Three rules for passwords:
1. Don’t type anything you want to keep private (including a password) into a website whose provenance you don’t know and trust.
2. Don’t use the same password for multiple site.
3. Use a random password if you don’t need to memorise it.
Easy to say, but hard to do. I recommend using a Password Manager to store all passwords securely, and because you’re not going to try to remember them, you can use randomly-generated ones.
Using a password manager.
A password manager lets you record your passwords in an encrypted file, so that no-one else can read them. The encrypted file has one password (you have to remember this one) but you use this to view all your other passwords and paste them into whatever needs them. No more typing them in. So you can make your passwords all different, as long and complex as you like, title them properly so you know what they are for, take copies (backups) for safety, and maybe view (and update) the same set of passwords from computer, mobile phone, tablet, etc.
There are free ones, there are ones that cost a little; some can generate new, random passwords for you, most can store other information securely – passport number, confidential notes and so on.
Three things to think about:
1. As always when downloading something from the Internet, is it safe? Might it include adverts or viruses?
2. Where does it store my passwords? Is there a possibility it is reporting all my passwords to someone else?
3. Do I want them stored “in the cloud” or locally? (There are pros and cons to each approach.)
Here’s the three I recommend to my customers:
This is the one I use myself. There are versions for Windows PC, Apple Mac, and most smartphones and tablets. The PC and Mac version are free, the phone and tablet versions cost $9.99 (to buy – that’s a one-off purchase, not an annual subscription or licence). All versions can sync with each other using Dropbox or (depending on version) Apple iCloud, Microsoft OneDrive, Google Drive etc.
Your passwords are stored locally (although if you sync them, they will of course pass over the Internet in encrypted form).
EnPass is a commercial product, made by a company called Sinew. You’ll need to decide if you trust Sinew not to be stealing your passwords, but I’ve checked to see if the product does any mysterious uploads (I couldn’t detect any) and I’ve been corresponding with Sinew and they seem fine (not always a good guide). I’ve been using the product myself for about three years and never had any problems, and certainly never had any passwords stolen. So it’s my favourite.
Another commercial product, but this one stores your passwords “in the cloud” which means you can get them from anywhere, which can be handy.
You have to sign-up and create an account to use it – it’s free on a PC or Mac (or Linux) but cost $12 per year on a mobile phone or tablet. The annual subscription put me off, but it has a large user base who all seem happy with it. Some of my customers have found it easier to use than EnPass. It integrates with your web browser(s).
This is an “open source” product – so no-one is trying to make money out of it, and anyone can download the source code and check how it works. This can be reassuring. It’s free, there’s no paid versions or hidden upgrades.
It stores your passwords locally and makes no Internet connection. It is probably the most secure of the three products here, and is very widely used.
The drawback with KeePass is that there is no version for phones or tablets.
And finally …
EnPass and KeePass will both generate strong, random, passwords (impossible to guess) if you want them to. (Maybe LastPass does as well, I haven’t checked.) But I prefer a standalone password generator, and the one I use is PW Gen (only for Windows).
Again, it’s free and open-source, and I find it works very well. Just saves me having to think up new passwords all the time.