How to manage and protect your passwords in the post-Heartbleed era

Security threats have been in the news quite a bit lately, whether because a user’s information has been compromised or because it could be. The latest, the Heartbleed web security flaw, has nearly everyone recommending that you update all of your online passwords.
[Image: LastPass Heartbleed checker]
With this particular security threat, however, you need to check first that the web site you are accessing has actually been fixed. LastPass, the makers of a password management service, have created a LastPass Heartbleed checker that you can use to see whether the site whose password you are about to change has been updated. Changing your password before the site has been updated will still leave you vulnerable, because the new password can be exposed in exactly the same way as the old one.
But even if there isn’t a clear and present threat, the Department of Defense has recommended that passwords should be updated at least once a year. Universities like MIT also recommend the same frequency for changing online passwords. So going through your accounts and updating all of your online passwords is a good idea anyway, even though it often takes a big security scare to remind us.
As you go through the process of changing your passwords, here are some tips that will help make you a bit more secure:

Choose a strong password

If you use a password that is easy for you to remember, chances are it is not a strong password. The strength of a password comes down to how hard it is to guess, or to recover by brute force: an attacker with a computer trying every candidate in turn.
The US-CERT team, a division of the Department of Homeland Security, has come up with some good recommendations when it comes to choosing and protecting passwords:

  • Don’t use passwords that are based on personal information that can be easily accessed or guessed.
  • Don’t use words that can be found in any dictionary of any language.
  • Develop a mnemonic for remembering complex passwords.
  • Use both lowercase and capital letters.
  • Use a combination of letters, numbers, and special characters.
  • Use pass-phrases when you can.
  • Use different passwords on different systems.

Your best bet, however, is to just use Wolfram Alpha to generate a strong password for you. These randomly generated, strong passwords can be set up with different properties, like allowing mixed-case letters, numbers, and even special characters. You can specify the password length, and I would recommend setting it to the maximum length supported by each online service you use. Wolfram Alpha also has you covered if you want to check the strength of an existing password.
[Image: Wolfram Alpha password strength]
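To make the relationship between randomness, character set and length concrete, here is an added example (not from the original article, and not how Wolfram Alpha works internally) that generates a password with the properties described above and estimates how long a brute-force search would take. The guess rate is a constructed assumption used only to illustrate the scaling.

```python
import math
import secrets
import string

# The character classes the article recommends combining.
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digits": string.digits,
    "special": string.punctuation,
}

def generate_password(length, use_upper=True, use_digits=True, use_special=True):
    """Return a random password drawn uniformly from the selected classes.

    Uses the secrets module (a CSPRNG), never random. Candidates missing a
    selected class are rejected so every requested property is present;
    this rejection costs a negligible fraction of a bit of entropy."""
    wanted = [CLASSES["lower"]]
    if use_upper:
        wanted.append(CLASSES["upper"])
    if use_digits:
        wanted.append(CLASSES["digits"])
    if use_special:
        wanted.append(CLASSES["special"])
    if length < len(wanted):
        raise ValueError("length too short to include every selected class")
    alphabet = "".join(wanted)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in wanted):
            return candidate

def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random password: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)

def brute_force_years(bits, guesses_per_second=1e10):
    """Expected years to find the password by exhaustive search (half the
    keyspace on average) at a constructed guess rate of 1e10 per second."""
    expected_guesses = (2 ** bits) / 2
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    pw = generate_password(16)
    print("generated:", pw)
    # 8 lowercase letters vs 16 characters from all four classes (94 symbols)
    for name, bits in (("8 lowercase", entropy_bits(26, 8)),
                       ("16 mixed", entropy_bits(94, 16))):
        print(f"{name}: {bits:.1f} bits, ~{brute_force_years(bits):.3g} years")
```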

Remember with a password manager

You can’t just stop at generating one strong password and think you are done. Each online service you use should have its own unique password, especially when you use the same username, like your primary email address, across multiple sites. That is where password managers come into play. With a good password manager, all you really need to remember is the one master password that unlocks the manager itself.
I have reviewed password managers in the past, and my personal favorite has been mSecure for quite some time now. But any one of the following five password managers will get the job done, and they each support Mac, Windows, iOS and Android:

The good thing about these password managers is that they will also securely sync your password information across multiple devices. That way you will always have a backup of your passwords on at least one of your devices.
[Image: two-factor implementations]

Use two-factor authentication

Having a strong password that is unique to each account is still not enough. Additional security measures like two-factor authentication can help secure your online accounts even more.
Two-factor authentication adds a second stage to logging on to your account. The first stage is the usual one: the computer you are using logs on to the site or service with your account information. The second stage uses a separate device, like a mobile phone or other personal device, that you must have in your possession at the time you log on. This second device typically produces a key, usually a short one-time code, that is used to unlock your account.
While in principle the mechanics of two-factor authentication are basically the same, in practice each online service has a slightly different implementation. The following links will take you to each site’s documentation on how to set up their particular flavor of two-factor authentication:

Update your recovery plan

Finally, while you are accessing all of your online account settings to update your password, you should also check to see what is required to recover a lost or forgotten password. Many online accounts offer a secondary means of resetting your account password. This can sometimes require the registration of an alternate email address, a cell phone that can receive text messages or even a personal phone number that only you have access to.
When you combine two-factor authentication with very strong passwords that are difficult, if not impossible, to remember, knowing how to recover a locked account is a must. If implemented properly, even tech support will not be able to unlock your account once you have forgotten all of the security-related information associated with it and no longer have access to your secondary device. So be sure to have this established before it is too late, and make sure that only you have access to this potential back door into your account.