Helping people with computers... one answer at a time.
With so many sites requiring a password it's very tempting to use only a single password everywhere. That's dangerous, and there are alternatives.
Can you use the same password for everything you need one for? Having a lot of different ones is really hard to remember, to the point that I have had to write each one down.
Yes, you can use the same password everywhere, but I really don't recommend it. It simply increases the risk of your accounts being compromised.
There are several approaches to password management that don't require using one password everywhere, and also don't require that you remember dozens, if not hundreds, of different passwords.
The risk of using only on password is simply that if that password if compromised then everything you login to is accessible to the person who now has your password. And by using that one password in many different places, there are that many more opportunities for a hacker to get your one password.
In an ideal world you would use a different password for every login, but as you say - that's practically impossible to remember. Particularly if, on top of that, we throw in rules that say "passwords should simply be strings of random characters and never words that are easily remembered."
So passwords should be hard to remember and guess on purpose, and yet you need to remember them.
I have three alternatives for you.
Let the computer remember for you. Now, I don't mean let your browser remember, I mean invest in a tool like RoboForm that will automatically remember your passwords for you. In fact, if you set things up properly, you may never need to actually know any of your passwords. The fact that your email password is "bFDiA2W6" and your bank account's is "JhcNTa7Y" is something you might never actually need to know yourself. Roboform simply keeps track and remembers it for you. (It can also generate great random passwords for you as well - those two password examples came from Roboform's generate function.)
All you need to do it remember one password: the password to unlock Roboform itself.
The problem, of course, is if you ever find yourself without Roboform you may not have your passwords available. I can't tell you my GMail password, for example, and that was an inconvenience the other day as I used a computer that didn't have my Roboform data on it.
Use an algorithm. By "algorithm" I mean choose a set of rules that you use yourself each time you create a password that you can then use later to remember all your passwords. For example you might say that passwords are:
the first two letters of the site URL that's asking for a password
the first three characters of your first pet spelled backwards
your age on your birthday in the year 2010
two characters that indicate what the site is about - perhaps "ba" for bank, "em" for email, and so on - with the first letter capitalized.
So according to those rules my GMail password might be "goons53Em". Nothing that anyone will guess, but something that I can re-create by the rules without remembering the actual password.
That's just an example. You would create your own set of rules using things that you can fairly easily remember and some personal information you're not likely to forget. You can even jot down the algorithm without seriously compromising the passwords themselves.
Use a tiered approach. Could you remember three passwords? Then distribute them accordingly:
One for a few, but extremely important sites. Make this a very secure password that you change relatively frequently.
One for a few more but less important sites. This should be secure, of course, but you might make it a tad easier to remember.
One for everything else. Perhaps you don't change this very often, perhaps you only use this for sites where you really don't care but are required to give a password anyway.
This isn't an ideal solution, but it's certainly better than having only one password everywhere.
A couple of additional notes.
I'm transitioning, and it's a long transition. For years I used the last alternative. I had four passwords that range from extremely important to not so much. I'm in the process of slowly transitioning to the Roboform generated password approach I mentioned first, as it's much more secure. It's also occasionally painful when I find myself at a computer without my Roboform data.
It's important that you change passwords regularly. The more different accounts you have the more of a pain this is. But particularly if you're using passwords you can remember, they're likely easier to guess and thus should be changed more frequently that the truly random machine generated passwords.
If you do choose your own passwords, make sure they're good passwords. Some frighteningly high number of account hacks are simply due to password guessing. People who know just a little bit about you are often able to simply make guesses at your password and they'll be right a frightening amount of time.
Never write your passwords down. That's exactly where password thieves know to look. Do something that you can remember, or something that your computer can securely remember for you.
And finally, I've only touched on a couple of possible password scheme options. I'm certain that readers will also provide interesting approaches in the comments to this article as well. What's your approach?
Comments on this entry are closed.
If you have a question, start by using the search box up at the top of the page - there's a very good chance that your question has already been answered on Ask Leo!.
If you don't find your answer, head out to http://askleo.com/ask to ask your question.