“What password problem?” you might ask. Hah – as if you didn’t know. At some point you’ve no doubt seen an irate memo from the IT department or otherwise encountered password guidelines to this effect: All passwords should be unique, complex, frequently changed, and not written down. Ignoring these guidelines puts you at risk for identity theft, credit card fraud, and countless other hacks ‘n’ scams.
However, almost no one actually follows sound password security practices (even most IT staff, but shh… don’t tell) because they just don’t jibe with our limited human memory and need for simplicity. We have too many accounts and use too many different computers to access them, and while computers are great at storing and retrieving semi-random combinations of symbols, human brains are not. That’s why most people use the same, too-simple, never-changed, and written-down passwords for virtually everything online, be it online banking, shopping, or that throwaway account you created just so you could read one article. The trouble is that over time your password becomes only as secure as the least secure web site that stores it, and you can’t depend on everyone taking your privacy as seriously as you do.
Security breaches are always a concern, but I’m far more worried about the flunkie who works at one of those web sites looking up my password in the database and selling it to someone who has nothing better to do than try out my username and password combination on several major banks, PayPal, Amazon.com, Gmail, eBay… you get the idea. Just imagine what kind of identity theft would be possible if someone gained access to many or all of your online accounts: insurance, banking, work, shopping, social networks — not to mention email, which can often be used as a means of gaining access to all of the above.
So what’s the solution? The best method I’ve found is to (1) Stop relying on our puny human brains and let the computer do what it does well, and (2) Bend the rule about “not written down.”
On the first point, there are several very good (and free) programs such as Password Safe or LastPass that will generate all the passwords you need (with proper length and complexity) and store them in an encrypted database. As to the second point, I agree with security expert Bruce Schneier:
“We already know how to secure small bits of paper. Write your passwords down on a small bit of paper, and put it with all of your other valuable small bits of paper: in your wallet.”
It’s far more important to use strong, unique passwords than to worry unduly about writing them down. And in fact, you only need to have one password written down: the master password to your password safe. Of course, storing all of your passwords in a single location poses risks of its own — the biggest probably being that the database could be lost in a hard drive failure. That’s why it’s a great idea to back up the password safe frequently to a secondary device like a USB drive and store it in a fire- and water-proof box.
But what if you need to access your password safe from multiple computers? One method is to install the password management software on each computer and keep the safe on a USB drive that you carry on your keychain. Even if your keys were lost, no one could open the database without knowing your master password. Another way of eliminating the hassle of synchronizing passwords on multiple computers is to use LastPass. It can be installed in virtually any web browser and also allows you to access your password safe from any internet-connected computer via lastpass.com.
Six Steps for a Happier, More Secure You
1) Recognize that you have a password problem.
2) Download and install a password manager on all your computers. I prefer LastPass.
3) Come up with a strong master password for your password safe and memorize it. This is the one password you should write down and keep somewhere safe.
4) Log in to all of your online accounts and change the passwords using complex, unique passwords generated by the password manager.
5) Back up the password safe to an external device whenever you add or change passwords.
6) Never worry about forgetting another password or repeatedly using weak passwords that put you at risk. Password problem solved.
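To make steps 3 and 4 concrete, here is a small added example (not code from this post, and not how LastPass or Password Safe are actually implemented) of what a password manager does for you behind the scenes: it draws passwords from the operating system’s cryptographic random number generator, guarantees every character class is present, refuses to hand out a password that is already in the vault, and derives the key that encrypts the vault from your master password with a salted, slow hash. The function names, the character set, and the iteration count are my own choices for illustration.

```python
import hashlib
import math
import secrets
import string

# Character classes a generator draws from (constructed for this example).
CLASSES = {
    "lower": string.ascii_lowercase,
    "upper": string.ascii_uppercase,
    "digit": string.digits,
    "symbol": "!@#$%^&*()-_=+[]{};:,.?/",
}
ALPHABET = "".join(CLASSES.values())  # 86 distinct characters


def has_all_classes(password):
    """True if the password contains at least one character from every class."""
    return all(any(c in chars for c in password) for chars in CLASSES.values())


def generate_password(length=20):
    """Return a random password of `length` characters with every class present.

    Uses `secrets` (the OS CSPRNG), never the `random` module, whose output
    is reproducible and therefore unsuitable for passwords.
    """
    if length < len(CLASSES):
        raise ValueError("length too short to include every character class")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):  # rejection sampling keeps the distribution uniform over valid passwords
            return candidate


def entropy_bits(length, alphabet_size=len(ALPHABET)):
    """Entropy of a uniformly random password: length * log2(alphabet size).

    20 characters from an 86-symbol alphabet is about 128 bits, far beyond
    anything a human would memorize, which is exactly the point of step 4.
    """
    return length * math.log2(alphabet_size)


def build_vault(sites, length=20):
    """Step 4: one unique generated password per site.

    Returns a dict {site: password}; a generated password that already exists
    for another site is discarded so no two accounts ever share one.
    """
    vault = {}
    for site in sites:
        password = generate_password(length)
        while password in vault.values():  # the "unique" rule
            password = generate_password(length)
        vault[site] = password
    return vault


def derive_vault_key(master_password, salt, iterations=200_000):
    """Step 3: turn the one memorized master password into the vault key.

    PBKDF2-HMAC-SHA256 with a random salt and many iterations makes each guess
    at the master password expensive; the vault file is only as strong as
    this password, which is why it is the one you may write down and guard.
    """
    return hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=32
    )


if __name__ == "__main__":
    # Constructed sample sites, standing in for the accounts in step 4.
    vault = build_vault(["bank.example", "shop.example", "mail.example"])
    for site, pw in vault.items():
        print(f"{site:14s} {pw}")
    print(f"entropy per password: {entropy_bits(20):.1f} bits")
    salt = secrets.token_bytes(16)  # stored alongside the encrypted vault
    key = derive_vault_key("correct horse battery staple", salt)
    print(f"vault key (hex): {key.hex()}")
```

A real manager encrypts the vault file with a key like the one `derive_vault_key` returns (modern tools use Argon2 or scrypt rather than PBKDF2, and a higher work factor); the salt is not secret and is stored next to the vault, which is why the backup in step 5 must include the whole file.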
For extra credit and a gold star on your report card, set up a calendar reminder to change your passwords every 90 days or so. If you can’t be bothered to do this for all of your accounts, just change the most sensitive ones (bank, insurance, etc.).
I admit it takes a decent time investment to get this all set up, especially if you manage 50+ passwords like I do, but once you’re using the system you’ll wonder how you ever survived without it.