Sunday, February 16, 2014

7 Steps to Password Safety


Wow! I said to myself. This message, coming from a trusted friend of mine, intrigued the hell out of me. I clicked the link. It was all spam! My friend apologised and said she'd been hacked. "You should change your password," I told her. "Yes, I did, I'm safe now," she replied.

The NEXT DAY she sent out the exact message with the exact same link. Hacked again!

This article was written for her benefit. I sent her a draft and she said, "Yeah, it's not very funny and it doesn't make me want to install password software."

Go figure.

Why My Easy-to-Hack Friend is Idiotic About Passwords

Until a few days ago, my online safety was laughable. Not laughable in a good way, like my joke about Hitler's favourite boy band. Laughable in a bad way, like "You've used the same password on every website you've ever been on" kind of laughable.

My password used to look like this:


Now I have a different one for every site, and they look like this:


Looks hard to guess? Correct. It would take a Commodore 64 over ten trillion years to hack that. By then, the sun will have exploded and killed us all and if there is still a universe of some sort, the only lifeform will be the ghost of French smugness, which is eternal.

Being careless and lazy about passwords is stupid. You're making it easy for people to ruin your reputation, steal your identity, and spend your money.

I knew there was password management software out there. These programs do two things: they generate impossible-to-guess passwords and store them in a database which is more or less unbreakable. Unbreakable even to freedom-hating governments who spy on their citizens.

I've wanted to get a grip on my password situation for a long time, but it seemed like too much work. When I forced myself to sit and do it I found it was easy enough. I showed my girlfriend how to do it and wrote this guide based on that conversation.

7 Steps to Online Peace of Mind

Step 1.
Go to and download the version you need. Jen and I wanted to make our PCs safer, so we started with:

Binary bundle for Windows 2000, XP, Vista and 7

Jen: "This website is ugly."

Step 2.
Once that's installed and launched, you get a somewhat unhelpful screen.

Jen: "Ugh. This is worse than the website. What is this, 1996?"
Me: "Stop moaning. Just click that icon on the left. No! The other left!"

(I'm told the look and feel of the Mac version is much nicer.)

Step 3.
Next you need to choose your master password. This is the most important thing! This is the one password that rules them all.

Jen: "What do I do?"
Me: "Choose an awesome password. Don't let me see. You know, in case they torture me."
Jen: "I'm bad at passwords. All my passwords have the word Unicorn in."
Me: "All right, I'll choose one for you. I'm changing the vowels into numbers and making sure there's a mix of upper and lower case. Okay. Memorise this."


Jen: "You're such a child."

Step 4.
Start building your database.

Me: "Log in to Amazon."
Jen: "Done."
Me: "Okay, go to the password change bit."
Jen: "Right."
Me: "You need to know your current password to change it."
Jen: "It's PinkUnicorn2."
Me: "Sigh. So let's generate a new one. Go to the Keepass thing. Choose Entries, then Add New Entry."
Jen: "Waah! It looks complicated. Let's quit and watch Deal or No Deal."
Andrew: "Stop being a baby. Click the generate button. You can use the eye button above it to show the password."

Jen: "Jesus. This is even worse than the one before. What's all this stuff?"
Me: "It's all about how complicated you want the password to be. Just click generate."

Jen (eyes boggling unattractively): "24 characters long?"
Me: "The longer the better."
Jen: "Giggle."
Me: "Some websites have limits on how long it can be, which is beyond stupid. And some don't like special characters. Amazon likes safe passwords, so just copy and paste that new password onto their website."
Jen: "It says it's changed."
Me: "Ace. Now fill in the rest of the Keepass form. Click ok."

Jen: "Done."
Me: "Log out of Amazon. Go back to the login screen."
Jen: "Wait! I don't remember the new password."
Me: "Don't stress. Right-click on the Keepass screen where it says Amazon."

Jen: "Oh... That's clever. I get it now."

Without further prompting, she used the Ctrl+C function to copy the 24-character password and Ctrl+V to paste it into Amazon. When her browser asked if she wanted to save the new password, she said no.

Jen: "So I have to load this Keepass thing every time I want to use Amazon?"
Me: "Yes."
Jen: "Well, it's a little bit more work, but not much. It's just ten seconds, really, isn't it? It's probably worth it."
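
What the generate button and the website limits in this step come down to, shown as an added example that is not part of the original post and is not KeePass's own code. The function names, the set of special characters and the 12-character site cap are assumptions made for the illustration.

```python
import math
import secrets
import string

# Character classes, similar in spirit to the tick boxes in a generator dialog.
# The exact set of special characters is an assumption for this example.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "special": "!#$%&()*+,-./:;<=>?@[]^_{|}~",
}

def generate(length=24, use=("lower", "upper", "digits", "special"), max_len=None):
    """Return a random password built with the operating system's CSPRNG.

    max_len models a website that caps password length (hypothetical policy).
    """
    if max_len is not None:
        length = min(length, max_len)
    if length < len(use):
        raise ValueError("length too short to include every requested class")
    alphabet = "".join(CLASSES[c] for c in use)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        # Resample until every requested class appears, so rules such as
        # "must contain a digit" are satisfied.
        if all(any(ch in CLASSES[c] for ch in pw) for c in use):
            return pw

def entropy_bits(length, use):
    """Upper bound on the password's entropy: length * log2(alphabet size)."""
    size = sum(len(CLASSES[c]) for c in use)
    return length * math.log2(size)

if __name__ == "__main__":
    everything = tuple(CLASSES)
    alnum = ("lower", "upper", "digits")
    # 24 characters from all classes versus a site that allows only
    # 12 letters and digits (constructed policy).
    print(generate(), round(entropy_bits(24, everything)), "bits")
    print(generate(use=alnum, max_len=12), round(entropy_bits(12, alnum)), "bits")
```

Halving the length halves the bits, while dropping special characters costs only about half a bit per character, which is why a length cap hurts far more than a ban on special characters.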

Step 5.
Keep building your database of new passwords, but don't let your browser store them.

For a couple of days, every time I went to a website with a login, I changed the password and added it to my database.

For a lot of those, I let the browser store the new password, because now that each password is different, I don't see the point of adding inconvenience to my life. The ones stored under 'money' - including the many, many charity websites I donate to - I keep more secure.

Me: "You're using Firefox, which is as unsafe as all the other browsers. Do you want to see something terrifying? Go to the 'settings' panel and find the passwords section. Good. Now click the 'show passwords' thing. Now I can see all the passwords you've used from all the websites you've been on. Jesus, you weren't joking about the Unicorn thing!"
Jen: "This is bullshit! Anyone could get all these passwords in, like, a minute!"
Me: "Yep. But not when you switch them over to the Keepass database. Just make sure you don't let the browser store important passwords."

Step 6.
Make a backup of the database. You could put it on a USB stick, or on your phone. For iPhone users, go to the App Store and get MiniKeePass, for free.

Done? When you plug your phone into your PC and iTunes opens, go to the App bit where it shows all the apps you've got on your phone. Scroll down and you'll see something like this:

From there, use the Add... button to locate the database you made.

Jen: "I can't find the database! Danger zone!"
Me: "It's just because you haven't saved it yet."
Jen: "Oh, right. Good point. What filename should I give it?"
Me: "JensPasswords or whatever. No big deal."

Once you've synced your phone to iTunes, open the MiniKeePass app on the phone. You'll see your database there, just like on your PC. Use your code to unlock it. When you click on Amazon and on Password, it automatically copies it, so you can paste it into the app or website. But mostly this is just a backup.

Step 7.
You are now safe. Completely and utterly safe. So you can go ahead and be complacent.

Jen: "You don't need this bit, do you? This is just because you want 7 points instead of 6. I'm right, aren't I? Aren't I?"

Relationship-saving disclaimer: While Jen accepts the need to present her as being computer illiterate for the purpose of entertainment and education, she would like me to point out that she is amazing at computers and technology, visited Xerox PARC before Steve Jobs, and can type at over 15 words per minute.

