State of hacking: you need a password manager.

(I wrote this primarily for friends and colleagues. I’m posting it on my blog for efficiency/discussion/amendment.)

My IT manager recently sent around a warning about phishing attacks. (And I just attended a scary CSE seminar on spear-phishing — but that is another story.) Among his advice was:

You should use a strong password on all UCSD accounts and you should never use the same password on any other account you have,

That’s perennial advice that is both good and impossible. It’s good because many (most?) web sites keep making security mistakes that lead to massive breaches, exposing millions of passwords at a time. (The recent+ 100 million account breach at Target, for example.) It’s impossible because we have a decade or more of experience, research, and discussion that says using unique passwords for each login is completely impractical, and nobody actually does it.

Fortunately, a solution exists in the form of password manager programs. The most popular is 1password, which is what I use. The basic concept for all of these is to store unique passwords for each of your accounts, and then serve them up whenever you need them. 1password also makes it easy to generate genuinely hard-to-crack passwords, such as APuxHTo2&Q or (easier to pronounce but not as secure) In2Nud8iR6. I use one master password to unlock my 1P database; after that, no more remembering or typing.

Yes, this is a hassle, but yes, it’s worth it. Even if you did not use unique passwords everywhere, it’s now necessary to create 10+ character random passwords. Password cracking has moved from art toward science, with programs available for a few dollars that exploit the common “tricks” people use to make up passwords, starting with using real words. And they are getting a lot of use. (Why passwords have never been weaker—and crackers have never been stronger.) Plus there are many other ways besides cracking to attack one of your accounts, and from there get to the rest.
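To put numbers on "easier to pronounce but not as secure" and on the 10+ character advice, here is an added example (not from 1password or any other product) that generates both kinds of 10-character password and compares their entropy. The alphabets and the consonant-vowel-digit pattern are assumptions chosen for illustration.

```python
import math
import secrets
import string

# Assumed alphabets and pattern; not taken from 1Password or any other product.
FULL = string.ascii_letters + string.digits + "!@#$%&*?-_"   # 72 symbols
CONS = "bcdfghjklmnprstvwz"
CONS = CONS + CONS.upper()                                     # 36 symbols
VOWELS = "aeiou"                                               # 5 symbols
DIGITS = string.digits                                         # 10 symbols

# A scheme lists the alphabet allowed at each position of the password.
RANDOM_10 = [FULL] * 10
PRONOUNCEABLE_10 = [CONS, VOWELS, DIGITS] * 3 + [CONS]


def generate(scheme):
    """Draw each position independently from the OS CSPRNG."""
    return "".join(secrets.choice(alphabet) for alphabet in scheme)


def entropy_bits(scheme):
    """Bits of entropy when the attacker knows the scheme but not the draws."""
    return sum(math.log2(len(alphabet)) for alphabet in scheme)


def report():
    """One (name, sample password, entropy in bits) row per scheme."""
    rows = []
    for name, scheme in (("random", RANDOM_10),
                         ("pronounceable", PRONOUNCEABLE_10)):
        rows.append((name, generate(scheme), round(entropy_bits(scheme), 1)))
    return rows


if __name__ == "__main__":
    for name, sample, bits in report():
        print(f"{name:14} {sample}  {bits} bits")
```

At the same length, the pronounceable pattern gives up about 24 bits, which means over ten million times fewer candidates for a cracker that knows the pattern.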

Rather than lay out the rationale and methods myself, here is a comprehensive article on the subject:

There are 3 main password managers available: 1password, LastPass, and Apple’s “low end” keychain manager. Most people now use one that also works on their cell phone, using the same personal database of passwords on the cloud. 1password and Apple both do this.** Apple’s system mostly works with Safari, and has other limits. LastPass is free, but I erased it after a few weeks. (Ars Technica is the best source I know for non-technical coverage on these issues.)

Some random recent examples of security breaches at companies where, one would have thought, customer security was paramount:

**Personally, I don’t trust my cellphone, or “the cloud”, that much, so if I need a password on my cell, I hand type it, APuxHTo2 and all.





