July 28th, 2014
I’ve recently changed the way in which I handle passwords. Some folks have asked me about it, so I figured I’d share.
Previously, I had several passwords that I’d reuse based on the importance of the service I was using. My throwaway accounts all had the same password, as did my bank accounts and accounts for which I’d put in payment information. Many services have arbitrary restrictions such as password length (“must be between 6 and 8 characters”) and characters (“must contain one number and one symbol”), so I’d use slight variations for different accounts (e.g. Passw0rd). This strategy is totally insecure and reveals some of the fundamental brokenness of passwords.
Remembering passwords is hard, but reusing passwords is dangerous. Passwords are frequently stolen by keyloggers, insecure communication protocols, and hackers. If you use a password on multiple sites and even one is careless with security or gets hacked, you’re vulnerable on all of the sites! Do you really trust your security to any website you type a password into? I hope not. Every time an automatic email is sent with a password in plain view, an angel loses its wings.
Ideally, you’d use a different password for every account such that if a site is compromised, you only have to change your password for that site. But remembering passwords for every individual site is impractical. Some people have an algorithm for generating passwords by including the name of the site (e.g. facebookPassw0rd). But, even with an algorithm, you have to keep track of the various restrictions for each site, which ends up being just as complex as remembering unique passwords. This is further complicated if you need to share your passwords with someone else (e.g. your spouse in the event of an emergency). Now two people have to remember individual passwords for every site? Passwords are the worst.
Given the dangerous situation I’d gotten myself in and the recent Heartbleed bug, I decided to tidy up my password life. I started by getting a password manager to keep track of all of my passwords. A password manager works by using a single password to encrypt all of my other passwords. I don’t use the master password anywhere else, lest it be compromised as I described above. Another benefit of a password manager is that it can generate passwords. When I need a new password of a specific length obeying certain character rules, I can plug those rules into the password manager and get something like sQ3=%7f24L. That password means nothing to me, and there’s no way I’ll remember it, but I don’t have to!
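As an added illustration (not code from this post or from KeePass), here is the core of what a password manager’s generator does: draw characters from the operating system’s CSPRNG and keep only draws that satisfy a site’s length and character-class rules. The symbol set, the policies and the entropy helper are constructed assumptions for the example.

```python
import math
import secrets
import string

# Character classes that site policies typically name ("one number and one symbol").
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"  # constructed set; trim to what a site accepts
ALL_CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)


def meets_policy(password, min_len, max_len, required_classes):
    """True if the password is within the length bounds and contains at least
    one character from every required class."""
    if not min_len <= len(password) <= max_len:
        return False
    return all(any(c in cls for c in password) for cls in required_classes)


def generate_password(min_len, max_len, required_classes=ALL_CLASSES, alphabet=None):
    """Draw a password from the OS CSPRNG (the secrets module) that satisfies
    the policy. Rejection sampling keeps the output uniform over all compliant
    strings; forcing "a digit in position 3" would bias it."""
    if alphabet is None:
        alphabet = "".join(ALL_CLASSES)
    if max_len < len(required_classes) or any(
        not set(cls) & set(alphabet) for cls in required_classes
    ):
        raise ValueError("policy cannot be satisfied from this alphabet and length")
    length = max_len  # use the longest allowed length: every character adds entropy
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if meets_policy(candidate, min_len, max_len, required_classes):
            return candidate


def entropy_bits(alphabet_size, length):
    """Entropy of a uniformly random string of this length; rejection sampling
    lowers it by log2(acceptance rate), a fraction of a bit for sane policies."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # The "6 to 8 characters, one number and one symbol" policy from the post.
    pw = generate_password(6, 8, (DIGITS, SYMBOLS))
    print(pw, meets_policy(pw, 6, 8, (DIGITS, SYMBOLS)))
    size = len("".join(ALL_CLASSES))
    print(f"8 chars: {entropy_bits(size, 8):.1f} bits, 20 chars: {entropy_bits(size, 20):.1f} bits")
```

The entropy line shows why an 8-character cap hurts: eight characters from this alphabet give about 51 bits, while twenty give about 129.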
After some research on password managers, I found that Keepass / KeePassX meets my needs, but there are a number of options with varying features and pricing. The best password manager for you is the one that you’ll use!
The password database is just a file that sits on my hard drive. It’s encrypted with my master password, so even if my computer is stolen, nothing is revealed. Since it’s encrypted, I can store it anywhere. My wife and I have a shared Dropbox folder that automatically syncs changes we make to our computers and mobile devices. Knowing that we’d be able to access our accounts even if something were to happen to one of us brings us both peace of mind.
I encourage you to generate passwords randomly and store them encrypted in the cloud. The sooner you do it, the better! We’re only spending more money on the internet and putting more of our identity online, and having either compromised would be a huge, unnecessary pain.