Passwords and the New Internet
by Kreme on May.12, 2009, under Computer, Internet
Over the last decade the average person’s need for passwords has increased at a phenomenal rate. It’s quite possible that in 1999 you didn’t need a password at all, or you just had a password for your email account. Today, most people online have at least a couple of email accounts, a Myspace page and/or Facebook page, a PayPal account, an eBay page, and maybe as many as a couple of dozen websites where they log in. Add online banking to this mix and maybe a Twitter account, and most people with much of an online life are juggling at least a dozen and maybe up to a hundred logins.
How do you juggle 100 passwords?
Well, you don’t. No one is going to remember hundreds of logins, and creating random passwords for everything has huge issues because you need to keep those passwords somewhere. What most people do instead is use the same password for multiple logins. It’s a terrible idea, but people are people, and how many 8-12 character random strings can your brain hold? Mine seems to cap out around six, far short of the 621 passwords I have stored. Yes, 621. And that is only web-based passwords and does not include the various passwords for my email client, or other local software on my computer. I also have a login password for OS X, a different password for the default OS X keychain, and a different password for the login of my Admin account. Oh, and one more for World of Warcraft which is just about the only software I own that doesn’t support the OS X keychain.
The trouble with reusing passwords is that if someone nefarious gets a password, they have access to lots and lots of your information, usually enough to get into lots more of your information. How many of your passwords are in your email? If someone gets into your email, can they then get into your bank, PayPal, Facebook, and other accounts?
So, here are some of the things I do.
First, I delete emails that contain passwords. I don’t just mark them deleted, I move them to the trash and then empty the trash. This is critical, as the email is always the weakest link in your security chain. It’s not stored encrypted and it’s likely the easiest thing for someone to get to.
Second, I store all my passwords in an encrypted keychain file which I then back up many times (multiple hard drives on my computer, my remote server, my Time Machine backup, and a USB thumb drive). The encrypted keychain is protected with a long password (over 15 characters), which is one of the long and random passwords I have to remember.
Third, I use a password manager named 1Password (for Mac OS X and iPhone) which allows me to easily create a random password for a new web site login, store any password I enter automatically, and lets me access my passwords from anywhere I have Internet access. It also has one critical feature: it allows exporting your passwords into a secure HTML file, so that even if the software dies I still have access to all my passwords. The ability to generate a new password on the fly is wonderful; for the vast majority of websites I have no idea what the password even is. On sites that insist on a security question and answer, I generate a second random password for the default question.
Web site: What’s your mother’s maiden name:
Me: xmHb157C8JBMvX9Lh0dF (or Ypxfdbeualozrtgw)
The exception to this is credit cards where I sometimes have to give the ‘security word’ over the phone. But my security word is not my mother’s maiden name.
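Generating a throwaway answer for a security question is the same operation as generating a login password: draw characters uniformly from an alphabet using the operating system's cryptographic random source, then store the result in the keychain next to the login. The block below is an added example illustrating that, not code from 1Password or from the original post; the alphabets, the 20- and 16-character lengths (matching the shape of the two sample answers above) and the function names are assumptions. It also reports the entropy of what it produced, which is the number that actually matters when comparing a random answer with a real maiden name.

```python
import math
import secrets
import string

# Alphabets: full alphanumeric for ordinary logins, letters only for sites
# whose security-question field rejects digits. Both are assumptions.
ALPHANUMERIC = string.ascii_letters + string.digits
LETTERS_ONLY = string.ascii_letters


def generate_password(length=20, alphabet=ALPHANUMERIC):
    """Return `length` characters drawn uniformly from `alphabet`.

    `secrets.choice` uses the OS CSPRNG; the `random` module must never be
    used for this, since its output is predictable from a small sample.
    """
    if length < 1 or not alphabet:
        raise ValueError("length must be >= 1 and alphabet must be non-empty")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet=ALPHANUMERIC):
    """Entropy of a uniformly random password: length * log2(|alphabet|)."""
    return length * math.log2(len(set(alphabet)))


def security_answer(question, length=16):
    """Produce a random letters-only 'answer' for a site's security question.

    Returns the (question, answer) pair, which is what gets stored in the
    keychain entry alongside the login password, so the true answer to the
    question never goes anywhere near the web site.
    """
    return question, generate_password(length, LETTERS_ONLY)


if __name__ == "__main__":
    pw = generate_password()
    print(pw, f"({entropy_bits(len(pw)):.1f} bits)")
    q, a = security_answer("What's your mother's maiden name?")
    print(q, "->", a, f"({entropy_bits(len(a), LETTERS_ONLY):.1f} bits)")
```

A 20-character alphanumeric string carries about 119 bits of entropy and a 16-letter one about 91; a real maiden name that an attacker can look up carries close to none, which is the whole argument for answering the question with a generated string.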
There are password managers for Windows users too, I think. Just be sure any password manager you use will store everything in both a secure encrypted keychain and in a secure, encrypted open-format file. Make sure that you don’t reuse passwords at all, or at most for a very limited and very specific set of logins. For example, all my email accounts that are on my own email server have the same password, but my Gmail account has a different password.
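Once every login lives in one store, reuse is something you can check mechanically rather than by memory. The block below is an added example of such a check, not a feature of 1Password or code from the original post: it groups a constructed list of keychain entries by password and reports every group of two or more sites, except groups that fall entirely inside an explicitly allowed set, such as the "all accounts on my own mail server" exception described above. The sample entries, site names and the `ALLOWED_GROUPS` list are made up for the example.

```python
from collections import defaultdict

# Constructed sample keychain export: (site, username, password).
# Every value here is invented for the example.
SAMPLE_STORE = [
    ("mail.example.net",  "kreme", "Qv8!mZ2rLw#eTp4K"),   # own mail server
    ("imap.example.net",  "kreme", "Qv8!mZ2rLw#eTp4K"),   # same server, same password
    ("gmail.com",         "kreme", "N7yH3cW9pL2kXs5R1dQf"),
    ("forum.example.org", "kreme", "hunter2"),
    ("bank.example.com",  "kreme", "hunter2"),            # reuse across unrelated sites
    ("shop.example.com",  "kreme", "Ypxfdbeualozrtgw"),
]

# Sets of sites where sharing one password is a deliberate, limited choice.
# Assumed for the example; in practice this list should stay very short.
ALLOWED_GROUPS = [
    {"mail.example.net", "imap.example.net"},
]


def find_reuse(store, allowed_groups=()):
    """Return sorted lists of sites that share a password.

    A group is skipped only when every site in it belongs to one allowed
    group; a password shared between an allowed site and any outside site
    is still reported.
    """
    by_password = defaultdict(set)
    for site, _user, password in store:
        by_password[password].add(site)

    findings = []
    for sites in by_password.values():
        if len(sites) < 2:
            continue
        if any(sites <= group for group in allowed_groups):
            continue
        findings.append(sorted(sites))
    return sorted(findings)


def reuse_report(store, allowed_groups=()):
    """Human-readable lines for each unexpected reuse group."""
    lines = [
        "password shared by: " + ", ".join(sites)
        for sites in find_reuse(store, allowed_groups)
    ]
    return lines or ["no unexpected password reuse"]


if __name__ == "__main__":
    for line in reuse_report(SAMPLE_STORE, ALLOWED_GROUPS):
        print(line)
```

Run against the sample store, the report flags the forum and bank sharing a password while staying quiet about the two mail-server entries; drop the allowed list and the mail-server pair is reported as well. The comparison is on the plaintext passwords because a password manager has already decrypted its store when it runs such a check.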
Edit: Zachery Bir pointed out one thing I’d failed to mention about the security of passwords, and that is, “If you control the email account, you can usually get password reset links for other services.” This is an important point, and yes if someone gets access to your email they can get access to a lot of other things simply by resetting the password.
There is not much you can do about this. The easiest, and really the only, thing to do is to set up a free Gmail or Yahoo (or whatever) email that you only use for web registrations and never send or receive other emails on. This is the address the password reset will be sent to. Even if someone gets into your real email account, they aren’t even going to know about this other one. And at least most sites that deal with money have some sort of additional security question for a reset. Sure, you might get embarrassed on a web-board, but you are not likely to have someone get into your PayPal or bank accounts.