You have separate keys for your house, your desk at work, your safe, your car, your bike lock…right?
Clearly, it’s so that when you hand over your car keys to your mechanic for an oil change, you are reasonably assured you won’t find him, or someone who tricked him, at home in your den perusing your tax returns.
Where do you have to put in a username and password in your daily computer geekery? Here’s what it looks like for me.
• my laptop running Windows
• our crappy corporate email client
• our crappy corporate travel provider
• the software that controls the phone on my desk
• lots of other programs not smart enough (or not allowed) to authenticate me based on other methods

• our Mac at home
• our Linux desktop at home
• our Linux laptop
• our email provider
• our bank
• Skype
• Paypal
• Amazon.com
• Amazon.de
• iTunes
• Twitter
• dozens, if not hundreds more
I imagine your situation is similar. With the personal stuff, you really should not be using the same passwords at multiple websites. Just one site being sloppy about security and getting breached by hackers is enough for them to send email in your name and steal money or service from you — look what happened to usernames and passwords recently at Gawker Media. You probably know someone whose account got hacked with real-world financial implications — I know two people to whom this happened in 2010 (and a third who got hacked but apparently didn’t lose any money). It happens all the time.
You and I both know this is not a safe practice. But what can you do about it? With so many usernames and passwords in your daily life, the natural inclination is to stick to just a few username/password pairs and reuse them entirely or perhaps modify them slightly. Writing down passwords and usernames on paper might be OK at your home, I guess, but that means you need to carry that piece of paper with you out into the world if you are going to do any sort of mobile computing. Writing those usernames and passwords on paper at the office is a terrible idea; don’t ever let your IT people know that you do it.
Instead, you can use Password Safe on Windows or a compatible program like Password Gorilla on Windows / Mac / Linux — and even on your iPhone or iPod Touch via the PasswordVault app. Instead of those hundreds of username/password combinations to remember (or look up), you only have to know one password to get into your “safe.” From there, you can copy usernames and passwords with the mouse (and keyboard shortcuts) from the “safe” into whatever application is requesting your credentials. Password Safe can randomly generate passwords for you based on policies you define: minimum password length, exclusion of easily mistaken characters (like zeroes/O’s or ones/L’s), inclusion of punctuation characters, etc. Lots of cryptologically sound practices there. “But how will I ever remember those randomly-generated passwords?” you ask? Well, you won’t. You’ll have to remember the one password to get you into the “safe” and the application will remember the rest for you.
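As an added illustration (not code from the original post, and not Password Safe’s own generator), here is a small Python version of the kind of policy-driven generation described above: it draws from the operating system’s cryptographic random source, drops the easily mistaken characters, and checks that each required character class actually appears. The policy knobs and their defaults are my own assumptions.

```python
import secrets
import string

# Characters that are easy to misread: zero vs. capital O, one vs. lowercase L,
# capital I and the pipe. These are dropped when exclude_ambiguous is set.
AMBIGUOUS = set("0O1lI|")


def _classes(use_punctuation, exclude_ambiguous):
    """Character classes the policy requires, with ambiguous characters removed."""
    classes = [string.ascii_lowercase, string.ascii_uppercase, string.digits]
    if use_punctuation:
        classes.append(string.punctuation)
    if exclude_ambiguous:
        classes = ["".join(c for c in cls if c not in AMBIGUOUS) for cls in classes]
    return classes


def generate_password(length=16, use_punctuation=True, exclude_ambiguous=True):
    """Return a random password that satisfies the policy.

    secrets.choice uses the OS CSPRNG (os.urandom), not the seedable random module.
    Rejection sampling (redraw until every class is present) keeps the result
    uniform over all policy-compliant strings; "one from each class, then shuffle"
    would not be uniform.
    """
    if length < 8:
        raise ValueError("policy requires at least 8 characters")
    classes = _classes(use_punctuation, exclude_ambiguous)
    alphabet = "".join(classes)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in pw) for cls in classes):
            return pw


def check_policy(pw, min_length=8, require_punctuation=True, exclude_ambiguous=True):
    """Return a list of policy violations; an empty list means the password complies."""
    problems = []
    if len(pw) < min_length:
        problems.append("too short")
    if not any(c.islower() for c in pw):
        problems.append("no lowercase letter")
    if not any(c.isupper() for c in pw):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in pw):
        problems.append("no digit")
    if require_punctuation and not any(c in string.punctuation for c in pw):
        problems.append("no punctuation")
    if exclude_ambiguous and any(c in AMBIGUOUS for c in pw):
        problems.append("contains easily mistaken characters")
    return problems
```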
I keep my “safe” file updated on my Windows computer, and then synchronize that periodically to my Mac and Linux machines via Dropbox. From my Mac, it synchronizes into my iPod touch. This means I am carrying that piece of paper with all the sensitive info on it around with me after all, but in electronic and encrypted form: I still have to enter the password to open the “safe” on all those computers/devices in order to get a glimpse of the content.
But hey, I can remember one password pretty easily, especially if it virtually eliminates the chances of someone stealing my purchased Skype-out credits or impersonating me via a hacked Gmail account.