Your Password Stinks


I have bad news. I hope you don’t take this personally. Your password (probably) stinks.

Let’s face it, passwords are a major pain to keep track of. Every web site that you visit will ask you to create a new user id and password. It quickly becomes daunting.

For simplicity, I’m going to use the pronoun “we”, since I am just as guilty as you are.

The most common crutch that we use is “reuse”, i.e. we use the same password. Again. And again. Rinse, lather, repeat. The problem with this approach is that once that password becomes compromised, the bad guys may have access to your bank accounts, your investment accounts, your online shopping accounts. The list goes on. Anywhere that you used the same combination of user id and password, you are vulnerable. Assume for the sake of argument that you have a Yahoo! email account that was compromised. (Oh wait, that actually happened.) Now the hackers have a combination of user id and password that they can, with minimal effort, try on an essentially unlimited number of other web sites.

There are other crutches that we use: we write down our passwords (don’t do this!), we use short passwords (it turns out that the longer the password the better; 8 characters is good, 16 characters is really good), we use personal information in our passwords such as a child’s birthday or the street we live on (stop doing this), we use words that can be found in the dictionary (definitely don’t do this), we never change our passwords (you should change your password regularly). The list could go on and on.

I am speaking from personal experience. Full mea culpa: I used the exact same user id and password for years. I used it on name-brand websites such as Yahoo! Mail. I used it on fly-by-night websites where I thought to myself “this web site probably won’t be here a year from now”. I’ve used it for eCommerce transactions on web sites that I assumed I would only visit once in my lifetime. Eventually this behavior came back to haunt me. Someone used those reused credentials on an eCommerce site, and ordered themselves a laptop. I had forgotten that I even had a login to this particular web site, so you can imagine my surprise when I received an order confirmation email for a new laptop. When I went to reset my password, the web site actually sent me an email with my “old” password. This was painful confirmation that it was the same user id and password that I used…everywhere. (I would later estimate that I had used the same user id and password over 50 times.)

There is a better mousetrap: a relatively simple way to overcome your stinky password habit is to use a password management system.

There are two primary functions that these services provide: first, they are a master repository of your passwords, and second, they generate long and completely random passwords for you, so you never have to invent (or remember) one yourself.
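As an added illustration of the two points above (that length matters, and that a manager’s generator draws random characters rather than words) and of the reuse problem described earlier, here is a small Python script. It is not from the original post and not the code of any password manager; it generates passwords with the operating system’s cryptographic random source, estimates how much entropy a password of a given length carries, and audits a constructed sample vault for passwords that appear on more than one site. The sample vault and the guessing rate are made-up values for illustration.

```python
import math
import secrets
import string

# Character classes a generator can draw from.
LOWER = string.ascii_lowercase
UPPER = string.ascii_uppercase
DIGITS = string.digits
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?"
DEFAULT_ALPHABET = LOWER + UPPER + DIGITS + SYMBOLS


def generate_password(length=16, alphabet=DEFAULT_ALPHABET, require_each_class=True):
    """Return `length` characters chosen uniformly from `alphabet`.

    Uses the `secrets` module (OS CSPRNG), never `random`, whose output is
    predictable.  With require_each_class=True the candidate is rejected and
    redrawn until it contains at least one character from every class present
    in the alphabet; rejection sampling keeps the result uniform over the set
    of acceptable passwords, unlike "pick one of each, then shuffle".
    """
    classes = [cls for cls in (LOWER, UPPER, DIGITS, SYMBOLS) if set(cls) & set(alphabet)]
    if length < 1 or (require_each_class and length < len(classes)):
        raise ValueError("length too short for the requested character classes")
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not require_each_class or all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def seconds_to_guess(bits, guesses_per_second):
    """Expected time to hit the password when half the keyspace must be searched."""
    return 2 ** (bits - 1) / guesses_per_second


def find_reused(vault):
    """Given {site: password}, return {password: [sites]} for every password
    used on more than one site.  This is the audit a manager can run for you."""
    by_password = {}
    for site, password in vault.items():
        by_password.setdefault(password, []).append(site)
    return {pw: sorted(sites) for pw, sites in by_password.items() if len(sites) > 1}


if __name__ == "__main__":
    # Length is what moves the needle: same alphabet, 8 vs 16 characters.
    rate = 1e10  # constructed offline guessing rate, guesses per second
    for n in (8, 16):
        bits = entropy_bits(n, len(DEFAULT_ALPHABET))
        print(f"{n} chars: {bits:.1f} bits, ~{seconds_to_guess(bits, rate):.3g} s to guess")
    print("generated:", generate_password(16))

    # Constructed sample vault: the reuse pattern the post describes.
    sample_vault = {
        "bank": "hunter2",
        "webmail": "hunter2",
        "one-off-shop": "hunter2",
        "forum": "K6$pzQ!v9mLd2#wR",
    }
    print("reused:", find_reused(sample_vault))
```

Running it shows why 16 characters is “really good”: doubling the length squares the number of candidates, so at the same guessing rate the 16-character password takes astronomically longer than the 8-character one. The `find_reused` output lists every password that appears on more than one site, which is exactly the list you want empty.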

I have used LastPass for several years (ever since the hacking mentioned above). There are a number of other well-regarded services such as 1Password, Dashlane, RoboForm, and others.

There is one final gotcha with password management systems. You need to create a “master” password to get into that system. Some of these systems add extra security by having no password recovery mechanism for the master password: if you forget your master password, you are completely locked out. The method that I have found to work is to have a long pass phrase, that only you know, and that you abbreviate into the password. For example, you can start with a quote such as “If not us, who? If not now, when?” You might turn that into “if<>Uwif<>Nw?3000”. The key is to make it personal, something that you will remember, but that is impossible to guess.

Summary

There is no other way to explain it: you simply need to do a better job of creating and managing your passwords. We often use shortcuts of various forms to help manage our passwords, to our own detriment and peril. Know that there is a better way. A password manager can help.
