On Sunday, it came to light that Gawker had experienced a long-term break-in that leaked the username and passwords for commenters on Gawker and its related sites like Kotaku, Gizmodo, and Lifehacker. Now we know that a lot of people use “123456” and “password” as their password.
Why should you care? You may not care about a Gawker account, but if you use the same username and password for that as for, say, your Amazon account, you could be in for a world of trouble. That’s why you should use a password manager.
Ideally you should use a different password on every site. Each of those passwords should contain 12 or more randomly-generated characters and include uppercase characters, lowercase characters, numbers, and special symbols. Now: try remembering all of those. Fun, huh?
That’s where a password manager comes in. You pick one strong password to encrypt all of your other passwords and let the manager generate random passwords and remember them for you. Ideally the password manager integrates with your browser so it can automatically fill in your username and passwords once you’ve opened your encrypted password database.
If you want a solid free option, try the unfortunately-named KeePass. It saves your password to a local database that you can put on a thumbdrive, and it has a Firefox plugin that automatically fills in login forms for you. If you’d prefer something more user-friendly, try LastPass. It’s web-based, which is a little worry-making, but given how they’ve set things up that I’m comfortable using them for web passwords to services other than my email or bank sites. Pick a password manager, install it, and select a primary password for your manager. It needs to be a strong one, one that’s hard to remember, so consider writing it down and putting it in your wallet. As security expert Bruce Schneier has long been pointing out, we know how to secure bits of paper.
Once you’ve installed your password manager, you should upgrade your “123456” passwords to something much stronger. LastPass and KeePass will both generate random passwords for you to use. It’s time-consuming and annoying, but it’s worth it. Use a password with a length of 14 to 16 — hey, the password manager is remembering it for you, so you might as well use something long and hard to crack — and use every symbol possible.
Update: The LastPass blog has a tutorial on replacing old, sad passwords with shiny new ones.