Your Passwords and Why You Need More Than One

Lots of websites now require you to use passwords. When you set up online banking, create email accounts, or comment on blogs, many sites require you to create a password.

If I created a new unique password for every site I visited, I would not be able to remember them all.  There are several common ways of avoiding this problem.  I will go over some of them in this article and the advantages and issues of each.

Just one unique password

The first thing many people try is using the same password for all of the sites.  This is easy to remember. What are the problems with this approach?   

When you sign up for an account, websites generally have rules about valid passwords. A site may require you to have at least 8 characters, one upper case, one lower, and one symbol. Such a password can be hard to remember, but you would think a complex enough password would work everywhere. Unfortunately, this is not the case. I have seen sites in the past that will not allow long passwords and sites that forbid some special characters. One password cannot be used everywhere on the web.

Also, when you sign up for many sites they keep you locked out until you activate your account through an email link. Among the reasons they do this are to make sure you are a human and to help prevent one person from having hundreds of accounts.

If all your accounts have the same password, each of those sites has your email address and the password you use to access it. The websites should not store your passwords but many of them do. (Ask me about this if you wish to understand how they can avoid saving the password.) Some sites even send a welcome message to your email with your new account password in it. Anyone who reads this can probably read your email and send email as if they were you.
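How a site can check a login without keeping the password itself, as an added example (not code from this article or from any particular site). The choice of PBKDF2, the 600,000-iteration work factor, and the function names are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256


def _slow_hash(password: str, salt: bytes, iterations: int) -> bytes:
    # Deliberately slow, so testing many guesses against a stolen record is costly.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_record(password: str) -> dict:
    """What the site keeps at sign-up: a random salt and a hash, never the password."""
    salt = secrets.token_bytes(16)  # unique per account
    return {
        "salt": salt.hex(),
        "iterations": ITERATIONS,
        "hash": _slow_hash(password, salt, ITERATIONS).hex(),
    }


def check_login(record: dict, attempt: str) -> bool:
    """Recompute the hash from the login attempt and compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    candidate = _slow_hash(attempt, salt, record["iterations"])
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    pw = "constructed-Example-pw-1"  # constructed sample, not a real password
    alice, bob = make_record(pw), make_record(pw)
    print(check_login(alice, pw), check_login(alice, pw + "x"))
    # Same password, different salts: the stored values do not match each other.
    print(alice["hash"] != bob["hash"])
```

A site built this way has nothing it could put in a welcome email, because the stored record cannot be turned back into the password.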

Because of this you need to have at least two passwords.

Tailored Passwords

Another approach is to tailor the password by site. A common way of doing this is to append something from the site name to the end of your general password. For example, let me create a general password of “Qwert!”. If I needed a password to log into my Microsoft mail I would use Qwert!ms. For my Yahoo account I would use Qwert!yh. For my Wells Fargo bank account I would use Qwert!wf.

This is a far better approach than just one password.  It has its problems though.  Many sites email your account information to you.  If someone sees enough of these emails it is easy to guess the pattern.    

Levels of Passwords

This is the next approach that many people use. You set up three or more levels of passwords. Each level is more restricted than the level before it. This is best explained by examples.

I create a password for simple sites where I do not worry about the security of the information. For example, I want to post a question on a website in response to a blog post. I may never need to log in again. Certainly the world will not end if someone else logs in as me. So I create a password like !Qwerty01. Next week, I want to set up a Twitter account. I use the same low level password. All I need to remember to get back in is what I use for a user name and that this site is not critical to me.

Now if I am going to set up an account that could cause problems if someone gets in but still is not a disaster, I create a second password. This time I will use a different password totally unrelated to the old password: %%Tbusb2. Nobody will be able to guess the first based on the second. This password will be used for email accounts, job searches, updating web pages and blogs.

Finally we make a third password for financial things. This unrelated password would be used for all websites that are money related, such as electronic payments for bills like your utilities, and bank accounts.

This is more secure than the previous methods. You can remember three (or four) passwords and if you cannot remember the level you assigned the accounts, you can try a couple different ones.

There are problems as well.  If someone breaks one of these accounts you can also be in trouble.

Password Managers

Password Managers are programs or devices that keep a set of passwords protected by encryption. In order to access the passwords stored in the “safe” you must know your master password. The systems can store the username, password and site in one location. Because only the master password needs to be remembered, they can generate passwords that are not guessable.
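A sketch of how a manager can generate a different unguessable password per site while still respecting the per-site rules mentioned earlier (length limits, forbidden characters). This is an added example, not code from any real password manager; the site names, the rules in `SITE_RULES`, and the symbol set are constructed for illustration.

```python
import secrets
import string

# Constructed per-site rules; real sites publish their own limits.
SITE_RULES = {
    "mail.example": {},
    "forum.example": {"max_length": 12},
    "bank.example": {"max_length": 16, "forbidden": "%&<>'\""},
}


def generate_password(length=20, max_length=None, forbidden="", symbols="!@#$%^&*-_=+"):
    """Random password with one character from each allowed class, within site limits."""
    if max_length is not None:
        length = min(length, max_length)
    classes = [
        [c for c in string.ascii_lowercase if c not in forbidden],
        [c for c in string.ascii_uppercase if c not in forbidden],
        [c for c in string.digits if c not in forbidden],
        [c for c in symbols if c not in forbidden],
    ]
    classes = [cls for cls in classes if cls]  # skip a class the site forbids entirely
    if length < len(classes):
        raise ValueError("length too short to include every character class")
    alphabet = [c for cls in classes for c in cls]
    # One guaranteed character per class, the rest drawn from the whole alphabet.
    chars = [secrets.choice(cls) for cls in classes]
    chars += [secrets.choice(alphabet) for _ in range(length - len(chars))]
    # Shuffle with the OS random source so the guaranteed characters are not always first.
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def build_vault(rules):
    """One independent password per site; no shared base word or visible pattern."""
    return {site: generate_password(**rule) for site, rule in rules.items()}


if __name__ == "__main__":
    for site, password in build_vault(SITE_RULES).items():
        print(f"{site}: {len(password)} characters")
```

Because every password is drawn independently from the operating system's random source, seeing one of them tells an observer nothing about the others.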

The idea is to start the program, enter the master password to confirm you are the real you, then just click on the link for the website you wish to log into and you are on.  Wikipedia has a nice article on them.

There are some issues with this approach as well. Surprisingly, people breaking into the safe is not generally a problem. It is relatively easy to encrypt the safe so that it is basically impossible to decrypt the passwords without the master password.

If your master password is your phone number, a word in a dictionary, or some other simple password, tools out there can guess it. To be secure, you need one VERY hard to remember password that allows access to everything.

If software called a keylogger is installed on your computer, it can record the steps taken to open your safe. A keylogger is a program (generally) that runs on your computer without your consent and records what you do on the computer for use by someone else. Keyloggers generally get installed in the same way that viruses and other malware are installed. In this situation, it does not matter how secure your master password is; the person who controls the keylogger will know what it is.

The major risk with password managers is losing access to the safe. If the manager is installed on your computer and your computer dies or you left it at home, you will have problems accessing your websites. Yes, you can have backup copies, but you must still have access to them. If you forget the master password and the system is designed properly, you must reset all of the accounts.

With password managers it can also be harder to give a friend access to one of your accounts if you choose to do so.

Conclusion

All password protection methods have drawbacks. You need to decide how important protecting your access is and what steps you will take.  Personally, I use a combination of the above approaches.

Please do not use any of the passwords above.  Because they have been published they will be added to the lists of commonly used/guessed passwords.  Also,  before anyone wastes a bunch of time trying to break in, I do not have a Wells Fargo account.
