Archive for October, 2010

How do you manage your passwords?

I’m going to write quite a lot about passwords here. It’s not very glamorous, but it is important.

What is a password anyway?

A password is a means of proving to a system that you are who you claim to be. [In information security terms this is known as authentication.] It’s useful for systems to know who you are so that they can give you the appropriate rights, keep your data apart from everyone else’s, and remember how you like things to work.

Most people know two things about passwords:

1. You should never tell anyone else your password.

If you tell someone else your password – or let someone else use your account while you are logged in – then as far as the system is concerned they are you: they can do anything you can do, and anything they do will be recorded against your name. Any well-designed system provides proper ways of delegating for those times when someone needs to do something on your behalf, so that the audit trail still shows who really did what.

2. You should use different passwords for everything.

But surely, if you follow rule #1 and never tell anyone else your password, why should it matter if you use the same one for different systems? Unfortunately, never having told anyone your password doesn’t mean no one can find it out.

In a poorly-designed system, they may be able to use the built-in “forgotten password” feature to have your password e-mailed to them, or to reset it by answering “security questions” whose answers (date of birth, home town, where you met your spouse) can be found with a little searching. That is how someone gained access to Sarah Palin’s personal e-mail account during the 2008 US presidential election campaign.

Even in a well-designed system, hackers might be able to break into the database and recover the passwords from what is stored there.¹

If you use the same password for several systems, an attacker who recovers it from one of them now has access to everything of yours in all of them. And because they’re logging in with your password, you may not even be aware of it.²

1. Passwords should not be stored as plain text: a well-designed system stores a one-way hash of each password instead (often loosely described as “encryption”). However, many systems use a fast, unsalted hash such as MD5 or SHA-1, for which precomputed lookup tables and cheap brute force make recovering the original passwords straightforward.

2. However, if your password suddenly stops working, treat it as a definite warning sign that someone may have changed it. In that case it is important to change not only your password but also any supplementary information the service uses to identify you when you reset it (e.g. security question answers or a recovery e-mail address).
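To show what footnote 1 means in practice, here is an added example (not code from the original post) contrasting the two ways of storing a password. The wordlist is constructed and tiny; real cracking lists run to hundreds of millions of entries. With an unsalted fast hash, the attacker computes the table once and reuses it against every system that stores passwords the same way; with a per-user salt and a deliberately slow function (PBKDF2 here, from Python’s standard library), every guess has to be recomputed for every user. The iteration count is a parameter so the reader can see the cost scale.

```python
import hashlib
import hmac
import os

# Constructed sample wordlist standing in for a real cracking list.
WORDLIST = ["password", "letmein", "123456", "qwerty", "Ozymandias"]


def unsalted_md5(password: str) -> str:
    """How many systems stored passwords: one fast hash, no salt.
    The same password always produces the same stored value, on every system."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password once; this is the 'readily available
    workaround' of footnote 1, reusable against any unsalted-MD5 database."""
    return {unsalted_md5(w): w for w in words}


def crack_unsalted(stored_hash: str, table: dict):
    """A stolen unsalted hash is cracked by a single dictionary lookup."""
    return table.get(stored_hash)


def salted_pbkdf2(password: str, salt: bytes = None, iterations: int = 200_000):
    """Store a random per-user salt plus a slow, salted hash."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest


def verify_pbkdf2(password: str, salt: bytes, digest: bytes, iterations: int = 200_000) -> bool:
    """Login check: recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, digest)


def crack_salted(salt: bytes, digest: bytes, words, iterations: int = 200_000):
    """No precomputed table helps here: each guess costs a full PBKDF2 run,
    and the work cannot be shared between users because salts differ."""
    for w in words:
        if verify_pbkdf2(w, salt, digest, iterations):
            return w
    return None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted:", crack_unsalted(unsalted_md5("letmein"), table))
    salt, digest = salted_pbkdf2("letmein")
    print("salted:  ", crack_salted(salt, digest, WORDLIST))
```

Note that the salted scheme does not stop a weak password from being guessed; “letmein” is still found, just one slow computation at a time. What the salt and iteration count buy is that a leak from one system no longer hands the attacker a table that works everywhere, which is exactly why rule #2 matters less on well-designed systems and more on everything else.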

How on earth am I meant to remember all these passwords!?

The easiest way to remember several different passwords is to have a system for choosing them. For example, I could take the first couple of lines of a song or poem I know; e.g. Ozymandias by P. B. Shelley:

I met a traveller from an antique land
Who said, “Two vast and trunkless legs of stone

And use the first letter of each word:

ImatfaalWstvatlos

Not a bad start! Now I’ll replace the letters that stand for certain whole words: ‘two’ becomes ‘2’, ‘and’ becomes ‘&’ and ‘of’ becomes ‘/’ (the ‘a’ for ‘an’ stays as it is), to make the password harder to crack.

ImatfaalWs2v&tl/s

As you can see, the result is a seventeen-character string of letters, numbers and symbols that looks random – ideal for a password, but still memorable to you because you know how you arrived at it. Two caveats. First, the strength depends on the source and the substitution rules being yours alone: attackers who know this technique build wordlists from the first letters of well-known poems and songs, so a less famous passage is a safer choice than the opening of Ozymandias. Second, pick a different source for each password you need to create.

While using a different password for every service is good practice, there are a few further steps you can take to improve your passwords. I’ll be looking at these in a future article – but in the meantime I hope you’ve found this useful.