Wednesday, August 06, 2008

Password Safe

I have around 60 different accounts with passwords to manage. That includes all of my various website login details - online banking, mail, message boards, social networking sites, etc... - and my computer account credentials. And this count doesn't include my dozen or so work accounts, only my personal ones. So all in all, I have to manage around 75 different credentials - that's 75 usernames and passwords! And I'm certain there are sites out there I've registered with but can't even remember! Don't ask me how or why I have so many accounts, I just do. And truth be told some of them I hardly ever use anymore, and I probably ought to get rid of them... But I digress...

So the question is, how on Earth does one manage so many usernames and passwords?

Usernames tend to be simple enough, since you rarely need to obfuscate a username. It's the passwords that are tricky. The simplest method of remembering passwords is to use a single password, or a small set of passwords, for all of your accounts. The drawback is self-evident however - if any one of those sites leaks or mishandles its copy of the password, every other account that shares it is exposed, and the attacker need not break anything else to get in! As far as I'm concerned, this is not a viable option.

It should be immediately obvious that - barring an eidetic memory - it isn't feasible to memorize 75 different passwords either. From a practical standpoint, you need to write them down somewhere so that you can look them up when you need to use them; the risks involved in doing this should also be immediately obvious - a plaintext list, whether on paper or in a file, is readable by anyone who gets hold of it, and if you lose it you lose access to everything on it.

My solution - and the solution of many others - is to use Password Safe (or something similar, but this one is open source and fairly well known). It's a piece of software that manages your passwords by storing them in a file encrypted with a key derived from a single master password, so they can only be read by someone who knows that password. On the one hand this system introduces a single point of failure, and it's worth being clear about what that means: anyone who copies the file (a stolen laptop, a backup left lying around) can try master passwords against it offline, as fast as their hardware allows, with no login form to slow them down. So as long as you pick a complex enough master password it remains computationally infeasible to crack, and as long as you don't write it down somewhere (this is the one password that absolutely must be committed to memory) no one can accidentally stumble upon it. Of course, you'll probably still give it up under torture if it came to that, but if someone's torturing you for your password, you've probably got major issues that make your passwords pale into insignificance!
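To make the mechanism concrete, here is a small added example of a password vault of the kind described above. It is my own illustration, not Password Safe's code or its on-disk format (Password Safe uses Twofish; this uses an HMAC-SHA256 keystream as a stand-in cipher, with PBKDF2 standing in for its key stretching). The file layout, the `PWS0` magic, the iteration count and the sample entries are all assumptions made for the example. It shows the three things that matter: the master password never touches the disk, only a salted and stretched key derived from it; a wrong master password (or a tampered file) is rejected before any plaintext is produced; and, since the vault remembers them for you, the per-site passwords can be generated randomly rather than chosen to be memorable.

```python
import hashlib
import hmac
import json
import os
import secrets
import string

# Assumed parameters for the example vault (not Password Safe's).
MAGIC = b"PWS0"
ITERATIONS = 200_000   # key stretching: each offline guess costs this many HMACs
SALT_LEN = 16
NONCE_LEN = 16
HEADER_LEN = len(MAGIC) + 4 + SALT_LEN + NONCE_LEN   # 40 bytes
TAG_LEN = 32


def derive_keys(master_password: str, salt: bytes, iterations: int):
    """Stretch the master password into separate encryption and MAC keys."""
    material = hashlib.pbkdf2_hmac(
        "sha256", master_password.encode("utf-8"), salt, iterations, dklen=64
    )
    return material[:32], material[32:]


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (stand-in for a block cipher).

    XOR is symmetric, so the same call encrypts and decrypts."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def seal_vault(master_password: str, entries: dict, iterations: int = ITERATIONS) -> bytes:
    """Serialise entries, encrypt them, and append an encrypt-then-MAC tag."""
    salt = os.urandom(SALT_LEN)      # fresh salt: identical passwords give different keys
    nonce = os.urandom(NONCE_LEN)    # fresh nonce: keystream is never reused
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    header = MAGIC + iterations.to_bytes(4, "big") + salt + nonce
    body = keystream_xor(enc_key, nonce, json.dumps(entries).encode("utf-8"))
    tag = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    return header + body + tag


def open_vault(master_password: str, blob: bytes) -> dict:
    """Verify the tag first; only then decrypt. Raises ValueError on any failure."""
    if blob[:len(MAGIC)] != MAGIC or len(blob) < HEADER_LEN + TAG_LEN:
        raise ValueError("not a vault file")
    iterations = int.from_bytes(blob[4:8], "big")
    salt = blob[8:8 + SALT_LEN]
    nonce = blob[8 + SALT_LEN:HEADER_LEN]
    header, body, tag = blob[:HEADER_LEN], blob[HEADER_LEN:-TAG_LEN], blob[-TAG_LEN:]
    enc_key, mac_key = derive_keys(master_password, salt, iterations)
    expected = hmac.new(mac_key, header + body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time comparison
        raise ValueError("wrong master password or tampered file")
    return json.loads(keystream_xor(enc_key, nonce, body).decode("utf-8"))


def random_password(length: int = 20,
                    alphabet: str = string.ascii_letters + string.digits + string.punctuation) -> str:
    """A per-site password nobody needs to remember, drawn from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    # Constructed sample entries; the master password is a placeholder.
    entries = {"bank": {"user": "alice", "password": random_password()},
               "mail": {"user": "alice@example.invalid", "password": random_password()}}
    blob = seal_vault("correct horse battery staple", entries)
    print("vault bytes:", len(blob))
    print("reopened:", open_vault("correct horse battery staple", blob) == entries)
    try:
        open_vault("wrong password", blob)
    except ValueError as e:
        print("rejected:", e)
```

Two design points worth noticing: the iteration count is stored in the header so it can be raised later without breaking old files, and the tag covers the header as well as the ciphertext, so an attacker cannot quietly lower the iteration count or swap the salt. In a real tool you would replace the HMAC keystream with an authenticated cipher such as AES-GCM and use a memory-hard KDF such as Argon2; the shape of the code stays the same.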

So, I use Password Safe with a very strong master password and use a wide array of passwords for all of my accounts, safe in the knowledge that they are stored securely and can be readily looked up. Not every account needs a unique password, only the important ones that are associated with finances or personal information; I still share passwords between accounts that I consider trivial, although even then I tend to ensure that there's no link between those accounts. That is, I group accounts under a common password only when those accounts are completely independent of each other.

Of course, I still have frequently used passwords committed to memory (it's just practical and happens automatically over time in any case), but there can't be more than 10-15 of those. One of the things I've noticed about using a password safe is that it's very easy to come up with complex passwords when they don't need to be 'memorable' - sometimes when I look one up even I'm surprised by it, since they do not adhere to any pattern or 'system'! (the downside is that the ones that I need to commit to memory take a little longer to memorize)

There are other issues surrounding passwords - such as what constitutes a good one and how long you should use the same one before changing it - but I'm not going to go into that right now! What I will do right now, however, is recommend Password Safe to anyone who feels overloaded by the number of passwords that they have to manage.