Do you use the same password everywhere?
My assumption is that if you are reading this blog you are someone who spends a fair amount of time on the web. Yeah, I know, brilliant observation Dave. If my assumption is correct then you have probably visited sites that require you to sign in so that you can contribute posts, download applications or in some cases even read their content. When you do that, do you use the same password on every site you sign up for?
I really love simple things and I'll try to distill my password strategy into a single line:
Don't use the same password everywhere
There, simple right? I could stop here but you may be wondering why it's important.
Because not every site you sign up for is going to safeguard your data, that's why. Some little forum, or some freeware application that makes you create an account, may not protect your password the way it should: it may store it in plain text or with a weak, unsalted hash, and a single break-in hands it to whoever got in. No one has the time to read through every web site's privacy policy or every line of the agreements that everyone makes you acknowledge. And even if the site has everything set up properly, that doesn't mean an employee of that site won't decide to harvest some user information.
But how useful is it if someone knows your password? Really?
Well, if you happen to use the same password everywhere, including your e-mail account, you are in a serious case of the hurts. Many sites use e-mail to verify a person's identity and to reset forgotten passwords, so whoever controls your mailbox can take over nearly every other account you own. So say some malicious nut ball that works on some forum you've signed up for decides to take you for a spin. You used the same password everywhere and used your e-mail address to sign up.
If the e-mail happens to be from Gmail, Yahoo, Hotmail, etc. then the person has everything they need to log in as you and gain access to your identity. If your e-mail is hosted on your own domain through an ISP or hosting provider, it only takes one extra step: find the webmail login for that domain, which the domain's MX record or a quick search gives away. This isn't something that requires a black-hat hacker or even script-kiddie level skills. Anyone can do this.
Once that happens they can search through your old e-mails, see where you've signed up and learn many things about you. They can visit sites where you have an account with a stored credit card, make purchases, then delete the order confirmations from your mailbox before you ever see them.
Okay, so what's the simple strategy to prevent this?
First off, if you have used the same password in your e-mail account for anything else - and I mean anything else - go change it now. Use a long password that combines letters, numbers and additional characters (-, |, $, etc.). You can create passwords that are memorable by putting two words together with letters replaced by symbols, such as S = $, A = @, E = 3, etc. One caveat: those substitutions are the first rules every password-cracking tool tries, so they buy far less than extra length does; three or four unrelated words beat two words with symbols. Either way it makes a brute force or dictionary attack on your password much harder than it would otherwise be. Don't use a single, English word. Ever.
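To see how little the symbol substitutions buy on their own, here is an added example (not part of the original post) of the dictionary-plus-rules attack a cracking tool runs. It takes a small constructed wordlist, applies the casing and symbol substitutions above to every two-word combination, hashes each candidate the way a careless site would store it (one unsalted SHA-256) and recovers a password built exactly the way the paragraph suggests. The wordlist, the target password and the assumption that the site stored an unsalted hash are all constructed for the illustration.

```python
import hashlib
import itertools
import math

# Constructed wordlist for the demonstration. A real cracking run uses a
# dictionary of millions of words plus leaked-password lists; a handful is
# enough to show how little the substitutions add.
WORDLIST = ["password", "secret", "monkey", "dragon", "summer", "bear", "cat"]

# The substitutions the post suggests (S=$, A=@, E=3) plus the two others
# every password-cracking rule set already tries by default.
LEET = {"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"}


def leet_variants(word):
    """Yield every way of applying LEET to a word, each letter either kept or
    substituted, case preserved: 'Bear' -> Bear, B3ar, Be@r, B3@r."""
    slots = [(ch, LEET[ch.lower()]) if ch.lower() in LEET else (ch,) for ch in word]
    for combo in itertools.product(*slots):
        yield "".join(combo)


def casings(word):
    """The three casings a rule set tries first."""
    return (word.lower(), word.capitalize(), word.upper())


def candidates(wordlist=WORDLIST):
    """Every ordered pair of distinct words, in every casing, with every
    leet substitution applied: the whole space the post's advice lives in."""
    for w1, w2 in itertools.permutations(wordlist, 2):
        for c1 in casings(w1):
            for v1 in leet_variants(c1):
                for c2 in casings(w2):
                    for v2 in leet_variants(c2):
                        yield v1 + v2


def sha256_hex(password):
    """How a careless site might store a password: one unsalted hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack(stored_hash, wordlist=WORDLIST):
    """Return (password, attempts) if the hash falls inside the candidate
    space, else (None, attempts)."""
    attempts = 0
    for cand in candidates(wordlist):
        attempts += 1
        if sha256_hex(cand) == stored_hash:
            return cand, attempts
    return None, attempts


def space_bits(wordlist=WORDLIST):
    """log2 of the number of candidates: the effective strength of a
    two-leet-words password drawn from this wordlist."""
    return math.log2(sum(1 for _ in candidates(wordlist)))


def random_bits(length, alphabet_size=72):
    """log2 of the keyspace of a truly random password of the same
    character classes (72 = letters, digits and ten symbols)."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    # Constructed target: two words glued together with the suggested symbols.
    target = "Dr@gonB3ar"
    found, tries = crack(sha256_hex(target))
    print(f"recovered {found!r} after {tries} guesses")
    print(f"two-word leet space: {space_bits():.1f} bits")
    print(f"random 12-character password: {random_bits(12):.1f} bits")
    # A password made of words outside the dictionary is not found at all.
    print(crack(sha256_hex("correct horse battery")))
```

Even this seven-word list gives a search space of only about 14 bits, and the space grows with the square of the wordlist, not with the number of symbols you swap in, whereas a random 12-character password from the same character classes is roughly 74 bits. Length and unpredictability do the work; the symbols are decoration.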
You want the password to be memorable because the last thing you want to do is to have to write the thing down. Nothing is more amusing than walking over to someone's computer and seeing their passwords on Post-it notes on their monitor. I am tempted to write "Hack me" on a piece of paper and tape it to their backs. There are lots of applications out there that will securely store your passwords. If you decide to go the old fashioned route and write them down, keep them in a secure place inside your home or office.
You don't need a different password for every single site, just the really important ones: anything that holds your money, your e-mail, or can reset another account gets its own. You can create a "throw away" password that is used on those places that you are not sure about, as long as it never touches one of the important accounts, because whoever gets it from one backwater forum will try it on every other site they can think of. If someone impersonates you on some little forum you don't really have to worry too much.
Finally, change your passwords every once in a while, especially if you suspect that you may have exposed your password to someone else.
But is this really a problem? Nobody uses a single password for everything!
Do a little search in Google on this topic and you will find many surveys that say people use a single password for all of their online activities. I've seen reports that indicate the number is as low as 16% and as high as 61%. Even if it were only half that low number, that would still be at least 16M people in the US alone using a single password for everything.
Yeah, it's a problem. If you already use a password strategy then you are in good shape but how about your spouse? Or your kids? Or your parents? Take a minute to ask the folks in your circle if they use a single password everywhere. If they do, enlighten them.
It really only takes a couple of minutes.
Comments
Also, Time Machine will automatically back up the data stored in 1Password, so if you were to lose your machine, you wouldn't lose all those passwords.
(Sorry David that I've recommended this again, it just seemed very fitting! I'm honestly not affiliated with the product!)
Paul
One nice feature is that the passwords are all stored in standard OS X keychains, and the low level keychain software in OS X is all open source. Even if 1Password's developers go out of business, or Apple changes the format, you will be able to extract your passwords to migrate to something else.
There is a bug in Apple's keychain management, by the way. A keychain that is unlocked isn't always reported as unlocked, so just because 1Password and Apple's Keychain Access say it is locked doesn't mean it IS locked. Set your Mac to lock all keychains when it sleeps, and if you are going to step away with the Mac still awake, open Keychain Access and do a "lock all keychains" command. With those precautions in place, you should be fine.
Before that I was using the PwdHash Firefox plugin, which I can also really recommend for people who want a free solution and don't want to memorize multiple passwords.
http://crypto.stanford.edu/PwdHash/
This makes the menu bar thingy for Keychain Access a lot less useful than it should be. :-(
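PwdHash, recommended in one of the comments above, is one implementation of the idea that you memorize a single secret and let a tool derive a different password for every site. What follows is an added example of that idea, written for this page; it is not PwdHash's code or its algorithm, and the host names and master secret in it are constructed. It derives each site's password with PBKDF2 from the master secret and the site's registrable domain, so the password a dishonest forum operator harvests is useless at your mail provider, and a look-alike phishing domain receives a password that does not work on the real site.

```python
import base64
import hashlib

# Work factor for the derivation. An attacker who obtains one derived
# password (say, from a breached forum) must pay this many iterations for
# every guess at the master secret.
ITERATIONS = 100_000


def site_key(host):
    """Normalise a host name to its registrable domain so that
    www.example.com and mail.example.com yield the same password.
    Simplification for this example: keep the last two labels. A real tool
    consults the public suffix list (example.co.uk needs three labels)."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def derive_password(master, host, version=1, length=16):
    """Derive a per-site password from one memorised master secret.
    The site key and a version number form the salt, so the same master
    gives a different password for every site, and bumping the version
    rotates one site's password without touching the others."""
    salt = f"{site_key(host)}:{version}".encode()
    raw = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, ITERATIONS)
    # URL-safe base64 yields letters, digits, '-' and '_'. Sites with
    # stricter composition rules would need a fixed extra symbol appended.
    return base64.urlsafe_b64encode(raw).decode().rstrip("=")[:length]


def same_password(master, host_a, host_b):
    """True when two hosts receive the same derived password, i.e. when a
    leak at one of them exposes the other."""
    return derive_password(master, host_a) == derive_password(master, host_b)


if __name__ == "__main__":
    master = "correct-horse-battery"  # constructed master secret
    print("forum:", derive_password(master, "forum.example.net"))
    print("mail: ", derive_password(master, "mail.example.com"))
    print("forum leak exposes mail?",
          same_password(master, "forum.example.net", "mail.example.com"))
    print("look-alike phishing domain gets the real password?",
          same_password(master, "examp1e.com", "example.com"))
    print("after rotation:", derive_password(master, "forum.example.net", version=2))
```

The trade-off is that the master secret becomes the one thing that must never leak: it is not stored anywhere, which is the attraction, but if it is guessed every derived password falls with it, so it has to be long. The two-label domain normalisation is a deliberate simplification; a production tool uses the public suffix list so that a leak at forum.example.co.uk does not hand over mail.example.co.uk.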