In mid-December 2020 and as my New Year's Resolution for 2021, I decided it was time that I finally switch over to using a Password Manager.
This post is not so much about why YOU should use a Password Manager (because you can find plenty of those articles out there on the Web) but more about my experience of switching to a Password Manager. Hopefully, with some personal experience and insight I can help answer the following questions for myself and you:
Why did I switch?
What took me so long?
How did I make the switch from using a spreadsheet?
Why did I switch over?
In mid-December of 2020, three things happened that made me rethink how I was handling the digital security of over 300 online accounts that I manage for my business and my family.
First, I learned that someone in Tennessee opened a bank account in my name! They used just three pieces of my identity (my full name, current address, and Illinois Driver License number) to open a checking and savings account at a bank. Thankfully the bank sent me a postcard in the mail to notify me that I had opted in for overdraft account protection. Only then was I aware that my identity had been stolen and used. That’s scary.
Second, while submitting the fraud claim with the bank regarding my unwanted checking and savings account, I logged into Experian.com (one of the three credit bureaus) to put a freeze on my credit. It was at this time that I became even more concerned because I learned that my credit report had been pulled for a Small Business Administration government loan that was submitted (and rejected) back in November 2020 under my business name. Then I ran a Dark Web search on all of my email addresses and discovered that one of my frequently-used, weak passwords, associated with my business, was listed on the search results. The situation was getting worse and it really concerned me.
Third, there was a major cyberattack breach of our US government agencies in December 2020, specifically the Energy Department and National Nuclear Security Administration – the agency that’s in charge of our nuclear weapons stockpile. That’s really scary.
Here I am, a tech consultant, not practicing what I preach when it came to digital security. I was re-using passwords and some of them were weak as well – only eight characters, no symbols, just upper and lowercase letters. I was just being lazy and definitely not being digitally secure.
What took me so long?
Back in my early software consulting days, I created an “Accounts” spreadsheet to start tracking and managing my work and personal online accounts. After getting married, the spreadsheet evolved and it was now managing over 300 online accounts with columns to track not only Usernames and Passwords but everything from Account Numbers to Website URLs to Secret Question Reminders. This spreadsheet setup seemed perfect. So much so, I even shared my template layout with my family and friends.
Then when web browsers like Google Chrome, Mozilla Firefox, and Windows Edge started to handle password management, I thought I would treat my passwords like how I backed up my files – I have a master copy, the “Accounts” spreadsheet, and a working copy, the web browser password manager. Plus, I didn’t see (at the time) how a Password Manager could also track all the extra *important* account information that I was saving within my tried-and-true spreadsheet. This extra information (i.e. meta-data) is what kept me from even trying or testing out a Password Manager. My thought was that my digital life was OK but I knew, deep down, that I was not practicing what I preached.
We live in the “Age of Digital” – digital life, digital marketing, digital currency, and digital espionage. And after I ran that Dark Web search on my credentials through Experian.com and saw one of my frequently-used, weak passwords displayed, that’s when I had enough.
The time was now and it was way past due. That’s when I switched over and started using a Password Manager so every online account that I needed access to had a unique and secure password.
How did I make the switch from using a spreadsheet?
Assessed My Password Issue – Because my primary email is Gmail and I’m signed into Google Chrome to sync my web browser data (across all my devices), I had the benefit that all of my passwords (valid and some accidental entries) were being saved to my Google Account – https://passwords.google.com. Once I was there, I used the Google Password Checkup to check the security of all of my saved passwords. This is where I found how many of them were compromised, reused, and/or weak. This was very helpful because it provided me with a starting point and how much work I had ahead of me.
Selected a Password Manager – From doing my online research about which Password Manager I should use (learning the pros & cons of each one), the two that kept coming up most frequently were LastPass and 1Password. Both are equal in capabilities and have robust security features but in the end, I selected LastPass for these five primary reasons:
FREE LastPass user account.
Created by LogMeIn – an IT/technology company that I knew and trusted.
Secure notes that will allow me to continue tracking all the extra account information and details that I was saving within my “Accounts” spreadsheet.
Share passwords securely with another FREE LastPass user account. This was important to me because I plan on setting up my parents on LastPass to make their digital life easier, including mine when they need my web/tech support help.
Insight on my at-risk passwords and FREE Dark Web monitoring on 10 email addresses within the LastPass Security Dashboard.
Installed LastPass on All of My Browsers and Devices – For work and at home, I’m a multiple web browser user: Google Chrome, Mozilla Firefox, and Windows Edge. I also have four devices: a phone, tablet, Chromebook, and a PC laptop. For each browser and device, I installed the LastPass extension from the LastPass download site.
Decided Not to Import My Passwords into LastPass – LastPass has multiple options to import your current passwords, including from the Chrome Password Manager, under More Options > Advanced > Import. In my case, I opted not to import my passwords because I wanted to see my progress in LastPass grow while also learning how LastPass worked and graded how I was adding or updating a password.
Changed/Updated My Most Important Passwords First – Naturally, the first online accounts that I added to LastPass and updated with a unique and secure password were my banking, financial, and email accounts. After that, I decided to address the passwords that Google’s Password Checkup warned me about (see above).
Used 16 Characters When Generating a New Password – LastPass has a display tool called the Security Dashboard. This is where you are graded in percentile when it comes to your security practices – multifactor authentication, password reuse, etc. You are also graded in percentile when it comes to password strength. All of my unique passwords that are less than 16 characters have a percentage score below 60%. Passwords with a percentage score above 90% all have 16 characters or more.
How Fast Would I Tackle this Updating Task? – My general rule is twofold:
Update a password as soon as I needed to access the online account.
Select three to five online accounts to update each day with a unique password.
Kept Password Saving/Syncing ON in Google Chrome – Because I have a Google Pixel phone and I also use Google Workspace for my business, the idea of my Google Account syncing my updated LastPass 16-character generated password was appealing, especially when it came to situations like logging into Chromecast on my TV – i.e. a unique device login situation when Google Account sync works and where LastPass would not be able to help me easily log into my streaming accounts like Netflix, Amazon Prime, Disney+, etc.
Hence, every time I update a password with the help of LastPass, I allow Google Chrome to save the updated password as well. My strategy here is to use LastPass as the master location for all my passwords and secure notes but also leverage the convenience of my Google Account to sync passwords for faster/convenient password access on other Google-specific devices that cannot leverage LastPass – e.g. Google Chromecast.
Turned OFF Password Saving/Syncing in Mozilla Firefox and Windows Edge – In my situation with Google, this setup works for me. On the other hand, if you were a primary Mozilla Firefox user, for example, you could do the opposite setup as me – Firefox ON, Chrome and Edge OFF.
Purged Accidental Passwords and Cleared Browsing Data – Because I decided not to import my passwords into LastPass from Google Chrome (see above), I am using the Google Account Password Manager https://passwords.google.com as a checklist of passwords that need to be updated or in some cases purged because they were accidentally entered and saved. With that said, I’m also clearing all password browsing data from Mozilla Firefox and Windows Edge because I have turned OFF the password saving/syncing options in these browsers (see above).
Some Online Accounts Don’t Like Symbols (or Specific Symbols) for Passwords – When you update an online account and generate a unique 16-character password for it, you might find that the input field does not want you to use any symbols (or specific symbols) in your password. If this is the case, turn OFF the “Symbols” option in the LastPass password generator and proceed.
Note: If the password input field wants at least one specific symbol, like a dollar sign ($), you’ll have to copy and paste the password from LastPass (not use Fill) and then add the symbol. In this case, because most of the time the password will be hidden (cannot see the characters), my suggestion is to type the symbol at the end of the hidden password after you have pasted it into the input field.
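Added example (not part of the original post and not LastPass's own code): a Python generator for 16-character passwords that handles the two site rules described above, symbols rejected or one specific symbol required, and places a required symbol at a random position. The function names and the default symbol set are assumptions made for this illustration.

```python
import math
import secrets
import string

# Character classes; the symbol set is an assumption, not LastPass's own list.
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SYMBOLS = "!#$%&*@^"


def generate_password(length=16, symbols=SYMBOLS, required=""):
    """Return a random password that satisfies a site's symbol rules.

    symbols  -- symbols the site accepts ("" when it rejects all symbols)
    required -- characters the site insists on (for example "$")
    """
    classes = [LOWER, UPPER, DIGITS] + ([symbols] if symbols else [])
    if length < len(classes) + len(required):
        raise ValueError("length too short for the requested policy")
    # Take one character from every class plus each required character...
    chars = [secrets.choice(c) for c in classes] + list(required)
    # ...then fill the remainder from the whole allowed alphabet.
    alphabet = "".join(classes)
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle with the OS CSPRNG so a required symbol is not always last.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def entropy_bits(length, alphabet_size):
    """Upper bound on the entropy of a uniformly random password, in bits."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    print(generate_password())                           # default policy
    print(generate_password(symbols=""))                 # site rejects symbols
    print(generate_password(symbols="", required="$"))   # site demands "$"
    # 8 letters only (52 choices) versus 16 letters and digits (62 choices)
    print(round(entropy_bits(8, 52), 1), round(entropy_bits(16, 62), 1))
```

Even with symbols turned off, a random 16-character password of letters and digits has roughly twice the entropy of the eight-letter passwords mentioned earlier in the post.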
There you go. I just shared with you my trials and tribulations of what spurred my New Year's Resolution to not reuse passwords anymore and switch to a password manager to help me stay the course with my online digital security.
Like exercising or eating better foods, the hurdle to get over (using a password manager) seemed annoying and tedious but once I started updating my passwords, each one has provided me with a positive and rewarding feeling - unlike reviewing a Dark Web search.
I hope you found this post to be an honest wake-up call to the importance of your digital security, including your family. Happy New Year to you and yours.
Web pages that I referenced and leveraged for my switch to LastPass