- Go to Have I Been Pwned and see how many breaches you’ve already been in.
- Make sure your email and internet banking passwords are not the same as anything else.
- Set up a password manager if you can.
- Set up 2 Factor Authentication if you can.
For password management, there are great products on the market, like LastPass, 1Password, and Dashlane. I’ve tried them all, and they have some rough edges for non-techs but generally work pretty well.
But they cost money. And you have to place some trust that the service providers have done their jobs correctly making sure an attacker can’t steal your passwords. I don’t actually use any of these services any more because I’m willing to undergo the additional frustration of a more hands-on solution. This hands-on solution is free, if you don’t factor in your own time spent setting it up.
- I use KeePassXC for creating and managing my passwords on my desktop.
- I store the passwords.kdbx that KeePassXC uses in my Google Drive.
- I use Keepass2Android on my phone (Android) to access my passwords.kdbx via Google Drive.
What I get with this is a cross-platform open source password management solution with mobile integration, and I can add fingerprint auth to the mobile app for quick unlock. Feature-wise, it’s about as good as it can be for the base services offered by LastPass and the rest. If I was concerned about the Google Play store “compromising” the Keepass2Android app, then I always have the freedom to use the F-Droid store to install one of the Keepass-compatible apps there too.
I keep a hard copy of my password stored in a safe place in case of emergency, and every 6-12 months (basically whenever I remember to) I take an offline backup of my password database.
It’s not all rosy with this setup:
- I sometimes get sync issues between the desktop and phone. I have lost passwords before because of this (but can always do a password reset with the services that were forgotten).
- The Keepass2Android app sometimes updates and forgets all of its settings, like even where my password database is.
- The Keepass2Android app sucks at autofill. E.g. if you have the Twitter app open, it won’t find the Twitter credentials automatically, it’ll try to find “com.android…” as the entry in the database.
- Without a good Google Drive app on Linux, that’s the only system that is tricky to work with for sync. Other cloud storage providers work fine too, I just pay for Google Drive so I might as well take advantage of it.
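The offline backup step above is the part of this setup that saves you when a sync goes wrong, so here is a small script for it. This is an added example, not something from the original post or from the KeePassXC / Keepass2Android projects: it copies the database out of the synced folder into a timestamped backup directory, refuses to back up a file that no longer carries the KeePass 2.x header (the kind of zero-length or half-written artefact a bad sync can leave behind), and records a SHA-256 alongside the copy so a later `verify_backup` can confirm the backup is still intact without needing the original. The file names and directories are assumptions; the two header constants are the documented KDBX 2.x signature values.

```python
"""Offline backup of a KeePass .kdbx database with integrity verification.

Added example for the DIY password-manager setup described above; paths are
assumptions, and the sample database written in __main__ is constructed
(a valid header followed by filler bytes, not a real encrypted database).
"""
import hashlib
import shutil
import struct
import tempfile
from datetime import datetime, timezone
from pathlib import Path
from typing import Optional, Tuple

# KeePass 2.x file signature: the first two little-endian uint32 values of a .kdbx file.
KDBX_SIG1 = 0x9AA2D903
KDBX_SIG2 = 0xB67B67FB


def sha256_of(path: Path) -> str:
    """Stream the file through SHA-256 so large databases do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def is_kdbx(path: Path) -> bool:
    """Reject empty, truncated or non-KeePass files before they are backed up."""
    with path.open("rb") as fh:
        head = fh.read(8)
    if len(head) < 8:
        return False
    sig1, sig2 = struct.unpack("<II", head)
    return sig1 == KDBX_SIG1 and sig2 == KDBX_SIG2


def backup_kdbx(src: Path, backup_dir: Path,
                when: Optional[datetime] = None) -> Tuple[Path, str]:
    """Copy src to backup_dir/<stem>-<UTC stamp>.kdbx, verify the copy, write a .sha256 sidecar.

    Returns the backup path and its SHA-256 hex digest.
    """
    if not is_kdbx(src):
        raise ValueError(f"{src} does not look like a KeePass 2.x database; not backing it up")
    when = when or datetime.now(timezone.utc)
    stamp = when.strftime("%Y%m%dT%H%M%SZ")
    backup_dir.mkdir(parents=True, exist_ok=True)
    dest = backup_dir / f"{src.stem}-{stamp}.kdbx"

    expected = sha256_of(src)
    shutil.copy2(src, dest)
    actual = sha256_of(dest)
    if actual != expected:
        # A copy that does not hash-match the source is worse than no copy: remove it.
        dest.unlink()
        raise IOError(f"backup of {src} to {dest} failed integrity check")

    sidecar = dest.with_name(dest.name + ".sha256")
    sidecar.write_text(f"{expected}  {dest.name}\n")
    return dest, expected


def verify_backup(dest: Path) -> bool:
    """Re-check a backup against its recorded hash and the KDBX header."""
    sidecar = dest.with_name(dest.name + ".sha256")
    if not sidecar.exists():
        return False
    recorded = sidecar.read_text().split()[0]
    return is_kdbx(dest) and sha256_of(dest) == recorded


if __name__ == "__main__":
    # Constructed demo: a file with a valid KDBX header and filler, in a temp directory.
    work = Path(tempfile.mkdtemp())
    sample = work / "passwords.kdbx"
    sample.write_bytes(struct.pack("<II", KDBX_SIG1, KDBX_SIG2) + b"\x00" * 64)
    path, digest = backup_kdbx(sample, work / "backups")
    print(f"backed up to {path}\nsha256 {digest}\nverified: {verify_backup(path)}")
```

Point `backup_kdbx` at the database in your synced folder and a directory on a drive that does not sync anywhere; run `verify_backup` on the copy before you ever need it, because a backup that fails the header check is exactly the kind of file a broken sync produces.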
So ultimately you don’t need to pay someone for a password management solution, you can take a more DIY approach. And if you’re a luddite, you can even get a physical book to store your passwords. Whilst that book is fundamentally flawed if you leave it lying around in the open, it’s still impervious to hacking from someone overseas (just keep it locked up somewhere, and maybe a backup copy at a trusted location in case of a house fire).