“A journey of a thousand miles begins with a single step.” Dao De Jing.
So what are the next steps? If you already have a password manager you’re comfortable with, use unique, strong, randomly generated passwords for every account, and use 2FA wherever it’s offered, congratulations! There is little more to do. If not, here are the steps to follow. I assume you are new to password management and are starting from scratch.
- Choose either Bitwarden or NordPass and create a Premium account on their website. The annual cost will be less than a Venti Lavender Oatmilk Latte, with a croissant, for you and your significant other. Make sure your password is strong, easy to remember, and easy to type. If there’s any risk of forgetting the password, write it down (without identifying the purpose), put it in a sealed envelope, and leave it with a friend, in your safe deposit box, or unobtrusively among your other papers. If you lose the password, the product provider can’t help you recover it.
- Download the password manager app to all the devices you commonly use: desktops, laptops, tablets and phones. Check out new user guides and tutorials on the website. Take the app for a test drive. Enter one account (with userid and password) and make sure it synchronizes across your devices. Note that you need to be connected to the Internet to add or edit passwords in your password manager. This ensures your devices stay synchronized.
- Download and install browser extensions for the password manager on all your devices. If you store the URL for an account in the password manager (e.g., “https://www.amazon.com/”), the browser extension will autofill your userid and password when you access that site. Note that the URL field may be labelled URI. Bitwarden and NordPass work a little differently, but it’s easy to learn. Check this capability using the account created in the step above.
- Transition all your passwords into the password manager. Depending on where you have them now, this could take some time. If you have them electronically, it’s likely you can import your passwords into the password manager. If they’re on paper, you need to type them in. Save the old copies until the passwords are changed or verified in a subsequent step.
- Generate reports provided by the password manager that identify weak, compromised or duplicate passwords. It’s likely you have all three. Don’t panic. Take one step at a time. Note that some “weak” passwords, such as the PIN to order a movie on Amazon Prime, are likely okay.
- Starting with your more sensitive accounts—financial, healthcare, insurance—replace the weak and compromised passwords for those accounts (on their websites), with strong randomly generated passwords, storing the new passwords in your password manager. Caution: the site will require both the old and new passwords to make a change. Copy and briefly save the old password before you replace it in your password manager with a new, generated password. Save the new password in your password manager before you change it on the website. This suggestion comes from experience.
- Once you’ve replaced weak, compromised and duplicate passwords, verify or strengthen the remainder by accessing the account website. This ensures you have a complete and accurate password database in your password manager. Consider strengthening the password for any account that holds your credit card. Shopping sites are an example.
- As you replace or verify your passwords for each account, capture the website URL in the password manager. This enables autofill of your userid and password when accessing the site.
- Make a backup copy of your password database either on an encrypted external drive or on a virtual encrypted disk on your internal drive. The password for the encrypted disk can be the same as that for your password manager. If it’s different, write it down and put the password in a safe place.
- Delete all copies of your passwords outside of your password manager. In particular, delete any passwords stored in your web browser. The process to do this varies by browser. A web search should lead you to instructions for your browser.
- If you have sensitive accounts that support TOTP two-factor authentication, set it up either in Bitwarden, if you’re using it, or in Authy. The Authy site can back up your authentication database. I recommend you take advantage of this.
- For extra credit, use the Card and Secure Note item types to store information for everything in your wallet. You can even store pictures of the front and back of the cards. This can come in very handy if your wallet is lost or stolen. For instance, the 800 number to call if your credit card is lost or stolen is likely different for each card, even if they’re issued by the same bank. Should you lose your wallet, heaven forfend, having the number to call in your password manager on your phone will be quite handy.
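Two of the steps above, the weak/compromised/duplicate report and replacing flagged passwords with strong randomly generated ones, are worth seeing in code. What follows is an added example, not code from the original post and not Bitwarden’s or NordPass’s own implementation: a small Python script that runs the same three checks those reports perform over a constructed sample vault export, then generates a replacement password from the operating system’s cryptographic random source. The vault entries, the breached-password set and the thresholds (`MIN_LENGTH`, `MIN_ENTROPY_BITS`) are assumptions made for this example; a real “compromised” check would query a breach corpus rather than a local set.

```python
import math
import secrets
import string
from collections import defaultdict

# Constructed sample vault, shaped like a minimal password-manager export
# (name, username, password). None of these are real accounts or passwords.
VAULT = [
    {"name": "bank",      "username": "alice",             "password": "Summer2019!"},
    {"name": "email",     "username": "alice@example.com", "password": "Summer2019!"},
    {"name": "shop",      "username": "alice",             "password": "password123"},
    {"name": "work-vpn",  "username": "alice",             "password": "q7%Lz#9vR2!kPm4$Wd8e"},
    {"name": "prime-pin", "username": "alice",             "password": "4821"},
]

# Constructed stand-in for a breached-password list. Real managers check a
# breach corpus (typically via a k-anonymity range lookup); a local set keeps
# this example offline.
BREACHED = {"password123", "123456", "qwerty"}

MIN_LENGTH = 12          # policy thresholds chosen for this example
MIN_ENTROPY_BITS = 60.0

# Character classes and the size of the alphabet each one contributes.
CLASSES = (
    (string.ascii_lowercase, 26),
    (string.ascii_uppercase, 26),
    (string.digits, 10),
    (string.punctuation, 32),
)


def charset_size(pw: str) -> int:
    """Size of the smallest standard alphabet covering every class the password uses."""
    return sum(size for chars, size in CLASSES if any(c in chars for c in pw))


def estimated_entropy_bits(pw: str) -> float:
    """Upper bound on entropy, assuming each character was drawn uniformly from
    the covering alphabet. Human-chosen passwords have far less; treat this as
    a length-and-variety heuristic, not a crack-resistance guarantee."""
    n = charset_size(pw)
    return len(pw) * math.log2(n) if n else 0.0


def is_weak(pw: str) -> bool:
    return len(pw) < MIN_LENGTH or estimated_entropy_bits(pw) < MIN_ENTROPY_BITS


def audit(vault, breached):
    """Return {entry name: [issues]} for entries that are compromised, weak or
    reused across accounts. Clean entries are omitted."""
    reuse = defaultdict(list)            # password -> names of entries using it
    for entry in vault:
        reuse[entry["password"]].append(entry["name"])
    findings = {}
    for entry in vault:
        pw, name = entry["password"], entry["name"]
        issues = []
        if pw in breached:
            issues.append("compromised")
        if is_weak(pw):
            issues.append("weak")
        if len(reuse[pw]) > 1:
            issues.append("duplicate")
        if issues:
            findings[name] = issues
    return findings


ALPHABET = "".join(chars for chars, _ in CLASSES)
FULL_CHARSET = sum(size for _, size in CLASSES)   # 94


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG (secrets, never the random module),
    rejecting draws that miss a character class so the result passes the audit."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if charset_size(pw) == FULL_CHARSET and not is_weak(pw):
            return pw


if __name__ == "__main__":
    for name, issues in audit(VAULT, BREACHED).items():
        print(f"{name:10s} {', '.join(issues)}")
    print("replacement:", generate_password())
```

Run as-is, the audit flags the reused “Summer2019!” on both the bank and email entries, the shop entry as both compromised and weak, and the four-digit Prime PIN as weak, which matches the post’s point that some “weak” findings are acceptable once you know what the account protects. The entropy figure is only an upper bound, so a password like “Summer2019!” can score over 70 bits and still be a poor choice; that is why the length check and the breach check run alongside it.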
Wow, that was a lot. The good news is that you only need to do this once. And once you accomplish this, your privacy and security posture greatly improves.
Alice and Bob both use Bitwarden for password management and, being appropriately paranoid, religiously practice good password management. Alice purchased the Premium version and installed Bitwarden on her PC, MacBook and iPhone, which synchronized her password database across all three devices and the Bitwarden cloud. She installed browser extensions for the web browsers on all her devices and created an external backup on her Apricorn Aegis Padlock drive.
Bob installed the free version of Bitwarden on his PC. I mentioned his eccentric backup strategy in a prior post.
In the next post, I will discuss measures you can take to avoid getting scammed.
Information provided in this post is subject to the disclaimer in the first post of this series.