Most people are aware that their password security is an issue. A US survey from four years ago showed 73% of consumers recognised the need to use strong passwords. This result came before Yahoo!, LinkedIn, and plenty of other headline-grabbing password breaches.
So if everyone knows, why did Mark Zuckerberg famously continue to use “DaDaDa” as his password on LinkedIn, Instagram, Twitter, etc.? Why are “123456” and “password” still by far the most common passwords (as seen in breaches)? Perhaps because knowing the problem is not the same as knowing what to do about it.
[Credit: Password Patterns, Predictability, And Psychology:
What ‘123456’ Says About You, WPengine.com, March 18, 2015]
Password security advice is often misleading, hard to understand, and too complicated for anybody normal to follow. Here are a few things that you do not need to do (and should not do!), but are often given as advice to the general public:
So what should you do? The key to solving the password problem is outsourcing. Humans are very bad at remembering things, very bad at thinking of good passwords, and very bad at keeping secrets hidden; luckily your computer and your phone/tablet are extremely good at all three tasks.
In practice, outsourcing passwords to your computer means using a password manager program or app. This is where most password advice articles stop: “use a password manager!”. This is unfortunate as I have seen many intelligent savvy users install a password manager, and then not know how to start using it, and not know what habits they should have in order to use it correctly day to day.
This article is for those users, the vast majority I suspect. I will use the example of the password manager that I use every single day, F-Secure KEY, to show you how to get started, and then how to continue with your good password habits.
F-Secure KEY can be installed for free on one device, with multi-device licenses available at more than reasonable prices. If your mobile operator or ISP has already partnered with F-Secure, you may be able to get KEY for even less, in some cases it may already be included in your mobile subscription package.
Before we start, we should look at two very important questions when choosing a password manager:
Your passwords can open your bank account and transfer your money; they can use your bank cards in dozens of online shops; they can access all of your photos and private documents you backup to cloud services; they can read all your emails at Gmail; they can read everything your family and friends put privately on Facebook and Instagram; and much more.
Your passwords are in many ways more critical to your life, and to the lives of the people you care about, than your house keys and your wallet combined. And like your house keys and your wallet, you need to protect them – you would not take keys and wallet advice from some random stranger on the internet, nor would you hand them over to some unknown company for safekeeping.
So who am I? I have been working in the IT industry since I was 15 years old, and from the start I was fascinated by information security and privacy. My first password included the first 10 digits of Avogadro’s constant, amongst other things. I have never reused a password, nor created a weak password. I have been using a password management system of some kind for almost 25 years.
In short, I personally do much more than is required or reasonable for any normal sane(!) person. While I previously used a strictly offline password manager, I recently switched my password management to F-Secure KEY for three reasons.
Reason 1: I kept my passwords strictly offline because I had never seen a password manager, nor a vendor, that I consider sufficiently trustworthy to allow access for backups, browser-based autofill, or other multi-device synchronization features.
However, when I examined the F-Secure implementation, for the first time I saw a product that takes into account these critical security considerations in a trustworthy fashion. This includes F-Secure directly refusing to develop certain user-friendly features of other password managers that in fact open what I consider as unacceptable attack surfaces to compromise the security of my passwords. For example F-Secure KEY does not have any web portal for your passwords, which is a very good thing for your security and privacy!
Reason 2: Another reason I kept my passwords offline is a lack of trust in the vendors that they do not provide backdoors to access user passwords, and that they do not exploit my personal data for profit, as is the model of most modern software companies. Such mechanisms are too easily abused, and too easily become unacceptable attack surfaces for what is my most private information.
Again, seeing the F-Secure implementation, I saw for the first time a vendor taking these considerations seriously, and creating a system that makes it strictly impossible for them to backdoor or exploit my private data.
Reason 3: With the security and privacy aspects correctly handled in a trustworthy fashion, I could now think about making my life easier. Taking care of my security and privacy manually was hard work, and not something anyone except an enthusiastic IT and security fanatic would do.
Moving to F-Secure KEY, allows me outsource my backups, protect myself better from bouts of amnesia, and make the everyday use of my passwords smoother. The added advantage is that now I have a password management methodology which is secure, protects my privacy, and is simple enough that I can recommend it to the people I care about.
Reason 4: Something that is not a reason for my switch: I now work at F-Secure as a security and privacy consultant. Why is this not a reason? I would never switch my personal information to any vendor’s product if I did not first trust their product and their integrity with my security and my privacy. My personal security and privacy, and that of the people I care about, will always trump any loyalty to an employer.
As a vendor, I have a lot of trust in F-Secure – they are a leading cyber-security company making consumer security products for the last 30 years; and their Finnish roots translate to a company obsessed with protecting consumers’ privacy.
Even with their free one device version, you are not paying with your personal data and privacy – the product is free because F-Secure believes improving password security worldwide is a social good, and we are very confident you will like our product enough to upgrade to use KEY on all your devices.
Now that long aside is out of the way, let’s start your journey to protecting and improving your passwords.
Installation is like with any other program or app – we will look at Windows PC and then Android, as those are the most common; of course KEY also works with iPhone/iPad and Apple Mac.
First go to the F-Secure website, download KEY, and run the installer:
Having downloaded KEY to your Windows PC, and run the installer/exe file, you will see something like this:
Click Create Master Password to set up one of the only passwords you will have to remember from now on. The only other passwords I remember are the one to decrypt my PC, the one to unlock my Windows, and the one to unlock my phone – after that, all my passwords come from the password manager, so I don’t need to remember them at all.
That is only 4 passwords in total to remember, which is much more manageable! Important rule: none of these passwords are ever used online in a website or another app, and none of them are ever shared with someone else.
This is where you enter this most important password – twice to confirm, as usual:
How should you choose and remember your master password? You are not going to remember some long random password full of numbers, upper & lower case letters, and special characters. And you don’t need to – only very silly people like me do that!
The easiest secure way is to make a passphrase that you can easily remember, but which is not easily associated with your personal information. The sillier the better, as something silly will stick in your memory easily and quickly. A fun example is “CorrectHorseBatteryStaple” (don’t use this one, it’s in password dictionaries everywhere, make your own!):
[Credit: XKCD, Password Strength]
And KEY is ready to use:
Now let’s do some housekeeping tasks that you will probably only ever do once – you do them now, and afterwards you can forget about them and get on with using your passwords.
The first task is to give yourself a way to recover access to KEY on one of your installed devices in case you are struck with amnesia. The way to do this is to create a QR code, which you can then print and store somewhere safe.
Go into the Settings menu, and the Create recovery code sub-menu:
Save the file and print it:
Don’t keep the file on the device where you have installed KEY – either only keep the printed version (which you can later scan and use to regain access), or only keep the file somewhere else that you trust – for example on the computer of a family member living elsewhere.
This will only let you get access to your passwords on a PC, Mac, or mobile device that you have already set up with your KEY account, and only after unlocking that device first. You do use a password to lock all your devices, right? 🙂
Now let’s extend your protection, and at the same time make your life easier. What happens if your PC is lost, stolen, stops working, or is destroyed in a house fire? The same that would probably happen to you today without a password manager: your passwords and accounts are gone forever – not good!
The solution is simple: install F-Secure KEY on more devices and synchronise all your passwords to those devices. Obviously, the more devices the better, and if at least one device is not always with you or at home (for example a computer that stays at work, or a device that you leave with a relative), all the better. This is just like backing up your photos and documents, it is just a good thing to do.
To get access to this functionality, you will first need to activate the premium version of KEY, which allows you to back-up your data to, and use your data from, all of your devices. Go to the Subscription menu, and chose how to upgrade:
Chose a provider allows you to see if your mobile operator or ISP has already partnered with F-Secure, and thus to get a discount. If not, you can purchase directly from F-Secure via the Buy a subscription option. If you have already purchased or received a voucher as a gift, you can enter that via Have a voucher?
Now that you are a premium user, let’s get installed and synchronised on your Android mobile phone or tablet. Like any app, you can find KEY in the Google Play Store – search for “fsecure key”, and install:
Now open KEY on your Android device and skip through the help to the login page:
Getting started on a second device is even easier than the first – you click Connect devices to connect your Android with the PC you just setup:
The Sync Code to Enter comes from KEY on your already installed device (your PC in this case) – go to the Connect devices menu on your PC, and you will see a code in the middle of the page. Type this into your Android device and click Connect:
To finalise the connection, you must enter your master password, and then you are synched – all your passwords are now automatically backed up on your mobile device!
Note that KEY will lock your passwords automatically after 5 minutes away. You will have to enter your master password to use your passwords. You can configure KEY to wait longer before locking itself, up to 1 week, but I really recommend you stick with the 5 minutes default: you don’t want people who manage to access your devices to also access all your passwords. For example I am sure you sometimes forget to lock your device at work and walk away, or G** forbid your phone gets stolen while out and about with the screen unlocked.
One last bit of housekeeping before we start with the passwords is to install an extension on your browser that will let you quickly fill your passwords into websites in a secure way. This is optional, but it does make daily use of a password manager a lot easier. In terms of security, it has both pluses and minuses, and has been something I have always avoided with other password managers.
However, as mentioned above, after looking at how F-Secure implements their browser extension and their service in general, I have decided to trust this feature for my own passwords. You can still use KEY without the extension, in the same way that I did in the past: using the temporary copy function and pasting by hand into webpages.
Go to the Settings page and tick the two Autofill boxes. You will then see buttons to install the extension – click the button for your browser, and your default browser will open to a download page, where you install the extension as usual:
Now that your extension is installed, you need to Authorize it to access your passwords – click the KEY icon at the top right of your browser, and paste in the authorization code that is at the bottom of the same Settings page in your KEY application:
And you are now set up – time to enter your passwords!
Hopefully you don’t have only one password everywhere (a very bad idea!), but it would make this step faster! Anyway, the first step in really using your password manager is to enter your existing passwords. Go to the Passwords page, and add your first account (for example your Gmail) by clicking the big plus button:
You will want to give the account a good Title, as when you have a dozens or even hundreds of passwords, it helps for searching. You should also put the login Website address, so that the browser extension can automatically find the right password for you when you go to that page.
This has the added advantage of protecting you from many phishing scams, as KEY will not propose your Gmail password on a fake Gmail login page, even if you clicked on that page by mistake.
Save, and congratulations, you have added your first password! Easy, right?
You should now continue and do the same for all your other passwords, and when you are done, get rid of any files or paper that you were using to store them previously.
Now that you have some passwords, let’s log into one of your accounts. You go to your login page (e.g. the Gmail homepage) as usual, and you will see KEY’s magic blue button in website’s login field:
If you see a bit of orange on the KEY button, that means your KEY is currently locked. Just go to the KEY application, enter your master password, and come back to Gmail. The orange warning will be gone:
Now click the button, and it will give you one or more of your passwords that are valid for this website. Click on the right account, and it will fill the fields for you, and log you in:
If you didn’t install the browser extension, or you are on a website where KEY doesn’t yet automatically find the password field, you can just copy the password from your KEY application. Search for your account, open up the right one, and click the Copy button next to password:
And then paste it into Gmail, and login as usual:
Whichever method you use, it is super simple, and from now on you will never again need to know, see, or remember any of these passwords.
How about when you go to a new website and need to make an account? Let’s create a Kickstarter account for your next brilliant idea. This is almost the same as when you added your existing passwords – add a new Password in KEY and fill out all the information except the password:
When you are ready, click the rolling die icon next to the password. this will pop up KEY’s password generator – you don’t have to think up passwords yourself, KEY does it for you. I always set the longest password with all the possible characters, because why not? When you are ready, just click Use, and the password field will be filled for you:
Now save the password, and Copy like before to the Kickstarter account creation page, and you are done:
Do this each time you have a new account to make – your passwords will always be unique, strong, and ready to use without needing to work your memory muscles!
Now that you are a password management master, you should think about improving your existing passwords, especially if you are using the same password everywhere. Start with your most important accounts, and check them one by one:
The idea is to either create a separate account in KEY for each service (in the case that you have been using the same password everywhere), or to change each password to something stronger, in case you already have unique passwords, but they are DaDaDa and 123456.
Changing your password is slightly different for every service, but you can usually find the option hidden somewhere under your Account Settings or Security Settings for your service. Usually you will be asked to enter your old password first – you already know how to do that! For example, let’s change our Gmail password from earlier:
Copy in your old password from KEY as usual, and now it asks you to enter your new password twice:
The new password is of course the one you generate from KEY. You already know how to create a new account in KEY, and to make a password – this is almost the same! Find the account, and click Edit:
Now do the same password generation step, re-Save your password, and click Copy. Simple!
Are we finished? Not quite! We have only changed the password in KEY, we didn’t change on Gmail yet – let’s go and do that:
And we are done! Congratulations, now you are not only a password management master, but you also have strong unique passwords on all your accounts.
Here are the habits you have learnt and will now put into practice every day:
That’s it. That’s what IT and security people mean when they tell you “just use a password manager”!
It’s as simple as how you already protect your keys and your wallet, as simple as how you close and lock your doors and windows at home, and how you close your curtains when needed. I would say good luck, but you’ve got this, so happy and safe internet-ing! 🙂
 A password breach is where a malicious attacker succeeds in breaking the security of a company (like LinkedIn) and steals the stored password information. This is often the result of badly made, and too often criminally negligent, websites that let visitors do things that they should never have been allowed to do. Once the bad guy has the passwords, they then use and/or sell your passwords – before long they all become freely available public information, if you know where to look.
 All accounts, passwords, and codes mentioned or shown in this article are no longer active. In addition, none can provide access to any stored data that could possibly be broken after the fact by someone who happens to have hacked me years ago and saved the information. One of the reasons that security and privacy online are so much harder than locking your door and closing your curtains at home is that information on computers and online can potentially live forever.
Malicious people, whether criminals or law enforcement, could save even encrypted data they find, and wait years until they can later break in using newer technology and recently acquired information. Protecting against this kind of problem is a fascinating and extremely difficult area of security engineering called “forward secrecy”.
Like with many things in security, technology is only part of the solution – the other part is adapting your own behaviour to protect yourself, something known as “operational security” or “OpSec” for short. The idea is very simple – just as you keep your wallet hidden when walking around a big city, and you don’t tell your bank card number to complete strangers; similarly with your passwords and accounts, you keep them as hidden and as protected as possible. The only difference is that your passwords could potentially unlock your house 20 years after you have already moved to a new home!
 Security is never perfect, all software and systems have vulnerabilities. This includes password managers. So how do you trust anything? There are two keys: how many vulnerabilities does the vendor have compared to similar products, and how does the vendor react to vulnerability reports? If the number of vulnerabilities is not way higher than everyone else, and if the vendor quickly and openly fixes them, this is a good sign. Another good sign is the vendor providing a bug bounty program for independent security researchers.
 For most people not using a password manager, you have two cases :
If you are lucky, you might regain access after a lot of work and time to prove your identity one-by-one to Google, Facebook, Apple, and others. However, just as in identity theft cases, you do not want this to happen to you – prevention is a million times better than treatment after the fact!
 Of course this is not magic, both devices need to be connected to the internet/data to synchronise and backup your passwords. As long as both are connected regularly, even if not at the same time as each other, your passwords will be backed up.
 To be properly careful, or stupidly paranoid depending on your viewpoint, here’s what to do:
For files, don’t just delete, but use a secure deletion program such as the excellent Eraser on Windows. This way your passwords won’t be recovered by a nasty opportunist some day in the future when you sell or recycle your old computer.
Similarly for paper, don’t just throw it out with the household rubbish. The best way is to use a cross-shedder (some workplaces have one of these for destroying sensitive documents), and then split up the results and throw each batch into a separate bin. Alternatively you can burn the paper thoroughly, and then douse it with water, until all the burnt parts separate out. If you want to be really silly, you can combine the two methods: shred then burn – this is the kind of paranoid thing diplomatic staff do to top secret papers when they must abandon an embassy in a hurry (although they probably have their own furnace etc. to speed up the process)
 Some irresponsible websites force you to create a weaker password, for example restricting you to only 8 characters, or not allowing special characters. For these cases, you can adjust and generate again. However, you should bear in mind that websites that make it hard to use a password manager are behaving irresponsibly with the security of your information. If they are doing this, they are almost certain doing other negligent things in their security engineering, and so pose a heightened risk to your digital life. If you decide to continue using a service like this, just bear in mind the risks, and minimize the information you provide to them.
This may sound like a nightmare or a Black Mirror episode about a dystopic future, but…
March 23, 2017