We all need to get out of the mindset that our primary e-mail address combined with a single universal password are our credentials for the world.
Admit it. You have one password. You may even have half a dozen variations on your childhood cat’s name, but it is still the same basic password, and you use it to log into American Express, Netflix, Bank of America, GMail, Comcast, MySpace, Fark, Twitter, Virgin America, EBay, New York Times, and even the message forum where you talk about your obsessive collecting of late 19th century yak bridles.
You think to yourself, hey, what’s the big deal, right? Having the same password in one location won’t affect the security of the other location. If someone compromises your Netflix account, for example, the worst that can happen is they realize you favor tripe like The Notebook and National Treasure rather than quality cinema like Blade Runner and Rocky. It isn’t like they can pull your credit card information from the site and use it elsewhere, and besides, it isn’t like anyone who grabbed your password would be able to figure out all the other websites you visit.
You are forgetting that when you use the same username, an e-mail address, and the same password on numerous websites, you are relying upon the strength of the security of the weakest website you authenticate against to guarantee the secrecy of our login credentials. In other words, if you use the same username and password at 50 odd websites, you are relying upon the laziest system administrator of all 50 systems to keep their web app from being hacked to prevent your credentials from leaking out. Again, big deal, right?
Let’s say someone compromises yakbridletrader.com as part of compromising everyone that is still running PHPNuke. They dump the usernames and passwords online for all to see and share. Someone notices that your e-mail address, yakguy@gmail.com, is in the tuple, and gets the bright idea to go to GMail and try your yakbridletrader.com password. From there they go and figure out what bank backs your credit card, and well… you get the idea.
Having a strong and diverse password everywhere is mandatory now. It is as mandatory as running anti-virus on a PC and having a working set of backups. Like backups and anti-virus, if you don’t have a strong and diverse password that is different on every website you visit, you have no right to complain if you get compromised because someone took down the one-stop yak shop. It is your own damned fault.
So I, like many of you, have the short-term memory of a goldfish that was deprived of oxygen at birth, and I use a password vault to remember all my authentication tokens. There are several available, ranging from the low low cost of free to maybe $70 or so. Firefox has one built in, Symantec’s Norton products have their password manager, and there is an application for the Mac called 1Password, of which I am a huge fan. I don’t care which one you use, just use one.
But Adam, you say, if I use a password vault and I want to log in from a computer at the library / someone steals my computer / my desktop is rootkitted and it sniffs the form completion, then the password vault is ineffective. Well, first of all, don’t log in from computers you don’t control. They are probably already compromised. Second of all, most of these things have a master password, so you can get your machine stolen and you are in okay shape as long as you have a backup. Finally, if your machine is rootkitted and they grab the form completion, well, you are screwed anyways, and you learned your lesson for not running good AV.
We have learned to make backups and anti-virus products standard tools for keeping the data and systems in our possession safe. Now we need to add password management tools to this list to keep our remote data safe, or at least limit the damage in the event of a compromise.
