Too many passwords!!!
I frequently get asked how I deal with so many passwords (I can think of at least 25 right off the top of my head that I use at least once per week). At work people are consistently commenting (complaining) about the number of passwords that they have. I see people writing on Facebook (and less often on Twitter) about the number of passwords they deal with.
In this article, I'm going to put out what I think are some common sense practices that just about anyone can use to help keep their data moderately secure, and still be able to deal with their passwords efficiently.
Let me start by saying that when it comes to your job, and any of your work devices, I wold recommend that you talk to your company's IT staff about what they require (and recommend) for their equipment. I do expect that everyone would fully comply with their corporate IT policy & procedures, even if what they say is in direct contradiction to what I am writing here. Nothing I write in here should be construed as an attack, or a critique of what might be happening at your place of work. With that out of the way ...
I want to start with a couple of common sense rules that should help keep your information more secure.
*Use a separate password for your accounts as much as you can.
*The higher the importance of the data, the longer your password should be.
*Change your passwords.
*Don't try to remember everything.
These days, it is somewhat difficult to do have unique password for every account, but this is the ultimate goal. Short of this, make a list of the passwords you have and rank them by the information about you that they protect. Bank passwords should be unique, online shopping sites where you knowingly save your bank information (Amazon) should be unique. Anything that doesn't contain information that could ruin your life, you can use a common password for; if you have to.
You'll see lots of sites that say that your password should be at least X characters long, and blah blah blah. The simple fact of the matter is that the longer your password is, the harder it is to guess (and when it comes down to it, most of the time when an account is broken into it is because it has been guessed). The more character classes you can use, the more difficult it is to guess.
That last sentence sounds terribly geeky, but it isn't all that bad. In your average correctly capitalized and punctuated sentence, one uses 3 out of 4 commonly identified character classes -- upper case letters, lower case letters, & punctuation (with the the 4th class being digits). So for the most important accounts, choose a sentence that you will remember, and type it out.
There's another advantage to using a sentence -- it is generally easier to remember. \"Overall, I think that yellow potatoes taste better than purple squash\" is much easier to remember than, \"E0imB1k3\". The great part is that it is more secure as well. The more traditional password has a total search space of 62 possible characters, and a total search size of 221,919,451,578,090. That sentence has a total search space of 85 with a total search size of a number so large that I'm not going to bother publishing it. Suffice to say that it is a number with 45 commas in it. Simply put, that traditional passphrase could be guessed by a routine attack in about 45 minutes, while the sentence would take several hundred centuries to guess.
Sorry about geeking out right there, but I wanted to make sure that you got the point. A secure password doesn't need to be difficult to remember.
There are some passwords that I should change more frequently than I do. There are other passwords that I change 4 times per year. Some passwords get changed more. As I go back through my history, I see that I have had 7 Facebook passwords in calendar year 2012. I'd recommend that you try to change everything at least 2x per year. Some accounts you should certainly change more frequently.
So by this point you probably think this is impossible -- multiple passwords that are insanely long and get changed multiple times per year. How could anyone ever remember that? Well, my secret -- I don't. Or at least I don't worry about remembering them.
There is lots of software out there that can help you securely manage your online accounts & passwords. The common objection to this sort of software, of course, is one of convenience. If your passwords are all stored on your PC at home, how can you get one when you are at the in-laws? The answer (hopefully) is your phone.
I always have either my iPhone or an iPad with me anywhere I am. To duplicate my password management system, follow these steps:
Go to Dropbox.com and sign up for a free account. We'll come back to this in a bit, but you need the account to really get started. Download a piece of software called KeePass and install it on your PC. KeePass is password management software. When you first run it, it will prompt you to create a database, and it prompts you for a password. Make the password solid -- make it long, and do your best to get a digit and some punctuation in it. This will be the absolute last password that you'll ever have to remember. Enter all of your passwords into KeePass, remembering to hit save from time to time. Take the time to poke around in KeePass and get to know it. It is fairly intuitive, but it is still worth getting a good feel for it. Once you are ready, go back to your Dropbox account, and create a folder called /Crypted Move the KeePass database file to the /Crypted folder in your dropbox account Grab your trusty iPhone, and install an app called KyPass. Yes you have to pay for it. It's a couple of bucks, and well worth a little peace of mind. Open KyPass, and it should walk you through setting itself up. Essentially it will need to connect to your Dropbox account, where it will find your password database. Enter in your super secret password that you made when you set up KeePass, and voilà, you should have all of your password at your fingertips. As long as you have an Edge connection (hopefully better) you should be able to get to your passwords from anywhere. *Now put a password on your iPhone.
So in the end, you end up with an encrypted password database that stores all of your passwords in the cloud and you can access from anywhere. The only 2 things that you absolutely have to remember are the KeePass password and your iPhone unlock code. You can forget all of the rest, knowing that it is stored somewhere more secure than in your brain.
Now there's no more excuse for using the same password on your bank account that you have had on your Hotmail account since 1996 (and has been compromised 14 times). Now there's no reason not to change frequently, since you don't really have to remember the new password, you only need to save it. And you've got no reason for choosing pathetic password. Did I miss anything?
At the beginning of this article, I mentioned that I have a ton of password that I remember. It's true, but I remember them because I access a lot of different systems frequently. I remember through repetition, not because I make an effort to remember. In fact, it seems to me that making an effort to remember something is a sure fired way to ensure that you forget it. There are dozens more passwords that I don't use that frequently, but I have stored in a KeePass file. No muss, no fuss.
If you do move to adopt something similar to what I do, a couple of words of common sense.
First, make a backup of that KeePass file from Dropbox from time to time. Even if it is just stored on your PC, just make sure that you make an effort to grab an extra copy of it once per month or so. When encrypted files corrupt (and all files can get corrupt), there is generally no recovery -- it's encrypted, remember? If you wanna go all out on this, then put a copy of it on a thumbdrive once a month, and keep it in your safe deposit box.
Second, write down the KeePass password and put it somewhere secure. Don't write \"KeePass password\" at the top, and then the password right underneath it. Just write the thing on a Post-It or a small piece of paper, and put it somewhere where you no you won't lose it -- in a safe deposit box, or something like that. That way if you do forget the one password you have left to remember, you can still get your data out of there.
Third, keep dropping breadcrumbs. If you haven't figured it out yet, those first 2 common sense items were to help safegaurd your data fro yourself. Take the last step, and put the following info in that safe deposit box (or whatever you are using): your Dropbox password, and the email address that you used to register.
Fourth, don't keep all of your breadcrumbs in a notebook in your underwear drawer. While it is highly unlikely that anyone is going to be snooping through your skivs, you can't leave everything in one place, unless it is truly secure -- like the bank.
So there you have it. Now take the step, and get started. After all, you write yourself notes to remember to get beer and pretzels. Why not document something that is truly important?