It's holiday shopping season, and it's time for me to nag you about security. You'll likely be shopping online a lot in the coming weeks, and many of the sites you visit will require passwords. None of us have solid-state memory inside of our heads (yet), so it's easy to be sloppy with passwords. Don't. Seriously. People get hacked all the time, and it's a major pain in the butt.
Some simple advice: Use a password manager.
Password managers are applications that store all of your passwords in encrypted spaces. If, for example, you store a username and password for your bank, the manager automatically fills in the appropriate fields when you visit your banking site. Password managers can also generate passwords, fill out forms and share passwords across multiple devices.
They all require master passwords. If you lose yours, you're out of luck. The companies that sell password managers do not store master passwords, and there are no backdoors, at least none that I know of. Researchers say password managers aren't completely secure, but the risk they represent is infinitely smaller than the risk you take when you use the same password over and over again.
Over the years, I've used two manager apps – LastPass and Roboform – and both work quite well. I switched from Roboform to LastPass because LastPass used to integrate better with my Firefox browser. Roboform has since caught up on that front, though.
LastPass comes in two consumer versions, one free and one that costs $12 per year. Both work the same way: When you visit a site and register for the first time, LastPass captures your login info. The next time you visit, you're automatically logged in after you enter the master password. Both versions work across multiple computers, but only the premium version works on mobile devices.
The premium version also supports two-factor authentication, which means that when you log in you get a text from LastPass containing random characters you need to enter to complete the process. That adds a step, but if a password has been hacked, the extra authentication keeps the intruder out.
Roboform has most of the same features as LastPass and works similarly. However, it isn't free, despite what the company says on its website. If you read the fine print, you see that the free version is only good for 10 saved logins. To use it for more sites, you need to buy a yearly license for $9.95.
Roboform has a few additional features, including a Windows-Explorer-like interface you can use to edit your passwords and forms.
In my experience, I don't see all that much difference between these two password managers. I suggest trying the free versions to see which one you like better.
I've heard good things about a third popular password manager called 1Password, but it's expensive at $49.99 for the Mac or Windows version, and $17.99 for the iPhone app.
Regardless of the service you pick, do not use the same password across multiple sites. Hacks often occur on sites' servers, not on your computer. So, for example, if your bank is hacked and the Bad Guys get your password, you don't want them to be able to use it to access your brokerage account or medical records.
Oh yeah, also make sure your master password isn't something lame like "123" or "password." But you knew that, right?