Pages

Do you use the same password everywhere?

My assumption is that if you are reading this blog it says you are someone that spends a fair amount of time on the web. Yeah, I know, brilliant observation Dave. If my assumption is correct then you have probably visited sites that require you to sign in so that you can contribute posts, download applications or in some cases even read their content. When you do that, do you use the same password on every site you sign up for?

I really love simple things and I'll try to distill my password strategy into a single line:

Don't use the same password everywhere

There, simple right? I could stop here but you may be wondering why it's important.

Because not every site you signup for is really going to safeguard your data, that's why. Some little forum that requires you to signup, or some freeware application that requires you to create an account may not protect your data like they should. No one has the time to read through every single web site's privacy policies or read through each line of the agreements that everyone makes you acknowledge. Even if the site you signup for has everything set up properly it doesn't mean that an employee of that site might not decide to harvest some user information. 

But how useful is it if someone knows your password? Really?

Well, if you happen to use the same password everywhere, including your e-mail account, you are in a serious case of the hurts. Many security systems use e-mail to verify a person's identity. So say some malicious nut ball that works on some forum that you've signed up for decides to take you for a spin. You have used the same password everywhere and used your e-mail address to sign up.

If the e-mail happens to be from Gmail, Yahoo, Hotmail, etc. then the person has everything they need to log in as you and gain access to your identity. If your e-mail is hosted through a domain and e-mail service from a public facing ISP then it only takes an extra step to log in as you. This isn't something that requires a black-hat hacker or even script-kiddie level skills to perform. Anyone can do this.

Once that happens they can search through your old e-mails, see where you've signed up and learn many things about you. They can visit sites that you have accounts on where your credit card has been stored and make purchases, then clear the tracking information out of your e-mail account before you even see it.

Okay, so what's the simple strategy to prevent this?

First off, if you have used the same password in your e-mail account for anything else - and I mean anything else - go change it now. Use a secure password that combines letters, numbers and additional characters (-, |, $, etc.) You can create passwords that are memorable by putting two words together that have letters replaced by symbols, such as S = $, A = @, E = 3, etc. This will help you if someone tries to learn your password through a brute force attack. Don't use a single, english language word. Ever.

You want the password to be memorable because the last thing you want to do is to have to write the thing down. Nothing is more amusing than walking over to someone's computer and seeing their passwords on Post-it notes on their monitor. I am tempted to write "Hack me" on a piece of paper and tape it to their backs. There are lots of applications out there that will securely store your passwords. If you decide to go the old fashioned route and write them down, keep them in a secure place inside your home or office.

You don't need a different password for every single site, just the really important ones. You can create a "throw away" password that is used on those places that you are not sure about. If someone impersonates you on some little backwater forum you don't really have to worry too much.

Finally, change your passwords every once in a while, especially if you suspect that you may have exposed your password to someone else.

But is this really a problem? Nobody uses a single password for everything!

Do a little search in Google on this topic and you will find many surveys that say people use a single password for all of their online activities. I've seen reports that indicates the number is as low as 16% to as high as 61%.  Even if it was only half that low number, that means that at least 16M people in the US alone use a single password for everything.

Yeah, it's a problem. If you already use a password strategy then you are in good shape but how about your spouse? Or your kids? Or your parents? Take a minute to ask the folks in your circle if they use a single password everywhere. If they do, enlighten them. 

It really only takes a couple of minutes.

10 comments:

Paul said...

If people are wanting to have unique passwords for all sites, check out 1Password. It can help you generate *strong* passwords, and then will handily remember them all for you. So long as no-one has 1) physical access to your Mac and 2) knows your Mac login, your data is safe.

Also, Time Machine will automatically backup the data stored in 1Password, so if you were to lose your machine, you wouldn't lose all those passwords..

(Sorry David that I've recommended this again, it just seemed very fitting! I'm honestly not affiliated to the product!)

Paul

David Alison said...

@Paul: No worries man! I am going to look into 1Password shortly. I had this article queued up and after reading in a forum how a guy was worried someone was going to hack his accounts because he used a single password it made me think this might be of value to others.

dndgirl said...

David, if you're interested in 1Password, go to Maczot.com. 1Password is today's zot and you can get it for 42% off, today only.

Anonymous said...

Another option, for Mac, is to use Keychain Access -- that pre-installed utility that automatically saves many of your Mac-related passwords. Most people have never tried, but you can actually launch the utility and create password items and secure note items manually.

tzs said...

I'll second the 1Password recommendation. It is not perfect, but it is good enough that I'll give it the highest praise a developer can give another developer: when I got it (as part of the latest MacHeist), I abandoned the password manager I was designing.

One nice feature is that the passwords are all stored in standard OS X keychains, and the low level keychain software in OS X is all open source. Even if 1Password's developers go out of business, or Apple changes the format, you will be able to extract your passwords to migrate to something else.

There is a bug in Apple's keychain management, by the way. A keychain that is unlocked isn't always reported as unlocked, so just because 1Password and Apple's Keychain Access say it is locked doesn't mean it IS locked. Set your Mac to lock all keychains when it sleeps, and if you are going to step away with the Mac still awake, open Keychain Access and do a "lock all keychains" command. With those precautions in place, you should be fine.

Hendrik said...

I got 1password with the recent MacHeist bundle and it is the one program that I have enjoyed the most out of the bundle so far. Very nice.
Before that I was using the PwdHash Firefox plugin which I can also really recommend for people who want a free solution and don't want to memorize multiple passwords.
http://crypto.stanford.edu/PwdHash/

David Alison said...

@All: Thanks for the great comments. I just downloaded and installed 1Password. Dndgrl - thanks for the tip on Maczot - I just went and purchased a license. I'll write about my experience with it shortly.

ping said...

You can let keychain indicate its status in the menu bar. You can also access all its functions right there.

rick said...

Yep same here, I can't say enough about 1Password. I will look forward to your writeup on it :)

tzs said...

@ping: careful! The keychain status in the menu bar is not accurate. It can indicate locked when the keychain is not locked. Also, when it thinks a keychain is locked, it does not offer the command to lock that keychain, so you can't use the menu bar item to make sure that a keychain is locked.

This makes the menu bar thingy for Keychain Access a lot less useful than it should be. :-(