I’m not a security expert and don’t pretend to be one, but half-cooked advice on fundamental security issues p***es me off big time. Today it’s a lengthy article at the Boston Globe: Please do not change your password.
It’s based on a study by a Microsoft researcher, who concludes that regularly changing passwords is a big waste of time – so far so good and I’ve just saved you reading 3 pages –but what’s the conclusion?
- Use strong, bullet-proof passwords in the first place
- Use updated security software, don’t install unknown stuff to avoid keyloggers
It all makes sense, except that it’s hard to do. Statistics show that over 60% of Internet users have a favorite set of login credentials and they use that single set across many systems. Very-very dangerous, but the reason we do it is that this is what we can remember easily.
The missing piece from the advice is how we deal with the “bullet-proof” and unique set of login credentials we create on dozens of systems we need to log in. Some people will develop a formula to make up such passwords – too bad such patterns are often recognizable. (Update: see Bob’s example for algorithmic passwords.) Others will write them down … ouch!
So we’re left with two options:
- physical devices, be it lists, passcode cards, USB sticks..etc, what if you lose them?
- password management systems like Keypass, Lastpass, Passpack, Syferlock… – what if they get compromised?
What’s your solution?