your database is in the cloud, but then you have a lot of other concerns, like LP being hacked. We will talk about encryption later but you should encrypt a USB flash drive, SD card, external hard drive, etc., and store a backup of all sensitive files on it. Your KeePass database will be in .kdb or .kdbx format. Find that file, copy it to your external media or cloud backup, and you’re good.

      2. Yes, you can use the same database on two computers. You just have to install KeePassX on both machines and transfer the database via removable media from one to the other (or use something like Mac’s AirDrop). The only issue would be if one of you changed a password or added a new account. It wouldn’t update in both versions, so you will want to implement some sort of version control (i.e. “we only change passwords and open new accounts on this machine, then we update the database on the other one”).

      I will mention LastPass again: I don’t like cloud storage but their security is incredibly good and it is hard to deny the convenience of their system. LastPass has been the victim of some (mostly unsuccessful) hacks and they are very responsive and responsible in their handling of such attacks. If you need to sync across more than two or three devices this is probably the way I’d go, and at $12/year it isn’t unreasonable.

      I hope that helps – please let me know if it doesn’t or if you need clarification, and thanks again!

      Justin

  2. Hi Justin,

    Thanks for the quick response! I am obviously very new to this whole idea of a password manager, so these answers help immensely! My project over the next day or two is to try to set this up and get it on both of our computers!
    I will look into LastPass as well! I agree $12/year isn’t that much at all in the whole scheme of things, but I do share your same concerns about “the cloud” in general.

    Thanks again!
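Justin's reply above describes the one real hazard of copying a KeePassX database between two machines: an entry changed on one copy does not appear in the other, so the household needs some rule for which copy is authoritative. As an added example (not code from the post, from KeePassX or from any password manager), the Python below models that merge: each copy is a dict of account to entry with a constructed last-modified timestamp, the newer entry wins, and the only case a script cannot decide safely, both copies changing the same account at the same time, is reported for a human to resolve. The entry layout and sample data are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    """One password-manager record. `modified` is a constructed
    last-changed timestamp (seconds since epoch)."""
    account: str
    password: str
    modified: int


def merge_vaults(local, remote):
    """Merge two copies of the same database, each a dict account -> Entry.

    Rule: an account present in only one copy is kept; where both copies
    have it, the more recently modified entry wins. If both copies changed
    the same account to different passwords with the same timestamp there is
    no safe automatic answer, so the account is reported as a conflict and
    the local entry is kept for a human to review.
    Returns (merged_dict, sorted_conflict_list).
    """
    merged, conflicts = {}, []
    for account in sorted(local.keys() | remote.keys()):
        a, b = local.get(account), remote.get(account)
        if a is None or b is None:
            merged[account] = a if a is not None else b
        elif a.password == b.password or a.modified != b.modified:
            merged[account] = a if a.modified >= b.modified else b
        else:
            conflicts.append(account)
            merged[account] = a
    return merged, conflicts


# Constructed sample: the two copies drifted after the last sync.
MINE = {
    "gmail":  Entry("gmail",  "old-gmail-pw",   modified=100),
    "bank":   Entry("bank",   "bank-pw-v1",     modified=200),
    "amazon": Entry("amazon", "amazon-on-mine", modified=300),
}
SPOUSE = {
    "bank":    Entry("bank",    "bank-pw-v2",     modified=250),  # changed on her machine, newer
    "netflix": Entry("netflix", "netflix-pw",     modified=150),  # added only on her machine
    "amazon":  Entry("amazon",  "amazon-on-hers", modified=300),  # both changed, same stamp: conflict
}

if __name__ == "__main__":
    merged, conflicts = merge_vaults(MINE, SPOUSE)
    for e in merged.values():
        print(e.account, e.password)
    print("needs a human decision:", conflicts)
```

The reply's "only change passwords on this machine" rule is the simplest way to guarantee the conflict branch never fires; the merge above is what you would want if that rule slips, and it is a good reason to keep the dated backup copy Justin recommends before overwriting either database.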
