[Update: Back when this was written, very nice password managers like 1Password and LastPass didn't exist or were not very capable of managing passwords as well as they are today—please ignore the advice below and use a password manager to generate very long, random passwords, and use the password manager instead of memorizing anything.]
Every month or so, another scary story about a huge security compromise (a.k.a. a hack) surfaces on the Internet, and this month is no exception. Earlier this month, the whole Twitter corporate hierarchy had a lot to worry about, as a hacker (that's kind of a misnomer... hackers are usually nothing more than persistent, patient and sly computer users) accessed many Twitter employees' email, iTunes, Google, etc. accounts, all because one of the employees (probably not the only one, though) left an open door via a few small security missteps.
The hacker, after gathering tons of personal information gleaned from all over the web, was able to recover a user's Gmail password by guessing a few personal questions Gmail asks on the password recovery form (e.g. "Who was your favorite actor?", "What is your maiden name?", etc.). Then the hacker simply searched through the user's emails for something like "username password," because he knew that a lot of websites (like the Joomla! forums, some gaming sites, online stores, etc.) simply send an email upon a new user registration that contains the person's username and password. Once the hacker got hold of a few more passwords this way, he was on his way to 'hacking' all the user's accounts... because like most people online, the user had only one or maybe two passwords he used for everything.
...but using the same password for multiple sites/services isn't necessarily a bad thing. Not if you follow these steps:
- Break up your online services into different tiers of password security.
You shouldn't use the same password for your main email account as you do for Flickr, or for a forum you rarely visit. Have a very secure password (see below) that you use only for a few important services (email, Facebook, AIM, computer), then have another password or two that you use for less important services. This way, even if you're hacked on a lower level, your most important online assets are protected.
- Use as secure a password as you are able.
I don't expect you'd be able to memorize something like In3J*@jsN9, but instead of using a password like "iloveme," mix it up and use "i1love9me80" or something that's a bit harder to guess. The more random, the better... of course, a forgotten password doesn't do any good, either!
- Don't mix personal and work passwords.
If you're like me, you manage hundreds of accounts across hundreds of services/sites, including many for yourself. You should never use one of your own personal passwords for a work project or email account. There are too many reasons for this to even think about listing them.
- For one-off passwords, use something insanely secure, and change it yearly (at least).
For things like a website database, a hosting account, etc., use a password generation tool (most good programs/operating systems have one) and make a 10+ character long random password using symbols, punctuation, upper/lowercase letters, and numbers. Then mark your calendar to change the password yearly (or more often, if you're paranoid). Then, don't use this password for anything else—ever.
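As an added example (not code from the original post), here is what the "password generation tool" step above amounts to: a generator that draws from a cryptographic random source, enforces the 10+ character minimum, guarantees every character class the post lists is present, and an entropy helper that shows why a random password beats a memorable one of the same length. The class set and the 16-character default are my assumptions.

```python
import math
import secrets
import string

# Character classes the post's generator step calls for: upper/lowercase
# letters, digits, and symbols/punctuation (assumed set, 94 symbols total).
CLASSES = (
    string.ascii_lowercase,
    string.ascii_uppercase,
    string.digits,
    string.punctuation,
)
ALPHABET = "".join(CLASSES)


def has_all_classes(password):
    """True if at least one character from every class in CLASSES is present."""
    return all(any(c in cls for c in password) for cls in CLASSES)


def generate_password(length=16):
    """Return a random password of `length` characters (minimum 10, per the
    post) that contains at least one character from every class."""
    if length < 10:
        raise ValueError("one-off passwords should be 10+ characters")
    while True:
        # secrets, not random: a password needs the OS CSPRNG, not a PRNG.
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):  # reject-and-retry keeps selection uniform
            return candidate


def entropy_bits(alphabet_size, length):
    """Bits of entropy for a uniformly random string of `length` symbols."""
    return length * math.log2(alphabet_size)


if __name__ == "__main__":
    pw = generate_password(12)
    print(pw, "covers all classes:", has_all_classes(pw))
    # 10 random chars over all 94 printable ASCII symbols: about 65.5 bits.
    # 10 random lowercase letters: about 47 bits. A pattern like
    # "i1love9me80" is far below either, since it is not random at all.
    print(round(entropy_bits(len(ALPHABET), 10), 1))
    print(round(entropy_bits(26, 10), 1))
```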
The main thing is, even though there's a huge temptation towards laziness in password management, you need to do as much as you can to ensure your main services/accounts use different and more secure passwords than your less-important ones!
Comments
This is the number one waste of my time at work - other people forgetting passwords and me having to reset them.
They always seem to think I'll somehow remember their passwords as the question always comes in the form "What is my password for..." as opposed to "Sorry, I've lost it can you set another one please". Obviously I'm not about to work out a strategy for remembering passwords other people have chosen - it's enough to remember the ones I need.
Rightly or wrongly, for my own use I've created a pattern for choosing passwords based on a keyword only I know (and remember!) that works in conjunction with the URL of the site I want to log into. To work out what one of mine is, you'd need to know the password, and how it would relate to the URL. I'm reasonably sure, even if you saw two of my passwords, you'd not be able to guess a third even if you know the URL and the keyword. Works for me ;)