Passwords and Accounts

I’m beginning to be overwhelmed.

A few weeks ago, I lost a USB-key (or flash-drive) with a copy of my master Firefox profile on it. The master profile has all the passwords on it. Think about that for a minute. ALL THE PASSWORDS. In one place.

Ouch.

After a rather frantic day changing the passwords on 227 different accounts, and struggling with a new password regimen, it became clear: I need a way to manage passwords. I probably also need better passwords, or at least more of them.

In the process, I also found which sites had rather poor password policies, and I’ve made a list of places to re-assess. In this day and age, password policies of “all numeric” or “only eight characters” or “upper-lower case only no numbers” are absurd. I’ve already decided to change vendors in some instances, due to absurdist password policies.

I still have to figure out how to manage the passwords. There are several commercial solutions, as well as some open-source ones, but almost all of them suffer from one or more drawbacks. I guess I’ll end up making a compromise, somewhere.

The first problem is with the hardware solutions – you have to carry it around with you, it needs batteries, it only stores a small group of passwords, what if I lose it? I don’t think I’m going to use a dedicated hardware unit.

The software solutions, well, I think I’ll have to go with one of them, but for an alternate path, I’m also beginning to use OpenID. I have accounts on several of the providers, but after having poked around a bit, I think I’ll end up using the Google-based provider most often. In order for this to work, of course, you have to have a Google Profile – and thus a new webpage was birthed.

Along the way I’m also going to finally take the plunge into the smartphone pool – StupidPhone™ is starting to wear out, and it’s about time I stepped forward from the trailing edge of technology. Whichever password manager I pick needs to run on an Android-based phone.


2 thoughts on “Passwords and Accounts”

  1. We have too many passwords here where I work and it is absurd; some systems have high requirements for passwords and others don’t. Yesterday at a meeting it was brought up that someone (in another company) has so many passwords to keep he has a book with an encrypted way of knowing what page has all the right passwords on it.

    Does anybody make a book that has a random set of passwords on every page where one can make up their own ‘combination’ to figure out what page has the current passwords? Maybe that is too low tech; anyway, were you looking into RSA token solutions? I am not sure something like OpenID is not more widely adapted honestly but have read in the past shortcomings that I cannot seem to recollect now.

  2. I’m mostly thinking about how I can handle having more than 500 distinct, theoretically unique id/password combinations. Now, obviously I can’t keep track of that many, so the basic id takes one of several patterns, but still… it’s best practice to not reuse the same password for other sites – but again, given the magnitude of the problem, I do reuse passwords. Thus my panic at losing the flash drive.

    What makes it still more interesting is – not everything I need a password for can be manipulated via a web browser. Routers, switches, Unix shell accounts – all of these also need id / password combinations.

    This is bringing to light two different discussions: 1) How to handle passwords for myself and 2) how to make websites work better.

    Short-term, my concern is mostly with item 1, but OpenID may be a solution for the second discussion. I’ll make another post in a day or so about OpenID and my general take on web security and what developers/designers should consider.
