Running a Password Manager Workshop

Context

Today I ran an informal Lunch & Learn for my coworkers on the basics of getting a password manager set up. I intended for the session to be ten minutes of light lecture and the rest of the time to get set up—many people have always meant to set it up but never gotten around to it. People had a lot of questions, which was awesome, so I ended up talking for about a half hour.

In case you want to run one of these with your family or coworkers or book club or whatever, here is the outline of what I shared. Please note that I've read a bunch about security, so I'm neither an expert nor a n00b, and I'm assuming you're roughly the same. Some advice is non-obvious so make sure you have enough background knowledge to give correct info.

My general approach was to aggressively simplify my recommendations, provide time and support for installation, and leave room for lots of questions.

Setup

A goal is to have them walk out with the software installed and set up, so don't forget to ask people to bring their phone and computer to the session.

I started the session by asking people what they wanted to get out of it. There was a range: some didn't really know what password managers were but were curious. Others already were using them but wanted reassurance they were using them in the right way.

Providing Background

Since this session was voluntary, all attendees were already more motivated than average to attend. I included brief motivation anyway for two reasons: some might need an extra push if they hit a roadbump, and to give them tools convince others!

1. The Stick: people are trying to hack you right now and this is one of the best things you can do for your security. I have 400+ logins and you probably do too! There's just no way I could do it on my own without reusing passwords. Plus, a little prevention up front is much easier than cleaning up identity theft later. People are also very motivated by stories of epic, tragic hackings like Mat Honan's. I know that strong passwords would not have helped him, but people find this story motivating—I think because it makes the threats tangible and real—so use it.

2. The Carrot: you're going to love using it! I haven't typed out my credit card number or address in five years! The web is faster and easier to navigate! Never try to remember a password again!

3. Key concept: (Pun intended.) The crucial idea to convey is that you have one really secure master password, and then it remembers all your other passwords. And this is very exciting because it means that you can make them totally random, all different, very long, and therefore very hard to crack! I showed them a sample password and the Password Generator feature here.

4. Walkthrough: I then showed them what daily life looks like. I opened 1Password, showed them Logins and Notes (the only two sections I use regularly) and showed them what it looks like on the browser and how I'd use it to buy something. This section provoked lots of great questions!

People asked about my personal practices, and many questions gave nice lead-ins to discussing threat modeling. For instance, I use a much longer master password than I recommend for them because I am worried about online mobs and doxxing. I confessed that I literally used Diceware to choose my master password. Someone brought up that she'd seen Edward Snowden enter passwords with his coat over his head, so I got to talk about the threat model of nation states coming after you.

I like the frame of "what threats are you realistically at risk for" rather than "how paranoid are you feeling" for discussing security preferences. People routinely use the word "paranoid" to dismiss realistic security concerns, so I recommend steering clear of the word entirely.

Because people were interested, I also did a very brief detour into the math of password complexity: if you have a three-character password, each character can be A-Z, a-z, or 0-9, which is 62 characters. So there are 62 * 62 * 62 = 238,328 possibilities. That may sound like a lot, but your clunky old laptop computer can try all of those possibilities in literally seconds.

If you have a three-word password, that is essentially the same number of things to remember but is much harder to guess. Because for each word, you're choosing from a longer list: there are only 62 characters, but Diceware has a list of 76,000 words, and that gives us 438,976,000,000,000 possible three-word passwords. This would take about 2 million times longer to guess than our three-letter password, but is actually easier to remember.

Getting set up

There seem to be several main reasons why people never do this on their own: they don't know how to start, they are paralyzed by the options, and it 'seems like a lot of work.' Lets cut through all three in this section.

Day One: Most people think they need to move every password in right away, and to me that sounds super tiring.

Instead, have them install the software right now and then just go about their everyday life. Each time they log into a new site, the manager will offer to remember their existing passwords. Later they can go back and change weak ones. Some managers also allow you to bulk change weak or reused passwords, which is awesome!

Then try to get them to do these four things before they leave:

1. Install a password manager. Cut down choices to jolt them out of decision paralysis. Give just two: 1Password is nicely designed, hasn't been hacked yet, and is great if you mostly use Macs, iPhone, and Android. LastPass is a little cheaper and runs on Mac and Windows, but I find the red design a little alarming. Much, much more detailed comparisons here. If they can't decide, just start with LastPass! I also went on a little rant to not be cheap about this—the security of your identity and personal information is worth much, much more than $36 or $12 a year.

2. Install browser plugins as these are the tools that fill forms for you as you browse.

3. Install the mobile app (this also lead to a discussion of border security, and sharing the surprising fact that in the US law enforcement can compel you to lock with your fingerprint but not with your passcode)

4. Create a STRONG master password. It is CRITICAL that they know how important this is! It is the key to the rest of your accounts, which contain not just your identity and your money, but personal information about you and everyone you know and love. DO NOT FORGET TO EMPHASIZE THIS! You don't need to scare people but be crystal clear.

Creating a strong master password is so important that it's worth explaining in some depth. One thing to know is that combining whole words together can provide more security than combining characters together (see complexity sidenote above), if done properly.

If you must show that famous-but-misleading XKCD comic, please emphasize you can't just string together the first words you think of and make a secure password. This would be easy to guess because humans are actually extremely predictable! To give you a sense of what happens when people don't fully understand this concept, one attendee floated the password "my password is secure". Others thought about working in their birthdates or pet names, which is risky if they ever celebrate their birthday on Facebook or post their pets on Instagram. Longer is not stronger if the words are easy to guess!

Acknowledge that doing this right is a pain, but that's part of the tradeoff with password managers—we only need to grapple with one password, but it has to be a great one.

• 1Password has a good guide to thinking of a strong, memorable master password.
• Another strategy is to use the Password Generator in Word mode. It will then suggest passwords that are combinations of words that are truly randomly chosen, like "trustful dross sanctify memo", and then you can memorize that. As of 2017, people should use at least six words for their passwords. The faster computers get in the future, the longer your passwords should be.
• You can literally recommend Diceware if you have the type of audience that would actually do it, but this is very rare. Use with extreme caution as it may discourage them from getting started or worse yet, make them feel like they're not the kind of person who would use a password manager.