Sunday, July 13, 2008

Dealing with password overload

One of the most frequent questions I get asked is how to manage passwords. It seems like every web site requires you to have a password, and if you listen to some security advice, you should have a different password for each web site and write none of them down. Well, unless you have the memory of a computer, that's just not practical. In this post, I'll share my strategy for managing my passwords. It involves categorizing your passwords based on their importance, and taking an approach that balances security and ease of use.

I'm going to focus this post on passwords for the web. It could also apply to passwords for other things (it does in my case), but I'm guessing most of you use passwords primarily for the web, and focusing on those will keep this post simpler. I'm also going to assume you use a personal computer in your home that only you access, or at least only you and people you trust. If you are using a public terminal, or have others accessing your computer who you don't entirely trust (e.g., roommates, kids, dogs), you will have to wait for another post.

OK, on to the advice...

Not all passwords are created equal. The first thing I do with any new password is to decide how important it is to protect it. Some passwords, such as the one for my online bank account, are very important to me - if they were to fall into the wrong hands it would mean real pain and suffering (i.e., financial loss). I'll call this group of passwords the important group. (The password for the e-mail account that receives password-reset links for your other accounts belongs in this group too, since whoever controls that mailbox can reset most of the rest.) Many of the passwords I have are not that important. I care somewhat about them, but their misuse would be annoying but not disastrous. And, I tend to use them often, so having them be easy for me to use is important. An example is my password for a dog training discussion group; I read the group every day and if someone were to get the password, they could cause me some embarrassment (they could make fake posts claiming to be me), but no lasting harm.

How you categorize your passwords may differ from how I categorize mine. You may consider some passwords important that I don't, or vice-versa. The key concept is not the exact method I use, but the general strategy. Once I've decided the importance of a password, I apply a method to protect it that is in proportion to its importance.

Why not just protect all passwords as if they were important? Because protection is a trade-off with ease of use. As I describe below, I protect my most important passwords in a way that makes them inconvenient to use. While I don't mind jumping through the extra hoops to protect my online banking, it's more effort than I want to make during my daily web surfing routine.

Except for your important passwords, let your web browser do the heavy lifting. You might have noticed that most of the time when you enter a user name and password into a web site, your web browser will ask if you want it to remember the password for you. Except for passwords in my important group, my answer is always a resounding "Yes". This gives me easy access to the password for future web browsing. Keep in mind that anyone who can sit down at your unlocked browser can view the saved passwords from its settings page, so this relies on the assumption above that only people you trust use the computer.

I also record these passwords (using the same method I use for important passwords, described next) for two reasons. First, if I use a different computer (hence a web browser that doesn't know my passwords), this allows me to access my normal web sites. Second, if some catastrophe were to occur and I were to lose my computer or its hard drive, the recorded passwords save me from trying to recall all my passwords.

High security for the important passwords. For the important passwords, I don't have my browser remember them, instead I write them down. Yes, write them down. Contrary to "old school" advice to never write passwords down, there are just too many passwords to remember today. I believe it's better security to create a different password for each of the important web sites I use and to write it down, than it is to deal with the limitations of my memory.

When I say "write down," it literally can be that simple. A viable low-tech option is to write the passwords down on a piece of paper and then keep that paper somewhere safe, such as your wallet, purse, or locked in a desk drawer. The high-tech alternative (and what I do) is to use a password management program such as Password Safe, KeePass, or Apple's Keychain. I'll talk about these more in a later post.

What this decision means is that if I'm doing online banking, or accessing some other web site of importance to me, I have to get at my written passwords. Inconvenient, yes, but this prevents anyone who has access to my browser, either physically or via a worm or virus, from easily getting at these important passwords.

Generating passwords. Up until now I've discussed how to handle passwords I already have. What about generating new passwords? I create a new, different password for each web site. The nice thing about using the methods described above is that I don't have to remember any of these passwords, so this different-password-per-website approach doesn't add any burden. And, it gives me some extra security: if someone gets hold of one password (say, because one site stored it carelessly and was broken into), they can only access that one site, not every site where I reused it.

How do I create all these passwords? The trick is to pick a password that isn't easily guessable. This means no words in the dictionary (English or otherwise), and nothing so simple as replacing all the "i"s with "1"s, "e"s with "3"s, etc.; password-guessing tools try those substitutions automatically. There are two methods I use. The first is to create a password of completely random characters, a dozen or more of them. The password management programs I mentioned before all have built-in password generators that will do this for you.

The second method is to choose a sentence that is meaningful to you and then use the first letter from each word. Choose a sentence that incorporates some numbers and include those directly, and/or use some creative substitutions like "&" for "and", "@" for "at", etc. Some examples: "My favorite football team is the San Francisco 49er's" would become "MfftitSF49ers", "Tom and Jerry are the best" would become "T&Jatb", "The dog always barks at 5 AM" becomes "Tdab@5AM", etc. As you see, you can create some very hard-to-guess passwords that are memorable to you. Prefer longer sentences: a six-character result like "T&Jatb" is far easier to guess by brute force than the twelve-character one from the football sentence. I use this method a lot for work passwords that I type every day and hence want to remember.
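Both generation methods above, and the "no dictionary words, no simple substitutions" rule, as an added Python example (this is illustration code written for this page, not anything from the original post or from the password managers it names). The symbol set in RANDOM_ALPHABET, the rule that an all-capitals word such as "AM" is kept whole, and the tiny SAMPLE_WORDLIST standing in for a real dictionary are my assumptions; the "&" and "@" substitutions are the ones the post gives.

```python
import math
import secrets
import string

# Alphabet for generated passwords: letters, digits and a handful of symbols
# that most web forms accept (an assumption; trim it if a site rejects some).
RANDOM_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"


def generate_random_password(length=16, alphabet=RANDOM_ALPHABET):
    """Password of `length` characters chosen uniformly from `alphabet`.

    `secrets` draws from the operating system's cryptographic RNG; the
    `random` module is seeded predictably and must not be used for this."""
    if length < 8:
        raise ValueError("use at least 8 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_password_bits(length=16, alphabet=RANDOM_ALPHABET):
    """Entropy in bits of a uniformly random password: length * log2(|alphabet|)."""
    return length * math.log2(len(alphabet))


# Whole-word substitutions for the mnemonic method (the two from the post).
WORD_SUBSTITUTIONS = {"and": "&", "at": "@"}


def password_from_sentence(sentence, substitutions=WORD_SUBSTITUTIONS):
    """First-letter mnemonic: one character per word, with three exceptions.

    - a word in `substitutions` contributes its replacement ("and" -> "&"),
    - a word starting with a digit is kept whole ("49er's" -> "49ers"),
    - an all-capitals abbreviation is kept whole ("AM" -> "AM"; my rule).
    Punctuation inside a word is dropped first."""
    parts = []
    for word in sentence.split():
        core = "".join(ch for ch in word if ch not in string.punctuation)
        if not core:
            continue
        if core.lower() in substitutions:
            parts.append(substitutions[core.lower()])
        elif core[0].isdigit():
            parts.append(core)
        elif len(core) > 1 and core.isupper():
            parts.append(core)
        else:
            parts.append(core[0])
    return "".join(parts)


# Undo the "i -> 1, e -> 3" style substitutions the post warns against.
LEET_REVERSE = str.maketrans("013457@$", "oieastas")

# Constructed stand-in for a real dictionary; a real check loads a wordlist.
SAMPLE_WORDLIST = {"password", "letmein", "welcome", "dragon", "football"}


def is_obviously_weak(password, wordlist=SAMPLE_WORDLIST):
    """True for short passwords and for dictionary words dressed up with
    digit/symbol substitutions (e.g. "P@55w0rd" normalises to "password")."""
    if len(password) < 8:
        return True
    letters = "".join(
        ch for ch in password.lower().translate(LEET_REVERSE) if ch.isalpha()
    )
    return letters in wordlist


if __name__ == "__main__":
    print(generate_random_password(), f"{random_password_bits():.0f} bits")
    for s in ("My favorite football team is the San Francisco 49er's",
              "Tom and Jerry are the best",
              "The dog always barks at 5 AM"):
        m = password_from_sentence(s)
        print(f"{s!r} -> {m} (weak: {is_obviously_weak(m)})")
    print("P@55w0rd weak:", is_obviously_weak("P@55w0rd"))
```

Running it reproduces the post's three mnemonics and flags "T&Jatb" as weak purely on length, which is the point of preferring a longer sentence; a 16-character random password from this alphabet carries about 100 bits of entropy, far beyond what any mnemonic of typing-friendly length reaches, which is why the random method is the better choice whenever a password manager will remember the result for you.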

That's it. Hope you found this useful.