Password Manager for a family member

An older family member of mine (>50yo) is storing all her not so unique passwords in a Google Sheet. Furthermore, she uses the same word for her password (with some minor tweaks to comply with websites’ requirements), and this word already leaked (breachdirectory.org).

I have no idea how she hasn’t been breached yet, despite this password being out there for at least two months.

Unfortunately, I can’t visit her due to distance so she will have to do everything herself.

I was thinking the first step will be that she exports her Google Sheet to a password manager.

I personally use Bitwarden, but what would you advise for her? It will need to be easy to use/understand and have great autofill capabilities.

Something like Bitwarden would be ideal but if you think that’s too complicated maybe go with the browser password manager if they use an up-to-date web browser like Chrome/Brave/Safari/Firefox.

While this isn’t best practice it works and is a huge step up in security.
Make sure they do a local backup of the password database every now and then.

1 Like

Maybe 1Password, but you know what they say about leading a horse to water…

2 Likes

Also note that you will be on the hook for helping this relative if they ever encounter problems with the password manager…

2 Likes

Best way is for you to generate the passwords yourself and write them down in a notebook.

Older people who grew up without tech will have a hard time using our password managers. You have to hit a compromise of accessibility (at their level), ease of use, and security.

1-2-3 backups of the password still applies, 3 copies, 2 different media (specifically one copy that is not in paper) and 1 in a remote area (meaning you). You can keep the relative in a separate password vault of your choosing.

2 Likes

We can’t know how your mother will handle using a password manager, as the only information we have to go on is that she’s 50 years old. She could find a password manager easy to use, or she could find it an extreme burden and not want to deal with it.

If the latter is the case, I honestly recommend that she simply note down her passwords (most preferably unique passphrases, which you could help her create) in a physical notebook, and store it in a relatively safe place.

That is of course assuming that there isn’t a high risk that the notebook gets stolen. If there isn’t, I think this approach is simply a lot safer than reusing insecure passwords and noting them down on a computer.

Well, she does use a phone and even uses Signal. Not like she isn’t illiterate.

1Password is paid though, right?

Writing in a notebook seems inconvenient, and the goal in the long term will be to make her use unique passwords, so that’s where having a password manager will be useful.

I would also suggest going with 1Password. Its UI is better than Bitwarden and simple to use. You can get a family sub and add your grandparents into the group.

1 Like

I agree with a simple notebook. However, I have found my elders a bit irresponsible with the notebook itself. Leaving it, losing it, etc. If you choose an online manager consider one that has a forgot password workflow or store their master password in your vault.

An advantage if you go with the latter is that you can audit their master password for complexity. They probably don’t need 7 randomly generated words, but you want to avoid them using “grandsonname1”. Some form of 2FA makes sense here as this individual might be more susceptible to phishing, etc.

1 Like

I recently set up Bitwarden for an older (but certainly not tech illiterate) family member. I had to do the process for them, then import old passwords (and cull out repeats), but since then it has been working well for them.

1 Like
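The import step mentioned in this thread (moving the Google Sheet into Bitwarden and culling repeats) can be done with a short script. This is an added example, not code from any poster: the sheet's column names (`Site`, `URL`, `Username`, `Password`) and the sample rows are constructed assumptions, and the output header is Bitwarden's documented individual-vault `.csv` import format.

```python
import csv, io, re
from collections import defaultdict

# Bitwarden's documented individual-vault .csv header.
BW_FIELDS = ["folder", "favorite", "type", "name", "notes", "fields",
             "reprompt", "login_uri", "login_username", "login_password",
             "login_totp"]

# Constructed sample of a sheet downloaded as CSV.
# Column names (Site, URL, Username, Password) are assumptions.
SAMPLE_SHEET = """Site,URL,Username,Password
Mail,https://mail.example.com,anna@example.com,Sunflower1
Bank,https://bank.example.com,anna,Sunflower2024!
Shop,https://shop.example.com,anna@example.com,sunflower1
Shop,https://shop.example.com,anna@example.com,sunflower1
Forum,https://forum.example.com,anna_k,xK9#vTq2pLm8
"""

def base_word(password):
    """Strip digits/symbols and case so 'Sunflower1' and 'sunflower2024!' match."""
    return re.sub(r"[^a-z]", "", password.lower())

def convert(sheet_csv):
    """Return (bitwarden_csv_text, reuse_report) for the sheet's rows."""
    seen, rows, groups = set(), [], defaultdict(list)
    for r in csv.DictReader(io.StringIO(sheet_csv)):
        key = (r["URL"].strip(), r["Username"].strip(), r["Password"])
        if not r["Password"] or key in seen:   # skip blanks and exact repeats
            continue
        seen.add(key)
        rows.append(r)
        groups[base_word(r["Password"])].append(r["Site"].strip())
    # Sites sharing a base word need a new unique password after import.
    reuse = {w: s for w, s in groups.items() if w and len(s) > 1}
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=BW_FIELDS, lineterminator="\n")
    w.writeheader()
    for r in rows:
        flagged = base_word(r["Password"]) in reuse
        w.writerow({"type": "login", "name": r["Site"].strip(),
                    "notes": "REUSED: change this password" if flagged else "",
                    "login_uri": r["URL"].strip(),
                    "login_username": r["Username"].strip(),
                    "login_password": r["Password"]})
    return out.getvalue(), reuse

if __name__ == "__main__":
    bw_csv, reuse = convert(SAMPLE_SHEET)
    print(bw_csv)
    print("Change first:", reuse)
```

The converted file is still plaintext, so delete both CSVs and the original sheet once the import is confirmed. The reuse report lists which accounts share the base word and should get new passwords first.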

Personally I really like the simplicity of Proton Pass. It has the easiest UI imo.

1 Like

I never tested 1Password but I heard it has a good UI.

Proton Pass honestly has a nice and simple UI, especially on a desktop browser. Their free tier is enough for an elderly person who just needs to store passwords.

1 Like

If I am nearby, I would recommend using a free password manager for sustainability like Bitwarden and Proton Pass. Since the helper (you) is already familiar with BW, then BW.

But it’s hard to get people to use new, more secure but more complicated stuff remotely, so using a password book, with maybe BW passphrase generator, and adding TOTP app (with its complication of having to have a backup) later would probably be what I choose to get her to do first. If she later finds it inconvenient, but understands the need for backups etc., then a password manager would be a natural progression.

ps: there have been reports of some older people taking to BW like fish and water once it is set up.

1 Like

It is helpful if there is biometric login available for their phones IMO

1 Like

Honestly, for an older (elderly?) person the best bet might be generating unique pass phrases for each account and storing those securely somewhere in their house. My parents are in their 70s, and can essentially use their phone for texting, web browsing, and email. I already provide constant tech support for simple tasks, I would never in a million years try to teach them how to use an app based password manager. MFA would be stretching it.

Btw - if you think I’m being harsh or pessimistic, last time I helped out my dad, the issue was his laptop was connecting to his truck’s WiFi network resulting in lag and dropped connections. My mom, on the other hand, doesn’t understand why zooming in and cropping a photo on her phone makes it “blurry”. That’s what I’m working with.

2 Likes

Too bad if their house burns down, a backup is always a good idea.

The other reason this might be bad advice is because it may allow less trustworthy members of your family to coerce older people into handing over money. That is a very common thing that occurs.

Of course everyone is different, some are able to do more than others at that age, so select what you feel is appropriate. I will say this though: 1Password has a much better UI than Bitwarden. I haven’t looked at Proton Pass, but that’s always an option if they already use Proton’s products I guess.

Yup, same goes for

checks notes

All of my high end tech equipment, firearms, family heirlooms, marriage license, birth certificates for my kids, all of my hobby equipment… The list goes on. More than likely not going to be able to save it all in a fire!

Those can be insured or replaced generally even with effort. Maybe with the exception of heirlooms, but in that case you’d store them in a fireproof safe (or box if you can hide it well).

That is kind of annoying to do with your banking password / email account passwords that might be tied to other accounts.