Summary: With so many sites requiring a password, it's very tempting to use a single password everywhere. That's dangerous, and there are alternatives.
Yes, you can use the same password everywhere, but I really don't recommend it. It simply increases the risk of your accounts being compromised. There are several approaches to password management that don't require using one password everywhere, and also don't require that you remember dozens, if not hundreds, of different passwords.

The risk of using only one password is simply that if that password is compromised, then everything you log in to is accessible to the person who now has it. And by using that one password in many different places, there are that many more opportunities for a hacker to get it. In an ideal world you would use a different password for every login, but as you say, that's practically impossible to remember. Particularly if, on top of that, we throw in rules that say "passwords should simply be strings of random characters and never words that are easily remembered." So passwords should be hard to remember and guess on purpose, and yet you need to remember them. Yikes.

I have three alternatives for you.

• Let the computer remember for you. Now, I don't mean let your browser remember; I mean invest in a tool like RoboForm that will automatically remember your passwords for you. In fact, if you set things up properly, you may never need to actually know any of your passwords. The fact that your email password is "bFDiA2W6" and your bank account's is "JhcNTa7Y" is something you might never actually need to know yourself. Roboform simply keeps track and remembers it for you. (It can also generate great random passwords for you as well; those two password examples came from Roboform's generate function.)
All you need to do is remember one password: the password to unlock Roboform itself. The problem, of course, is that if you ever find yourself without Roboform you may not have your passwords available. I can't tell you my GMail password, for example, and that was an inconvenience the other day as I used a computer that didn't have my Roboform data on it.

• Use an algorithm. By "algorithm" I mean choose a set of rules that you apply yourself each time you create a password, so that you can use the same rules later to reconstruct any of your passwords. For example, you might say that passwords are:
So according to those rules my GMail password might be "goons53Em". Nothing that anyone will guess, but something that I can re-create by the rules without remembering the actual password. That's just an example. You would create your own set of rules using things that you can fairly easily remember and some personal information you're not likely to forget. You can even jot down the algorithm without seriously compromising the passwords themselves. • Use a tiered approach. Could you remember three passwords? Then distribute them accordingly:
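The rule-based approach above has a weakness that a reader in the comments demonstrates: a single password built from "pet name + age" style rules gives away the rules and the personal facts behind them. A keyed hash removes that problem. This is an added example, not the author's scheme or any product's code; the master secret, site names and the HMAC-SHA256 construction are my assumptions.

```python
import hashlib
import hmac
import secrets
import string

# Letters and digits, the same character set as the article's sample passwords.
ALPHABET = string.ascii_letters + string.digits


def derive_site_password(master_secret, site, generation=1, length=12):
    """Derive a per-site password from one memorised master secret.

    The "algorithm" is HMAC-SHA256 keyed with the master secret over
    "site:generation:counter". Unlike a rule such as "pet name + age",
    one derived password reveals nothing about the master secret or about
    the password for any other site. Raising `generation` yields a fresh
    password for that site when it is time to rotate it.
    """
    if length < 8:
        raise ValueError("use at least 8 characters")
    key = master_secret.encode("utf-8")
    # Rejection sampling keeps the byte-to-alphabet mapping unbiased.
    limit = 256 - (256 % len(ALPHABET))
    out = []
    counter = 0
    while len(out) < length:
        msg = f"{site.lower()}:{generation}:{counter}".encode("utf-8")
        for b in hmac.new(key, msg, hashlib.sha256).digest():
            if b < limit and len(out) < length:
                out.append(ALPHABET[b % len(ALPHABET)])
        counter += 1  # next HMAC block if the digest was not enough
    return "".join(out)


def random_password(length=8):
    """A random password of the kind a password manager generates (assumed helper)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    # Constructed demonstration values; never reuse a real master secret here.
    master = "correct-horse-placeholder"
    print("gmail.com, gen 1:", derive_site_password(master, "gmail.com"))
    print("gmail.com, gen 2:", derive_site_password(master, "gmail.com", generation=2))
    print("bank.example, gen 1:", derive_site_password(master, "bank.example"))
    print("manager-style random:", random_password())
```

Only the master secret and a per-site generation number need to be remembered (or written down, since the generation number alone is useless to a thief).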
This isn't an ideal solution, but it's certainly better than having only one password everywhere.

• A couple of additional notes.

I'm transitioning, and it's a long transition. For years I used the last alternative. I had four passwords that ranged from extremely important to not so much. I'm in the process of slowly transitioning to the Roboform-generated password approach I mentioned first, as it's much more secure. It's also occasionally painful when I find myself at a computer without my Roboform data.

It's important that you change passwords regularly. The more different accounts you have, the more of a pain this is. But particularly if you're using passwords you can remember, they're likely easier to guess and thus should be changed more frequently than truly random, machine-generated passwords.

If you do choose your own passwords, make sure they're good passwords. Some frighteningly high number of account hacks are simply due to password guessing. People who know just a little bit about you are often able to simply make guesses at your password, and they'll be right a frightening amount of the time.

Never write your passwords down. That's exactly where password thieves know to look. Do something that you can remember, or something that your computer can securely remember for you.

And finally, I've only touched on a couple of possible password scheme options. I'm certain that readers will also provide interesting approaches in the comments to this article. What's your approach?
Article 12712 | Posted September 24, 2008
An excellent alternative to RoboForm is the free KeePass Password Safe. It runs on many platforms including most smartphones, which means you can always have your passwords securely with you.
Posted by: Ray at September 24, 2008 12:44 PM

I just text message my passwords to my phone and keep my phone with me (Kidding! Really!)
The best investment I ever made was in Roboform. I'm looking now at the ThumbDrive version of Roboform. On a computer without Roboform? Plug in the thumbdrive and run it off of there. You lose browser integration, but if you have a U3 device and run Firefox off of it, it should integrate just fine.
That might be overcomplicating it a bit though.
Posted by: Ziggie at September 25, 2008 5:47 AM

I use Roboform and Roboform for Palm (it's a read-only version that's maintained via a conduit & hotsync). When I need the passwords, I unlock the Palm database and look it up there.
Posted by: Fuzzy at September 30, 2008 11:27 AM

One I've found particularly useful is PasswordMaker (http://passwordmaker.org). It's a plugin for your browser that uses an algorithm to calculate your password based on the URL and various other options. There's also an online webpage that can calculate them for you in case you're not at a computer with your plugin.
Posted by: Dave at September 30, 2008 2:52 PM

You repeat the mantra, "It's important that you change passwords regularly." Why? If I have a good password for, say, my bank account and I access this account frequently, I will know very soon if the password has been compromised. If no one has been able to figure out my password in the last three months, why are they any more likely to figure it out in the next three months than a new password?
Posted by: Robert Campbell at September 30, 2008 5:18 PM

I use Roboform on a thumb drive. The Roboform part of the drive has the program and all my passwords. The program itself is password protected and I can use Roboform on any machine.
Posted by: Bobi at September 30, 2008 7:34 PM

One main reason for not using the one password is that some sites may store your password as plain text readable by system administrators. They shouldn't, but it makes life easier for them. It's obviously open to abuse if they do.
Posted by: Gordon Ellis at October 1, 2008 5:05 AM

Please translate - "That's exactly where the next level of password their knows to look."
Posted by: P Van Dusseldorp at October 1, 2008 7:00 AM

Your example password algorithm is interesting, Leo. So NOW we know that you're 51 (same as me), and that your first pet's name was...eh... let's see, Snowie?? A great site, Leo, one of my favourites.
Posted by: Des Buckley at October 1, 2008 8:24 AM