With so many sites requiring a password it's very tempting to use only a single password everywhere. That's dangerous, and there are alternatives.
Can you use the same password for everything you need one for? Having a lot of different ones is really hard to remember, to the point that I have had to write each one down.
Yes, you can use the same password everywhere, but I really don't recommend it. It simply increases the risk of your accounts being compromised.
There are several approaches to password management that don't require using one password everywhere, and also don't require that you remember dozens, if not hundreds, of different passwords.
The risk of using only one password is simply that if that password is compromised, everything you log in to is accessible to the person who now has it. And by using that one password in many different places, you give a hacker that many more opportunities to get hold of it.
In an ideal world you would use a different password for every login, but as you say - that's practically impossible to remember. Particularly if, on top of that, we throw in rules that say "passwords should simply be strings of random characters and never words that are easily remembered."
So passwords should be hard to remember and guess on purpose, and yet you need to remember them.
Yikes.
I have three alternatives for you.
Let the computer remember for you. Now, I don't mean let your browser remember; I mean invest in a tool like RoboForm that will automatically remember your passwords for you. In fact, if you set things up properly, you may never need to actually know any of your passwords. The fact that your email password is "bFDiA2W6" and your bank account's is "JhcNTa7Y" is something you might never actually need to know yourself. Roboform simply keeps track and remembers it for you. (It can also generate great random passwords for you - those two password examples came from Roboform's generate function.)
All you need to do is remember one password: the password to unlock Roboform itself.
The problem, of course, is that if you ever find yourself without Roboform you may not have your passwords available. I can't tell you my GMail password, for example, and that was an inconvenience the other day as I used a computer that didn't have my Roboform data on it.
Use an algorithm. By "algorithm" I mean choose a set of rules that you use yourself each time you create a password that you can then use later to remember all your passwords. For example you might say that passwords are:
the first two letters of the site URL that's asking for a password
the first three characters of your first pet spelled backwards
your age on your birthday in the year 2010
two characters that indicate what the site is about - perhaps "ba" for bank, "em" for email, and so on - with the first letter capitalized.
So according to those rules my GMail password might be "goons53Em". Nothing that anyone will guess, but something that I can re-create by the rules without remembering the actual password.
That's just an example. You would create your own set of rules using things that you can fairly easily remember and some personal information you're not likely to forget. You can even jot down the algorithm without seriously compromising the passwords themselves.
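The two approaches above (a password manager's random generator, and a personal rule set that re-creates each password) can both be written down as code. The following is an added example, not code from the original article or from Roboform: it applies the four rules exactly as listed to derive a site password, generates a uniformly random password the way a manager's generator does, and compares how much of each password is actually unpredictable. The pet name "snowball", the birth year 1957, and the site names are constructed inputs chosen so that the derived password matches the article's "goons53Em"; none of them comes from the original page.

```python
"""Rule-based derivation vs. random generation of passwords (added example)."""
import math
import secrets
import string
from urllib.parse import urlparse


def derive_password(site_url: str, pet_name: str, birth_year: int, category: str) -> str:
    """Apply the article's four rules to produce a password for one site.

    Rule 1: the first two letters of the site's host name.
    Rule 2: the first three characters of your first pet's name, spelled backwards.
    Rule 3: your age on your birthday in the year 2010.
    Rule 4: a two-letter code for what the site is about, first letter capitalised.
    """
    url = site_url if "://" in site_url else f"https://{site_url}"
    host = urlparse(url).hostname or ""
    if host.startswith("www."):
        host = host[4:]
    site_part = host[:2].lower()
    pet_part = pet_name[:3][::-1].lower()   # "sno" -> "ons"
    age_part = str(2010 - birth_year)        # age on your birthday in 2010
    cat_part = category[:2].capitalize()     # "email" -> "Em", "bank" -> "Ba"
    return f"{site_part}{pet_part}{age_part}{cat_part}"


# 62-symbol alphabet: the shape of the article's "bFDiA2W6" / "JhcNTa7Y" examples.
ALPHABET = string.ascii_letters + string.digits


def generate_password(length: int = 8, alphabet: str = ALPHABET) -> str:
    """Uniformly random password from the OS CSPRNG (secrets, never random.choice)."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Bits of entropy in a uniformly random password of this length and alphabet."""
    return length * math.log2(alphabet_size)


def positions_in_common(a: str, b: str) -> str:
    """Show which character positions two passwords share ('.' where they differ).

    For rule-derived passwords this is the fragment that is identical on every
    site: learn it from one site and only the per-site letters remain unknown.
    """
    return "".join(x if x == y else "." for x, y in zip(a, b))


if __name__ == "__main__":
    # Constructed personal facts and sites; not from the original article.
    pet, born = "snowball", 1957
    mail_pw = derive_password("google.com", pet, born, "email")
    bank_pw = derive_password("https://www.examplebank.com/login", pet, born, "bank")
    print("derived email password :", mail_pw)
    print("derived bank password  :", bank_pw)
    print("shared across sites    :", positions_in_common(mail_pw, bank_pw))
    print("generated password     :", generate_password())
    print("entropy of 8 random chars from 62 symbols: %.1f bits" % entropy_bits(8, 62))
```

Running the script prints "goons53Em" for the mail site and "exons53Ba" for the bank, and the comparison line "..ons53.." makes the weakness visible: five of the nine characters are the same everywhere and are drawn from personal facts (pet name, age), so anyone who sees one password, or knows a little about you, has most of the next one. The random 8-character password has about 47.6 bits of entropy, and knowing one of them tells you nothing about another, which is why the manager-generated approach is the more secure of the two.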
Use a tiered approach. Could you remember three passwords? Then distribute them accordingly:
One for a few, but extremely important sites. Make this a very secure password that you change relatively frequently.
One for a few more but less important sites. This should be secure, of course, but you might make it a tad easier to remember.
One for everything else. Perhaps you don't change this very often, perhaps you only use this for sites where you really don't care but are required to give a password anyway.
This isn't an ideal solution, but it's certainly better than having only one password everywhere.
A couple of additional notes.
I'm transitioning, and it's a long transition. For years I used the last alternative. I had four passwords that ranged from extremely important to not so much. I'm in the process of slowly transitioning to the Roboform generated password approach I mentioned first, as it's much more secure. It's also occasionally painful when I find myself at a computer without my Roboform data.
It's important that you change passwords regularly. The more different accounts you have, the more of a pain this is. But particularly if you're using passwords you can remember, they're likely easier to guess and thus should be changed more frequently than truly random, machine-generated passwords.
If you do choose your own passwords, make sure they're good passwords. A frighteningly high number of account hacks are simply due to password guessing. People who know just a little bit about you are often able to simply make guesses at your password, and they'll be right a frightening amount of the time.
Never write your passwords down. That's exactly where password thieves know to look. Do something that you can remember, or something that your computer can securely remember for you.
And finally, I've only touched on a couple of possible password scheme options. I'm certain that readers will provide other interesting approaches in the comments to this article as well. What's your approach?
Article C3511 - September 24, 2008
September 30, 2008 5:18 PM
You repeat the mantra, "It's important that you change passwords regularly." Why? If I have a good password for, say, my bank account and I access this account frequently, I will know very soon if the password has been compromised. If no one has been able to figure out my password in the last three months, why are they any more likely to figure it out in the next three months than a new password?
29-Sep-2008
September 30, 2008 7:34 PM
I use Roboform on a thumb drive. The Roboform part of the drive has the program and all my passwords. The program itself is password protected and I can use Roboform on any machine.
October 1, 2008 5:05 AM
One main reason for not using the one password is some sites may store your password as plain text readable by system administrators. They shouldn’t but it makes life easier for them. It's obviously open to abuse if they do.
October 1, 2008 7:00 AM
Please translate - "That's exactly where the next level of password their knows to look."
02-Oct-2008
October 1, 2008 8:24 AM
Your example password algorithm is interesting, Leo. So NOW we know that you're 51 (same as me), and that your first pet's name was...eh... let's see, Snowie?? A great site, Leo, one of my favourites.