Originally posted on Network World
I admit it: I sometimes suffer from “security fatigue,” and I bet you do, too.
If you’ve ever reused a password for a new site login, thinking the site isn’t that important, you suffer from it. If you’ve clicked on a tempting email offer or social media request, even if it looked sketchy, you’ve got it. And if you’ve sent a business document to your private e-mail so you can keep working on it at home, you’ve definitely got it.
You’re not alone. Security fatigue is a bug the majority of us have. A NIST study this fall reported that most people don’t do the right thing when it comes to cybersecurity because they’re too lazy, too hurried, or not convinced that they are a target for cybercrime.
The study summed up a problem we all know is true. Comb through the stories about security fatigue and you’ll find many figures citing the prevalence of the problem—91% of people in the NIST study report reusing passwords across sites, for example. And even as surrounded by security-conscious folks as I am, I’ve yet to meet one person who claimed they never, ever succumb to the disease.
There must be an “easy” immunization for this disease, I figured. So I decided that I’d try to inoculate myself against my worst symptoms. I started at home: with me and my wife, and our cobbled-together approach to password management. It was time for me to quit saying “Use a unique password for every site!” and not doing it. I needed to overcome laziness (and hypocrisy) and start using a password manager. Boy, has it been hard! Here’s how my battle to overcome security fatigue went, in 6 “easy” steps:
Step 1: Select a Password Manager
This was the easiest part. There are numerous options out there, and ample reviews from reputable sources to help you make a choice. I chose Dashlane, but I could well have gone with LastPass, KeePass, 1Password, or several others. But let me say this: if an app promises that it’s going to be simple, it’s a lie. You are about to change a deeply ingrained habit and it’s going to be hard.
Step 2: Prepare Yourself
Whatever you do, do not tell yourself “this is going to be easy.” Because if you do that, you are doomed. Read up on what’s involved in fixing all your past sins when it comes to passwords, and steel yourself for the work ahead. If you don’t like to delude yourself (I don’t), recognize that it’s going to take commitment and you’ll be ready for the next, and hardest, part.
Step 3: Prepare Your Spouse (optional)
If you are in a relationship where you share access to financial information or any form of password-protected information, recognize at the outset that choosing to use a password manager is a major relationship decision, like having children or inviting your mother to live with you. So don’t think you can do this yourself—you’re going to have to get the buy-in and participation of your partner.
Tell them it’s going to be arduous and painful and incredibly time-consuming. It’s going to require that they learn some new habits and commit themselves to doing the right thing EVERY SINGLE TIME they create a new login and EVERY SINGLE TIME they need to change an old login. If you tell them it’s going to be easy, you’re doomed.
Also, get ready to beg for forgiveness. Because even if you tell them all of the above, the process of fixing all your passwords and developing new habits is going to be painful. They’re going to blame you and take their frustration out on you. You’re going to have to say, again and again, “I know, honey, but we both agreed that it would be worth it for us to do the right thing, and I promise it will get easier with time.”
All of this advice is given in the context of me having a wife who is reasonable, intelligent, and willing to humor a husband who really believes in the importance of password security. If your spouse is a belligerent numbskull who thinks you’re prone to hare-brained ideas, give up now.
Step 4: Do the Work!
Doing the work—identifying reused passwords, going to each and every site to create new credentials, and killing access to sites you no longer use—isn’t the hard part, it’s the tedious part. And it takes HOURS, but it’s the only way to sort out the mess you’ve created through years of bad habits. I had over 700 different logins (including multiple logins to the same site), with numerous passwords classified as weak, reused, old, or compromised. And I had to start the work of fixing all of these.
Honestly, that work is not yet done. I set aside about 30 minutes every week to chip away at the stack, and it’s gratifying to watch my security score (a number that’s reported on my Security Dashboard) slowly increase. It’s going to take a while to finish, but I’ve made good progress, and I can see the end of the tunnel.
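As an added illustration of the triage in Step 4 (not the author's code, and not how Dashlane computes its Security Dashboard score), here is a small audit over a constructed vault export that flags logins as weak, reused, or old; the score formula and the thresholds are my own assumptions, and the "compromised" category is left out because it needs breach data.

```python
"""Audit a password-vault export for weak, reused and old passwords.

Added example. The sample vault, the thresholds and the scoring rule are
constructed assumptions, not Dashlane's or any other product's logic.
"""
from collections import defaultdict
from datetime import date

# Constructed sample export: (site, username, password, last_changed)
SAMPLE_VAULT = [
    ("bank.example", "alice", "Tr0ub4dor&3", date(2016, 9, 1)),
    ("shop.example", "alice", "Tr0ub4dor&3", date(2014, 3, 12)),
    ("forum.example", "alice", "password1", date(2012, 1, 5)),
    ("mail.example", "alice", "xK9#vL2$pQ7!mR4@wZ", date(2016, 11, 20)),
    ("mail.example", "alice_work", "Qw3#tYu8!iOp5$aSd", date(2016, 11, 20)),
]

MIN_LENGTH = 12        # assumed minimum length
OLD_AFTER_DAYS = 365   # assumed age after which a password counts as "old"


def is_weak(pw):
    """Weak if too short or using fewer than three character classes."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return len(pw) < MIN_LENGTH or sum(classes) < 3


def audit(vault, today):
    """Return {(site, user): [flags]} for every login in the export."""
    by_password = defaultdict(list)
    for site, user, pw, _ in vault:
        by_password[pw].append((site, user))   # group logins sharing a password
    report = {}
    for site, user, pw, changed in vault:
        flags = []
        if is_weak(pw):
            flags.append("weak")
        if len(by_password[pw]) > 1:           # same password used elsewhere
            flags.append("reused")
        if (today - changed).days > OLD_AFTER_DAYS:
            flags.append("old")
        report[(site, user)] = flags
    return report


def security_score(report):
    """Assumed score: percentage of logins with no flags at all."""
    clean = sum(1 for flags in report.values() if not flags)
    return round(100 * clean / len(report)) if report else 100
```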
Step 5: Practice New Habits
Even as you fix your past sins, you’ll need to start new practices, since you’re likely to continue to create accounts on new sites. Luckily, this is the easy part. (Yeah, there is an easy part after all.)
Once I learned the steps for creating a new secure login, I found that Dashlane makes it very easy to quickly generate a secure, unique password, which it automatically stores in my vault, which I can access from any of my devices. Sure, it’s a little weird realizing that I’ll never know most of my passwords, but that’s the point. And now that I’ve gotten used to it (and put Dashlane in an easy-to-use location on all my devices), it’s really simple for me to log in anywhere.
Step 6: Reap the Rewards
You knew there had to be a good part, right? Well, it really is very satisfying knowing that all of my financial information is hidden behind a diabolically difficult password, which is itself in an encrypted password vault that uses a long master password only my wife and I know. And with every login I improve, I know I’m closer to password nirvana, with no weak or reused passwords.
That’s a good feeling.
Better yet, I know I’m not being such a damned hypocrite, telling my clients and employees to do the right thing, while I continue to be lazy myself. It feels right to overcome this security fatigue, in the same way it felt right to start wearing a seatbelt regularly some 30 years ago: awkward at first, but virtuous. I’m hoping that with time my new password management practices will become as ingrained and second-nature as buckling up.
I’m not going to wax on about how we all need to do our part to save the world from security fatigue. I get that it’s hard. But I suggest that each of us in the business of encouraging employees to do the right thing improve our own security practices, because going through the process is instructive and valuable.