I need to confess my password sins. I've shared passwords with my wife. I've used the same password on multiple websites. I have passwords written on a post-it note on my desk. I keep reusing the same 17-year-old password for my...ahem...financially-related accounts. I recycle the same passwords over and over. I also blamed Apple for losing months of content from my iPad when it was actually me who had forgotten my password. I've broken many of the password rules, and I ask for your forgiveness.
Fortunately, I haven't ruined my life. To my knowledge, I own my identity (well, at least I'm pretty sure those who stole it a few years ago don't use it anymore). My credit is good (I just checked). And the U hasn't disabled my account--although they may after reading this. I've been too risky for too long. Today, I'm cleaning myself up. No more bad habits.
This is impossible
I did a little research on password best practices. To follow the rules, I'll need a unique, complex password for each of the dozens of online accounts I maintain--passwords that are somehow easy for me to remember but difficult for others to guess. To keep things interesting, most sites seem to go out of their way to establish a different set of rules: some require more than 8 characters, others less than 8, some need two special characters, some won't take any, a few prohibit the use of spaces, require 3 vowels, only even numbers on Tuesdays, etc. In addition to the password, I'll also need to remember the specific username that accompanies it (I even found one site that requires numbers in the username!). To protect against phishing attacks, I'll also have to memorize each website address so I'm not duped out of my money. For added fun, some sites now make me remember pictures and ask other personal questions to enhance security. And, of course, I should never write any of this down.
I'm left with only one conclusion: following the rules is impossible! No wonder so many people go astray. The message from information security experts is so over-the-top, contradictory, and poorly communicated that it makes very little sense to the average computer user. IT has simply created a mess. To quote Microsoft researcher Cormac Herley (PDF), "When we provide long lists of unordered advice we abdicate all opportunity to have influence and abandon users to fend for themselves."
If you can't win, cheat
In preparing for this column, I asked for advice from the U's IT community. No one had a great answer for how to help faculty, staff, or students with this problem. Most responses were about what they did personally, and no one claimed to follow all the rules. Most strategies were either complicated or somewhat unsafe. Obviously, being a geek doesn't make you any better at managing passwords than the average end-user--we all hate these rules!
The fact is we now live and work in an environment where you cannot realistically be expected to memorize unique and strong passwords for every site. So let's stop trying. Technology created the problem, so let technology solve it. Get a password management tool and use it every day for every site.
Let me be clear, secure passwords are important and I am not suggesting you bypass the rules. However, I am a strong believer that security procedures that are easy to use will be much more successful than those that are not. My recommendation today is to use a tool of convenience.
Is there an app for that?
I received a number of recommendations for password management tools. Many of my fellow geeks admitted most tools were a little clunky (thus they rarely recommended them to end-users), but one app, aptly called 1Password from AgileBits, was recommended highly for its security and high-quality design. It integrates into all the major web browsers like Safari, Firefox, Chrome, and Explorer and works on Macs, PCs, iPads, iPhones, and Android devices. Through the use of Dropbox*, it securely syncs your passwords between all of your devices.
The only drawback is cost, as 1Password is not free. You'll spend between $50 and $85 depending on how many computers and other devices you want to install it on. Think of it as your digital purse or wallet, and, in this case, you get what you pay for. Luckily, there is a 30-day trial version on the AgileBits website.
If you dedicate yourself to using it, you'll have a super simple process for logging into all of your websites, you'll have passwords that will take even determined hackers years to crack, and you will only need to commit a few passwords to memory. To be successful, I encourage you to use it for every website you can: Facebook, banks, Amazon, email, etc. Using it for only some sites, and not others, defeats the purpose and achieves neither security nor convenience.
I now only need to remember two passwords: one for logging into my computer and another for the master password of my 1Password keychain. All the rest are as long, random, and complex as each site allows. As necessary, 1Password prompts me for the master password and re-locks after a user-customizable period (20 minutes in my case) or when the computer goes to sleep. It provides a simple keyboard shortcut and a button on my browser toolbar to quickly and conveniently log into all of my websites. I don't need to remember usernames, URLs, or stupid passwords. Like most new ideas, this may take you a little while to get used to, but I can honestly say the new way is easier, quicker, and safer than any of my old habits.
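As an added illustration (not code from this column or from AgileBits), here is a small Python script that does the part of the job a password manager automates: it draws a password as long and random as a given site's rules allow, checks the result against those rules (the contradictory ones described above: length caps, required digits or special characters, banned characters), and estimates how long an offline brute-force attacker would need. The four sample site policies, the 10 billion guesses-per-second rate, and every function name are constructed assumptions for the example.

```python
import math
import secrets
import string
from dataclasses import dataclass


@dataclass(frozen=True)
class SitePolicy:
    """One site's password rules. The fields are assumptions modelling the
    kind of contradictory rules described above; real sites differ."""
    name: str
    min_len: int
    max_len: int
    require_digit: bool = True
    require_special: bool = True
    allowed_special: str = string.punctuation  # "" means specials are banned
    allow_spaces: bool = False


def alphabet_for(policy: SitePolicy) -> str:
    """Every character the site will accept."""
    chars = string.ascii_letters + string.digits + policy.allowed_special
    if policy.allow_spaces:
        chars += " "
    return chars


def complies(policy: SitePolicy, pw: str) -> bool:
    """Check a candidate password against the site's rules."""
    if not policy.min_len <= len(pw) <= policy.max_len:
        return False
    alphabet = alphabet_for(policy)
    if any(c not in alphabet for c in pw):
        return False
    if policy.require_digit and not any(c.isdigit() for c in pw):
        return False
    if policy.require_special and not any(c in policy.allowed_special for c in pw):
        return False
    return True


def generate_password(policy: SitePolicy) -> str:
    """Draw a password of the maximum length the site allows, uniformly from
    its alphabet (secrets, not random, so it is unpredictable), and re-draw
    until every required class is present. Rejection sampling keeps the
    result uniform over the set of compliant passwords."""
    if policy.require_special and not policy.allowed_special:
        raise ValueError(f"{policy.name}: requires a special character but allows none")
    alphabet = alphabet_for(policy)
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(policy.max_len))
        if complies(policy, pw):
            return pw


def entropy_bits(policy: SitePolicy) -> float:
    """Entropy of a uniformly random password at the site's maximum length.
    The class requirements remove only a negligible slice of the keyspace
    once the length is above a few characters, so they are ignored here."""
    return policy.max_len * math.log2(len(alphabet_for(policy)))


def expected_years_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected time for an offline brute-force attacker to reach the
    password, i.e. half the keyspace at the given guess rate. The rate is a
    constructed assumption; real rates depend on how the site hashes passwords."""
    return 2 ** (bits - 1) / guesses_per_second / (365 * 24 * 3600)


# Constructed sample policies, one per kind of rule mentioned above.
SAMPLE_POLICIES = [
    SitePolicy("long-and-strict", min_len=12, max_len=64),
    SitePolicy("less-than-8", min_len=6, max_len=7),
    SitePolicy("no-specials", min_len=8, max_len=16,
               require_special=False, allowed_special=""),
    SitePolicy("only-four-specials", min_len=10, max_len=20, allowed_special="!@#$"),
]

if __name__ == "__main__":
    for policy in SAMPLE_POLICIES:
        pw = generate_password(policy)
        bits = entropy_bits(policy)
        print(f"{policy.name:20} {bits:6.1f} bits  "
              f"~{expected_years_to_crack(bits):.3g} years  {pw!r}")
```

Running it shows the point of the "as long as each site allows" habit: the site that caps passwords at 7 characters yields a password an attacker with the assumed guess rate finishes in well under a second, while the 64-character one is out of reach for any foreseeable hardware. The length cap, not the user, decides the strength.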
Seek individualized attention
This Reboot column is too short to be a detailed how-to article. I am merely encouraging you to seek a better option than what you may already be doing. If you are as frustrated with confusing password rules as I am, or worried about the security of your private information, then have a talk with your department's Technology Administrator. He or she can talk to you about your specific needs, show you 1Password, or find a more appropriate solution. Just don't expect the rules to get any easier to follow--IT is nowhere near cleaning up this mess.
* - Yes, I am suggesting that you use Dropbox. It is another great tool of convenience. Just be careful. Talk to your Tech Admin before using it, and, for mostly legal reasons, don't use it for unencrypted private data. What is good about the 1Password/Dropbox combination is that the former encrypts the data and gives you the keys and the latter stores the protected information and moves it from device to device for you. Neither tool/service has both the data and the key. Be cautious about competing solutions that have access to both.