
The world has progressed to the point where most of us have faulty memories and dozens of passwords to remember. What are good ways to solve this problem?

I am interested in multiple answers and ranked order of answers, such as human memory, a password book, or password key-chains. Each of these solutions seems to have problems either with user convenience or security. Suggestions?

1 Answer

  1. The more entropy in a password, the better. Make your passwords long and complex to avoid hackers brute-strength breaking your account.

  2. Do not use the same password on two systems; if one system is compromised, your password on that system can be used to get into your account on the other system.

These two rules mean that if you want to be secure, you need to have a different complex password for each of the systems you use. To make things worse, many of the systems you have accounts on will force you to change your password regularly.

All of the above means that unless you have a photographic memory, you need some secure place, other than your brain, to store passwords.

I recommend using a password manager. They use encryption to secure all of your passwords, and you access them by using one memorized master password that can be complex, since you only need to memorize that one password rather than remembering dozens or hundreds of different changing complex passwords.

The second best option is to print out all of your passwords on paper and store it in a secure place, like your wallet. The real threat to your system accounts is someone hacking into your computer or the system/server you have an account on, not a mugger running home after taking your wallet and hacking into your accounts. Even if you worry about losing your wallet, you can go home, grab your backup printed password list, and then quickly change all of your passwords before someone gets into your accounts.

One method I recommend that you use to increase the security of any password storage method is to memorize a secret procedure that can modify any alphanumeric string to form your actual password.

For example, I might memorize a procedure that says "capitalize last letter, append 3, and then move first letter to end". Then if I store my Gmail password in my wallet as 'googlepassword', the actual password I would use when logging into Gmail would be 'ooglepassworD3g'. You would apply the same secret memorized procedure to all of your stored passwords. This allows your passwords to be very complex, since you no longer need to memorize the password, you only need to memorize the secret modification procedure you use.

If you need to change your password afterward, create a new unmodified password, print it out or store it, apply your method, and then use the modified password on that system.

Using this technique, even if you store your unmodified 'passwords' in an insecure location (such as in a text file or in a wallet lost to a mugger), your real passwords will still be secure.

And finally, I believe that passwords will, at some point, go away as a remote authentication method. I have great hopes that SQRL, or some other form of remote authentication, will make passwords obsolete.

Greenonline
Mark Ripley
  • What sense is there in storing all your encrypted passwords in a key-ring controlled by a single password? This seems almost the same as having a single password for all your accounts. Maybe I am missing something, here. – Brent Kirkpatrick Apr 10 '16 at 18:15
  • I thought that introducing a single-point-of-failure was something to be avoided. A password key chain or an SQRL would both be single-points of failure. Actually, a password book would also be a single-point of failure. Are there any other options? – Brent Kirkpatrick Apr 10 '16 at 18:38
  • It's a single password to a file which you can control access to - keep it on a USB key, or otherwise on your person, and you know when it's been taken, and can react, unlike with a DB breach. – Matthew Apr 10 '16 at 19:41
  • It's not a single point of failure, it's a single point of vulnerability. The quote that applies is "Put all your eggs in one basket, and then WATCH THAT BASKET!". Users normally have multiple points of failure because they reuse passwords on multiple systems, and then if one system is compromised their password is then usable to crack another system they used the same password on. – Mark Ripley Apr 10 '16 at 20:12
  • Risk analysis is about multiplying the chance of something occurring by the damage or economic cost of it occurring. Stealing the master password from a password manager is much less likely than stealing it from a web site. – Mark Ripley Apr 10 '16 at 20:24
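The answer above rests on two quantitative ideas: the entropy rule (a longer password over a larger alphabet costs a brute-force attacker exponentially more guesses) and the memorized transform that turns a stored string into the real password. The following Python is an added example, not code from the question, the answer, or any password manager; the character-class model, the guess rate and the `brute_force_seconds` estimate are simplifying assumptions chosen for illustration. It computes an upper-bound guessing entropy for a password, estimates exhaustive-search time at a given guess rate, and implements the answer's "capitalize last letter, append 3, move first letter to end" procedure as a list of composable steps so the worked value `ooglepassworD3g` can be checked.

```python
import math
import string

# Character classes used to estimate the alphabet a blind brute-force
# attacker must cover. A class is counted only if the password uses it.
# (Assumption for illustration: real attackers use dictionaries and
# leaked lists first, so this is an upper bound, not a guarantee.)
CHAR_CLASSES = {
    "lower": set(string.ascii_lowercase),
    "upper": set(string.ascii_uppercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}
_ALL_CLASSED = set().union(*CHAR_CLASSES.values())


def alphabet_size(password: str) -> int:
    """Size of the union of the character classes the password touches.

    Characters outside the four ASCII classes (e.g. non-ASCII letters)
    each add one symbol, since the attacker must include them explicitly.
    """
    chars = set(password)
    size = sum(len(members) for members in CHAR_CLASSES.values() if chars & members)
    return size + len(chars - _ALL_CLASSED)


def entropy_bits(password: str) -> float:
    """Upper-bound guessing entropy in bits: log2(alphabet ** length).

    This treats every character as uniformly random over the alphabet;
    a dictionary word like 'googlepassword' is in reality far weaker.
    """
    if not password:
        return 0.0
    return len(password) * math.log2(alphabet_size(password))


def brute_force_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected time to find the password by exhaustive search.

    On average half the keyspace is searched before a hit.
    """
    return (2.0 ** bits) / 2.0 / guesses_per_second


# The answer's memorized procedure, expressed as independent steps so
# the order (which matters) is explicit and any step can be swapped.
def capitalize_last(s: str) -> str:
    return s[:-1] + s[-1].upper()


def append_3(s: str) -> str:
    return s + "3"


def move_first_to_end(s: str) -> str:
    return s[1:] + s[0]


PROCEDURE = [capitalize_last, append_3, move_first_to_end]


def apply_procedure(stored: str, steps=PROCEDURE) -> str:
    """Turn the written-down string into the password actually typed."""
    for step in steps:
        stored = step(stored)
    return stored


if __name__ == "__main__":
    stored = "googlepassword"          # value from the answer
    real = apply_procedure(stored)     # -> ooglepassworD3g
    for label, pw in (("stored", stored), ("real", real)):
        bits = entropy_bits(pw)
        # 1e10 guesses/s is a constructed figure for an offline attack.
        secs = brute_force_seconds(bits, 1e10)
        print(f"{label:6} {pw!r:20} alphabet={alphabet_size(pw):3d} "
              f"bits={bits:5.1f} exhaustive~{secs/86400/365:.1e} years")
```

Reading the numbers: the transform lifts the stored string from a 26-symbol alphabet to a 62-symbol one and adds a character, so the blind brute-force bound rises from roughly 66 bits to roughly 89 bits. That bound only applies to an attacker who has neither the stored list nor the procedure. If the written list is lost, as the answer contemplates, the only remaining secret is the procedure itself, and a single leaked (stored, real) pair lets an observer reconstruct it for every other account; the transform is best read as a layer on top of a password manager, not a substitute for one.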