In light of the many high-profile hacking cases that have recently exposed millions and millions of user passwords (LinkedIn, Sony, etc.), I thought I would write down my password management practices, and some practical thoughts for others looking to secure their access to various online services.
Shared Passwords (major no-no)
For a long time, I had three passwords: a weak, eight-character password that I'd use on forums and places I didn't really care about. I had a ten-character password with a number, a capital letter, and a symbol, for medium security (like sites that had my credit card in my account). And I had a fourteen-character password which was truly random (generated by Keychain Access on my Mac) for a couple services that I needed to be extremely secure.
But, none of these passwords are truly adequate nowadays—especially since I reused the passwords on a variety of sites and services! Additionally, I often had trouble remembering which password I used on what site, and had to try all three before successfully logging in.
The major problem is that if a password is ever discovered on one of these services, a hacker will put that password in a big database and use it to crack open passwords on other sites in the future, and the hacker would also presume (rightly) that I may have used the same password on another site. Read this article from Ars Technica for more information: Why passwords have never been weaker—and crackers have never been stronger.
More secure passwords, unique to each service
So, the next step in my password management life was using a text document on a secure (encrypted) disk image on my Mac, and I would generate 12 to 20 character random passwords using Keychain Access, one for each service and website I logged into. The security of my passwords was many times better than before, but retrieving old passwords and storing new passwords was frustrating and involved too much time for my liking.
Even if you don't use Keychain Access to generate random passwords, using a password like 'horse cat flow corvette' is much harder for a hacker to crack than 'xAnsn0', for a few technical reasons, illustrated in this XKCD comic.
A password manager makes life easier
Finally, I put some money into my password organization and purchased 1Password for my Mac, iPhone and iPad. This application makes it relatively easy to generate any kind of password, and store it. It has plugins for all browsers on the desktop so you can quickly autofill login and registration forms with secure passwords. I almost never have to remember or type a password anymore, and my accounts are many times more secure because of this.
1Password helps me have secure passwords because:
- Every account I have (Gmail, iCloud, YouTube, MacRumors Forums, etc.) has a unique, random, 20+ character password.
- I don't have to constantly reset passwords because I forgot them, or because I forgot to put them into my encrypted text file.
- I can quickly generate a highly-secure password from the 1Password icon in my browser.
- I can quickly retrieve passwords for different websites and accounts using 1Password in the browser, or the standalone app.
Even if one of my accounts is compromised, I know that hackers would still not be able to get into any of my other accounts, since they all have different passwords. I also don't tie any accounts together, because savvy hackers know that many people tie their Gmail account to their Yahoo account, for example, meaning that the hacker could use one account to gain access to the other.
Securing passwords on servers and in applications
Since I am a web developer and administer many online servers, I also spend some time worrying about securing passwords from hackers in a few different ways—not only do I go to every length possible to protect databases with passwords and files with databases from ever being exposed to the outside world, I work to ensure any password that users submit to my websites and applications are encrypted in a way that nobody—including me—could ever decrypt within a reasonable amount of time.
I wrote a bit more about this in Flocknote's API documentation: Password Guidelines.
In the end, you should just presume that one of your accounts will be hacked at some point, and take measures to make sure there is limited fallout when that happens. Use a password manager to keep track of your passwords, lest you lose your sanity!