How to remember all your passwords without actually memorizing them

Alekz
9 min read · Apr 12, 2018

** This article is also available in Spanish **

You’ve just made an account on another app or service, opened a bank account, got an email account from work, an Instagram account… and all of them require you to remember some kind of password. What do you actually choose as a password? How do you balance security and ease of use for yourself?

You’ve surely felt stressed at this exact moment, perhaps without noticing it, staring at the “Choose a password” field. It’s a choice you are being forced to make and would rather not; it’s a necessary evil, and a way for services to shift responsibility onto you.

OK, you’ve chosen a hard password that you can actually remember, maybe you even like it because it’s meaningful to you (it might even be funny). So you decide to use it everywhere. Let’s try one: 0202chalah3adCha14. Impenetrable! Right? I typed in a lot of numbers and characters, and solved the derivative with respect to my dog’s birthday.

Now I’ll use it everywhere. EVERYWHERE!

I don’t want to alarm you but…

…that essentially means that if someone somehow obtains that password, they potentially have access to basically your whole life.

There are two types of companies: those that have been hacked, and those who don’t know they have been hacked.

If we think about how secure popular services are, hackers would have a really hard time attacking Google’s or Facebook’s servers directly and obtaining your password. But what about those other companies and startups that don’t devote many resources to protecting your information? And what about companies that do, and have had major security breaches anyway (Uber, LinkedIn, etc.)?

Databases with thousands of passwords are roaming free in the wild right now. You can even download them yourself, or use an online tool such as Have I Been Pwned to check whether one of your passwords or e-mail addresses has been compromised:

https://haveibeenpwned.com/PwnedWebsites
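As an added example (not part of the original post) of how such an online check can work without you handing over the password: Have I Been Pwned’s Pwned Passwords range API receives only the first five hex characters of the password’s SHA-1 hash, returns every known suffix for that prefix with a breach count, and the comparison happens on your machine. The range reply below is constructed for the example (the first suffix is the real remainder of SHA-1("password"); the other two lines and all three counts are made up), and `fetch_range_online` is the live endpoint, which the offline stand-in `sample_fetch` replaces here.

```python
import hashlib
import urllib.request

# Constructed sample of a Pwned Passwords range reply for prefix 5BAA6.
# The first suffix is the real remainder of SHA-1("password"); the other
# two lines and all three counts are made up for this example.
SAMPLE_RANGE_REPLY = "\n".join([
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493",
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "012C192B2F16F82EA0EB9EF18D9D539B0DD:1",
])

def sha1_hex(password):
    """Uppercase hex SHA-1 of the password, the format the API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def split_hash(password):
    """Return (5-char prefix that is sent, 35-char suffix that stays local)."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]

def parse_range(body):
    """Parse 'SUFFIX:COUNT' lines into a dict, skipping blank lines."""
    hits = {}
    for line in body.splitlines():
        if line.strip():
            suffix, _, count = line.strip().partition(":")
            hits[suffix.upper()] = int(count)
    return hits

def fetch_range_online(prefix):
    """Live lookup against https://api.pwnedpasswords.com/range/<prefix>."""
    req = urllib.request.Request(
        "https://api.pwnedpasswords.com/range/" + prefix,
        headers={"User-Agent": "kdbx-blog-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")

def sample_fetch(prefix):
    """Offline stand-in for fetch_range_online using the constructed reply."""
    return SAMPLE_RANGE_REPLY if prefix == "5BAA6" else ""

def breach_count(password, fetch=fetch_range_online):
    """Times the password appears in known breaches (0 = not found).
    Only the 5-char hash prefix leaves the machine; matching is local."""
    prefix, suffix = split_hash(password)
    return parse_range(fetch(prefix)).get(suffix, 0)
```

Call `breach_count("password", sample_fetch)` to see the offline match, or `breach_count("password")` to hit the live API.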

I had to deal with this problem myself thanks to Skype not having two-factor authentication as an option. My contacts started receiving spam messages containing suspicious links. They acknowledge this problem themselves:

The ultimate proof that this wasn’t me is that I have no memory of ever being awake at 8 am in my whole life 😆
https://support.skype.com/en/faq/FA34711/what-should-i-do-if-spam-messages-or-links-are-sent-from-my-account

That’s some scary stuff 🙈, what can I do about it?

Be calm! Not all is lost. A good first step is to change that good old password that you use everywhere.

So then you decide to use a different password for every account and service; maybe you come up with a nifty system, like a “base” password plus something that reminds you which service it belongs to. Let’s try it with Facebook: 0202chalah3adCha14FB, and then Instagram: 0202chalah3adCha14IG, and… yeah, this is starting to get messy real quick :(

But OK, at least they’re different now. So where to store them? From here you’ll fall into one of 3 simple categories:

  • My superb memory 👴 (or, nowhere, basically)
  • Post-It notes! (or, almost nowhere)
  • I’ll reset the password every time I forget! 🙅 **facepalm-emoji.png**

Your point being…

I’m kidding, there are several real solutions within your reach, and (finally), the point of this post.

There are services and platforms that help solve this problem, like 1Password and LastPass, but I personally don’t like them because:

  1. They cost moneyz 💸 💸
  2. You’re trusting a third party with that control. And I’m a control freak, I admit it. And there’s the fact that some of those services have already had their dose of vulnerabilities more than once.

My approach and recommendation: practicality + security with KeePass 2

We’re getting closer to better solutions. I can tell your instincts are telling you that something like an Excel or Google spreadsheet might do the job. That’s a little better, but you know deep in your heart there must be something already designed specifically for this job.

Lo and behold, there is! It’s called KeePass 2.

I used a Mac Os screenshot so you guys don’t judge me for using Windows :(

KeePass 2 is a cool little piece of open source software that allows you to create password database files with the .kdbx extension. Let’s just say, without getting too technical, that it’s encrypted like a bajillion times forwards and backwards, barrel roll and everything, so that even if someone has your file, it’s useless without the master password. So if there is one password that you must memorize and keep safe from everyone, it’s this one.

Let’s use it then!

First, you have to download and install KeePass 2.

Windows (official client)

https://keepass.info/download.html

Mac OS

KeePassX (there are several clients available that are just as good; this one is a recommendation from Ivan Reyes):

https://www.keepassx.org/downloads

or MacPass:

https://macpass.github.io/

Once installation is finished, we have this screen:

Now we have to create a new password database file, by clicking on File — New… (or click the little icon 📄). It will ask for a location on the computer to save the file. Pro-tip: if you save it in a Dropbox folder, you can later use an app on your smartphone for easy access to your passwords on the go.

And now we set a master password. It’s really freaking important that you keep this password safe from now on, and I strongly recommend that this password is unique to this file: don’t share it with any other account or service. Even if someone gets ahold of your file, it’ll be nearly impossible to decrypt without that password.

You can leave the next screen blank for now if you want to keep it simple. You can always change all of this information later:

You can edit this anytime later

A good practice, both so you don’t forget this password and so a trusted friend or family member can access it in an emergency, is printing an emergency sheet and filling it out by hand (and then storing it somewhere physically safe). This is the next thing KeePass 2 will suggest; if you click on ‘Print’ it will provide you with this template automatically.

Don’t judge by the looks of it, KeePass 2 is beautiful on the inside (and it’s free!) 😃

Now we can start to transfer all that info, those passwords, from our brains and Post-It notes. The most important thing to take into account is that you have to change your habits regarding passwords from this moment on. So, what I recommend doing every time you have to log in again to a website, app or platform, is this:

  1. Open KeePass 2 🔒
  2. Create a new entry 🔑
  3. ̶A̶s̶k̶ ̶y̶o̶u̶r̶s̶e̶l̶f̶:̶ ̶W̶h̶a̶t̶ ̶i̶s̶ ̶l̶o̶v̶e̶?̶ ̶(̶B̶a̶b̶y̶ ̶d̶o̶n̶’̶t̶ ̶h̶u̶r̶t̶ ̶m̶e̶…̶)̶
  4. Ask yourself: Do I want to be able to forget this password? If the answer is yes, change it and generate a new one. If not, simply type down the one you already know. Either way, let KeePass 2 remember it for you.
click on [•••] to show the password

Just like that, with these 4 (3!) easy steps, you’ll feel more secure each day that goes by when you register for a new account anywhere on the Internet.

There are two things that I like about this way of saving passwords:

  1. When adding new entries, KeePass 2 automatically makes a new difficult password for you (that you can change, of course), for example: 0rAi5OIK8RB2oAs85qbt. It’s different every time, so if that password shows up in a public password database dump and the breach becomes known, you only have to change that one password.
  2. It does not show passwords on screen, you have to click a button to make it show it to you. This may seem like a drag, but it’s a good security feature if you sometimes share your screen. Also, if you click the *******, it copies the password to the clipboard, and it gives you 12 seconds to paste it wherever it has to go before it clears your clipboard (another security feature).

Going mobile

This app installs on your PC or Mac, so there’s still an issue to work out: I need all of these features on the go, and I need a backup of this file somewhere. You can accomplish this really easily if you first back up your .kdbx file on Dropbox. Here are a couple of options for each major platform:

iOS

KeePass Touch. I liked this app a lot because it allows you to unlock your password database using your fingerprint (Touch ID).

https://itunes.apple.com/us/app/keepass-touch/id966759076?platform=iphone&preserveScrollPosition=true#platform/iphone

Android

Keepass2Android Password Safe

https://play.google.com/store/apps/details?id=keepass2android.keepass2android

Final thoughts and recommendations

This whole business of changing and taking care of passwords, when it isn’t done right, makes me ask: is it that we are lazy, or is it a product of bad interaction design? Maybe that’s a question for design gurus like Don Norman or Roman Mars.

Maintaining passwords is not an easy thing to do, and to a certain level it requires education and self-discipline. We usually focus on doing these things only when it’s too late, e.g. “my Facebook/Twitter account has been hacked!”, but seriously, why does the world work like that? When will a solution come that lets us identify ourselves unequivocally and that at the same time is safe, private, incorruptible and untransferable? Is it blockchain based? Do biometric solutions have to become even cheaper?

Photo by Dmitry Bayer on Unsplash

What to do, in short

Natural mutual lack of trust isn’t going anywhere soon, so these are my specific recommendations to protect yourself best while we, as a society, sort things out:

  • Do NOT use 123456 as a password. EVER. Nor any of its variants like asdfgh, etc.
  • Have different passwords for different accounts and services as much as possible. Especially if some accounts are more important than others. For example, do NOT use the same password for your Gmail account and the Nike Run app.
  • Do not use obvious words in your passwords. There are automated programs that use dictionaries and cleverly combine short common words, numbers, etc. and try those first.
  • If the service you’re using provides multi-factor authentication (an SMS or phone call code confirmation when you log in on a new device, for example), always turn that option on.
  • Try changing your habits to become a security-aware person, and be skeptical of everything online. If you become careless, you’ll regret it later. This has to be a personal decision; no software or solution can account for carelessness. A good starting point is asking yourself: if I were a hacker, how would I hack myself?

Questions? Comments? Feedback is welcome 😄

Shameless plug

If you liked this post, I’ll certainly be grateful for your awesome clapping 🙌👏. If you know someone who you just KNOW always forgets their passwords and could benefit from changing some habits, let them know and share this with that special person!

If you’d like to know more about me: I’m CTO and founder of Tesel, a company dedicated to empowering businesses and individuals with innovation and technology. We are certified Google Partners and we’re ready to help you with anything you want.

tesel.tech

Follow me on: Twitter: @aalkz | Instagram: alkz | LinkedIn

Cover photo by Camille Orgel


Alekz

Founder at Tesel (http://tesel.tech). Engineer. Gamer. Photography Geek. Master of the Mystic Arts.