April 17th, 2010

How can I remember all these ##@! passwords?

It is a fact of life that passwords are the keys to our online kingdoms … and that keeping these passwords safe is critical to preventing identity theft, ensuring corporate security, keeping private things private, and much more.

However, the number of distinct places that we log into seems to grow constantly.  We have to use secure passwords for all of them and should not use the same password for any two of them.  Oh yeah, we should also change our passwords frequently!

It's dizzying and makes your head spin.  Few can remember the plethora of changing passwords and, in desperation, either use the same poor password for everything or keep written cheat sheets listing all of their user names and passwords for easy reference (and easy peeking by anyone who gets hold of them).

What to do?

The IT folks are indeed correct that you need strong passwords, a different one for each site, and that you need to change your passwords somewhat frequently.  People who argue otherwise do so only because they have no simple, secure way to manage that many passwords.

There are two good tricks that can be used to manage this situation:

  1. Use a scheme to pick memorable passwords that are also strong
  2. Find a way of storing your passwords that is easy to access and update, but which is also secure.

Memorable Strong Passwords

There are many ways to choose strong (i.e. hard to guess) passwords that are also easy to remember.  We have discussed this in detail and given one very good method in this article: Security Simplified: The Base+Suffix Method for Memorable Strong Passwords

Secure Password Storage

Instead of writing the passwords down on paper, you should keep a copy of them electronically — in some encrypted format.  Yes, that means one more password — to open the encrypted password list.  But, in reality, this is the only password that you really have to memorize, all the rest can be looked up any time by decrypting them.  You can also edit and update your passwords in the encrypted storage location at any time.  Your encrypted storage area can be backed up, copies made for security and redundancy — all without compromising the sensitive stored data itself.
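The design described above, one memorized master password unlocking an encrypted list that can be decrypted for lookup, edited, re-encrypted and freely copied, can be illustrated with a small vault built only on the Python standard library. This is an added example written for this page, not LuxSci's WebAide code, and the site names, user names and passwords in it are constructed sample data. The master password is stretched with PBKDF2-HMAC-SHA256 into separate encryption and MAC keys; the entries are encrypted with an HMAC-SHA256 keystream in counter mode and then authenticated with a second HMAC (encrypt-then-MAC), so a wrong master password or a modified copy of the file is rejected before any plaintext is produced:

```python
"""Minimal encrypted password list protected by a single master password.

Added illustration, not LuxSci's WebAide code. Uses only the Python standard
library: PBKDF2-HMAC-SHA256 turns the master password into keys, an HMAC-SHA256
keystream in counter mode encrypts the JSON entry list, and a second HMAC over
the ciphertext (encrypt-then-MAC) detects both a wrong master password and any
tampering with the stored blob before anything is decrypted.
"""
import hashlib
import hmac
import json
import secrets

SALT_LEN = 16
NONCE_LEN = 16
TAG_LEN = 32
PBKDF2_ITERATIONS = 200_000


def _derive_keys(master_password: str, salt: bytes) -> tuple:
    """Derive independent encryption and MAC keys from the master password."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, PBKDF2_ITERATIONS, dklen=64
    )
    return material[:32], material[32:]


def _keystream_xor(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream: block i = HMAC(key, nonce || i)."""
    out = bytearray()
    for offset in range(0, len(data), 32):
        counter = (offset // 32).to_bytes(8, "big")
        block = hmac.new(enc_key, nonce + counter, hashlib.sha256).digest()
        chunk = data[offset:offset + 32]
        out.extend(a ^ b for a, b in zip(chunk, block))
    return bytes(out)


def encrypt_vault(entries: dict, master_password: str) -> bytes:
    """Serialize the password list and return salt || nonce || tag || ciphertext."""
    salt = secrets.token_bytes(SALT_LEN)
    nonce = secrets.token_bytes(NONCE_LEN)
    enc_key, mac_key = _derive_keys(master_password, salt)
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    ciphertext = _keystream_xor(enc_key, nonce, plaintext)
    # Authenticate everything the decryptor will rely on (salt, nonce, ciphertext).
    tag = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    return salt + nonce + tag + ciphertext


def decrypt_vault(blob: bytes, master_password: str) -> dict:
    """Verify the tag, then decrypt. Raises ValueError on wrong password or tampering."""
    header = SALT_LEN + NONCE_LEN + TAG_LEN
    if len(blob) < header:
        raise ValueError("vault blob is truncated")
    salt = blob[:SALT_LEN]
    nonce = blob[SALT_LEN:SALT_LEN + NONCE_LEN]
    tag = blob[SALT_LEN + NONCE_LEN:header]
    ciphertext = blob[header:]
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, hashlib.sha256).digest()
    # Constant-time comparison. A wrong master password yields a different mac_key
    # and therefore a tag mismatch, so the caller never sees garbage plaintext.
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or vault has been modified")
    return json.loads(_keystream_xor(enc_key, nonce, ciphertext).decode("utf-8"))


def update_entry(blob: bytes, master_password: str, site: str, username: str, password: str) -> bytes:
    """Decrypt, add or replace one entry, and re-encrypt with a fresh salt and nonce."""
    entries = decrypt_vault(blob, master_password)
    entries[site] = {"username": username, "password": password}
    return encrypt_vault(entries, master_password)


def demo() -> dict:
    """Round trip with constructed sample entries; returns the recovered list."""
    master = "one-master-password-to-remember"  # constructed sample value
    sample = {"mail.example.test": {"username": "alice", "password": "correct horse battery staple"}}
    blob = encrypt_vault(sample, master)
    blob = update_entry(blob, master, "bank.example.test", "alice", "Tr0ub4dor&3")
    return decrypt_vault(blob, master)


if __name__ == "__main__":
    for site, creds in demo().items():
        print(site, creds["username"])
```

The HMAC-based keystream is used here only because the standard library ships no block cipher; a real tool would use a vetted authenticated cipher such as AES-GCM from the `cryptography` package, but the structure is the same: a slow key derivation from the one memorized secret, authentication checked before decryption, and a fresh salt and nonce every time the list is re-encrypted so that backup copies reveal nothing about each other.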

One option is to save your passwords in an encrypted file on your computer (e.g. a password-protected Word, Excel or other document).  However, such files are subject to attack if someone gains access to them — and many of the encryption techniques used to secure these kinds of files are not very good — see How Secure are Password-Protected Files?

It is better to store your encrypted password data online.  Why?

  1. You can always access it via any web browser, so it is always available when you need it
  2. No one will be able to access the raw encrypted files by grabbing your computer.  They are safer online.
  3. Online services that specialize in this can use better encryption techniques than you may have available for standard files like Word documents.
  4. Most online services that provide password storage solutions do so in a way that allows only you to access that data.

LuxSci provides such a service with its WebAide Passwords tool:

  • Create lists of passwords, encrypted for you using PGP
  • The passwords can have links, and notes associated with them
  • Accessible via any web browser or mobile device with a modern web browser
  • Share the password lists with other users in your account.  Allow only specified users or groups to be able to decrypt and access specific passwords.
  • Track who has accessed which passwords, when
  • The password lists are backed up securely and can be securely exported for offline archival.

The Passwords WebAide is perfect for both personal password storage and shared company password lists.  LuxSci uses this service itself for managing its corporate passwords.
