Where do you have to put in a username and password in your daily computer geekery? Here’s what it looks like for me.
• my laptop running Windows
• our crappy corporate email client
• our crappy corporate travel provider
• the software that controls the phone on my desk
• lots of other programs not smart enough (or not allowed) to authenticate me based on other methods

• our Mac at home
• our Linux desktop at home
• our Linux laptop
• our email provider
• our bank
• Skype
• Paypal
• Amazon.com
• Amazon.de
• iTunes
• Twitter
• dozens, if not hundreds more
I imagine your situation is similar. With the personal stuff, you really should not be using the same passwords at multiple websites. Just one site being sloppy about security and getting breached by hackers is enough for them to send email in your name and steal money or service from you — look what happened to usernames and passwords recently at Gawker Media. You probably know someone whose account got hacked with real-world financial implications — I know two people to whom this happened in 2010 (and a third who got hacked but apparently didn’t lose any money). It happens all the time.
You and I both know this is not a safe practice. But what can you do about it? With so many usernames and passwords in your daily life, the natural inclination is to stick to just a few username/password pairs and reuse them entirely or perhaps modify them slightly. Writing down passwords and usernames onto paper might be OK at your home, I guess, but that means you need to carry that piece of paper with you out into the world if you are going to do any sort of mobile computing. Writing those usernames and passwords onto paper at the office is a terrible idea; don’t ever let your IT people know that you do it.
Instead, you can use Password Safe on Windows or a compatible program like Password Gorilla on Windows / Mac / Linux — and even on your iPhone or iPod Touch via the PasswordVault app. Instead of those hundreds of username/password combinations to remember (or look up), you only have to know one password to get into your “safe.” From there, you can copy usernames and passwords with the mouse (and keyboard shortcuts) from the “safe” into whatever application is requesting your credentials. Password Safe can randomly generate passwords for you based on policies you define: minimum password length, exclusion of easily mistaken characters (like zeroes/O’s or ones/L’s), inclusion of punctuation characters, etc. Lots of cryptologically sound practices there. “But how will I ever remember those randomly-generated passwords?” you ask? Well, you won’t. You’ll have to remember the one password to get you into the “safe” and the application will remember the rest for you.
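The policy-driven generation described above, sketched as an added example (this is not Password Safe's own code or algorithm). The `Policy` fields and the set of look-alike characters are assumptions chosen to mirror the options named in the text.

```python
import math
import secrets
import string
from dataclasses import dataclass

# Assumed look-alike set: zero/O, one/L as in the text, plus I and | (assumption).
AMBIGUOUS = set("0Oo1lI|")

@dataclass
class Policy:
    length: int = 16                # password length required by the policy
    use_punctuation: bool = True    # include punctuation characters
    exclude_ambiguous: bool = True  # drop easily mistaken characters

    def classes(self):
        """Return the allowed character classes after filtering."""
        groups = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
        if self.use_punctuation:
            groups.append(string.punctuation)
        if self.exclude_ambiguous:
            groups = ["".join(c for c in g if c not in AMBIGUOUS) for g in groups]
        return groups

def generate(policy: Policy) -> str:
    groups = policy.classes()
    if policy.length < len(groups):
        raise ValueError("length too short to include every character class")
    alphabet = "".join(groups)
    # One character from each class guarantees the policy is met...
    chars = [secrets.choice(g) for g in groups]
    # ...the remainder are drawn from the whole allowed alphabet.
    chars += [secrets.choice(alphabet) for _ in range(policy.length - len(groups))]
    # Shuffle with the OS CSPRNG so the guaranteed characters are not at fixed positions.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)

def entropy_bits(policy: Policy) -> float:
    """Upper bound on entropy: log2(alphabet size) per character."""
    return policy.length * math.log2(len("".join(policy.classes())))

if __name__ == "__main__":
    p = Policy(length=20)
    print(generate(p), f"(at most {entropy_bits(p):.0f} bits)")
```

The `secrets` module draws from the operating system's CSPRNG; the `random` module is not suitable for generating passwords.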
I keep my “safe” file updated on my Windows computer, and then synchronize that periodically to my Mac and Linux machines via Dropbox. From my Mac, it synchronizes into my iPod touch. This means I am carrying that piece of paper with all the sensitive info on it around with me after all, but in electronic and encrypted form: I still have to enter the password to open the “safe” on all those computers/devices in order to get a glimpse of the content.
But hey, I can remember one password pretty easily, especially if it virtually eliminates the chances of someone stealing my purchased Skype-out credits or impersonating me via a hacked Gmail account.
6 thoughts on “So many usernames and passwords”
Nice. We use Passerby, which does essentially the same thing. One password that Nate and I both know to keep a crap-ton of encrypted passwords.
I am intrigued: is it cross-platform and mobile-device (i.e., iPod touch or iPhone) compatible? My method involves three distinct pieces of software to manage one file and Dropbox and iTunes to “glue” them together.
That makes me a little nervous, I guess, because there’s no real guarantee that those three software dudes are going to continue to churn out compatible programs. I mean, they’re not compatible by accident, but my proposed solution seems kinda rickety when you think about it. I’m open to more stable suggestions!
Well, it can be taken anywhere and run on several platforms but I don’t know about iPhone/pod… http://passerby.sourceforge.net/ That is the website.
Mr. Moose installed something similar recently on our computer (single platform afaik). I was resistant at first. The new password is long and complicated and a pain in the tush to remember, but I have come to see the light. There are a few passwords I could now make more complicated – thanks for the reminder to get on that.
Update: I’m using the Password Safe beta for Linux and it’s working just fine, so far. Also, I’ve had good results using Password Safe on Linux via Wine. I’m less impressed with Password Gorilla, but for a long time, that seemed to be the only cross-platform option.
I still don’t see anything better than Password Gorilla for Mac OS X, but am open to suggestion!