A guide to cleaning up your passwords

One organisational chore that I undertake around twice a year is to change my most important passwords.

When I think about staying organised and trying to keep on top of crucial chores, like seeing the dentist or changing my passwords, I always try to remember that the point isn't to be perfect. The point is to do a little work now to protect yourself, protect your assets, or keep yourself in good shape – not "perfect" shape – for the future so that when the next stage of organisation or chores comes, you don't feel overwhelmed and like you have to tackle everything. You will already have done some of the work.

When I think about changing my passwords, I don't get caught up in changing them all. Rather, I prioritise the ones that protect the most important data. And if I have time, maybe I'll do some others. An effective strategy for being organised is to always have building blocks: The organisation you do now should support more organisation or some other activity later. And the concept of blocks is important, too. Every part of a large organisational task must be divisible into component parts.

Changing your most important passwords will probably take you about 15 to 30 minutes if you think of it as three blocks of things to do:

1. Prioritising.

2. Creating a recipe.

3. Changing the actual passwords.

If you're feeling more ambitious and want to redo your entire password system, say, by adopting a password manager like LastPass, give yourself at least an hour. LastPass creates and encrypts passwords for you, and automatically logs you into sites whenever you enter the LastPass password. The only password you have to remember is one password to unlock LastPass. A good password manager also works across multiple devices, like your laptop and smartphone. Remember, setting up a good password manager for the first time takes longer than changing your most important passwords, but it's likely a one-time effort with long-term payoff.

Either way, let's talk about why changing your passwords is so important.

Why password strength matters

I won't go through the whole song and dance about identity theft and fraud, but let me tell a short story. I used to manage an online forum that required all participants to create a username and password. As a forum administrator, I would receive emails from time to time from people who lost their passwords and needed to change them. When I logged into the system to help them, I could see their email address, username, and password – all right there, all unencrypted. Now, this particular site didn't have any financial information, but if any user reused this same email and password combination elsewhere – as many people do – I could have easily gone to any banking website or email program and tried to log in as that person. Sure, it would take some trial and error, but I bet you I could have done it.

A lot of websites that ask you to create a password don't lock down that email/password combo, and you don't know who has access to that information or how secure the site itself is. Never reuse a username and password combination from a banking site or anywhere else that sensitive information is stored.

Okay, let’s move on to carrying out the steps we outlined above.

1. Prioritising: Which passwords are most important?

Before you launch into a password changing frenzy, identify five to ten of the most important of your passwords. They may be different for you, but mine are:

1. Google/Gmail

2. Yahoo Mail

3. Hotmail

4. Work email

5. Bank for current and savings account

6. Bank for retirement account

7. Bank for investing (I have a lot of banks)

8. Credit card

9. Other credit card

My banks and credit card accounts need to be protected, but my email accounts are just as crucial. Any time you forget a password online, typically it's your email address that's used to retrieve it. If someone can get into your primary email account, they can probably get into your banking accounts, especially if you have undeleted emails from the bank telling the perpetrator where you keep your money.

Ten is plenty to tackle. Remember, we're looking at resetting passwords here as an organisational task with building blocks. You can have a tier two list of passwords to change later – don't try to tackle them all at once. It'll become confusing and messy.

2. Password recipes

Before you start changing passwords, you need a method. Changing your passwords is not the kind of task you want to start without first having a plan because you will find yourself flailing about, forgetting where you were, what you've done so far, and which new passwords you've put in place.

I like password recipes. A recipe means you have some kind of algorithm that you can do in your head that generates a password. Preferably, it's an algorithm that only you can compute.

Here's an example (see the image above). Take some meaningful sequence of words, like "Leigh, Hillary, Candice" (my sisters' names), and use the first two letters from each: LeHiCa. Add to that four digits based on the first four letters of the URL you're logging into, so A=1, B=2, etc. As an example, the login for Chase.com would be LeHiCa38119. Then, add one more layer to your recipe, like all banking sites get an asterisk (*) between the letters and numbers, but email accounts use a close parenthesis ( ) ) in the same location and social media sites take a pound sign or hash (#). So now we have LeHiCa*38119. (As a side note, Chase bank actually does not allow non-alpha numeric characters, so we'd have to nix the asterisk!)

Don't make it too complex, but make sure it's something only you will remember. You can even write your recipe down on a note and keep it in your smartphone or wallet; as long as you don't label it "password recipe," it will be pretty tough for someone to figure out what it means.

For more tips or alternative methods of concocting strong passwords, see our article on making sure your passwords are up to scratch.

3. Make the switch

With a recipe in place, you can now go about changing your passwords. I recommend jotting down the ordered list of sites where you'll be changing your passwords and checking them off one by one as you go through them. If you're interrupted, you'll be able to remember which ones you completed already. If this task takes you less than 15 minutes, you might as well check that the mailing address and email addresses are up to date for all these password-protected sites, too.