Recent events such as Heartbleed and the eBay episode have motivated many users to change their passwords, at least for their most important applications. This is happening more and more often, and it raises the question of effective password management. Eventually we’ll come up with a better way of authenticating users, since the current password system is ineffective and unsustainable. In the meantime, though, we need to handle passwords in a way that minimizes our exposure to data breaches.
Anyone who uses the web very much has a lot of passwords to deal with – dozens of them, perhaps many dozens. It’s impossible to remember them all, so people fall back on a few common approaches; recent informal surveys suggest these are using the same password for every application, using password management software, or keeping a memo somewhere of the passwords in use.
Writing down the passwords is, and always has been, a bad idea. Even if the note is kept offline, it may be discovered and used against you. If it’s online, it is subject to hacking, and if a hacker comes along, your exposure to identity theft and loss is very high. The same goes for using the same password for everything.
Using password management software can be a good solution, depending on the software. There is a lot of it out there, and some caution is warranted in deciding which to use. It’s important that the software uses strong encryption. Also, remember that such software is protected by a master password, and anyone who gains access to that master password gets all your passwords.
So the master password needs to be very strong – i.e. a mixture of numeric, alphabetic and special characters, at least 8 – 10 characters long. You likely won’t be able to remember this password, so it will need to be stored somewhere – not on the computer system where it is used – maybe under your mattress!
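To make the two points above concrete, here is an added example (not code from the original post or from any particular password manager): it checks a candidate master password against the rule just stated and estimates the search space it presents, and it shows, in simplified form, why the master password is the single point of failure: the key that encrypts the whole vault is derived from it. The mapping of "numeric, alphabet and special" onto Python's `string` constants and the use of PBKDF2-HMAC-SHA256 as the key derivation are assumptions of this example; real products differ in detail.

```python
import hashlib
import math
import string

# Character classes named in the post ("numeric, alphabet and special"),
# mapped onto Python's string constants (an assumption of this example).
CLASSES = {
    "digit": set(string.digits),          # 10 symbols
    "alpha": set(string.ascii_letters),   # 52 symbols
    "special": set(string.punctuation),   # 32 symbols
}
MIN_LENGTH = 8  # the post's lower bound: "at least 8 - 10 characters"


def check_master_password(pw: str) -> dict:
    """Check a candidate master password against the post's rule and
    estimate the brute-force search space it presents, in bits."""
    present = {name: any(c in chars for c in pw) for name, chars in CLASSES.items()}
    missing = [name for name, ok in present.items() if not ok]
    # The search space grows with the size of the alphabet actually used:
    # each extra class multiplies the guesses needed per position.
    alphabet = sum(len(CLASSES[name]) for name, ok in present.items() if ok)
    bits = len(pw) * math.log2(alphabet) if alphabet else 0.0
    return {
        "ok": len(pw) >= MIN_LENGTH and not missing,
        "length": len(pw),
        "missing": missing,
        "bits": round(bits, 1),
    }


def vault_key(master: str, salt: bytes, iterations: int = 600_000) -> bytes:
    """Simplified picture of how a manager turns the master password into the
    key that encrypts the whole vault (assumed: PBKDF2-HMAC-SHA256; real
    products vary). The key depends only on the master password and a stored
    salt, so anyone holding the master password can derive it and read every
    stored password."""
    return hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations, dklen=32)


if __name__ == "__main__":
    for candidate in ("password", "Ab3$efghij"):
        print(candidate, check_master_password(candidate))
    salt = b"constructed-16B-"  # constructed sample salt; a real one is random per vault
    print(vault_key("Ab3$efghij", salt).hex())
```

Running it shows "password" failing the rule (no digit, no special character, about 45.6 bits of search space) while a 10-character mix of all three classes reaches about 65.5 bits; the derived vault key is identical every time the same master password is entered, which is exactly why that one secret must be strong and kept out of the system it unlocks.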
Also, you should decide which of your passwords are more important than others and which are least important. For example, your online banking passwords are critical, and you don’t want anyone to get them. So you should never put them into password management software and never write them down. Also, don’t let your computer store them, as several systems do automatically. Memorizing them, and changing them frequently, is the only way to go.
Other passwords that might be important are those where you have stored credit card numbers (a practice which, although convenient, is not a good one from a security viewpoint). Again, these passwords should be strong and changed frequently.
Another important type of password is one protecting an account where other personal information is stored. Again, storing personal information on websites should be avoided where possible, but it isn’t always possible, so it’s important to protect it well.
The rest of the passwords you need to know are probably not all that important, and it may be OK to use the same one for all of them, as long as that same password is never used for any of your important apps.
Good password management takes a lot of planning and careful execution. But if it avoids identity theft, then it’s worth it.