The problem is that we all have to remember too many passwords. And because of the way we humans function, we tend toward the simplest answer to what can be a very serious technology headache: we use the same simple password across our whole digital lives, and that, unfortunately, can lead to disaster.
As this Forbes article points out, it is far too easy to be lazy about password security. The consequences are huge. If you choose a password that is easily guessed (and any word from the English dictionary is insecure), it's probably just a matter of time before your account falls prey to hackers.
So what to do? In the past, it was much easier to manage passwords. You usually had only a few accounts, and access to those accounts typically happened from a computer you had access to, and to which you could limit others' access.
Now, given the growth of smartphones like the iPhone or any of the Android phones, the places from which we access accounts have changed, and the devices we access them on are more susceptible to theft. The impact on password security is significant.
Because of my role at work, I have had to find ways to manage passwords. In another post I will deal with what constitutes a secure password, but for now I want to discuss password management.
There are options for Internet users, ranging from low tech to high tech, from cloud-based to paper-based. They each have advantages. One underappreciated requirement for a good password management utility is portability. Can you take it with you? Can you export your passwords (you will be shocked by how many you have) if you decide to switch to another product?
- KeePass – KeePass is an encrypted password safe that resides on your local computer. It is not cloud-based, and it is open source. If concerns about cloud-based services matter to you, this is a good option. The Windows client is better, IMO, than the Mac client, at least in terms of user interface. If you want to transfer your KeePass passwords, you can use the export function.
- LastPass – LastPass is a cloud-based service that syncs your passwords across all the devices you use, starting with browsers (plugins for IE, Mozilla Firefox, Google Chrome, Safari, and Opera), smartphones (iPhone, Android, Blackberry, Windows Phone 7, Symbian and WebOS), and tablets (Android and iPad), with support for Windows, Mac OS X and Linux. The encryption is 256-bit AES, the grade used by the US Government for encrypting top secret data. The features are numerous, but I can attest from personal use that it is unobtrusive while being incredibly functional.
- Paper Password – If you are in your 40s or 50s you'll probably remember IT support telling you repeatedly not to write down your computer password. Amazingly, this is now changing. Writing a list and keeping it on your person is widely seen as a fine means of protecting a password from being stolen by online means. If you do choose the paper password route, I strongly encourage you NOT to use a sticky note and leave it on your computer.
- Dangers of Unencrypted Passwords – It is very easy for users to assume that if they only keep a password on their home computer (desktop or notebook, it doesn't matter), they are inherently safe. In fact, many people believe their passwords are safer in any form on their home computer than in a cloud-based password management tool like LastPass. But if you store passwords on your local computer in a text file, Word document or Excel spreadsheet, and they are not encrypted, you are simply asking for trouble, and even more so if you use any version of Windows. Why? Because malware of any type that infects your system will look for just such files. And passwords are what hackers love.
I hope I haven't sounded too strident in suggesting you need to use good password management as well as strong passwords (most e-commerce sites will give you a visual cue about the strength of your password).
One last thought. Best practice among security experts says to change your password at some regular interval, say every 90 or 120 days. I follow that rule, and suggest you do the same.
What are you doing about password security? Have any horror stories to tell?