My approach to website passwords (and why it is the right one)
Recently, I read yet another article that asked people how many of their accounts would be compromised if someone got their password on a non-critical website. My answer is simple: none. And I think that this should be the answer for most everyone, to the point where it irritates me that it isn't.
I always use unique passwords for each website, generally a strong random one. For non-critical websites, I have my browser memorize them for me (and I get irate when this is not possible for stupid reasons). For critical websites, I write down the password on a physical piece of paper and then keep careful track of where it is; this is no particular burden, because there are very few critical websites.
In theory, this is hideously insecure; a single system weakness on my workstation could give an attacker access to many of my accounts. In practice, there are two things wrong with the theory. First, I have already decided that those are non-critical accounts that I don't care too much about the security for, and second, in practice it is far more likely that one of the websites I use will have its account database or login system compromised; in fact, such compromises are routine.
The clear conclusion is that using different passwords and allowing my computer to memorize them is in practice the more secure approach. Of course, this is not the approach most people are taught, which irritates me a great deal; it is a perfect example of mathematically correct security.
The website security fantasy, pushed by at least some security practitioners, is that people will use separate passwords on all websites and memorize them. This is not happening, because it is a pain and people don't do painful things. So we have two real choices; either people memorize one password and use it everywhere, or people use different passwords everywhere and have their computer memorize them. Sadly, teaching people the fantasy generally winds up with the reality being the first option.
Comments on this page:Written on 16 February 2009.