I have a confession to make. I don’t know the password to my email account or our bank account. In fact, I don’t know the passwords to any of our online accounts. All I know is that the passwords for our accounts are super long, really complex, and change often.
I am not paranoid (too much)
When I was preparing for us to travel during our gap year, I feared having our online accounts compromised at the worst possible time, such as on a weekend while traveling to a new spot. I feel it was a rational fear given the frequent news reports of security breaches ranging from Target to the U.S. government. I was also concerned that if I kept our passwords on our laptop, we could lose the ability to log into our accounts if the laptop was stolen, lost, or damaged – not to mention exposing our log-in credentials to theft by spyware, hackers, etc.
The main problem is that people commonly repeat passwords and/or use easy-to-crack ones.* Further, making it really easy for someone to hack their accounts, some people write their passwords down in notebooks or on sticky notes on their desk. That is their poorly implemented answer to a real problem: really good passwords are often also hard to remember.
I thought more about my initial concern of securing our accounts while we were traveling. I came upon a solution that has worked really well for us both at home and living elsewhere. I’ll go into specific details below but here is the summary of the solution I used:
- First, I bought a metal-encased USB stick that can go on my keychain.
- I then downloaded the free, open source program called KeePass.
- After I set up KeePass on my USB stick, I went through all our online accounts and changed the passwords to very strong, complex passwords that are stored in KeePass.
- Finally, I keep a copy of my KeePass database elsewhere.**
Specific steps for securing your online accounts
Step 1: Get a robust USB stick
I felt that for a password solution to be secure I needed to treat my passwords the same as I treat my physical keys. I don’t leave my keys laying around for anyone to pick up. Likewise, I decided I should secure my passwords on a USB stick attached to my keychain. I now make sure to never leave my keys with my laptop. If I am leaving my laptop somewhere then my keys come with me. Always.
Last year I searched for a robust USB stick that I could put on my keychain. The Amazon reviews for the Silicon Power USB stick fit the bill. Over a year later, my USB stick is still cranking along. The metal case has some scuff marks on it but it is showing no signs of falling apart.
Step 2: Install KeePass on your USB stick
KeePass is pretty simple to set up. You will want to download the Portable version of the Professional Edition. The program is free and open source with high ratings from users and the open source community. After you install it on your USB stick, you’ll need to come up with your master password. You will enter this master password every time you start KeePass. Thus, I highly recommend you come up with some long phrase and compress the words together, eliminating white space. You can then substitute or add numbers and symbols to make it much stronger. There are many good guides online for helping you come up with strong passwords. You should invest time in coming up with a good one since this is the master key that unlocks all of your passwords.
You can organize your accounts into folders in KeePass, add custom fields like which email address is associated with an account log-in, and even type notes about the account. It will become your always-with-you storage vault for your online keys.
Step 3: Change your online accounts to use strong passwords generated by KeePass
Now, the power of KeePass is not just aggregating your credentials behind a secure door but also giving you a feasible way to use super strong passwords with all of your online accounts. It is far more likely that your online accounts will be subjected to break-in attempts by hackers than your KeePass database residing on the USB stick on your keychain.*** By using a single strong password to protect access to KeePass, you can then just let KeePass generate the passwords you use with your online accounts.
You will want to change the password of each of your online accounts to a strong, KeePass-generated one. When you add an entry in KeePass for an online account you can generate a new password for the account. Double-clicking the password field in KeePass for that account copies the password to your computer’s clipboard for 12 seconds, after which KeePass clears it. This gives you time to paste the password into your online account’s “new password” field to change it. Following this method, you can change your passwords fairly quickly to new, strong passwords that are securely held in KeePass.
Step 4: Make a backup copy of KeePass
If you lose your keychain and have a really strong master password for KeePass then I wouldn’t worry, as long as you have a backup of the database somewhere else. You do have a backup, right? Without a backup you’ll have a tedious path ahead of you to reconstruct your KeePass database. You can keep your backup wherever you want – a safe deposit box, an online storage account, with your traveling partner, or on another USB stick in your travel bag. I would not worry about copying the KeePass database every time you make a change to it. Perhaps just create a calendar reminder to back it up every month or whenever you change your email account password, whichever happens first. The reason I selected any email password change as a backup trigger is that your email account will be used by the “Forgot Password” function of all your other accounts if you ever lose your KeePass USB stick. You would use the password recovery functions of your online accounts to reset the passwords that had changed since your last backup of KeePass.
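Steps 2 to 4 above boil down to three ideas: a long master phrase, passwords drawn at random by the manager, and a backup copy that is actually current. The script below is an added illustration of those three ideas, not KeePass’s own code; the character set, the 20-character default and the sample database bytes are assumptions for the example.

```python
import hashlib
import math
import secrets
import string
import tempfile
from pathlib import Path

# Character set a KeePass-style generator draws from (assumed for this example,
# not KeePass's own generator code): 94 printable ASCII characters.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw every character from the OS CSPRNG, as a password manager does.

    Rejecting draws that miss a character class (and redrawing the whole
    password) keeps the result uniform over the accepted strings, unlike
    patching a digit into a fixed position afterwards."""
    if length < 4:
        raise ValueError("need at least one character from each of four classes")
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(c in string.punctuation for c in pw)):
            return pw


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Guessing work for a uniformly random string: log2(alphabet ** length).
    A 20-character draw from 94 symbols is about 131 bits; an 8-letter
    lowercase word is under 38, which is why generated passwords win."""
    return length * math.log2(alphabet_size)


def fingerprint(database: bytes) -> str:
    """SHA-256 of a .kdbx file's bytes; the file is already encrypted under the
    master key, so hashing it reveals nothing about the stored passwords."""
    return hashlib.sha256(database).hexdigest()


def backup_is_current(primary: Path, backup: Path) -> bool:
    """True when the backup copy is byte-identical to the keychain copy."""
    return fingerprint(primary.read_bytes()) == fingerprint(backup.read_bytes())


if __name__ == "__main__":
    # Constructed sample: two stand-in database files, not real KeePass data.
    with tempfile.TemporaryDirectory() as d:
        keychain, backup = Path(d, "keychain.kdbx"), Path(d, "backup.kdbx")
        keychain.write_bytes(b"sample-db-v1")
        backup.write_bytes(b"sample-db-v1")
        print("backup current:", backup_is_current(keychain, backup))  # True
        keychain.write_bytes(b"sample-db-v2")  # an entry changed since the copy
        print("backup current:", backup_is_current(keychain, backup))  # False
    print(generate_password(), round(entropy_bits(20, len(ALPHABET)), 1))
```

Run it monthly (or from the calendar reminder in Step 4) against the keychain stick and the backup copy to see whether the two have drifted apart.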
Small investment of time
I estimate it will take you about an hour to set up and get comfortable with your KeePass solution. It may take a few minutes per online account to change the password to a strong one and record the details in KeePass. Thus, I recommend setting up KeePass in one session and then converting your accounts to it over several weeks. Perhaps aim to convert just one or two accounts per day, starting with your most sensitive ones (i.e., email and financial accounts).
If you come up with any better solutions for securing your credentials or ways to use KeePass then please post in the comments below. My solution is just one possibility and certainly not the only right way.
* Well, the blame for hacked accounts is not always due to users with poorly constructed passwords. Many websites, including banks and providers of other financial accounts, severely limit the length and complexity of passwords used with their systems. I’m at a loss as to why. So are others.
** This is the weak spot in my solution. You could keep all copies of your KeePass database completely offline by having a duplicate copy of it residing on another USB stick that you keep separate from your keychain one (such as with your traveling partner or in your travel bag). This would work well unless you lost both copies. Alternatively, if you store your KeePass database somewhere online then you do open yourself up to a potential compromise if someone were able to obtain the database and guess your KeePass password. However, if you make your online storage password and KeePass password very long phrases of many words, numbers, and symbols then you can mitigate your risks. I recommend following this guide for creating your strong passwords. Regardless of whichever path you choose, you will still be far ahead of the general population when it comes to securing your online accounts.
*** Yes, I am sure I could envision various scenarios involving key logger spyware, but, seriously, I’m not Jason Bourne no matter how cool I think I am. Get some good antivirus software and use your head when clicking links and opening email attachments. You are just trying to stack the odds of security in your favor. Unfortunately, nothing in the world of security is perfect.