Stop! Before you read any further, try something for me….
Go to HaveIBeenPwned.com and enter your email address. Don’t worry, it’s safe. While you’re there, why not try both your personal email address and your school email address?
When you’re done, come back and continue reading….
Back? Okay, let’s continue.
There’s a very good chance that you received a message like the one below. If you did, it means that your email address and password were involved in a data breach sometime in the past. Don’t worry if they were; I’m going to run through the best way to secure your account below.
What is a password manager?
I’ve worked in schools for more than 20 years, so I understand the frustration of having to seemingly use a hundred different passwords for different education apps. Because of that, I also understand the temptation to use the same password for every account, use a really short password, or write your passwords in the front cover of a mark book or on a Post-It.
But as we become increasingly reliant on services like Microsoft 365 and Google G Suite to secure our school’s most sensitive data, it’s essential that we treat our passwords like gold.
Imagine a scammer got access to your school password. What could they access? Your school MIS/SIS system? Your personal teaching resources? Who could they communicate with under your identity?
That’s where password managers come in. Password managers are apps that remember all your passwords for you. When you need to log in to a website, your password manager knows which password to use and logs in automatically. When you need to create a new password, your password manager creates the most secure password possible and stores it away safely for future use.
You’ll never have to remember a password again.
Using a password manager also means that you can use a different password for every account you have, and each of those passwords can be so long and complicated that neither man nor machine will ever be able to crack them.
Popular password managers include:
Most password managers also sync passwords across all your devices. So, if you’re on your iPhone waiting for a train, you’ll still be able to access your bank account with the login information stored on your laptop.
There are lots of password managers available. Some are apps that you can install (like LastPass); others are built into your web browser or operating system. We’ll look at each of these options below and outline the pros and cons.
Why use a password manager?
You might have heard of password managers before. In fact, you might already be using one without realising it. Web browsers like Google Chrome and Microsoft Edge have password managers built-in, and smartphones like iPhone and Android provide their own versions built right into the operating system.
But using a built-in password manager may not be the safest solution.
Keeping your most sensitive data, like your bank account information, access to your personal photos, and your school logon account, tied to your web browser is convenient, but not the most secure.
Anyone using your device can access your information, and if your passwords sync back to your school (as is the case with Google Chrome and Microsoft Edge), anyone with access to your school account may also be able to log in to your accounts.
Password managers like LastPass and NordPass keep your passwords separate from other applications installed on your smartphone or laptop. They also create extremely strong random passwords, proactively check that none of your passwords have been hacked or compromised, and automatically change passwords which might be at risk.
Password Managers can prevent phishing attacks
By far the biggest threat to your personal and school data is phishing. This type of attack, which I wrote about recently, is becoming so common and so sophisticated that even the most technically savvy person can easily be caught out.
A phishing attack is when a scammer sends you an email that directs you to a fake website. Often these websites contain an official school logo, and, in several attacks I’ve seen recently, the scammers have copied entire pages from the school’s website. When you enter your password into one of these fake sites, the scammer has complete access to your account and all the data held within, and you often won’t know about it until it’s too late.
Using a password manager can significantly reduce the risk of getting caught out by a phishing attack by automatically detecting that a website is fake and refusing to enter your password. LastPass is extremely good at highlighting when a website is not genuine.
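One way the check described above can work, shown as an added illustration (not code from this article or from LastPass): each saved login is tied to the exact site address it was stored on, and autofill is refused anywhere else. The vault entries, usernames and URLs are constructed, and the exact-match rule is a simplifying assumption.

```python
from urllib.parse import urlsplit

DEFAULT_PORTS = {"https": 443, "http": 80}

# Constructed vault entries: the address each login was saved on.
VAULT = {
    "https://accounts.google.com/": "teacher@school.example",
    "https://portal.school.example/login": "j.smith",
}


def origin(url):
    """Reduce a URL to (scheme, host, port), the part autofill compares."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").rstrip(".")  # hostname is already lowercased
    port = parts.port or DEFAULT_PORTS.get(scheme)
    return scheme, host, port


def autofill(page_url, vault=VAULT):
    """Return the saved username for this page, or None to refuse to fill."""
    page = origin(page_url)
    if page[0] != "https" or not page[1]:
        return None  # never fill on plain HTTP or a URL with no host
    for saved_url, username in vault.items():
        if origin(saved_url) == page:
            return username
    return None  # unknown site: nothing is filled, so the user stops and looks


# Constructed examples: one genuine page and three look-alikes.
PAGES = [
    "https://accounts.google.com/signin",
    "https://accounts.google.com.signin-check.example/signin",
    "https://portal.schoo1.example/login",
    "http://portal.school.example/login",
]

if __name__ == "__main__":
    for url in PAGES:
        print(f"{url:58} -> {autofill(url) or 'REFUSED'}")
```

A copied logo or page layout makes no difference to this comparison; only the address is checked, which is why a refusal to fill is a signal worth acting on.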
Use a different password for every account
It’s unlikely that passwords from any of the big internet companies will be compromised. Google, Facebook, and Microsoft are all about as secure as you can get. But if you use the same password for several accounts, a scammer doesn’t have to hack Google to access your school Google account. They just have to hack another, weaker service or app that you use the same password for.
The password of an old account that I used to use was recently compromised. I received an alert that this had happened because I was signed up to HaveIBeenPwned. When the breach occurred, I started receiving repeated password reset alerts on my Google account, my Facebook account, my Instagram, and my Microsoft account.
Someone had taken a list that contained my password and was systematically testing popular services and apps with the login details. Had I not been using a password manager and used the same password for each of those accounts, every account I owned, and all the personal data, would have been compromised.
Always let your password manager create passwords for you
Because you don’t have to remember any passwords stored in your password manager, they can be extremely long and complex. Your password manager will automatically create and store complex passwords for you with just a few clicks, so your account will be as secure as possible with minimal work.
Isn’t this putting all my eggs in one basket?
It’s true that storing all your passwords within a single service creates additional risks. To deal with this, most popular password managers — LastPass in particular — store your passwords within an encrypted vault that only you have access to. Not even the company itself can access your data. Even if a hacker did get access to your vault, they couldn’t use it without both your password and a two-factor authentication code.
LastPass also supports USB Yubikey fobs if you would rather use an additional device to sign on.
Use two-factor authentication on all your accounts.
Two-factor authentication, sometimes called multi-factor authentication, adds an additional step when logging in to your accounts. To access an account with two-factor authentication enabled, a scammer would need your username or email address, your password, and a code or authorisation token from a fob or mobile app.
Most popular services like Facebook, Instagram, Microsoft 365, and Google G Suite support two-factor authentication, and most password managers do too.
If you use online banking, you’ve already used two-factor authentication in the form of an electronic fob or a code generator on your smartphone.
Popular two-factor authentication apps include Google Authenticator and Microsoft Authenticator. But password managers also often manage your two-factor authentication accounts for you. LastPass has its own optional two-factor authentication feature built into its mobile app.
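How an authenticator app's six-digit code is derived and checked, as an added example that is not part of the original article: Google Authenticator and Microsoft Authenticator produce time-based one-time passwords (TOTP, RFC 6238) from a secret shared with the service when you enrol. The secret below is the RFC's published test value, and the function names are illustrative.

```python
import hashlib
import hmac
import struct
import time


def totp(secret, at, digits=6, step=30):
    """RFC 6238 code for the time window (default 30 s) containing `at`."""
    counter = struct.pack(">Q", int(at) // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation from RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def verify(secret, submitted, at, drift=1, step=30):
    """Accept the current code or one window either side, for clock drift."""
    ok = False
    for n in range(-drift, drift + 1):
        expected = totp(secret, at + n * step, step=step)
        # Constant-time comparison, and no early exit on a match.
        ok |= hmac.compare_digest(expected, submitted)
    return ok


# Shared secret taken from the RFC 6238 test vectors (not a real account).
SECRET = b"12345678901234567890"

if __name__ == "__main__":
    now = time.time()
    code = totp(SECRET, now)
    print("current code:", code)
    print("accepted now:", verify(SECRET, code, now))
    print("accepted 5 minutes later:", verify(SECRET, code, now + 300))
```

Because the code depends on both the enrolled secret and the current time, a password taken from a breach list is not enough on its own, and a code that is seen once stops being accepted within a couple of minutes.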
Recommended Password Managers
LastPass is the number one password manager in the business and has held that position for some time. It has apps available for most platforms and syncs passwords between all your devices.
LastPass offers a free account, which has all the features you need to secure your passwords and accounts, but if you really want to secure all of your teachers’ accounts, there’s also a team version available which lets you provide LastPass accounts to all of your teachers, managed by your IT team.
LastPass also features a security check which automatically checks whether any of your passwords have been compromised and offers to automatically change them for you.
NordVPN has apps available for all popular platforms and can also sync your passwords between devices.
Cost: Free personal version, including device sync, but the paid version is needed to use it on more than one device at a time.
Dashlane is another popular password manager. The benefit of using Dashlane is that even with the free version, you get access to most features, although you are limited to storing 50 passwords. Once you upgrade to the paid plan, which is very cheap compared to other apps, you get all the features and unlimited password storage. It’s an interesting model that allows you to fully test out the app before you buy it.