We do so much online now. Unless we very much limit our internet activities, we make ourselves vulnerable to crooks so clever that they would have gotten rich if they were honest.
But for whatever reason they aren’t honest, so we need to take precautions. If we don’t, given the portion of our lives that takes place online, we face catastrophes not far in effect from the house burning down.
Most of us — all of us to some degree — hand online security over to luck. A few of us are rightly paranoid but paralysis is our reaction. We limit our online life because of the bad guys who are certainly lurking, waiting to make us victims. Every day, if you follow such things, you’ll find yet another story of a big corporation whose database got cracked, revealing the personal and financial information of all of its customers and employees.
I try to keep things secure, but keeping up with it all would be a full-time job, leaving me no time to look at cute cat pictures. A few days ago I got yet another direct message from an account claiming to be owned by an attractive young woman in Malaysia. I’ve sometimes let these play along for awhile, just to amuse myself. The script is always the same, so after a bit I can send a message that is the next message the “girl” would have sent to me. Merriment does not usually result, but it is satisfying.
And stupid. Asking for trouble.
“I block them all,” my friend said. “They will try to hijack your account.” The advice was good, so blocking them it is. (At that point I didn’t even know how to block someone. Though I have been around a bit I can still be incredibly naïve.)
There are some slightly inconvenient but obvious things I do. One of them is to have a pre-paid debit card. I keep an amount of cash on it. When I make a payment online I use it. It is not connected to my bank account or anything else. It exists for one purpose. So even if crooks get in, the most they’ll get is the amount that’s on the card.
The reason bad guys win is most often because of our own lazy choices. We click on a link without checking it out first. We provide the information requested in email that looks genuine. (Email programs do us no favor here: more and more of them hide the originating email addresses by default.)
I maintain different email accounts under a variety of made-up names at a variety of dead-end email services who themselves have no idea who I am. These are not always easy to set up, but they are worth it. If some place I use — but created my account using one of those addresses — gets cracked, the crooks have gotten no information about me. Anonymity is your friend. Sometimes there’s good reason for a site to know who you are, but usually there isn’t, except for the site’s desire to sell your information.
We are very sloppy with passwords. The worst offense is to use an easily guessed password — and then use that password for everything. This is about as secure as SMS texting: you might as well hire a skywriter to spread your information across the heavens to everyone. Bad password management is probably the bad guys’ single greatest friend.
The answer is to use a separate, unique, long, complicated password for every site to which you log in. The goal is a password that no one could guess in a million years — literally — and limiting that perfect password to one account. So you don’t need one perfect password, you need lots of them, never re-using any of them. Then if a service to which you subscribe gets cracked and the user passwords get exposed, the bad guys have gotten nothing from you because you use that password for only that site.
You’ve heard these warnings before, probably, and have thought that yeah, I’ll have to do something about that sometime. Maybe you have even tried to do something toward reforming your own password management, gotten a little way into it, and walked away with a sense of doom because it seems hopelessly complicated. Perhaps you have created elaborate passwords and entrusted them to your browser, which will automagically fill them in. You’re very proud of your utterly random, 512-character passwords. Then you’re away from home and need to log into an account via your phone. Even if you had the password you probably couldn’t accurately type it in.
Enter the class of applications called “password managers.” These store — and usually offer the option to create — passwords as elaborate as you please. They are stored in a heavily encrypted file that you need a long password to access. This way you need to memorize only one password. It will be long and complicated and require memorization. You can do it.
That master password file is usually stored online — “in the cloud” — which makes me a little nervous. With good reason, it turns out: A year ago the popular LastPass password manager company got cracked and the information of some or all of its more than 25 million users was stolen. (Astonishingly, the company is still in business.)
The alternatives to storing your master password file in the cloud, though, are few. If you keep the file on your desktop computer, notebook machine, tablet, phone, or whatever that damn thing Microsoft makes is, you’re limited to that one device, and if it breaks or gets lost you’re locked out of everything. But you would want to keep that file on all of your devices, meaning anytime you add an account you need to update every device as well. Good intentions easily get sidetracked by reality, and soon your gadgets are out of sync.
There is one highly regarded password manager that stays out of the cloud. It is called KeePass. It is free. It was initially my first choice in a password manager, despite the hellish aspects of syncing multiple devices. My plan was to keep my master file on a very secure dab of cloud storage I have, so updating the files locally on each device wouldn’t be like the old days of carrying software updates from computer to computer on floppy disk.
The problem I found with KeePass is that the thing is incomprehensible and there is no one to hold your hand. Often one can resort to YouTube for help in configuring and using tricky software, but the videos on KeePass are unhelpful, with either people saying how good it is without ever showing how to use it, or guys demonstrating way too fast the tricks they can do with it, the subtext being “see? I’m really cool, so why can’t I get a girlfriend?”
I downloaded and installed KeePass but never used it. Never figured it out. (To be fair, I never really tried — the possibility of an error leaving me locked out of everything was too daunting.)
The most highly recommended password managers now are 1Password and BitWarden. If I had to choose one it would be the latter because people I respect respect it. But until a year ago the most highly recommended password manager was LastPass.
So I’ve been treading water. If you have read this column for any length of time — thanks and where appropriate my apologies — you know of my strong liking of the Proton security products. I’ve used them exclusively for five years, beginning with the secure ProtonMail and expanding to their VPN and cloud. They are, best I can tell, very good people in a safe place. There is no runner-up in these regards, in my estimation. (And in a world in which reviews and commentary are almost universally corrupt, no, I receive no consideration from them at all. I pay for their products, which they then provide. Sometimes I think they don’t even much like me.) When I was looking among password managers I dropped them a note. I said I thought that they ought to get into the password-manager business. The reply was a pleasant but foggy note to the effect that they were working on it, translation, “Don’t hold your breath.”
So it was a pleasant surprise when, at 5:30 this morning (yes, I was still awake), I got an email message from Proton: “We want to make sure you have the best tools to protect your security and privacy online and are pleased to announce that your plan now includes the full version of Proton Pass, our new end-to-end encrypted password manager, at no extra cost.
“For those of you that don’t know what a password manager is good for, we’ve created a short video demonstrating what Proton Pass can do. Proton Pass is more than just a password manager, it’s also an identity manager . . .” It even lets you provide email address aliases. These guys are good.
What’s more, it is free. There’s some doo-dad here and there that I get because I’m a paid subscriber. But I haven’t been able to find anything I would use that free users don’t get. The problem of moving from device to device has disappeared. Over five years I have come to trust Proton more than I do any other online entity. They are good at doing things that I want done. And their encryption is so comprehensive that even if the bad guys somehow got my master file — knock yourself out, bad guys. I’ll check back in a million years to see how it’s coming along.
I haven’t set it up yet — hey, I was still awake at 5:30 this morning! — but will do so this week. With that caveat, it has jumped to the top of my list of password managers.
Whether you choose Proton or some other password manager, you really should get one.
And use it.