Four realistic steps to upgrade your online security


This article is a preview of The Tech Friend newsletter.

The entire system of online passwords is dumb and broken.

Demanding that you create hundreds of unique, complicated passwords is error-prone, insecure and annoying. Most of the advice you hear about passwords — including from technology journalists like me — is unmanageable, scolding and sometimes outdated.

I have tips for better password practices, including if you’re dealing with a recent breach of a password vault called LastPass. Know that perfection is unrealistic. Your goal is to make a small improvement within today’s stupid password reality.

I also want you to have this long-term mission in mind: Passwords must die.

There is hope. Just in the past few months, iPhones, Android phones and popular web browsers incorporated technology that is starting to let you securely access your online accounts with no password. Instead, your phone, fingerprint or face is proof that you are you.

Technologists have been promising a password-less future for a long time. This won’t happen soon. But we need to move past the password.

In the meantime, you are a security star if you take just one of these steps:

Aim for longer password phrases rather than shorter passwords

To create the best password, try to pick something that is at least 16 characters. The more characters, the more time hackers need to guess your password. Don’t worry so much about having symbols, capital letters and numbers.

Many security experts recommend using memorable phrases as passwords, with a twist. If you like nursery rhymes, try the password, “L1ttleMi$sMuffetSatOnATuffet,” with a number and symbol replacing a couple of letters. Or mush together four words into nonsense like “TumblerElbowMerinoWoodpecker.”

Not every online account lets you set up passphrases like that, because of requirements derived from obsolete government security guidelines.

Again, the basic problem is you’re set up to fail. You know you’re not supposed to create easy-to-guess passwords like “RedSox04” or reuse your passwords on multiple sites. But no human can invent and remember unique, complex passwords for all our accounts.

Try to prioritize by creating strong passwords or pass phrases for your most important accounts such as email, financial accounts and password managers. (More on them in a minute.)
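To put numbers behind "more characters means more guessing time," here is a small calculator, added for this newsletter as an illustration and not something from the article's sources. It counts bits of search space for a password picked at random from a character set, and for a passphrase of words picked at random from a public word list (the 7,776-word size is the common Diceware list; the attacker is assumed to know the list). The guessing rate is a constructed assumption; it is the kind of figure used to compare policies, not a measurement of any real attacker. One caveat the calculator makes visible: it only credits randomness. A famous rhyme with a couple of substitutions is far weaker than its length suggests, which is why the four-words option should be four words you chose at random, not a phrase people already know.

```go
package main

import (
	"fmt"
	"math"
	"sort"
)

// guessesPerSecond is a constructed assumption for a fast offline attack
// against a weak hash. Against a slow password hash or a rate-limited login
// form the real rate is many orders of magnitude lower.
const guessesPerSecond = 1e11

// charsetBits is log2 of the search space for `length` characters drawn
// uniformly at random from an alphabet of `alphabetSize` symbols.
func charsetBits(length, alphabetSize int) float64 {
	return float64(length) * math.Log2(float64(alphabetSize))
}

// wordlistBits is log2 of the search space for `words` words drawn uniformly
// at random from a public list of `listSize` entries. The list is assumed
// known to the attacker; only the random choice counts as secret.
func wordlistBits(words, listSize int) float64 {
	return float64(words) * math.Log2(float64(listSize))
}

// yearsToExhaust is the time to try every candidate at the assumed rate.
// The expected time to hit one particular password is half of this.
func yearsToExhaust(bits float64) float64 {
	return math.Pow(2, bits) / guessesPerSecond / (365.25 * 24 * 3600)
}

type policy struct {
	name string
	bits float64
}

// policies returns a few constructed password policies, weakest first, so the
// "length beats symbols" point can be read straight off the table.
func policies() []policy {
	ps := []policy{
		{"8 random chars, all 95 printable ASCII symbols", charsetBits(8, 95)},
		{"16 random lowercase letters, no symbols", charsetBits(16, 26)},
		{"4 random words from a 7,776-word list", wordlistBits(4, 7776)},
		{"6 random words from a 7,776-word list", wordlistBits(6, 7776)},
	}
	sort.Slice(ps, func(i, j int) bool { return ps[i].bits < ps[j].bits })
	return ps
}

func main() {
	for _, p := range policies() {
		fmt.Printf("%-48s %6.1f bits  ~%.3g years to exhaust\n",
			p.name, p.bits, yearsToExhaust(p.bits))
	}
}
```

The table shows that 16 plain lowercase letters (about 75 bits) outrank 8 characters that use every symbol on the keyboard (about 53 bits), and that four random words land close to the 8-symbol password while six random words pull ahead of both.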

Consider two-step authentication on your important accounts

Adding a second step to log into your accounts — such as a one-time code that is texted to you — protects you in case crooks steal your password or you’re tricked into handing it over.

This is common online security advice that most people do not take. Don’t blame yourself. It takes work and not all online accounts let you use two-factor authentication. (This website lets you look up the options for websites and apps you use.) And two-step authentication is a necessary Band-Aid on a broken password system.

Again, if you can manage it, your security is significantly improved if you add a second step to log into your important accounts like email, social media and your bank accounts.

Using a dedicated app for one-time codes like Authy, Microsoft Authenticator or Google Authenticator is more secure than receiving codes by text. But don’t get too hung up on how you do two-factor authentication.

Use a password manager if you can

There’s a reason my colleagues have repeatedly recommended password managers. Services like 1Password and Dashlane generate strong passwords on each of your accounts, store them safely and fill them in automatically when you’re on websites and apps.

You save a single password to your password vault, and these services save the rest.

Password managers aren’t foolproof. I’d also rather scrub my bathtub than set them up. But they are a smart investment in your online security.

I have used Dashlane for years, and while it’s not cheap — I pay about $65 a year — I find it dramatically improves my online experience and is well worth the peace of mind.

As a backup to memorizing my Dashlane pass phrase, I have it written down on two slips of paper, one that I keep in my desk drawer and another in my wallet.

If you’re thinking, what if a thief steals my wallet and has access to all my passwords? Nothing is zero risk, but what I’m doing is probably far more secure than most people’s passwords. Don’t let perfect be the enemy of good.

Read more advice on how to get started with a password manager or alternatives like saving all your passwords in a notebook. That’s good, too! (Some of these tips are outdated, but the basics still stand.)

LastPass, one of the better-known password management services, recently disclosed an alarming security breach.

The company said hackers stole copies of usernames and passwords. LastPass told customers that they’re probably safe because essential information including passwords was scrambled, which makes it harder for the crooks to make sense of what they stole.

Chester Wisniewski, an internet security researcher with the firm Sophos, told me that there have been so many red flags with LastPass that he recommended users consider switching to an alternative.

Wisniewski said he feels confident in password managers 1Password, Bitwarden and Dashlane. Those three companies have features to move passwords from LastPass to them.

I asked LastPass representatives to respond to Wisniewski’s advice. They pointed me to the company’s recent blog post.

Wisniewski also said that sticking with LastPass might still be a good option for you. An alternative like using your child’s name as your password on accounts is less secure.

The future you want: No passwords

Have I mentioned that the system of passwords is dumb and unsafe and you can only do so much to protect yourself in this broken system? Yes?

Okay, here is where things start to get hopeful.

Some companies, including Microsoft, Best Buy and PayPal, have started to give you the option of setting up your account with no password.

This isn’t totally novel. Some apps ask if you want to log in with just your thumbprint or face scan — but you still have a password somewhere. Now imagine you use your phone or other device, thumbprint or face scan as the sole way you log in anywhere you access your accounts.

This password-less system, which the technology industry is calling “passkey,” is not yet as easy or foolproof as it should be. It’s getting there.

Passwords will be with us for years. Change is hard, even if we’re switching away from a dumb password system. But security experts said that this year and in 2024, you will start seeing more options to access online accounts by proving your identity with a phone or another device rather than a password.

“The breakthrough moment is here,” said Sam Srinivas, a Google executive who oversees online security and passkey projects.

Srinivas and other security experts told me this method, which uses standard cryptography, is more secure than the password systems in use today. Hackers can’t steal or guess passwords or trick you into giving them away if there are no passwords at all. And even better, it’s simpler to access your accounts with just your phone, finger or face.
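The "standard cryptography" behind a passkey is a public-key signature: your device keeps a private key it never reveals, the site keeps only the matching public key, and logging in means signing a fresh random challenge from the site. The Go sketch below is an added toy model written for this piece, not a real passkey (FIDO/WebAuthn) implementation and not code from Google, Microsoft or anyone quoted here; the site name example.com, the device and site types and the user name are constructed. It shows the two properties the experts are describing: a stolen site database holds nothing a crook can log in with, and a lookalike domain gets no usable signature because the key is bound to the site it was created for.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// site stores only the public half of each user's passkey, so a breach of
// this map gives an attacker nothing that can be replayed as a login.
type site struct {
	rpID  string // the domain the keys are bound to (constructed example)
	users map[string]ed25519.PublicKey
}

func newSite(rpID string) *site {
	return &site{rpID: rpID, users: map[string]ed25519.PublicKey{}}
}

// device (phone or security key) holds the private halves, one per site.
// A real authenticator only releases a signature after a fingerprint, face
// or PIN unlock; that user-presence step is omitted from this toy.
type device struct {
	keys map[string]ed25519.PrivateKey
}

func newDevice() *device {
	return &device{keys: map[string]ed25519.PrivateKey{}}
}

// register creates a fresh key pair for this site and hands the site only
// the public key. The private key never leaves the device.
func (d *device) register(s *site, user string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	d.keys[s.rpID] = priv
	s.users[user] = pub
	return nil
}

// assertion is the device's login answer: a signature over the site's
// challenge and the origin the browser actually connected to.
type assertion struct {
	origin string
	sig    []byte
}

// signedMessage binds the challenge to the origin so a signature made for
// one site cannot be presented to another.
func signedMessage(origin string, challenge []byte) []byte {
	msg := append([]byte(origin), 0)
	return append(msg, challenge...)
}

// sign is called by the browser with the real origin. The device has keys
// only for sites it registered with, so a lookalike domain gets nothing.
func (d *device) sign(origin string, challenge []byte) (assertion, bool) {
	priv, ok := d.keys[origin]
	if !ok {
		return assertion{}, false
	}
	return assertion{origin: origin, sig: ed25519.Sign(priv, signedMessage(origin, challenge))}, true
}

// login is the full exchange: fresh random challenge from the site, an
// assertion from the device, and verification with the stored public key.
func login(s *site, d *device, user, browserOrigin string) bool {
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return false
	}
	a, ok := d.sign(browserOrigin, challenge)
	if !ok {
		return false
	}
	pub, known := s.users[user]
	if !known || a.origin != s.rpID {
		return false // unknown user, or a signature made for a different site
	}
	return ed25519.Verify(pub, signedMessage(s.rpID, challenge), a.sig)
}

func main() {
	s := newSite("example.com") // constructed example domain
	d := newDevice()
	if err := d.register(s, "alice"); err != nil {
		panic(err)
	}
	fmt.Println("genuine site:", login(s, d, "alice", "example.com"))     // true
	fmt.Println("lookalike site:", login(s, d, "alice", "examp1e.com"))   // false
	fmt.Println("device without key:", login(s, newDevice(), "alice", "example.com")) // false
}
```

Two things are worth reading off the model. First, nothing the user knows is typed anywhere, so there is no secret to phish; the site learns a one-use signature, not a reusable password. Second, the challenge is random each time, so a recorded assertion cannot be replayed later. What the sketch does not show is the user-verification step and the browser's enforcement of the origin, which is where real passkey implementations carry the security weight.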

Microsoft for about a year has let people choose to access accounts such as Outlook email without a password. The company told me that about half a million people have chosen to remove passwords from their Microsoft accounts and log in another way.

I will say that a password-less login didn’t work perfectly for me with Microsoft. Baby steps. If your accounts give you an option of the password-less login called passkey, definitely try it.

I usually roll my eyes when I hear that magical technology will fix a broken existing technology. In this case, yeah, passkey might be the magic fix.

You can make yourself safer within the dumb password system we have today. But it’s even better to end the tyranny of passwords forever.

After speaking to online security experts for this piece, I realized that I could make a couple of changes to improve my password practices, too.

With the help of Dashlane, I made longer passwords to my Google account and my financial accounts. I also replaced the 10-character Dashlane password with a 20-character pass phrase of four mushed-together words.

I have known for a long time that I needed to make a stronger Dashlane password. I just didn’t do it. Give yourself a break. Everyone can benefit from a small security improvement or two, and it’s never too late to start.
