My Latest Automation: Password Management Plus Improved Security

One of the benefits I’ve found of going paperless is that it becomes much easier to automate things when the data in question is in digital form and not scribbled on a yellow notepad sitting on your desk. Since I am entirely paperless now, except that paper that comes in over which I have no control, I have been focusing my attention more and more on automating things in my life that shouldn’t require my time. I’ve done this a few time. I’ve automated how I captured data from my writing. I’ve also automated a daily almanac that tells me what I managed to do each day.

Now I am moving into more practical automation. The most practical kind of automation, for me, does a couple things:

1. It automates something that I do frequently so that I don’t have to do it.
2. It frees up the time I spend doing #1 so that I can do other things.
3. It sometimes comes with added bonuses.

In thinking about what to automate next, I tried thinking about what I do during my day, and looking at those things I do frequently. One thing I do frequently is use a lot of online sites and services, each of which has a different account, password, etc., and that means that I am entering various passwords multiple times throughout the day. It also means I have to remember a bunch of passwords, and if I get lazy and reuse passwords, I do so at the risk of compromising my online security.

So I decided to spend this weekend automating my password entry and at the same time, improving my overall security. Below, I describe what I did, but I warn you now, this is not for the faint-of-heart. I probably spent 6-7 hours this weekend doing all of this. I fully expect to recover that time through the automation it allows. But it did take an investment of time.

Before automation

I track all of my online account usage in a spreadsheet. I track the website, the login I use, a code that represents which password I use, when I last changed the password, etc. On Friday, I had 107 sites on my spreadsheet. These represented all kinds of online services, from streaming services like NetFlix to email and productivity services like Google Docs.

Before the weekend, my strategy for passwords was to use about half a dozen of them, and scatter them across all sites by differing levels of security. For sites that required high security, I would use one password; for very low security sites (that I didn’t care much about) I’d use another. This grew to about 6 over time and they were divided up so that if my password was compromised for, say, my social networking sites, it would not be compromised for my email.

I found that despite things like remembering passwords on my home machines, I was still entering passwords a dozen or more times a day. In many of these cases, it was for sites I didn’t access as frequently, and I was constantly checking my spreadsheet to see which login and password to use.

My goals for the weekend were as follows:

1. Create a unique, strong password for every site. Put another way, never reuse a password. This is the highest level of password security you can get. If someone gets my password for, say, Twitter, that password is only good on Twitter. It won’t work anywhere else. What’s more, it’s a long, randomly-generated string that includes all four classes of password characters (upper and lowercase letters, numbers, and symbols).
   
2. Use 2-factor authentication wherever possible. This adds a little overhead to some sites, but it greatly enhances security. What 2-factor authentication means is that when you log into a site, you put in your password, you are then prompted for a code, which is sent to you directly by another means–text message to your phone for instance. You enter the code texted to your phone and then you are allowed into the site. Usually, you only have to do this once per access point. It makes things much more secure because even if someone got my password, they’d be asked for a code and that code would be texted to my phone.
3. Find a tool that would allow me to automatically log into sites using these passwords. There is no way I am going to memorize 107 unique, long passwords, but there are tools out there that can do this for me. What’s more, they do it securely, and can be added right into my browser so I don’t have to think about it.

After some research, the tool I picked was LastPass. LastPass is a cross-platform browser plugin that does everything I describe above. It manages all of your passwords, it provides a security assessment of your passwords. It can generate passwords for you on the fly, according to a configurable set of rules. It stores the encrypted version of the password in the cloud. But–and this is important–the encryption and decryption is done locally as opposed to LastPass’s servers–making it much more secure. There are apps for the iPhone and iPad, and it works on my Google Chromebook.

How I automated this process

1. I downloaded LastPass, watched the instructional videos and read through some of the documentation. (I am a documentation-first reader.)

2. I installed the LastPass plugin for Google Chrome on my iMac and Chromebook.

3. I created my LastPass account. This involves creating a master password which unlocks everything else.

4. I opened up my spreadsheet, and for each of the 107 accounts/sites listed, I went to the site, logged into the account with my old password, changed the password to one randomly generated by LastPass, updated my spreadsheet and tested out the site to make sure I could still get into it. This took a long time. I think the bulk of my weekend was spent doing this.

LastPass does make this fairly easy. Whenever you log into a site, LastPass asks if you want it to remember the login information. If you say yes, it creates a record which stores the information. Then, when you go to change the password, LastPass does 2 things:

1. It offers to generate a random password for you. If you take the offer you see a screen that looks like this:
   You can tweak the settings and regenerate it. Or you can use what is suggested. Also, for some sites, instead of the “Copy” button, you see an “Accept” button. Clicking that button automatically populates the change password form with the new password.
2. When LastPass detects a password change for an account it already manages, it asks if you want to update the account.

I also took advantage of this process to review and verify other settings on these accounts. If I was no longer using a service, I deleted the account.

The results

I am just starting to experience the results this morning. When I open my browser in the morning, I log into the LastPass plug-in to activate it. That is the only time I should have to type a password all day long.

When I got to a website that requires a login, LastPass detects it and uses the settings I’ve made for that account to determine what to do. For instance:

1. It can do nothing. I can right-click on the login or password box and select a menu option that fills in the item for the account manually.
2. It can populate the boxes with the login and password but take no further step.
3. It can populate the boxes and login to the account.

Generally, it does the latter for me. Meaning that when I go to, say United Airline’s website and want to check my miles, I no longer have to remember anything. I simply go to the sign-on page, wait a second while LastPass logs me in and I’m all set. No remembering a password, no typing a password, and best of all a much higher level of security than before.

Hiccups and gotchas

I didn’t really run into too many problems. There are a couple of websites that don’t seem to allow LastPass to auto populate its login fields. In those cases, I can simply right-click in the password box and click the “Populate password from LastPass” option. Those were few and far between.

About the only real probably I ran into was with my Chromebook. I changed my Google password and then restarted my Chromebook and could not log in with either the old or new password. After some quick online research, it seemed that the update to the Chromebook could take a little while. I think it took an hour. After an hour, when I attempted to log into the Chromebook with the new password, it worked fine.

Some devices can be tricky. I had to update the password for NetFlix on the Apple TV. To do this, I had to look up the randomly generated password in LastPass and then use the Apple TV remote to type in the 15-20 character password. Fortunately, you only have to do that once.

Some sites have password rules that thwart more complex passwords. I discovered about a dozen places, for instance, where a password could not include a symbol ($%^&, etc.). In these instances, I had LastPass generate the longest possible password without symbols the site would allow. So if the site allowed a 20 character password but no symbols, I set the password length to 20 characters.

---

I think this is both a very obvious and very practical place to automate. There is a serious time investment in doing it, and you have to be comfortable with the software and technology, but I found that the latter wasn’t difficult to use. With half the day gone, it’s probably saved me from having to type or lookup a password half a dozen times. Multiply that out by a year and you can start to see the serious amount of time and frustration you save.

Moreover, if any one of my passwords is compromised, it can only be used for the one site to which it belongs. It won’t work on any other site, since I never used a duplicate password.

LastPass is not the only tool out there that does this kind of thing. 1Password is another product, for instance, but LastPass seemed to me to be the most practical cross-platform product. Also, keep in mind that LastPass is designed for the web. It does not work for applications on your computer that require passwords. For those, you have to use other tool.