Considering that there have been two security breaches in the past few days, both here at our very own BHW and at Yahoo as well (though they're not the same in nature), I have decided to put together a guide detailing how to effortlessly manage all of your passwords and keep them as secure as humanly possible. Frankly, I was a bit shocked to see that many people, even here on BHW, use the same passwords for multiple sites. Hopefully this guide will help a lot of people overcome the habit of reusing one password across sites. Let's get to it, shall we?

My online security system is based on 4 tools:

- LastPass
- KeePass
- Dropbox (optional)
- Google Two Factor Authentication

All of these tools are free and available on all major platforms. In this guide I'll be covering how to secure all of your passwords and have them available on all the computers and other devices that you have (primarily tablets and smartphones). With my system you will only have to remember 2-3 passwords:

- Your email password (optional but highly recommended)
- LastPass master password
- KeePass master password

LastPass

I'll try to be short here. LastPass is basically a browser extension (or plugin) on the front end. Once you set it up, it will generate a unique password for each site you register on and save it. The next time you visit the same site it will automatically fill out the login form, so you can just click Login and that's it.

I recommend that you use a password generator for these 3 passwords: since there are only a few of them, everyone should be able to remember them, and chances are you won't change them for years.
A nice password generator I use sometimes is http://www.pctools.com/guides/password/

NOTE: Use these passwords only for their respective service, not for ANYTHING ELSE.

After a few weeks of use the passwords will be burned into your memory and you should have no problem remembering them, but just in case, print them out and store them somewhere safe. Just make sure that you don't indicate which password is for what, so even if someone finds the printout they won't have a point of reference to determine what each one is for. Moving on.

Since we're on BHW I don't think that I have to teach you how to install a plugin in your web browser. Once you install LastPass, sign up and set up your master password, make sure that you DON'T enable the Remember Password option. You should type your master password into LastPass every time you log in; that is essential. It is OK to remember your email though.

Once that's done, proceed to enabling two factor authentication. I won't explain this step by step in detail here; for instructions on how to set up Two Factor Authentication please see the following:

http://support.google.com/accounts/bin/answer.py?hl=en&answer=1066447
http://helpdesk.lastpass.com/security-options/google-authenticator/

Once you've set up Two Factor Authentication, also make sure that you DON'T mark your computers as trusted. If you do, it won't prompt you to enter your "token" code every time you log in to LastPass, and that's the whole point here.

At this point you're pretty much done when it comes to LastPass. When you now register on a site, LastPass should prompt you to generate a password for the registration; if you accept, it will automatically fill in the password in the registration form and save it. If it doesn't, you can just click on the LastPass icon in your browser and go to Tools -> Generate Secure Password.
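As an added example (not from the original post), here is how the two ideas above look in code: drawing a password from the OS CSPRNG the way a password manager's generator does, measuring its entropy, and auditing an exported password list for the reuse this guide warns against. The CSV columns (Title,Username,Password) and the entries are constructed for the demo; real KeePass or LastPass exports use their own column names, so adjust the two keys in find_reuse to match.

```python
# Added example, not part of the original post. Generates random passwords the
# way a password manager does and audits an exported list for reuse.
import csv
import io
import math
import secrets
import string
from collections import defaultdict

# Letters, digits and punctuation: 94 symbols.
ALPHABET = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character from the OS CSPRNG (secrets), not random.random()."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def find_reuse(csv_text: str) -> dict[str, list[str]]:
    """Group entries of a CSV export by password and return only the
    passwords shared by more than one entry, mapped to the entry titles."""
    by_password: dict[str, list[str]] = defaultdict(list)
    for row in csv.DictReader(io.StringIO(csv_text)):
        by_password[row["Password"]].append(row["Title"])
    return {pw: titles for pw, titles in by_password.items() if len(titles) > 1}


# Constructed sample export (Title,Username,Password); not real data.
SAMPLE_EXPORT = """Title,Username,Password
Forum,alice,hunter2
Webmail,alice@example.com,hunter2
Bank,alice,Q7#vR2!kLm9pZx$w
"""

if __name__ == "__main__":
    for titles in find_reuse(SAMPLE_EXPORT).values():
        print(f"one password shared by {titles}; replace with e.g. {generate_password()}")
    print(f"a 20-char password from this alphabet has ~{entropy_bits(20):.0f} bits")
```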
The next time you visit the site it should automatically fill out the login form. Again, if it doesn't, just click the LastPass icon and it will show you the password entry at the bottom of the dialog; from there you can copy the username and password and paste them into the login form. LastPass will then ask you if you want to save your new login, and if you click Yes it will automatically fill out the form in the future.

KeePass

I use KeePass for my important website passwords and non-website passwords. I won't be going into much detail on how to set up KeePass as there is a very good article on how to do so on Lifehacker:

http://lifehacker.com/5063176/how-to-use-dropbox-as-the-ultimate-password-syncer

If you want to sync your password database across computers you can use Dropbox; that part is also explained in the Lifehacker article I linked. One thing that isn't covered in the article, however, is using the KeePass database on a mobile device. I have an iPhone and use MiniKeePass with Dropbox for iPhone for this, but there are many KeePass apps for iPhone so your choice isn't limited to MiniKeePass.

Securing your Gmail (Google Apps email)

You should first change the password for your primary email account and set up a new one, just like you did for LastPass and KeePass. Now that your email has a secure password, proceed to two factor authentication. Since it's already enabled for your account, you just have to add it for your email as well, the same way you did for LastPass. The first time you log in to your email with two factor authentication enabled it will ask you to Remember this computer for 30 days, just like LastPass did, and you SHOULD NOT do that here either, since it defeats the purpose of two factor authentication to some degree.
That's basically it. Once two factor auth is set up and you have a unique password for your mail that isn't used anywhere else, your account will be extremely secure, because for anyone to gain access to it they would have to get hold of both your password and your mobile device for the "token" code.

NOTES

After you enable two factor authentication you can't use your normal Google account password to log in to software that requires it and third-party services like the Reeder app, for example; for those you have to set up an Application Specific Password in your Google account. For more details on how to do this please see:

http://support.google.com/accounts/bin/answer.py?hl=en&answer=185833

After you enable two factor authentication you should also print out some backup codes for your Google account. Backup codes are, as the name suggests, a way to log in to your account just in case you lose access to or accidentally delete the "token" app on your phone. I personally have 2 copies printed out and hidden where they're both safe and where nobody has access to them.

EXTRA BONUS - ENHANCE PAYPAL SECURITY

What always extremely bothered me about PayPal was that they're basically a banking institution and yet they're no more secure than your email account. Heh, actually they're less secure in some ways. I couldn't get my head around the fact that they're not offering a token-like device for all of their customers; they do, however, offer a token for US customers. Unfortunately, again, it costs money and you have to wait for it... it's a hassle. Fortunately, for once at least, you can use a free app called VeriSign VIP Access as your security key or token.
Basically you download the app to your iPhone or Android device, follow the steps in the app until it's activated, and then go to the following link:

https://www.paypal.com/us/cgi-bin?c...curitycenter/PayPalSecurityKey-outside&bn_r=o

Click on Activate Now; you'll be prompted to log in to your PayPal account, then just click on Activate Token on the next page and follow the steps. That's about it: your account now has two-factor authentication, so any nasty script kiddie or cracker trying to get his greasy little hands on any of your passwords will find a hard nut to crack.

____________________

Phew, that was a long one. If you have any questions, please feel free to ask.