Some time ago, I read in some issue of Women's Health, a magazine my wife subscribes to, that you can survive in the modern always-connected online world on just three passwords. One password for your financial institutions, one password for the less important sites (say, your social sites, or your shopping sites), and one password for everything which you don't consider important or particularly care about or is in essence a one-off.
Bloody nonsense, was how I put it to myself at the time and took the mag for recycling.
Incredible bloody nonsense, is how I put it now. One reason? Well, you may have heard that Twitter had some issues today. They sent out password reset emails to a bunch of users due to some anomalous behavior with their accounts. The reason? Well, it seems that these users had been using the same password on some compromised sites as they had on Twitter. Bad guys do some harvesting of userid/password combinations on the compromised sites, try them out on Twitter (and I dare say on other sites too), and make hay with those logins that work. Holy crap.
And on top of all that, about a month ago, an interview with a Facebook employee was published about the "master" password that was (is still?) used internally to provide full permissions to anyone's Facebook page and user details. Think about it: a rogue employee who could harvest logins from the company they work for, resign, and then use those logins willy-nilly.
Look, it's not difficult. Use a good password database program. There are free ones out there (Password Safe, by Bruce Schneier, the crypto guru, being one), or you can purchase them. I use one called SplashID, mainly because you can sync the database between an app on your PC and one on your iPhone. There are very few sites I remember my password to any more, really only my banks, my network logins, and my PCs because I use them every day. These password programs even come with password generators to avoid having to use ordinary words (a dictionary attack, even with 1337 character substitutions, will discover a single-word password in less than half a second). The answer to the question posed by the post title should be "it can't be done, not without exposing yourself to some possible bad things happening". You should have a unique password for each site.
No excuse.
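To make the "1337 substitutions don't save a dictionary word" point concrete, here is an added example (not code from the post or from any of the password managers named above) of the kind of check a signup form or password manager can run: it maps common substitutions back to letters, compares every spelling against a wordlist, and also shows a generator drawing from the OS CSPRNG. The wordlist is a constructed stand-in for a real dictionary file.

```python
import itertools
import secrets
import string

# Constructed mini wordlist; a real check would load a full dictionary file.
WORDS = {"password", "monkey", "letmein", "dragon", "welcome", "twitter"}

# Common 1337 substitutions, each mapped back to the letters it may stand for.
# Ambiguous ones ("1" could be "l" or "i") expand to several candidates.
LEET = {"0": "o", "1": "li", "3": "e", "4": "a", "5": "s", "7": "t",
        "@": "a", "$": "s", "!": "i", "|": "l"}


def deleet_variants(pw: str):
    """Yield every plain-letter spelling a 1337-substituted password could stand for."""
    choices = [LEET.get(c, c) for c in pw.lower()]
    for combo in itertools.product(*choices):
        yield "".join(combo)


def is_dictionary_word(pw: str, words=WORDS) -> bool:
    """True if pw is a single dictionary word, with or without 1337 substitutions
    and with or without a trailing run of digits (e.g. 'P@55w0rd', 'monkey99')."""
    if len(pw) > 24:            # keep the product of variants bounded
        return False
    for core in {pw, pw.rstrip(string.digits)}:
        for variant in deleet_variants(core):
            if variant in words:
                return True
    return False


ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*()-_=+"


def generate_password(length: int = 16) -> str:
    """Random password from the OS CSPRNG, the kind a password manager generates."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


if __name__ == "__main__":
    for candidate in ("P@55w0rd", "M0nk3y99", "Tw1tt3r", "correct horse"):
        print(f"{candidate!r}: dictionary word = {is_dictionary_word(candidate)}")
    print("generated:", generate_password())
```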
Posted via email from Julian's posterous
3 Responses
#1 Scott Bussinger said...
03-Feb-10 12:08 AM
Another great application I've started using is LastPass.com. It's a combination of local browser plugin and webservice. Basically you can generate the really good random passwords for each website and only have to remember one password.
It works really well for synchronizing between various computers, the iPhone, and the various VMs I tend to run.
#2 Ruud Vermeij said...
03-Feb-10 1:16 AM
And who is going to use this?
Most people I guess do in fact survive on a three password policy (at best). In general people don't want a keychain with 50 keys on it. Are "common" people going to use a "nerdy" solution like Password Safe?
Does this mean that our whole system of secure internet usage is not functioning?
#3 julian m bucknall said...
03-Feb-10 9:26 AM
Ruud: Indeed you are correct. We have the technology, so why the heck don't we have a true single sign-on for all internet websites? We seem to be going in that direction with OpenID, etc, but we certainly aren't there yet.
Mind you, with single sign-in, the server farm that provides it would be an extraordinary single point of attack...
Cheers, Julian