I have a pretty good memory, but it's short. I have about a hundred login IDs and passwords, and there is no way I can memorize them all. That's why I manage them all with a secure password management application called KeePass (http://keepass.info/index.html).
NOTE: KeePass is just one of many password management applications available. You may certainly choose one that you feel suits your needs best. I have found that KeePass meets all of mine.
The password management application allows me to have different IDs and strong passwords for different sites without memorizing them all. I only need to remember ONE unique, strong password: the one I use to encrypt the password file. KeePass (and most other password managers) includes a feature that will auto-generate a strong password so I don't have to be creative on my own while choosing strong passwords. A strong password would be one that is at least 8 characters long with a mixture of at least one character from 3 of the 4 character types: uppercase, lowercase, numbers, and special characters.
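As an added example (not from the original post, and not KeePass's own code), here is a small Python script that checks a password against the strength rule just stated and auto-generates passwords that satisfy it using a cryptographically secure source of randomness; the function names are my own.

```python
import secrets
import string

# The rule stated above: at least 8 characters and at least one character
# from 3 of the 4 classes (uppercase, lowercase, digits, special characters).
MIN_LENGTH = 8
MIN_CLASSES = 3
CHARACTER_CLASSES = {
    "uppercase": set(string.ascii_uppercase),
    "lowercase": set(string.ascii_lowercase),
    "digits": set(string.digits),
    "special": set(string.punctuation),
}

def classes_present(password):
    """Return the names of the character classes that appear in password."""
    chars = set(password)
    return {name for name, members in CHARACTER_CLASSES.items() if chars & members}

def is_strong(password):
    """Apply the rule: length >= 8 and at least 3 of the 4 classes present."""
    return len(password) >= MIN_LENGTH and len(classes_present(password)) >= MIN_CLASSES

def generate_password(length=16):
    """Generate a random password guaranteed to satisfy is_strong().

    Uses the secrets module (a CSPRNG), as a password manager's generator
    would, never random.choice(). One character is drawn from each of the
    four classes first so the rule always holds, the rest from the full
    alphabet, and the result is shuffled so the guaranteed characters are
    not always at the front.
    """
    if length < len(CHARACTER_CLASSES):
        raise ValueError("length must be at least 4 to cover every class")
    alphabet = sorted(set().union(*CHARACTER_CLASSES.values()))
    chars = [secrets.choice(sorted(members)) for members in CHARACTER_CLASSES.values()]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):  # Fisher-Yates shuffle driven by secrets
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)

if __name__ == "__main__":
    # "Passw0rd" meets the rule yet is guessable: the rule is a floor, which
    # is why letting the manager generate the password is the better habit.
    for candidate in ["password", "Passw0rd", "Tr0ub4dor&3", "Ab1!"]:
        print(f"{candidate!r:14} strong={is_strong(candidate)} classes={sorted(classes_present(candidate))}")
    print("generated:", generate_password())
```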
Some people argue that having a different strong password for every site is too many to remember, and I agree, but using the same password for everything means that once that password is exposed, everything is exposed. That's why I use the password manager, and it's also why I save the encrypted password file that the application generates in a folder that is synced with the cloud (Dropbox, Box, whatever) so I can access that encrypted password file from any of my devices that will run the KeePass application (which is pretty much anything).
If you don't want a different strong password for every site, then perhaps you should break them down into categories so you have fewer to manage. Your tolerance for risk is what will determine how comfortable you are with this approach.
I still highly recommend a unique and strong password for each site that contains, or has access to, any of your sensitive data such as credit card numbers, bank account numbers, health information, etc. Here are some suggestions:
1) Email – password must be strong and not used anywhere else, because many sites use your email to provide you with a way to generate a new password if you forget one for some reason (with a password manager, that should be a thing of the past). This means that if an attacker gets your email password, she/he basically has control over ALL your online accounts.
2) Online Bank – password must be strong and not used anywhere else.
3) PayPal – password must be strong and not used anywhere else (PayPal has access to your bank account or credit cards, so you want to protect it well).
4) Online Credit Card Accounts – EACH site password must be strong and not used anywhere else UNLESS the site offers what is commonly referred to as two-factor authentication AND you use it. This usually takes the form of the site sending a special code via text or email that you must enter after you have entered your password. It helps protect you even when your password is compromised, because an attacker cannot log in with your password without also having access to your phone or email account to obtain that second piece of information the site requires.
5) eCommerce/shopping sites (Amazon, eBay, any online store) – if you do NOT store your credit card number at the site, you can choose one strong password that is not used by any other category, and use it for each of your shopping sites. However, if you store a credit card number at the site for quicker online purchasing convenience, then select a unique strong password not used anywhere else for each site. Storing your credit card information on any shopping site increases the risk of that card number being stolen, so, despite the convenience, I do not recommend this practice.
6) Household Billing Accounts (electric, gas, water, other auto-pay accounts) – choose one strong password for EACH site that is not used by any other category/site. Like PayPal, you usually store a credit card number and/or a bank account and routing number at each site so they can receive automatic payments, which increases the risk of that card or bank number being stolen.
7) Social Media (Facebook, Twitter, Instagram, Pinterest, etc.) sites could share the same password if you like, but remember that each site collects and saves personal information about you such as phone, email address, home address, where you attended school, birth date, and photos of you, which these days tend to contain hidden geo-location data (think GPS data used by navigation systems), so somebody can examine the photos and determine exactly where you were when the picture was taken. Of course, this does not apply to photos that have been scanned from physical prints, so maybe Throw Back Thursday pictures might be exempt :-)
8) Misc (news sites, blog sites, forums, etc.) – these are sites where you don't share credit card, SSN, or other private personal information. For these sites you could have one password you use for all, as there is very little at risk (other than your reputation on a forum if somebody impersonates you ;-) ).
As you can see, based upon the sample categories listed above, without taking added risk you really can't reduce the number of unique passwords to just a few that you can easily memorize.
Again, I have a pretty good memory, but it's short. This is why I personally use a secure password manager to augment that memory.