I’ve read a ton of articles about password safety. I’ve even written a few of my own that talk about everything from how to create a safe password to how to create a formula that makes it easy to remember a very complex password that changes for each site you use it on. Each week you’ll see articles with new opinions on passwords, often suggesting that maybe they aren’t as safe as we thought, and that maybe even the long, complex ones aren’t quite safe. The fact is that given enough time, any password can be cracked—it just might take a couple thousand years or so. In any case, a strong password is something you’re better off having, as long as you don’t write it down.
Over the course of my life, I’ve accumulated loads of passwords. Some sites these days won’t even let you see what’s on the main page until you create account (I’m staring at you, Twitter), which means you’ve got to come up with a name and a password. If you’re following best practices, each password for each site should be strong and unique to that specific site. At first, I wrote them all down in a book I kept safe and locked away, even though I knew full well that writing any password down is a bad idea, but really, how else can you remember them all? Eventually, I wrote the article on how to create formulas. Hoping to practice what I preach, I came up with my own formula that allows me to use a secure password that’s unique and secure across the board.
The formula worked perfectly for new passwords I needed to create, but I still had the problem of all the old passwords I had written down. It was tough to find time to go through and change all of my passwords, so I decided I would slowly change to my formulaic version whenever I needed to visit each website. Eventually, I changed all of the ones I used most often, but then I started getting lazy. I decided I didn’t want to type in passwords each time I went to a site. And who can blame me? It takes like ten whole seconds! To remedy this, I decided to use the password management utility LastPass.
LastPass keeps all of your passwords inside of a cloud-based “vault” that is controlled by one master password. Since it’s crucial that you don’t forget your master password, I wrote mine down somewhere safe (along with all the others that hadn’t been switched to the formula) just in case I forgot it.
Everything was going fine for a while. All I had to do was type in my credentials to each site one more time and LastPass would remember it after that. LastPass will even remember your password from the moment you create a new account, and can even generate a super-secure password for you. Once it’s all set up, you can login to any site with one click, assuming you’re on the computer you initially used to set up LastPass, or one that’s equipped with the plugin. Since LastPass remembered everything for me, I started to think the formula no longer mattered. Eventually I had some passwords that followed my formula, some I never changed to begin with, some I let LastPass create for me, and some I just spewed out of my imagination. Luckily, none of that mattered because LastPass took care of everything. Until something awful happened.
For a few days I couldn’t find my notebook with the passwords. The notebook had all the passwords that had never been converted to the formula, but what’s worse is that it had my master password in it, which controls LastPass, which contains every single one of my personal passwords. Since I didn’t know if I simply lost my notebook, or whether somebody snatched it, I had no way of knowing whether somebody was about to gain access to every account I have for every website, all from having just one single password! Shouldn’t I know better than to have one point of failure by now?
Wait wait, this really couldn’t be that big of a deal, could it? Couldn’t I just change my LastPass password and be ok? Well, sure, but I forgot the stupid password—that’s why I wrote it down, remember? Since I never had to type it in after I created it (it was also a turbo-secure password, being the master password and all), I totally forgot it. LastPass has no password recovery tool for master passwords. It’s all up to you to remember it or you can’t change anything. In the end, I had to delete my entire LastPass account just to be safe—I couldn’t risk someone getting in. But deleting the account was the easy part.
Remember when we wondered who had time to change all of those passwords? Well, guess who has two thumbs and was forced to find time to change them all? Me. Since some of these accounts have credit card info (Amazon, Paypal, eBay, etc.), I had to change them immediately. This meant I had to inventory all of the sites I use and change every single password one by one. This time, I strictly adhered to my formula in order to keep everything standardized and so I could actually remember the dang passwords without writing any down. Now my passwords only exist inside of my brain where nobody can get them without torturing me like in a scene from Zero Dark Thirty.
So what’s the moral of this giant boring password story? Get a plan, stick to it, and don’t try to cut corners to save time or you’ll wind up wasting more than you can even imagine. It’s not so tough, really. Use your formula, and don’t write sensitive information down, unless you’re ready to seal it in a safe or physical vault or Fort Knox. I bet I could walk around my office and find at least one password written on a sticky note. It seems totally basic, but don’t write passwords down unless you want to risk somebody finding and using them.
If you do decide to use a password utility like LastPass (after my experience, I wouldn’t recommend it, but you’re probably not the careless idiot I am), be extremely careful not to forget your master password, and be sure you know that if somebody somehow gets that password, they’ve got access to everything. We know that having one point of failure means you’re asking for trouble, so it might be best to avoid using these utilities and just rely on your memory—it’s easy once you’ve got your formula set in stone.