State of hacking: you need a password manager.

(I wrote this primarily for friends and colleagues. I’m posting it on my blog for efficiency/discussion/amendment.) My IT manager recently sent around a warning about phishing attacks. (And I just attended a scary CSE seminar on spear-phishing — but that is another story.) Among his advice was:

You should use a strong password on all UCSD accounts and you should never use the same password on any other account you have,

That’s perennial advice that is both good and impossible. It’s good because many (most?) web sites keep making security mistakes that lead to massive breaches, exposing millions of passwords at a time. (The recent 100+ million account breach at Target, for example.) It’s impossible because we have a decade or more of experience, research, and discussion that says using unique passwords for each login is completely impractical, and nobody actually does it.