Marriott. Exactis. Under Armour. The list of online breaches marches on. You can’t prevent corporations from bungling security and leaking your data. But taking extra care with your logins can minimize the damage. Some best practices are obvious: For instance, you shouldn’t use the same username and password for multiple sites, lest hackers who break into one account gain access to the others. And if you don’t store information–such as credit card numbers–in the first place, it can’t be breached.
However, the advice of security pros–such as to create lengthy, gobbledygook passwords–can seem a path to madness. Over the holidays I logged in to my Amazon Prime Video account to watch shows on an Apple TV at a vacation rental. Pecking out my exemplary password “JjV7h?cJ6o” with a remote control and onscreen keyboard was infuriating.
Then there’s the growing security trend of two-factor authentication (2FA). In addition to a username and password, you need to enter a temporary code–usually sent to your phone as a text message. But what happens if you lose your phone or it’s stolen?
With the right tips and tools, however, you can ensure reasonably secure logins with just a reasonable amount of effort. These three steps require some upfront work, but they pay off by reducing both security risks and daily hassles.
Generate and store logins with a password manager
It’s impossible to recall the dozens–perhaps hundreds–of unique passwords you need to stay secure. Fortunately, plenty of apps can help by generating strong passwords, storing them, and filling them in automatically on websites and in apps–using browser plugins and integration with Android and iOS. You need to remember only a master password to unlock the app.
Password managers can also fill in tedious online forms with lots of other data: names, addresses, credit card numbers, and more. This is a much safer time-saver than allowing each e-commerce site to store payment data, where it can be swiped by hackers in a breach.
Password manager apps typically sync through the cloud across devices, so you can log in to sites from your phone as well as a tablet or computer. You don’t lose all your logins if you lose a device. And unlike the password-management features built into operating systems and browsers, they work with all your gadgets regardless of what app or platform you’re using at the moment.
The selection of apps has exploded in recent years. Two of the best are Dashlane and LastPass.
Dashlane is the Ferrari of such apps, commanding a $60 annual subscription. It stores an unlimited number of passwords, synced across an unlimited number of devices–with apps for Android, iOS, Apple Watch, Windows and Mac, plus plug-ins for all major browsers. (A free version is limited to 50 passwords stored on one device.) Dashlane monitors up to five email addresses and checks them against a third-party database of known security breaches. It also evaluates how strong all your passwords are and can auto-log in to sites to update the weak ones, in bulk (a feature included in the free version).
The best justification of the cost is the integrated Virtual Private Network (VPN) service, which encrypts your internet connection to protect from hackers on public Wi-Fi networks, as well as from snooping internet service providers or governments. Purchased as a stand-alone service, a multi-device, unlimited-bandwidth VPN service can cost from about $35 to $150 per year.
LastPass is the bargain champ. The paid version runs $36 per year, but the free option offers all that most people will need: unlimited passwords synced across unlimited devices. It provides apps for Android, iOS, and MacOS, a fully functional web-based version of the app, and plug-ins for all major browsers on Windows, MacOS, and Linux. Like Dashlane, LastPass also fills in forms and stores encrypted notes and documents–like credit card and passport details.
The main benefits of the paid version are nice-to-haves such as priority tech support, sharing passwords with other LastPass users, and designating someone with emergency access to your account.
Keep some passwords relatively simple
Even with passwords backed up to the cloud, you may not be able to recover them immediately if you lose your phone or computer. That was the takeaway when I recently left my phone in a cab in Paris, with the ringer off, the night before I was to fly out.
I tried logging in to Uber’s site from a friend’s phone to contact the driver, but I didn’t know my password. Uber offered to send me a password reset email, but I didn’t know the password for my email, either. (I finally called my roommate, nine time zones away, and asked her to log in to the password manager on my computer at home.)
The whole experience would have been less of a hassle if I could have at least logged in to my email without access to my password manager. So make sure you can remember the logins for a few key accounts, beginning with email. And if, say, you frequently log in to Netflix or Hulu from hotel TVs, you might want to make those passwords a bit more straightforward, too.
Without racking your brain, you can come up with a password much more secure than Kanye West’s infamous “000000.” The standard advice (and increasingly the requirement) is to create a password more than eight characters long, with a mix of letters, numbers, and symbols. That’s fine if you use a program to generate it, but for those few passwords you need to remember, there’s a much easier way.
Pick a phrase in plain English (or whatever language you prefer) that is uncommon but easy for you to remember. Perhaps it’s funny, or brings back a pleasant memory. When I asked security experts for advice, they pointed me to an installment of the web comic XKCD, which proposed the silly phrase “correcthorsebatterystaple.” At 26 characters long, it’s absurdly difficult for password-cracking software to guess, but it’s easy to remember.
For good measure, you might add some memorable letters (maybe the year of some event) and punctuation marks–more to satisfy websites that insist on these than to add any more needed security. Say, for instance, “correcthorsebatterystapple92!” (Obviously, these published phrases are no longer good to use; the XKCD cartoon is so well known that some online services reportedly don’t allow anyone to choose “correcthorsebatterystaple” as a password.)
Before you craft your passwords, take a look at Dashlane’s study of the worst password mistakes people make.
Use a mobile authenticator app
Nearly every major site and online service now supports two-factor authentication (2FA). (A site called Two Factor Auth provides an extensive list of those that do.)
By default, services send text message codes that you enter to confirm your identity when logging in. This has several drawbacks, though. Aside from the problem of what to do if you’ve lost your phone, it’s also possible for people to take over your phone number through a SIM-card switch. With a bit of your personal information, they can impersonate you, buy a new phone (or just a new SIM card) from your mobile carrier, and have your number transferred to them. This even happened to the Federal Trade Commission’s chief technologist, Lorrie Cranor, in 2016.
Nearly every major site and online service allows you to substitute a code-generating mobile app for the text message option, choosing from a gaggle of free authenticator apps.
Do this on a device other than your phone, because in the next step the site displays a QR code that you scan with the authenticator app. That passes a copy of a shared secret key to the app on your phone. (Otherwise, you have to enter the long string of characters manually.) Both the site and the app use this key to generate identical 2FA codes–typically six digits long.
Apps tend to generate a new code every 30 seconds, but they actually remain valid for several minutes, so don’t panic if you are a slow typist. Entering the app-generated code into the website form confirms your identity. Even on the off chance that a thief has your login info, a password or biometric lock (such as Apple’s Touch ID or Face ID) on both the phone and the authenticator app should prevent them from generating a code to break in.
Many sites and apps make the process even easier by offering push notification authentication. When you log in to a website, you’ll get an alert on the authenticator app. Simply press a button on the app to confirm your identity, no typing of codes required.
To avoid the lost-phone peril, get an app that keeps a copy of your private key in the cloud and makes it easy to access from multiple devices. Authy is one of the slickest of these authenticators, featuring cloud-synced apps for Android, iOS, Windows, and MacOS. (LastPass’s Authenticator app has apps for Android, iOS, and Windows mobiles, with backups to the cloud, but no desktop component.)
Dashlane incorporates a code generator (even in the free version), allowing you to use one app for both passwords and 2FA (as well as VPN) on all the platforms it supports. Multi-platform password manager app 1Password ($35 per year) also generates authentication codes.
Unless you’re a geek, you probably don’t relish spending an afternoon, and some money, to remake your mobile and online security setup. But security is something we have to deal with on a daily basis, and these steps will make the process much easier, and safer, going forward.
This article has been updated with LastPass’s new subscription price.