If for some cruel reason I was forced to rewrite that mid-‘90s viral essay / hit single “Wear Sunscreen,” I would replace the titular advice with a simple plea: use a password manager. Like sunscreen, it can be a hassle to apply, but it’s an easy way to stop yourself from getting burned.
The reasons are simple: you need strong, unique passwords for each of your online accounts, otherwise the chances they’ll get hacked by some unscrupulous character are much higher. If your passwords aren’t strong (e.g., if they’re one of these, or if they use information like your spouse’s name and birth year) then hackers can guess them. And if you use the same ones for different sites, when some big company gets hacked (like they do all the time) your digital keys are basically available online for anyone to grab.
If I could offer you one tip for the future, password managers would be it
Password managers remove both of these problems by generating and storing complex passwords for you. The password manager lives in your browser and acts as a digital gatekeeper, filling in your login info when you need to get on a certain site. You just have to remember one (very secure!) master password for the manager itself, and everything else is taken care of for you. (For a quick introduction on creating a secure but memorable master password, check out this article.)
For this how-to, we’re focusing on three of the most popular password managers available: 1Password, LastPass, and Dashlane. They’re all easy to use and have pretty much the same features, but if we had to pick one to recommend it’d be LastPass, which is the cheapest and is available on the most platforms. (For a full comparison of these and other password managers, you should check out this guide from PC Mag and this one from The Wirecutter.)
Where do I get one?
- LastPass. Free to use with the most features (including, importantly, free syncing and two-factor authentication to mobile devices). Going premium costs $2 a month and adds password sharing and priority tech support.
- Dashlane. Also free to use with pretty much the same features, but you have to pay $3.33 a month for syncing to mobile devices, two-factor authentication, and more.
- 1Password. 30-day free trial, after which you can pay $2.99 a month for a personal account or $4.99 a month for a “family” account that supports five people. You can also buy a single lifetime license for $65.*
(*Notably, out of all the options we looked at, 1Password is the only one that lets you store passwords locally rather than in the cloud. The company has side-lined this feature lately, which has annoyed the security community, but it’s still available. For an in-depth look at this topic, check out this Medium post and this one from 1Password.)
Where are my passwords now?
Once you’ve installed your password manager of choice, you’ll need to get it set up. The first step is finding out where your passwords are now. Here are the most likely scenarios:
- Your passwords are in your browser. Chances are, the browser you’re currently using has a basic, built-in password manager that’s been quietly hoovering up your logins as you surf the web. Some password managers will automatically import passwords from your browser (see the guide on how to “import/export” below), but with others, you’ll have to manually find where your browser is keeping your passwords, and copy them over yourself. Here are guides for where to find your passwords in Chrome, Safari, Firefox, and Internet Explorer. (And these built-in password managers aren’t necessarily bad, they’re just not good enough.)
Remember: once you’ve transferred your passwords over, delete them from your browser and stop saving passwords there. This is your password manager’s job now. It’s time to move on.
- Your passwords are elsewhere on your computer. Both Windows and macOS have system-level password managers, the most common of which is Apple’s Keychain app. You can find this using Spotlight, and then just copy over or export your stored passwords like you would with your browser. You may also have your passwords stored in another password manager, in which case you’ll be able to export them in one go.
- You’ve written down your passwords in a notebook. Actually not the worst start! It means you probably have all your logins in one place, and can transfer them by hand. See the guide on how to “transfer manually” below.
How should you transfer them?
Once you’ve found your passwords, you need to get them into your password manager. You have a few different options:
- Import / export. LastPass and Dashlane let you import passwords from a number of browsers. (1Password doesn’t do this, and it’s very annoying.) This is the easiest way by far to get started. If you’re using a Mac, you might also have your login info stored in Apple’s Keychain application; export your data using the guide here.
- As you browse. If you don’t want to hand over the keys for everything to your password manager immediately, this is the best option. Just go about your business normally, and when you get the chance to enter a password online, your manager will pop up and ask if you want to save it. However: if you’re perma-logged in to lots of accounts, you’ll need to log out and log back in to upload your passwords this way.
- Transfer manually. You know how in The Karate Kid the karate kid is forced to do a series of repetitive tasks, only to learn their true value at a later date? Well, this is that part. Each password manager has a clear way to enter new credentials. Get copying.
How do I make my passwords safe?
So, this is the tedious but essential part of setting up a password manager that makes the whole thing work. Once you’ve transferred your logins, you need to make them secure. To do this, you’ll probably have to change a lot of passwords. We won’t go into what makes a good password here because, thankfully, we don’t need to! LastPass, Dashlane, and 1Password all have built-in password generators that will come up with random alphanumeric strings for you to use instead.
Use audit features to find and replace weak passwords
You will have to change the password, however. LastPass and Dashlane both have automatic password-changing tools in their apps, which claim to get the job done with a single click, but they can be a little hit-and-miss. If a company has changed the URL for its password settings, for example, you’ll still have to trawl around their site looking for the right menu. But really, you need to do this. Otherwise you may as well have never bothered with the other steps at all.
Thankfully, all these programs make this work easier with built-in password-auditing tools. They’ll check through the logins you’ve stored and point out the duplicates and easily cracked entries. Blast them all away, and with them, your security fears.
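What an audit of this kind checks, as an added Python example that is not from this article or from any of the password managers it names: it flags passwords reused across sites and entries that are short, on a common-password list, or built from personal details. The export columns, the sample data, the length threshold and the short common-password list are all constructed assumptions.

```python
import csv
import io
from collections import defaultdict

# Constructed sample export; the column names are assumptions, not any
# password manager's real export format.
SAMPLE_EXPORT = """site,username,password
mail.example,pat,Jordan1987
shop.example,pat,Jordan1987
bank.example,pat,x7#Lq9v!TzR2mWp4
forum.example,pat88,password123
news.example,pat,kT4$wZ8@nB1^eQ6y
"""

# Tiny constructed stand-in for a real list of commonly used passwords.
COMMON = {"password123", "123456", "qwerty", "letmein"}
MIN_LENGTH = 12  # assumed policy threshold for this example


def audit(export_text, personal_terms=()):
    """Return (reused, weak): sites sharing a password, and weak-entry reasons."""
    rows = list(csv.DictReader(io.StringIO(export_text)))
    by_password = defaultdict(list)
    weak = {}
    for row in rows:
        pw, site = row["password"], row["site"]
        by_password[pw].append(site)
        reasons = []
        if len(pw) < MIN_LENGTH:
            reasons.append("short")
        if pw.lower() in COMMON:
            reasons.append("common")
        # Personal details (a spouse's name, a birth year) are guessable.
        if any(t.lower() in pw.lower() for t in personal_terms):
            reasons.append("personal-info")
        if reasons:
            weak[site] = reasons
    # Report only site names, never the passwords themselves.
    reused = sorted(sorted(s) for s in by_password.values() if len(s) > 1)
    return reused, weak


if __name__ == "__main__":
    reused, weak = audit(SAMPLE_EXPORT, personal_terms=("jordan", "1987"))
    print("Reused across sites:", reused)
    for site, reasons in weak.items():
        print(f"Weak: {site} ({', '.join(reasons)})")
```

Every flagged entry is one to replace with a generated password, starting with the reused ones, since a breach at one site exposes the others.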
What about my smartphone?
Here’s where things can get a little bit annoying. LastPass, Dashlane, and 1Password all have mobile apps, all of which will autofill your passwords on the most popular sites and apps. However, Dashlane won’t sync your passwords to your mobile unless you pay for it, and the autofill functions on each app won’t work for some of your more obscure logins. (Or, sometimes, they just don’t work at all.) For those, you’ll have to copy and paste your password from the app itself. It’s a bit of a hassle, but you usually don’t need to log in to an app more than once, unless you lose your phone.
That’s it! Once you’ve loaded all your passwords into your password manager of choice and audited them, you’re all done! You’re the best, in fact: you’re the bee’s knees, the cryptographer’s keys! You’re so completely safe online that you never have to think about your passwords ever agai—
Wait. Have you set up two-factor authentication yet...?
Correction, July 24th, 13:00PM ET: A previous version of the story stated that local storage on 1Password was only available in the single license version of the software — it’s also available in the subscription model. We regret the error.
Update, August 3rd, 11.33AM ET: Updated to include information on LastPass’s new pricing scheme.