So I read two interesting articles this past week, both by the same author. The first one that I read was The only secure password is the one you can’t remember (first seen by me on Lifehacker). The second article that I read was an older article, linked from the first one: Who’s who of bad password practices – banks, airlines and more.
The first article discusses the need to use strong, unique passwords for all of your online accounts, and the struggle to remember all of these unique, strong passwords. The author makes the claim that if all of your unique passwords are strong enough, that you'll never be able to remember all of them. Thus, you need to use a password manager like LastPass, KeePass, or 1Password. The password manager, like it sounds, manages all of your passwords, enabling you to only have to remember one singular password that will let you access all of your online accounts. Each of your online accounts will then be protected by a strong, unique password that you are unlikely to remember.
This sounds good in theory, but what happens when your one singular password is compromised by a keylogger? No one is impervious to viruses and keyloggers, as I found out two weeks ago. From what I understand about LastPass, it allows you to log into your accounts from any computer, from anywhere. If it allows you to do that, what's to stop someone who compromised your master password via keylogger from doing the same?
Even if the password file is stored on your local machine, what's to stop someone from writing a virus specifically targeted at LastPass (or another one of these password managers) that will grab the password file from your local machine? If these password managers become widely used, you know that black hat hackers are going to be all over writing malicious software to target them.
As such, I personally believe that using a password manager compromises too much security for its convenience. So what to do instead? How do you create strong, unique passwords for each of your online accounts that you will actually remember?
Well, I'm not going to tell you my exact method, because I don't want anyone being able to guess my passwords. But you have to come up with a system that create one base, strong password that you will remember, and a system of altering that base password for each online account so that each one is different. I used the following Consumerist articles for inspiration for my system: Create A Different Password For Every Site And Never Forget A Single One and How To Easily Remember A Different Password For Every Site.
I won't lie, if someone got access to one of my passwords -- say, my Facebook password -- a human could probably look at the password and guess my Gmail password. But it would take a human to do so. No one is going to have a virus that is able to not only grab my Facebook password, but also systematically figure out my Gmail password, because the two passwords are different. It would take a human looking at my password to figure it out. I personally think I'm much more likely to be hit by a virus that targets millions of people over someone targeting me specifically.
Now, the frustrating part is after you come up with your awesome password remembering scheme that uses a strong password as its base, and then you encounter companies like Blizzard and Verizon that have stupid requirements on their passwords -- not letting you use certain characters -- that break your awesome password. I have to remember "different" passwords for these sites, unfortunately. These companies make me grumpy.