You use the same password for lots of different websites. It’s OK. Everyone does it. No matter how many times your IT guy, nerdy friend, or even Slate tells you to use a different password on every site, no one does it because it would be too hard to keep track of all of them. Of course, as numerous hacks of large companies over the years remind you, if you use the same password on your bank account that you use for buying a framed picture of your dog, then someone who hacks the framing site will also have the credentials to get into your bank account.
That’s where a password manager comes in handy. Password managers are apps for your phone, browser, and desktop that let you remember just one password to unlock your unique passwords for every other site and service. You download the app and then use it to generate and save new, unique passwords as you browse the web. Some managers (LastPass, at least) will even let you import existing saved passwords from browsers like Chrome.
Step 1: Choose a password manager. There are lots of options out there—LastPass, 1Password, Dashlane, and KeePassX to name a few. If you’re a Mac user and don’t mind spending money on software, 1Password will probably be your best option. It costs $35.88 per year. PC users will likely want to choose LastPass (free, or you can get a “premium” version at $12 per year). If you’re an open source fan, KeePassX (free) is where it’s at. Many of these password managers allow for exporting and importing your various account credentials, so even if you feel like you chose the wrong one, don’t feel like you’re locked in. The Wirecutter has a guide featuring its top picks. All of these do essentially the same thing: They keep an encrypted list of your usernames and passwords that only your master password can unlock.
Step 2: Download and install the app and its various other accessory apps. The best password managers have lots of different ways to run them. You should install as many of them as you can. This is the place where you will get your usernames and passwords for logging into everything—so you’ll want to be able to access it no matter where you are. If there are browser extensions, install them. Phone apps? Install those, too.
As part of the installation, you’ll be asked to come up with a master password. Take this part very seriously. This is the last password you’ll need to remember, but it is the key to all the other ones … so it needs to be very good. It should be long. Like sentence-long. You’re also going to have to type it frequently, so choose something that you can type without typos.
Step 3: I recommend that you write that one important password down on a piece of paper, put it in a locked box, and reveal its location to one person you would trust with all your money. You may also want to walk said person through how your password manager works. We’re not all on this earth forever, and I shudder at the idea that my spouse wouldn’t be able to shut down my Twitter accounts after I pass away.
Step 4: This one isn’t mandatory, technically, but it’s smart. Use your new password manager to create a strong and unique password for your email (which you should also have two-factor authentication on … a different article). Many sites reset passwords by emailing you a reset link, so an attacker who knows the password to your email account can start resetting and accessing any of your accounts on the web that they know are associated with your email address.
Each password manager has a different way to generate passwords.
You don’t need to change all of your other passwords immediately (though it wouldn’t hurt, if you have the time). Instead, each time you have to enter that same old password, use your password manager to generate and save a new one that’s unique for that site. Again: You don’t ever need to remember them. The best programs will even keep a history of the passwords they’ve generated.
Step 5: Go wild. Many password managers support storing not just passwords but any files you might want to keep secret. You can upload files, like that digital PDF of your tax returns that contains your Social Security number and birthdate. You can put in the passport numbers for you and the rest of your family.
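The habit from Step 4, replacing a shared password with a generated one that is unique to each site, looks like this as an added example (not code from this article or from any of the password managers named above). The vault entries, site names, alphabet, and function names are all constructed for illustration.

```python
import secrets
import string
from collections import defaultdict

# Constructed sample vault entries (site, username, password); not real data.
VAULT = [
    ("bank.example", "pat", "Fluffy2016!"),
    ("frames.example", "pat", "Fluffy2016!"),
    ("mail.example", "pat@mail.example", "Fluffy2016!"),
    ("news.example", "pat", "x9$Lq0-unique-already"),
]

# Assumed character set; real sites differ in which symbols they accept.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_"

def generate_password(length=20):
    """Return a random password drawn from the OS CSPRNG via `secrets`."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        # Retry until the common "upper, lower, digit, symbol" site rule is met.
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)
                and any(not c.isalnum() for c in pw)):
            return pw

def find_reused(vault):
    """Map each password used on more than one site to the sites sharing it."""
    sites = defaultdict(list)
    for site, _user, password in vault:
        sites[password].append(site)
    return {pw: s for pw, s in sites.items() if len(s) > 1}

def rotate_reused(vault):
    """Return a new vault with every reused password replaced by a unique one."""
    reused = find_reused(vault)
    seen = {pw for _site, _user, pw in vault}
    rotated = []
    for site, user, password in vault:
        if password in reused:
            password = generate_password()
            while password in seen:  # guard against an unlikely collision
                password = generate_password()
            seen.add(password)
        rotated.append((site, user, password))
    return rotated

if __name__ == "__main__":
    for sites in find_reused(VAULT).values():
        print("same password on:", ", ".join(sites))
    print("still reused after rotation:", len(find_reused(rotate_reused(VAULT))))
```

After rotation, a breach of the framing site in this sample exposes only the framing site's password; the bank and email entries no longer share it.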
It may be a bit of a pain to set up the password manager and start using unique passwords for every site. But from now on, when you hear that a website has been hacked, you can safely assume that only your information on that site has been exposed. And that’s a pretty good feeling.
This article is part of the cybersecurity self-defense installment of Futurography, a series in which Future Tense introduces readers to the technologies that will define tomorrow. Each month, we’ll choose a new technology and break it down. Future Tense is a collaboration among Arizona State University, New America, and Slate.