Let's face it, people are terrible at passwords. We use passwords that are easy to guess, we re-use them across sites, and we keep all sorts of terrible password practices. Given how much sensitive information is kept in our online accounts, the first thing you can do to beef up your security is to secure the way you log in online.

The risk: You use a password at a mom-and-pop website to create an account. That website gets hacked, and it turns out the company stored your password in plain text in their database. If you re-use that password for another sensitive account (bank, social media, email, etc.) an attacker can use it to access your other accounts.

General Password Practices

  • Use a unique, random password consisting of 16+ characters for each account.
  • Include uppercase, lowercase, numbers, and characters.
  • Manage the passwords with a cloud password manager such as LastPass, OnePass, or others.
  • Change all the passwords at least once per year.
  • Implement 2-factor authentication (2FA) for all sites that offer it. 2FA adds an extra level of security, often requiring an SMS message or code from your phone when someone tries to log in from an unknown device.

Get a Handle on All Your Accounts

The first thing to do when securing your logins is to get a comprehensive list of all the places you have online accounts. This can be daunting and can be upwards of 100 and more, but this is the true scale of our online profile.

The risk: An online service account you no longer use has an old, insecure password and stores sensitive data. This account may also belong to a website that has poor security practices and is vulnerable to hacking (especially if you're not using it anymore). Places to look to get a list of all the places where you have passwords to secure:

  • Chrome saved passwords: Google Chrome can give you a readout of the saved passwords it has for you.
  • Your email: many of the places that email you have accounts.
  • Your phone: every app you have probably has a login. Write it down.

Don't forget to check the following:

  • Adobe
  • Airlines (Delta, United, JetBlue, etc.)
  • Apple
  • Banks / Credit Unions (Chase, Bank of America, etc.)
  • Craigslist
  • Dropbox
  • eBay
  • eCommerce Stores
  • Eventbrite
  • Facebook
  • Github
  • Google
  • Groupon
  • Healthcare (Cigna, ZocDoc, etc.)
  • Heroku
  • Hotel Loyalty (Hilton, SPG, etc.)
  • Imgur
  • Internet Providers  (GoDaddy, CloudFlare, etc.)
  • Intuit
  • Kickstarter
  • LinkedIn
  • Lyft
  • Mailchimp
  • Meetup
  • Mint
  • Mobile Phone (Verizon, T-mobile, etc.)
  • Netflix
  • Online Training Providers (Udacity, etc.)
  • PayPal
  • Publications (WSJ, NYT, etc.)
  • Reddit
  • Slack
  • Spotify
  • Square
  • Starbucks
  • Student Loans
  • Tableau
  • Tax Services (TurboTax, TaxAct, etc.)
  • Ticketmaster
  • Trello
  • Tumblr
  • Twilio
  • Twitter
  • Uber
  • University Email
  • UPS
  • Vimeo
  • Yahoo

Password Manager

If you haven't been using a password manager:

  • We highly recommend migrating all your passwords to one, and systematically going through to change every password to a unique random one.
  • Every new account you create can also have a unique random password tracked by the system.

If you have one already, do the following every year:

  • Change the LastPass master password.
  • Change the password on every account in your password manager.
  • Implement 2-factor authentication, if available. We are a fan of Authy for any 2FA that uses an authenticator app (because it backs up the codes, which is useful if you switch phones).
  • Check that any backup codes you have for 2FA are up to date. Print, and store in a safe place. You'll need these to get access to your account if you ever can't access your 2FA device.
  • If the site allows, log out of all open sessions on all devices. This will force you to log in again but will disable any unauthorized open sessions you may have missed.
  • Remove any unnecessary data in your account.
  • If you no longer use the account, have the account deactivated or deleted.
  • Review the connected devices to your account, and remove any devices that you no longer use.
  • Log out, and make sure that you can log back in successfully with the new credentials.
  • Remove any duplicates of the password in your password manager, to make it clear which one to use.
  • If the site offers third-party access to the account, check the list of sites that have authorized access. Revoke any access that isn't needed.
  • In general, take note of the data that is stored in the account. If the account were to be hacked, how bad would it be?

Once you're done, run a security challenge through your password manager. This will tell you:

  • If any of your accounts re-use the same password.
  • If any have been involved in a known compromise (i.e., the server of the company got hacked).
  • If any of the passwords are old.
  • If any of the passwords are insecure (too short, etc.).