The start of a new year is the season of resolutions. I propose that you make a resolution to organize your passwords. Build a list of your accounts and their passwords. Also, make sure those passwords are strong. In a previous tech tip I talked about how to test your passwords’ strength and how to select strong passwords. I’ll reiterate some of that tech tip’s suggestions and add some recommendations on creating and maintaining your password list.
You often hear the recommendation that you should use a long, complex and unique password for each system and change each of these passwords every month. From a security viewpoint, I agree with this recommendation completely, but I don’t think it is at all practical or realistic for most people. Instead, I think it’s more reasonable to make this recommendation: Use very long passwords and maintain a written list.
Some day in the future we might login to our accounts using a thumb print or an iris scan. When this day comes then security will be easy. We simply press our thumb on a device or look into a camera and wait for a few seconds. Gone will be the days of remembering a myriad of passwords, typing in passwords and resetting forgotten passwords! However, our current reality is that we all have many, many password-protected accounts. So what’s the best way to handle this?
In this current paradigm, security and convenience are inversely related. The more secure things are, the less convenient they are. Or, stating the converse, the more convenient things are the less secure they are. Let me illustrate this. It’s very convenient for you to use one password on many or all of your accounts, but this is very insecure. If one account is compromised then they are all effectively compromised. If one account is compromised you obviously have to select a new password for that account and really, you should change the password for all of the accounts for which you use that same password. What a headache. How inconvenient!
Thus, I recommend a more balanced approach. Use at least a handful of passwords, select long passwords and maintain a password list. One of the easiest ways to make a password secure is to make it long. If your password is currently cactus. Simply change your password to cactuscactuscactus. (It would be better if you made it complex like this: c@ctuSc@ctuSc@ctuS, but I won’t push my luck.) However, even if you do your best to pledge to use a really long or complex password, your efforts could be thwarted by systems that put a cap on the maximum length of a password or don’t allow the use of punctuation marks in a password. Thus, you’ll end up with a greater variety of versions of your passwords than you’d like. Thus, it’s important to maintain a password list.
Let’s focus on this list. It could be handwritten on paper, but clearly this isn’t very secure. If you do put it on paper then securely store it in a locked drawer or a safe. However, locking up your list makes it less convenient to grab and to update. So if you’re going to maintain your list on paper I recommend that don’t write the password itself. Instead, write a hint. For example, if your password is your childhood street address then you could simply write old address as the hint. This way you could keep the password list close to your computer and even if a burglar found it he wouldn’t immediately have all of your passwords.
An even more secure way to store your password list on a computer is in an encrypted disk image. I think this solution offers a great combination of security and convenience. A previous tech tip describes how to setup an encrypted disk image. Since the disk image is on your computer, you’ll always have this information conveniently at your fingertips, but it’ll be stored in a secure, encrypted manner. Of course, you’ll have to remember your password for your disk image. If you forget it then you’ve lost access to your entire list!
Another option that some of my colleagues use and recommend is a password manager like 1Password or mSecure. This blog article covers 8 password managers for the Mac and iOS devices. 1Password and mSecure are the two that I’ve personally worked with.
Whichever method you choose, I hope you compile a list of your current accounts and passwords and hopefully take some time to select longer, more secure passwords for these accounts.