In the past I've had 3 or 4 different passwords of varying strength that I've used for pretty much everything. That's better than most people (most people only have 1 password for everything), but it's still pretty stupid from a security standpoint. If one or more of those passwords were ever compromised (and trust me, I'm sure they have been at one point or another), then the attacker (or ex-girlfriend) would have access to pretty much everything they'd need to own me. Think about how much information you have out there. Between email, IM, facebook, twitter, banking, bills, student loans... It's pretty scary.
In 2011 I'm adopting a new policy: unique and reasonably-secure passwords for each and every service. I'm talking about passwords like this:
,H!i43/%]I.3{X#TT"Z2/e%IL

Don't use that as your password, BTW. Since it's posted on the internet, it's no longer secure.
Having long, random passwords that are unique for each service is really the best way to protect your data. Now don't get me wrong, passwords suck as a form of authentication by themselves, but it's what we're stuck with for the time being, so it's best to make them as strong as possible. A hash of the password above would not be found in a dictionary attack. It would take an unreasonable amount of time to crack with a rainbow table or brute force method. It is, however, very difficult to memorize a password like that for every service used. That's where the tools come in.
By using a combination of KeePass, KeePassX, and KeePassDroid I am able to access an encrypted database of all my passwords on all of my devices. I use Dropbox to securely sync my password database among my devices.
KeePass allows me to generate, store, and organize secure passwords for all of my services. It also allows me to copy my passwords to the clipboard, so I can log into services without having to manually type the complicated passwords. I do try to copy something else to the clipboard after logging in, however, so that my password isn't lying around in memory.
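To put numbers on the "unreasonable amount of time" argument above and on what a generator like KeePass's is doing, here is an added example (my own illustration, not KeePass code): it draws a 25-character password from the 95 printable ASCII characters with a CSPRNG, computes its entropy, and estimates expected brute-force time at an assumed guess rate.

```python
import math
import secrets
import string

# 95 printable ASCII characters, comparable to a generator with every
# character class enabled.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation


def generate_password(length: int = 25, alphabet: str = PRINTABLE) -> str:
    """Draw each character independently from a cryptographic RNG.
    random.choice() is not suitable for this; secrets is."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time: on average half the keyspace is searched."""
    return (2.0 ** bits) / 2 / guesses_per_second


if __name__ == "__main__":
    pw = generate_password()
    bits = entropy_bits(len(pw), len(PRINTABLE))
    # Assumed figure: 1e10 guesses/s stands in for a fast offline attack
    # against an unsalted fast hash; real rates depend on the hash used.
    years = expected_crack_seconds(bits, 1e10) / (365 * 24 * 3600)
    print(f"{pw}  entropy={bits:.1f} bits  brute force ~{years:.1e} years")
    # For comparison, an 8-character password from the same alphabet
    print(f"8-char from same alphabet: {entropy_bits(8, 95):.1f} bits")
```

Note that entropy only measures resistance to guessing; a password reused across services is still only as safe as the weakest site that stores it.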
Hopefully, this new system will help better secure my data in 2011. Are there any problems with this scheme? What is your password policy?