How does one keep up with having to have passwords at hundreds of places? (Literally: I just counted the number of saved passwords in my Firefox profile and it’s 54. Considering that I just cleared my profile recently, I’m sure that counting all sites I’ve ever registered at will easily take the number over 100.)
The recommended thing, of course, is to have passwords that are
- Hard for others to guess
  - not your nickname, your dog’s name, …
- Hard to brute-force
  - sufficiently long, containing uppercase and lowercase letters, digits, symbols, …
- Different for every site
  - so that if someone gains access to one account, they don’t gain access to your entire online life
- Changed every once in a while
  - so that if someone gains access and doesn’t reveal it, they can’t keep covert access to your information forever: they lose it the next time the password is changed
- Not written down anywhere
  - if you leave your password lying around, someone might see it
No one does this, I’m sure. No normal person can possibly remember hundreds of obscure, randomly capitalised strings, which is why it is a bad idea to advise people to do all of the above. Indeed, Microsoft’s Jesper Johansson argues that users should be encouraged to jot down their passwords. Not the best advice, but at least it recognises that people have trouble remembering, and that choosing strong passwords, different for every site, matters more than keeping them unwritten.
So returning to the question: How does one keep track of multiple strong passwords?
- Writing them down: others can get at the list.
- A password manager (software like KeePass, or a store on an encrypted USB keychain, which won’t work everywhere): if you lose the database or the device and have no backup, you’re locked out!
- Choosing strong but memorable passwords: for example, take a phrase and use the first letters: “Ask not what your country can do for you” → “anwyccd4y”, etc.
- Avoiding passwords altogether wherever possible: Bugmenot!
A good solution would be to remember a single password, and then use some secure way of generating a different password for each site from it, based on the site’s domain name for example. The derivation had better be one-way, of course, so that someone who learns the password for one site cannot work back to the master password or to the passwords for other sites.
Some people have done this, and there are solutions with varying levels of security and ease of use:
- Nic Wolff’s password generating page
- Zarate’s page, with more options
- A better version, and its even better version at hashapass.com.
- A cool-looking version
Note that two of the pages above only draw characters from a 16-symbol alphabet (hexadecimal digits), so each character carries just 4 bits of the hash; I doubt if they are really safe.
But the one I would most trust to be secure is PwdHash, by Dan Boneh and others at Stanford. You can read their paper or PowerPoint presentation. Dan Boneh is one of the top researchers in Crypto and a great speaker (I have attended some lectures by him, one of which was on phishing and PwdHash and similar solutions.)
It aims to be a solution simple enough for your grandmother to use, and was actually developed as an anti-phishing tool: because the generated password is tied to the domain name, a phishing site at a different domain receives a hash that is useless at the real site, so it protects you from phishing as well as from password theft. It is also the one that integrates most seamlessly into the “user experience”.
Here’s how it works: you remember just one password and type this “common” password into a site’s password field, and PwdHash automatically replaces it with another password specific to that website, computed from the domain name and the password you typed.
How to use it, in detail:
First, pick the single password that you want to remember. Make it begin with “@@”. (If the password you want to remember doesn’t begin with “@@”, you’re out of luck ;-))
- For changing your password on some site: enter the old password as it exists, and for the new password type the password you picked above. PwdHash will replace it with a hash based on your password and the domain name.
- For setting your password on a new site: do the same thing! (Just type your generic password, the one that starts with “@@”, and it will be replaced by a site-specific password.)
- For logging in to some site later: do the same thing! (Type the generic password, and it will be replaced by the correct password for that site.)
If you are in a place where the extension cannot be used, you can go to https://www.pwdhash.com and generate the site password there. (Just don’t type the “@@” there.)